...
Java Field Name and Class | XML Attribute/Element and Type | Description |
---|---|---|
cipherSuites - CipherSuitesParameters | sslContextParameters/ciphersuites - CipherSuitesParameters | This optional property represents a collection of explicitly named cipher suites to enable on both the client and server side as well as in the SSLEngine. These values take precedence over filters supplied in cipherSuitesFilter. The utility attempts to enable the listed cipher suites regardless of whether the JSSE provider actually supports them: a name the provider does not support is passed through unchanged, so the provider rejects it (JSSE throws IllegalArgumentException from setEnabledCipherSuites) rather than silently dropping it. This behavior guarantees that listed cipher suites are always enabled when listed. For a more lenient option, use cipherSuitesFilter. |
cipherSuitesFilter - FilterParameters | sslContextParameters/cipherSuitesFilter - FilterParameters | This optional property represents a collection of include and exclude patterns for cipher suites to enable on both the client and server side as well as in the SSLEngine. The patterns are applied over only the available cipher suites. The exclude patterns have precedence over the include patterns. If no cipherSuites and no cipherSuitesFilter are present, the default filter is applied: every available cipher suite is included (pattern .*) and suites matching the exclude patterns .*NULL.* and .*anon.* (NULL encryption and anonymous key exchange) are removed. |
secureSocketProtocols - SecureSocketProtocolsParameters | sslContextParameters/secureSocketProtocols - SecureSocketProtocolsParameters | This optional property represents a collection of explicitly named secure socket protocols, such as SSLv3/TLS/etc., to enable on both the client and server side as well as in the SSLEngine. These values take precedence over filters supplied in secureSocketProtocolsFilter. The utility attempts to enable the listed protocols regardless of whether the JSSE provider actually supports them: an unsupported name is passed through unchanged and rejected by the provider (JSSE throws IllegalArgumentException from setEnabledProtocols). This behavior guarantees that listed protocols are always enabled when listed. For a more lenient option, use secureSocketProtocolsFilter. |
secureSocketProtocolsFilter - FilterParameters | sslContextParameters/secureSocketProtocolsFilter - FilterParameters | This optional property represents a collection of include and exclude patterns for secure socket protocols to enable on both the client and server side as well as in the SSLEngine. The patterns are applied over only the available protocols. The exclude patterns have precedence over the include patterns. If no secureSocketProtocols and no secureSocketProtocolsFilter are present, the default filter patterns are applied. |
sessionTimeout - java.lang.Integer | sslContextParameters/@sessionTimeout - xsd:int | This optional property defines the timeout period, in seconds, for sessions on both the client and server side as well as in the SSLEngine. |
keyManagers - KeyManagersParameters | sslContextParameters/keyManagers - KeyManagersParameters | This optional property configures the source of key material for providing identity of client and server side connections as well as in the SSLEngine. If omitted, no source of key material is provided and the SSLContext is suitable only for client-side usage when mutual authentication is not in use. You typically configure this property with a key store containing a client or server private key. |
trustManagers - TrustManagersParameters | sslContextParameters/trustManagers - TrustManagersParameters | This optional property configures the source of material for verifying trust of key material used in the handshake process. If omitted, the default trust manager is automatically used. See the JSSE documentation for more information on how the default trust manager is configured. You typically configure this property with a key store containing trusted CA certificates. |
secureRandom - SecureRandomParameters | sslContextParameters/secureRandom - SecureRandomParameters | This optional property configures the secure random number generator used by the client and server side as well as in the SSLEngine. If omitted, the default secure random number generator is used. |
clientParameters - SSLContextClientParameters | sslContextParameters/clientParameters - SSLContextClientParameters | This optional property configures additional settings that apply only to the client side aspects of the SSLContext. If present, these settings override the settings specified at the SSLContextParameters level. |
serverParameters - SSLContextServerParameters | sslContextParameters/serverParameters - SSLContextServerParameters | This optional property configures additional settings that apply only to the server side aspects of the SSLContext. If present, these settings override the settings specified at the SSLContextParameters level. |
provider - java.lang.String | sslContextParameters/@provider - xsd:string | The optional provider identifier for the JSSE implementation to use when constructing the SSLContext. If omitted, the standard provider look-up mechanism is used to resolve the provider. |
secureSocketProtocol - java.lang.String | sslContextParameters/@secureSocketProtocol - xsd:string | The optional secure socket protocol. See Appendix A in the Java Secure Socket Extension Reference Guide for information about standard protocol names. If omitted, TLS is used by default. Note that this property is related to but distinctly different from the secureSocketProtocols and secureSocketProtocolsFilter properties. |
...
Java Field Name and Class | XML Attribute/Element and Type | Description |
---|---|---|
include - java.util.List<java.lang.String> | include - xsd:string | This optional property represents zero or more regular expression patterns for which matching values should be included. The list of excludes takes precedence over the include patterns. |
exclude - java.util.List<java.lang.String> | exclude - xsd:string | This optional property represents zero or more regular expression patterns for which matching values should be excluded. The list of excludes takes precedence over the include patterns, so a value matched by both an include and an exclude pattern is excluded. |
...
SecureRandomParameters
Java Field Name and Class | XML Attribute/Element and Type | Description |
---|---|---|
algorithm - java.lang.String | @algorithm - xsd:string | This optional property represents the Random Number Generator (RNG) algorithm identifier for the SecureRandom factory method used to create the SecureRandom represented by this object's configuration. See Appendix A in the Java Cryptography Architecture API Specification & Reference for information about standard RNG algorithm names. |
provider - java.lang.String | @provider - xsd:string | The optional provider identifier for the SecureRandom factory method used to create the SecureRandom represented by this object's configuration. If omitted, the default look-up behavior is used. |
SSLContextServerParameters
Java Field Name and Class | XML Attribute/Element and Type | Description |
---|---|---|
cipherSuites - CipherSuitesParameters | sslContextServerParameters/ciphersuites - CipherSuitesParameters | This optional property represents a collection of explicitly named cipher suites to enable on the server side only (SSLServerSocketFactory/SSLServerSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. These values take precedence over filters supplied in cipherSuitesFilter. The utility attempts to enable the listed cipher suites regardless of whether the JSSE provider actually supports them. This behavior guarantees that listed cipher suites are always enabled when listed. For a more lenient option, use cipherSuitesFilter. |
cipherSuitesFilter - FilterParameters | sslContextServerParameters/cipherSuitesFilter - FilterParameters | This optional property represents a collection of include and exclude patterns for cipher suites to enable on the server side only (SSLServerSocketFactory/SSLServerSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. The patterns are applied over only the available cipher suites. The exclude patterns have precedence over the include patterns. See SSLContextParameters for details of the behavior if this option and cipherSuites are omitted at this level. |
secureSocketProtocols - SecureSocketProtocolsParameters | sslContextServerParameters/secureSocketProtocols - SecureSocketProtocolsParameters | This optional property represents a collection of explicitly named secure socket protocols, such as SSLv3/TLS/etc., to enable on the server side only (SSLServerSocketFactory/SSLServerSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. These values take precedence over filters supplied in secureSocketProtocolsFilter. The utility attempts to enable the listed protocols regardless of whether the JSSE provider actually supports them. This behavior guarantees that listed protocols are always enabled when listed. For a more lenient option, use secureSocketProtocolsFilter. |
secureSocketProtocolsFilter - FilterParameters | sslContextServerParameters/secureSocketProtocolsFilter - FilterParameters | This optional property represents a collection of include and exclude patterns for secure socket protocols to enable on the server side only (SSLServerSocketFactory/SSLServerSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. The patterns are applied over only the available protocols. The exclude patterns have precedence over the include patterns. See SSLContextParameters for details of the behavior if this option and/or secureSocketProtocols are omitted at this level. |
sessionTimeout - java.lang.Integer | sslContextServerParameters/@sessionTimeout - xsd:int | This optional property defines the timeout period, in seconds, for sessions on the server side. This setting affects both the SSLServerSocketFactory/SSLServerSocket as well as the server side of the SSLEngine. |
clientAuthentication - ClientAuthentication | sslContextServerParameters/@clientAuthentication - ClientAuthentication | This optional property indicates whether the server side does not request (NONE), requests (WANT), or requires (REQUIRE) clients to provide authentication credentials during the handshake process. This is commonly referred to as mutual authentication, two-way SSL/TLS, or two-legged SSL/TLS. Note that with WANT a client that presents no certificate still completes the handshake, so an application that relies on the client identity must check the peer certificate itself; only REQUIRE makes the handshake fail without one. |
SSLContextClientParameters
Java Field Name and Class | XML Attribute/Element and Type | Description |
---|---|---|
cipherSuites - CipherSuitesParameters | sslContextClientParameters/ciphersuites - CipherSuitesParameters | This optional property represents a collection of explicitly named cipher suites to enable on the client side only (SSLSocketFactory/SSLSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. These values take precedence over filters supplied in cipherSuitesFilter. The utility attempts to enable the listed cipher suites regardless of whether the JSSE provider actually supports them. This behavior guarantees that listed cipher suites are always enabled when listed. For a more lenient option, use cipherSuitesFilter. |
cipherSuitesFilter - FilterParameters | sslContextClientParameters/cipherSuitesFilter - FilterParameters | This optional property represents a collection of include and exclude patterns for cipher suites to enable on the client side only (SSLSocketFactory/SSLSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. The patterns are applied over only the available cipher suites. The exclude patterns have precedence over the include patterns. See SSLContextParameters for details of the behavior if this option and cipherSuites are omitted at this level. |
secureSocketProtocols - SecureSocketProtocolsParameters | sslContextClientParameters/secureSocketProtocols - SecureSocketProtocolsParameters | This optional property represents a collection of explicitly named secure socket protocols, such as SSLv3/TLS/etc., to enable on the client side only (SSLSocketFactory/SSLSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. These values take precedence over filters supplied in secureSocketProtocolsFilter. The utility attempts to enable the listed protocols regardless of whether the JSSE provider actually supports them. This behavior guarantees that listed protocols are always enabled when listed. For a more lenient option, use secureSocketProtocolsFilter. |
secureSocketProtocolsFilter - FilterParameters | sslContextClientParameters/secureSocketProtocolsFilter - FilterParameters | This optional property represents a collection of include and exclude patterns for secure socket protocols to enable on the client side only (SSLSocketFactory/SSLSocket) by overriding the value of this setting in the SSLContextParameters. This option has no effect on the SSLEngine configuration. The patterns are applied over only the available protocols. The exclude patterns have precedence over the include patterns. See SSLContextParameters for details of the behavior if this option and/or secureSocketProtocols are omitted at this level. |
sessionTimeout - java.lang.Integer | sslContextClientParameters/@sessionTimeout - xsd:int | This optional property defines the timeout period, in seconds, for sessions on the client side. This setting affects both the SSLSocketFactory/SSLSocket as well as the client side of the SSLEngine. |
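The tables above describe the filter rules (patterns applied over the available values only, excludes winning over includes, per-side overrides that do not reach the SSLEngine) but do not show what they produce. The following added example, which is not code from this page or from the Camel project, builds a context with an explicit cipher suite and protocol filter plus a stricter server-side override and then reads back what each of the three targets actually enabled. It assumes the Camel 2.x package org.apache.camel.util.jsse and the no-argument createSSLContext() used elsewhere on this page (Camel 3 moved these classes to org.apache.camel.support.jsse and createSSLContext takes a CamelContext); the class and helper names are the example's own, and the printed counts depend on which suites the running JDK supports.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

import org.apache.camel.util.jsse.FilterParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SSLContextServerParameters;

/**
 * Added example (not part of Camel): build an SSLContext through the JSSE utility and
 * inspect what the filters enabled on the SSLEngine, the client SSLSocket and the
 * server SSLServerSocket. Assumes Camel 2.x (org.apache.camel.util.jsse).
 */
public class JsseFilterCheck {

    // Context-wide cipher suite filter: everything the provider offers, minus NULL and anonymous suites.
    static FilterParameters cipherSuiteFilter() {
        FilterParameters f = new FilterParameters();
        f.getInclude().add(".*");
        f.getExclude().add(".*NULL.*");
        f.getExclude().add(".*anon.*");
        return f;
    }

    // Context-wide protocol filter: include every TLS version, then drop TLSv1 and TLSv1.1.
    // The anchors stop the exclude from also matching "TLSv1.2"; an exclude always wins over the include.
    static FilterParameters protocolFilter() {
        FilterParameters f = new FilterParameters();
        f.getInclude().add("TLS.*");
        f.getExclude().add("^TLSv1(\\.1)?$");
        return f;
    }

    // Server-side override: same as the context-wide filter but additionally drops CBC suites.
    // Per the tables this replaces the context-wide filter for SSLServerSocketFactory only.
    static SSLContextServerParameters serverOverride() {
        FilterParameters f = cipherSuiteFilter();
        f.getExclude().add(".*_CBC_.*");
        SSLContextServerParameters server = new SSLContextServerParameters();
        server.setCipherSuitesFilter(f);
        return server;
    }

    /** True when no value contains a match for the regex. */
    static boolean noneMatch(String[] values, String regex) {
        Pattern p = Pattern.compile(regex);
        for (String v : values) {
            if (p.matcher(v).find()) {
                return false;
            }
        }
        return true;
    }

    static void report(String target, String[] suites, String[] protocols) {
        boolean ok = noneMatch(suites, "NULL|anon")
                && noneMatch(protocols, "^SSLv?[23]$|^TLSv1(\\.1)?$");
        System.out.println(target + ": " + suites.length + " suites, protocols " + Arrays.toString(protocols)
                + (ok ? " (filters applied)" : " (UNEXPECTED: weak suite or protocol still enabled)"));
    }

    public static void main(String[] args) throws Exception {
        SSLContextParameters scp = new SSLContextParameters();
        scp.setCipherSuitesFilter(cipherSuiteFilter());
        scp.setSecureSocketProtocolsFilter(protocolFilter());
        scp.setServerParameters(serverOverride());

        // No keyManagers: enough to inspect enabled suites and protocols, but this context
        // could not complete a server-side handshake (see the keyManagers row above).
        SSLContext ctx = scp.createSSLContext();

        SSLEngine engine = ctx.createSSLEngine();
        SSLSocket client = (SSLSocket) ctx.getSocketFactory().createSocket();
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();

        report("engine", engine.getEnabledCipherSuites(), engine.getEnabledProtocols());
        report("client", client.getEnabledCipherSuites(), client.getEnabledProtocols());
        report("server", server.getEnabledCipherSuites(), server.getEnabledProtocols());

        // The server override removed CBC suites there only; the SSLEngine is not affected by it.
        System.out.println("server CBC suites removed: " + noneMatch(server.getEnabledCipherSuites(), "_CBC_"));
        System.out.println("engine CBC suites removed: " + noneMatch(engine.getEnabledCipherSuites(), "_CBC_"));

        client.close();
        server.close();
    }
}
```

Run it with camel-core on the classpath. The three report lines should all end with "(filters applied)"; the last two lines should differ (true for the server socket, false for the engine on a JDK that enables CBC suites by default), which is the visible consequence of "this option has no effect on the SSLEngine configuration". A line marked UNEXPECTED means a filter was not applied on that target and the configuration should not be trusted until the cause is found.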
Examples
Programmatic Usage
Setting Client Authentication On the Server Side
This configuration sets the server side aspects of the TLS configuration to require client authentication during the handshake process. This configuration uses the default trust store and a custom key store to provide key material for both the server and client sides of the SSLContext.
Code Block |
---|
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.camel.util.jsse.ClientAuthentication;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SSLContextServerParameters;
// Key store holding the server's private key and certificate chain.
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("/users/home/server/keystore.jks");
ksp.setPassword("keystorePassword");
// Key managers supply that identity to both sides of the context.
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("keyPassword");
// Server side only: fail the handshake unless the client presents an acceptable certificate.
SSLContextServerParameters scsp = new SSLContextServerParameters();
scsp.setClientAuthentication(ClientAuthentication.REQUIRE);
SSLContextParameters scp = new SSLContextParameters();
scp.setServerParameters(scsp);
scp.setKeyManagers(kmp);
// The returned SSLContext applies these settings to every socket and engine it creates.
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
|
Configuring Different Options on the Client and Server Side
In this example, both the client and server sides share the same custom key store; however, the client side allows any supported cipher suite (include pattern .* with no excludes) while the server side keeps the default cipher suite filter, which excludes any cipher suites that match the patterns .*NULL.* and .*anon.*. Note that the client-side override re-enables NULL-encryption and anonymous suites on the client wherever the provider supports them, so it is shown here to illustrate the per-side override rather than as a recommended setting.
Code Block |
---|
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.camel.util.jsse.FilterParameters;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextClientParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
// Key store shared by the client and server sides.
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("/users/home/server/keystore.jks");
ksp.setPassword("keystorePassword");
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("keyPassword");
// Include everything, exclude nothing: this overrides the default filter for client sockets only.
FilterParameters filter = new FilterParameters();
filter.getInclude().add(".*");
SSLContextClientParameters sccp = new SSLContextClientParameters();
sccp.setCipherSuitesFilter(filter);
SSLContextParameters scp = new SSLContextParameters();
scp.setClientParameters(sccp);
scp.setKeyManagers(kmp);
// Server sockets and the SSLEngine still get the default filter (no NULL or anon suites).
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
|
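The two examples above configure clientAuthentication and per-side cipher suites but never check what the resulting sockets will do. The following added example, which is not code from this page or from the Camel project, builds one context per ClientAuthentication value and reads the needClientAuth/wantClientAuth flags off the SSLServerSocket the context hands out, which is the check to run before trusting a configuration to enforce mutual TLS. It assumes the Camel 2.x package org.apache.camel.util.jsse, the no-argument createSSLContext() and the enum-typed setter used on this page (later Camel 2.x releases take the enum name as a String, so ClientAuthentication.REQUIRE.name() would be used there); the class and method names are the example's own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

import org.apache.camel.util.jsse.ClientAuthentication;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SSLContextServerParameters;

/**
 * Added example (not part of Camel): show how each ClientAuthentication value lands on
 * the SSLServerSocket produced by the configured context. Assumes Camel 2.x.
 */
public class ClientAuthCheck {

    /** Configures a context with the given mode and returns an (unbound) server socket from it. */
    static SSLServerSocket serverSocketFor(ClientAuthentication mode) throws Exception {
        SSLContextServerParameters server = new SSLContextServerParameters();
        // Enum-typed setter as on this page; later Camel 2.x releases take mode.name() instead.
        server.setClientAuthentication(mode);

        SSLContextParameters scp = new SSLContextParameters();
        scp.setServerParameters(server);
        // No key store here: enough to read the socket flags, not enough to complete a handshake.
        SSLContext ctx = scp.createSSLContext();
        return (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
    }

    /** What the server socket will do during the handshake, derived from the JSSE flags. */
    static String describe(SSLServerSocket s) {
        if (s.getNeedClientAuth()) {
            return "handshake fails unless the client presents an acceptable certificate";
        }
        if (s.getWantClientAuth()) {
            return "client certificate requested, but a client without one is still accepted";
        }
        return "client certificate never requested";
    }

    public static void main(String[] args) throws Exception {
        for (ClientAuthentication mode : ClientAuthentication.values()) {
            SSLServerSocket s = serverSocketFor(mode);
            System.out.println(mode + " -> needClientAuth=" + s.getNeedClientAuth()
                    + " wantClientAuth=" + s.getWantClientAuth() + ": " + describe(s));
            s.close();
        }
    }
}
```

Expect needClientAuth=true only for REQUIRE and wantClientAuth=true only for WANT. The WANT line is the one to read carefully: the server asks for a certificate but accepts a client that sends none, so code behind such a server must inspect the peer certificate itself (for example via SSLSession.getPeerCertificates(), which throws SSLPeerUnverifiedException when none was sent) rather than assume the client was authenticated.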
XML Configuration
Info |
---|
Note that XML configuration is supported in both Spring and Blueprint format. |
Setting Client Authentication On the Server Side
This configuration sets the server side aspects of the TLS configuration to require client authentication during the handshake process. This configuration uses the default trust store and a custom key store to provide key material for both the server and client sides of the SSLContext.
Code Block |
---|
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:camel="http://camel.apache.org/schema/spring"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd">
<camel:sslContextParameters
id="mySslContext">
<camel:keyManagers
keyPassword="keyPassword">
<camel:keyStore
resource="/users/home/server/keystore.jks"
password="keystorePassword"/>
</camel:keyManagers>
    <!-- REQUIRE matches the Java example above; WANT would only request a certificate, NONE never asks for one -->
    <camel:serverParameters
      clientAuthentication="REQUIRE"/>
</camel:sslContextParameters>
</beans>
|
Configuring Different Options on the Client and Server Side
In this example, both the client and server sides share the same custom key store; however, the client side allows any supported cipher suite while the server side will use the default cipher suite filter and exclude any cipher suites that match the patterns .*NULL.* and .*anon.*.
Code Block |
---|
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
  xmlns:camel="http://camel.apache.org/schema/blueprint">
<camel:sslContextParameters
id="mySslContext">
<camel:keyManagers
keyPassword="keyPassword">
<camel:keyStore
resource="/users/home/server/keystore.jks"
password="keystorePassword"/>
</camel:keyManagers>
<camel:clientParameters>
<camel:cipherSuitesFilter>
<camel:include>.*</camel:include>
</camel:cipherSuitesFilter>
</camel:clientParameters>
</camel:sslContextParameters>
</blueprint>
|