Versions Compared

Old Version 6

changes.mady.by.user Colm O hEigeartaigh

Saved on

compared with

New Version 7

changes.mady.by.user Colm O hEigeartaigh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.

Code Block
xmlxml
titleKey Manager sample
xml
    <httpj:tlsServerParameters>
        ...
        <sec:keyManagers keyPassword="stskpass">
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:keyManagers>
        ...
    </httpj:tlsServerParameters>

...

The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients.

xml
Code Block
xml
titleTrust Manager sample
xml
    <httpj:tlsServerParameters>
        ...
        <sec:trustManagers>
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:trustManagers>
        ...
    </httpj:tlsServerParameters>

...

The CipherSuites Filter is used to either include or exclude particular CipherSuites.

xml
Code Block
xml
titleCipherSuites Filter sample
xml
    <httpj:tlsServerParameters>
        ...
        <sec:cipherSuitesFilter>
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
        ...
    </httpj:tlsServerParameters>

...

Cert constraints can be used by either the client or server to impose constraints on the peer certificates. This can be done by specifying a set of regular expressions on either the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator" attribute can also be specified for either the SubjectDNConstraints or IssuerDNConstraints Elements. This attribute can be either "ANY" or "ALL", and refers to whether any or all of the defined regular expressions should apply. The default value is "ALL".

Code Block
xmlxml
titleCipherSuites Filter sample
xml
    <httpj:tlsServerParameters>
        ...
        <sec:certConstraints>
            <sec:SubjectDNConstraints>
                <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
            </sec:SubjectDNConstraints>
            <sec:IssuerDNConstraints combinator="ALL">
                <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
                <sec:RegularExpression>.*O=OtherApacheTest.*</sec:RegularExpression>
            </sec:IssuerDNConstraints>
        </sec:certConstraints>
        ...
    </httpj:tlsServerParameters>

...

Attribute

Default

Description

disableCNCheck

false

Indicates whether that the hostname given in the HTTPS URL will be checked against the service's Common Name (CN) given in its certificate during requests, and failing if there is a mismatch. If set to true (not recommended for production use), such checks will be bypassed. That will allow you, for example, to use a URL such as localhost during development.

sslSocketFactory

 

A SSLSocketFactory to use. All other bean properties are ignored if this is set.

sslCacheTimeout

86400 seconds (24 hours)

SSL Cache Timeout in seconds.

useHttpsURLConnectionDefaultSslSocketFactory

false

This attribute specifies if HttpsURLConnection.getDefaultSSLSocketFactory() should be used to create https connections. If 'true', 'jsseProvider', 'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom', 'cipherSuites' and 'cipherSuitesFilter' configuration parameters are ignored.

useHttpsURLConnectionDefaultHostnameVerifier

false

This attribute specifies if HttpsURLConnection.getDefaultHostnameVerifier() should be used to create https connections. If 'true', 'disableCNCheck' configuration parameter is ignored.

Disable CN Check

Wiki Markup{{disableCNCheck}} is a parameterized boolean, you can use a fixed variable {{true}}\|{{false}} as well as a [Spring externalized property|http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer] variable (e.g. {{${disable-https-hostname-verification\}}}) or a [Spring expression|http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef] (e.g. {{#{systemProperties\['dev-mode'\]\}}}).

Code Block
xmlxml
titleHTTP conduit configuration disabling HTTP URL hostname verification (usage of localhost, etc)
xml
   <!-- deactivate HTTPS url hostname verification (localhost, etc)    -->
   <!-- WARNING ! disableCNcheck=true should NOT be used in production -->
   <http-conf:tlsClientParameters disableCNCheck="true" />
   ...

...

This allows you to define whether client authentication is wanted and/or required.

Code Block
xmlxml
titleClient Authentication sample
xml
    <httpj:tlsServerParameters>
        ...
        <sec:clientAuthentication want="true" required="true" />
        ...
    </httpj:tlsServerParameters>