Comment: Migrated to Confluence 5.3

...

The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.

Key Manager sample (xml):
    <httpj:tlsServerParameters>
        ...
        <sec:keyManagers keyPassword="stskpass">
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:keyManagers>
        ...
    </httpj:tlsServerParameters>

...

The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients.

Trust Manager sample (xml):
    <httpj:tlsServerParameters>
        ...
        <sec:trustManagers>
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:trustManagers>
        ...
    </httpj:tlsServerParameters>

...

The CipherSuites Filter is used to include or exclude particular CipherSuites. If no exclusion filter is specified, the default is to exclude all "NULL" and "anon" cipher suites. CXF 3.0.3 onwards also excludes all "DES" cipher suites by default, and 3.0.4 onwards additionally excludes all "EXPORT" cipher suites.

CipherSuites Filter sample (xml):
    <httpj:tlsServerParameters>
        ...
        <sec:cipherSuitesFilter>
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
        ...
    </httpj:tlsServerParameters>
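The sample above is worth reading against the default behaviour described in the text: because it specifies an explicit exclusion filter, the default exclusions (NULL, anon, DES, EXPORT) no longer apply, and its include patterns deliberately re-admit EXPORT and DES suites. The following Python model is an added example, not CXF code or any part of the original page; it applies the page's include/exclude description to a constructed list of cipher suite names. The precedence rule (a suite is enabled when it matches at least one include pattern and no exclude pattern), the treatment of an empty include list as "include everything", and the exact default exclude regexes are assumptions of the model.

```python
import re
from typing import List, Optional, Sequence

# Default exclusions as stated on the page: NULL and anon, plus DES (CXF 3.0.3+)
# and EXPORT (CXF 3.0.4+). The regex form is an assumption of this model.
DEFAULT_EXCLUDES = [r".*NULL.*", r".*anon.*", r".*DES.*", r".*EXPORT.*"]

# Constructed list standing in for the suites a JVM might report as supported.
SUPPORTED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

# The page's sample filter, transcribed from the XML above.
SAMPLE_INCLUDES = [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*", r".*_WITH_AES_.*"]
SAMPLE_EXCLUDES = [r".*_DH_anon_.*"]


def filter_cipher_suites(supported: Sequence[str],
                         includes: Optional[Sequence[str]] = None,
                         excludes: Optional[Sequence[str]] = None) -> List[str]:
    """Model of the filter semantics described on the page.

    A suite is enabled when it matches at least one include pattern and no
    exclude pattern. If no exclusion filter is given (excludes is None), the
    default exclusions apply. An empty/None include list means "include all"
    (assumption of this model). Whole-name matching is used, which is why the
    page's patterns are wrapped in .* on both sides.
    """
    inc = [re.compile(p) for p in (includes or [r".*"])]
    exc = [re.compile(p) for p in (DEFAULT_EXCLUDES if excludes is None else excludes)]
    enabled = []
    for suite in supported:
        if any(p.fullmatch(suite) for p in inc) and not any(p.fullmatch(suite) for p in exc):
            enabled.append(suite)
    return enabled


def sample_filter_result() -> List[str]:
    """What the page's sample filter enables out of the constructed suite list."""
    return filter_cipher_suites(SUPPORTED_SUITES, SAMPLE_INCLUDES, SAMPLE_EXCLUDES)


def default_filter_result() -> List[str]:
    """What is enabled when no filter is configured and the defaults apply."""
    return filter_cipher_suites(SUPPORTED_SUITES)


def weak_suites_enabled(enabled: Sequence[str]) -> List[str]:
    """Review check: which enabled suites would the default exclusions have removed?"""
    return [s for s in enabled if any(re.fullmatch(p, s) for p in DEFAULT_EXCLUDES)]


if __name__ == "__main__":
    print("sample filter enables:", sample_filter_result())
    print("defaults enable:      ", default_filter_result())
    print("weak suites re-enabled by the sample:", weak_suites_enabled(sample_filter_result()))
```

Running the model shows the point: with the defaults, only the AES and ChaCha20 suites survive, while the sample's explicit filter enables the EXPORT and DES suites and drops the ChaCha20 suite because nothing includes it. A filter that is meant to harden a deployment should therefore keep an explicit exclude list at least as strict as the defaults.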

...

Cert constraints can be used by either the client or the server to impose constraints on the peer's certificate. This is done by specifying a set of regular expressions on the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator" attribute can also be specified on either the SubjectDNConstraints or IssuerDNConstraints element. This attribute can be either "ANY" or "ALL", and determines whether any or all of the defined regular expressions must match. The default value is "ALL".

Cert Constraints sample (xml):
    <httpj:tlsServerParameters>
        ...
        <sec:certConstraints>
            <sec:SubjectDNConstraints>
                <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
            </sec:SubjectDNConstraints>
            <sec:IssuerDNConstraints combinator="ALL">
                <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
                <sec:RegularExpression>.*O=OtherApacheTest.*</sec:RegularExpression>
            </sec:IssuerDNConstraints>
        </sec:certConstraints>
        ...
    </httpj:tlsServerParameters>
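The combinator matters more than it looks in the sample above: with "ALL" (the default), both issuer regular expressions must match the same Issuer DN, so an issuer carrying only O=ApacheTest is rejected, whereas "ANY" would accept either organisation. The following Python model is an added example, not CXF code or part of the original page; it evaluates constructed Subject and Issuer DNs against the sample's patterns. Whole-DN matching (suggested by the sample's leading and trailing .*) and the treatment of an empty pattern set as "no constraint" are assumptions of the model.

```python
import re
from typing import Sequence

# The page's sample constraints, transcribed from the XML above.
SAMPLE_SUBJECT_PATTERNS = [r".*OU=Morpit.*"]
SAMPLE_ISSUER_PATTERNS = [r".*O=ApacheTest.*", r".*O=OtherApacheTest.*"]


def dn_matches(dn: str, patterns: Sequence[str], combinator: str = "ALL") -> bool:
    """Apply DN regular expressions with the page's combinator semantics.

    ALL (the default) requires every pattern to match the DN; ANY requires at
    least one. An empty pattern set imposes no constraint (assumption of this
    model). Patterns are matched against the whole DN string.
    """
    if not patterns:
        return True
    hits = [re.fullmatch(p, dn) is not None for p in patterns]
    if combinator == "ALL":
        return all(hits)
    if combinator == "ANY":
        return any(hits)
    raise ValueError('combinator must be "ANY" or "ALL"')


def peer_certificate_allowed(subject_dn: str, issuer_dn: str,
                             subject_patterns: Sequence[str] = (),
                             issuer_patterns: Sequence[str] = (),
                             subject_combinator: str = "ALL",
                             issuer_combinator: str = "ALL") -> bool:
    """A peer certificate passes only if both its Subject DN and Issuer DN satisfy
    their respective constraint sets."""
    return (dn_matches(subject_dn, subject_patterns, subject_combinator)
            and dn_matches(issuer_dn, issuer_patterns, issuer_combinator))


# Constructed DNs for illustration; they are not taken from any real certificate.
GOOD_SUBJECT = "CN=alice,OU=Morpit,O=ApacheTest"
OTHER_SUBJECT = "CN=bob,OU=Sales,O=ApacheTest"
SINGLE_ORG_ISSUER = "CN=Test CA,O=ApacheTest"
DUAL_ORG_ISSUER = "CN=Test CA,O=ApacheTest,O=OtherApacheTest"


def sample_allows(subject_dn: str, issuer_dn: str, issuer_combinator: str = "ALL") -> bool:
    """Evaluate a peer against the page's sample constraints, optionally
    overriding the issuer combinator to compare ALL with ANY."""
    return peer_certificate_allowed(subject_dn, issuer_dn,
                                    SAMPLE_SUBJECT_PATTERNS, SAMPLE_ISSUER_PATTERNS,
                                    issuer_combinator=issuer_combinator)


if __name__ == "__main__":
    for issuer in (SINGLE_ORG_ISSUER, DUAL_ORG_ISSUER):
        for comb in ("ALL", "ANY"):
            print(f"issuer={issuer!r:50} combinator={comb}: "
                  f"{sample_allows(GOOD_SUBJECT, issuer, comb)}")
```

In practice a single issuer DN rarely carries two O attributes, so an IssuerDNConstraints element listing two different organisations under "ALL" will reject almost every certificate; listing alternative trusted issuers is an "ANY" case, and relying on the default "ALL" there is a common way to lock out legitimate peers rather than tighten security.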

...

disableCNCheck is a parameterized boolean: you can use a fixed value (true|false), a Spring externalized property (e.g. ${disable-https-hostname-verification}) or a Spring expression (e.g. #{systemProperties['dev-mode']}).

HTTP conduit configuration disabling HTTPS URL hostname verification (usage of localhost, etc) (xml):
   <!-- deactivate HTTPS URL hostname verification (localhost, etc)     -->
   <!-- WARNING ! disableCNCheck="true" should NOT be used in production -->
   <http-conf:tlsClientParameters disableCNCheck="true" />
   ...

...

The clientAuthentication element defines whether client authentication is wanted and/or required by the server.

Client Authentication sample (xml):
    <httpj:tlsServerParameters>
        ...
        <sec:clientAuthentication want="true" required="true" />
        ...
    </httpj:tlsServerParameters>