SSL Context Provider

An SSL Context Provider defines the parameters used to make server or client connections secure over SSL. Once a provider is defined, it can be applied to IP-based protocols (such as HTTP or AS2). An SSL Context Provider refers to other providers to simplify its configuration. You will need to create these providers before you can complete the creation of the SSL Context Provider.

The Security Protocol property specifies the version of the protocol. The options are: SSL, SSLv2, SSLv3, TLS, TLSv1, and TLSv2. SSL is the Secure Sockets Layer and TLS is the Transport Layer Security. TLS is the successor of SSL. SSLv3 and TLSv1 are very similar, but they are not compatible with each other.

As of iSM version 6.1.3, TLS protocol version 2 is supported. Basic SSL is no longer considered to be sufficiently secure, and many of its shortcomings have been addressed with TLS. The SSL level setting represents the minimum acceptable security algorithm. iWay Software strongly recommends that TLS be considered as the minimum acceptable level. For secure transactions, specification of TLS version 2 is recommended, provided that both sides of the transaction have this algorithm available. iSM will negotiate for the highest level available when connections are established.

Note: You must have Java version 1.7 configured on your system to use TLS protocol version 2.

When the Client Authentication property is true, servers using this provider will use SSL client authentication, that is, the server must receive and authenticate a certificate from the client as part of the SSL handshake.

When the Hostname Verification property is true, clients using this provider will attempt to verify that the server's certificate matches its host name. That is, the common name part of the subject distinguished name must be the hostname.

The Enabled Cipher Suites property determines which cipher suites will be available during SSL negotiation. This is a comma-delimited list forming a subset of the Cipher Suites supported by the platform. If left blank, all available cipher suites will be enabled. A secure connection is only as secure as its weakest available cipher suite. Since some built-in cipher suites can be very weak, it is important to review the enabled cipher suites to verify they meet the security requirements of the application. The list of standard cipher suite names appears in Oracle's "Java Cryptography Architecture Standard Algorithm Name Documentation". The exact list of all cipher suites on the platform can be obtained by calling String[] SSLServerSocketFactory.getSupportedCipherSuites().
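
As an added example (not iWay code), the following Java program uses the getSupportedCipherSuites() call mentioned above to list the platform's suites, rejects those whose standard names mark them as weak, and prints the remainder as a comma-delimited value for the Enabled Cipher Suites property. The class name and the list of weak markers are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteAudit {
    // Substrings of standard JSSE suite names that indicate no encryption, no
    // authentication, export-grade keys or legacy algorithms. This marker list
    // is an assumption of the example; adjust it to your own policy.
    static final List<String> WEAK_MARKERS = Arrays.asList(
            "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5");

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Same call the documentation names: every suite the platform supports,
        // which is what a blank Enabled Cipher Suites property would enable.
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> keep = new ArrayList<>();
        for (String suite : factory.getSupportedCipherSuites()) {
            if (isWeak(suite)) {
                System.out.println("REJECT " + suite);
            } else {
                keep.add(suite);
            }
        }
        // Comma-delimited list in the form the property expects.
        System.out.println("Enabled Cipher Suites=" + String.join(",", keep));
    }
}
```

Run it with the same Java runtime that iSM uses, since the supported list differs between Java versions and installed JCE providers.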

A KeyStore provider is needed to know where to find the private keys. This can be the default SSL KeyStore or a specific KeyStore provider selected by name. A server always needs a private key associated with its server certificate. You can let JSSE pick a private key within the KeyStore, or you can choose exactly which key to use by specifying the server key alias. A client does not need a private key associated with a client certificate, unless client authentication is used. In that case, you can let JSSE pick a private key within the KeyStore, or you can choose exactly which key to use by specifying the client key alias.

Another KeyStore provider is needed to list the certificates of Trusted CAs. Preferably, this should not contain any other keys because they would also be treated as Trusted CAs. In particular, it is not recommended to use the same KeyStore provider for the private keys and the TrustStore. The client will use the TrustStore to validate the server certificate. The server will use the TrustStore to validate the client certificate when client authentication is used.

The validation can be improved by enabling certificate revocation to verify the peer certificate has not been revoked. This requires the name of a CertStore provider in the PKIX CertStore Provider property to specify where to find the certificate revocation lists.

An SSL Context maintains a session cache. Sessions in the cache can be reconnected with less overhead than those not cached. The Session Cache Size property determines the maximum number of SSL sessions that will be retained in the cache. The Session Timeout is the maximum length of time (in seconds) that an SSL session can remain in the cache.
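
The protocol, hostname verification, TrustStore, revocation and session cache settings described above correspond to standard JSSE calls, shown here as an added example that is not iSM's own code. It assumes the TLSv2 option corresponds to the JSSE protocol name TLSv1.2; the class name, host name and cache values are constructed for illustration.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class StrictClientContext {
    // Trust anchors are CA certificates only; CRLs are supplied through a CertStore,
    // the JSSE counterpart of the PKIX CertStore Provider property.
    static SSLContext build(Set<TrustAnchor> anchors, Collection<? extends CRL> crls)
            throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        pkix.setRevocationEnabled(true); // a peer whose status cannot be checked is rejected
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: no client certificate
        SSLSessionContext cache = ctx.getClientSessionContext();
        cache.setSessionCacheSize(100); // Session Cache Size (constructed value)
        cache.setSessionTimeout(300);   // Session Timeout in seconds (constructed value)
        return ctx;
    }

    // Allow TLS 1.2 only and turn on hostname verification for one engine.
    static void harden(SSLEngine engine) {
        SSLParameters p = engine.getSSLParameters();
        p.setProtocols(new String[] {"TLSv1.2"});
        p.setEndpointIdentificationAlgorithm("HTTPS"); // match certificate to the peer host
        engine.setSSLParameters(p);
    }

    public static void main(String[] args) throws Exception {
        // For the demo, reuse the JDK's default CA set as anchors and an empty CRL set.
        TrustManagerFactory def =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : def.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));

        SSLEngine engine = build(anchors, new ArrayList<CRL>()).createSSLEngine("host.example", 443);
        engine.setUseClientMode(true);
        harden(engine);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

With revocation enabled and no CRL covering the peer's issuer in the CertStore, the handshake fails, so the CRL source must be populated and kept current before the option is switched on.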

It is possible to select exactly which JCE provider will be used to create certain objects. The JCE SSL Context Provider determines which provider will be used to create the SSLContext. The JCE PKIX Trust Manager Provider property specifies which JCE provider will be used to get the instance of the PKIX TrustManagerFactory. The JCE Signature Provider property tells the TrustManagerFactory which JCE provider to use to get Signature objects. These properties can be set to "Not Specified" to choose the corresponding default JCE provider.

The following table lists the SSL Context Provider properties.

| Property | Description |
|---|---|
| Name * | The name of the SSL Context definition to add. |
| Description | A brief description of the use of this SSL Context. |
| Keystore Provider * | Configured Security Provider for the keystore you wish to use for this SSL context. Choose default to use the default SSL Keystore Provider. Keystores hold private keys. |
| Truststore Provider * | Configured Security Provider for the truststore you wish to use for this SSL context. Choose default to use the default SSL Keystore Provider. Truststores hold the certificate of Trusted CAs used to verify peer certificates. |
| Security Protocol * | Specify the version of security protocol that should be used. During SSL handshake, a negotiation selects the protocol to be used from the best mutually supported. This field sets the minimum acceptable security protocol. If the handshake cannot select a mutually supported protocol, the connection fails. The options are: SSL, SSLv2, SSLv3, TLS, TLSv1, and TLSv2. Note: You must have Java version 1.7 configured on your system to use TLS protocol version 2. |
| JCE SSL Context Provider | JCE Provider for the SSL Context. |
| Server Key Alias | Alias for the key to be used to identify secure servers using this SSL context. If not supplied, the key will be selected using JSSE default behavior. |
| Client Key Alias | Alias for the key to be used to identify secure clients using this SSL context. If not supplied, the key will be selected using JSSE default behavior. |
| Session Cache Size | The maximum number of SSL sessions that will be retained in the session cache. Sessions in the cache can be reconnected with less overhead than those not cached. |
| Session Timeout | Maximum length of time (in seconds) that an SSL session can remain in the cache. |
| Enable Certificate Revocation | Enable CRL checking of certificates during handshake. |
| OCSP Responder | Name of the OCSP Responder provider. This verifies the status of certificates online instead of relying on Certificate Revocation Lists (CRLs). |
| JCE PKIX Trust Manager Provider | JCE provider to construct PKIX Trust Manager. Choose 'Not Specified' for default. |
| JCE Signature Provider | JCE provider used to verify digital certificate signatures during handshake. |
| PKIX Certificate Store | Certificate store from which certificate revocation lists are loaded. |
| Enabled Cipher Suites | If supplied, only cipher suites on this list will be enabled for SSL sockets or SSL engines created using this provider. The user must take care that enabled cipher suites are supported by other components specified. Enter as comma-delimited list or use FILE() function. If left blank, all available cipher suites will be enabled and be available during SSL negotiation. |
| Hostname Verification | If true, client SSL connections using this provider will attempt to verify that the server certificate matches its host name. |
| Client Authentication | If true, servers using this provider will use SSL client authentication, that is, the server must receive and authenticate a certificate from the client as part of the SSL handshake. |


iWay Software