Platform SDK Java 8.5 API Reference

com.genesyslab.platform.commons.connection.tls
Class TLSConfiguration

java.lang.Object
  extended by com.genesyslab.platform.commons.connection.tls.TLSConfiguration
All Implemented Interfaces:
java.lang.Cloneable

public class TLSConfiguration
extends java.lang.Object
implements java.lang.Cloneable

Describes the TLS configuration options used in Genesys product deployments and supported by PSDK Commons.

WARNING: If only the "tls" option flag is set in a client application configuration, an encrypted connection is established, but no TLS authentication or certificate validation is performed.

Example. How to use TLSConfiguration:

       TLSConfiguration tlsConfig = new TLSConfiguration();
       tlsConfig.setTlsEnabled(true);
       tlsConfig.setClientMode(true);
       // ...
       Endpoint endpoint = new Endpoint(HOST, PORT, connConfig, 
                  true, tlsConfig.createSslContext(), tlsConfig.createSslExtendedOptions());
       UniversalContactServerProtocol ucs = new UniversalContactServerProtocol(endpoint);
       ucs.open();
       //... 
   

Note: Only shallow cloning is implemented.
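The warning above describes a connection that is encrypted but whose peer is never authenticated. The following is an added example, not Platform SDK code, of a client-side configuration that does authenticate the server with the PEM provider, plus a start-up check that rejects a "tls flag only" configuration before an Endpoint is created. It assumes only the getters, setters and provider constants listed on this page and that SSLExtendedOptions lives in the same package as TLSConfiguration; the CA file path, host name and password are constructed placeholders.

```java
import com.genesyslab.platform.commons.connection.tls.SSLExtendedOptions;
import com.genesyslab.platform.commons.connection.tls.TLSConfiguration;

import javax.net.ssl.SSLContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Added example (not SDK code): authenticated client TLS setup and a guard against encryption-only configs. */
public final class AuthenticatedClientTls {

    private AuthenticatedClientTls() {
    }

    /** Answers PasswordCallback with the given password; modelled on the CallbackHandler example on this page. */
    static CallbackHandler passwordHandler(final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback c : callbacks) {
                    if (c instanceof PasswordCallback) {
                        ((PasswordCallback) c).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(c, "only PasswordCallback is supported");
                    }
                }
            }
        };
    }

    /** PEM-provider client configuration: trust anchored to one CA file, host name check on, only TLSv1.2 enabled. */
    public static TLSConfiguration hardenedClientConfig(String serverHostname, String caCertPemPath, char[] storePassword) {
        TLSConfiguration cfg = new TLSConfiguration();
        cfg.setTlsEnabled(true);                                   // start TLS before any protocol traffic
        cfg.setClientMode(true);
        cfg.setProvider(TLSConfiguration.TLS_PROVIDER_PEM_FILE);   // explicit, so the provider is not inferred from a value
        cfg.setTrustedCaCertificate(caCertPemPath);                // placeholder path; the server chain must end at this CA
        cfg.setTargetNameCheckEnabled(true);
        cfg.setExpectedHostname(serverHostname);                   // certificate SAN/DN must match this name
        cfg.setVersion(TLSConfiguration.TLS_VERSION_1_2);
        cfg.setEnabledProtocols(TLSConfiguration.TLS_VERSION_1_2); // excludes the older versions the context would also enable
        // Both handlers are mandatory and must not be null, even when the PEM files need no password.
        CallbackHandler handler = passwordHandler(storePassword);
        cfg.setKeyStoreCallbackHandler(handler);
        cfg.setTrustStoreCallbackHandler(handler);
        return cfg;
    }

    /**
     * Fails fast on a client configuration that would encrypt without authenticating the server:
     * no trust anchor (PEM needs a CA file; MSCAPI and PKCS#11 select CA certificates themselves),
     * or no host name check where the provider supports one (PKCS#11 does not).
     */
    public static void requireServerAuthentication(TLSConfiguration cfg) {
        if (!cfg.isTlsEnabled() || !cfg.isClientMode()) {
            return; // server side or plain connection: outside this check's scope
        }
        String provider = cfg.getProvider();
        boolean providerManagesTrust = TLSConfiguration.TLS_PROVIDER_MSCAPI.equals(provider)
                || TLSConfiguration.TLS_PROVIDER_PKCS11.equals(provider);
        if (!providerManagesTrust && cfg.getTrustedCaCertificate() == null) {
            throw new IllegalStateException("TLS enabled without a trusted CA certificate: server would not be authenticated");
        }
        boolean hostCheckPossible = !TLSConfiguration.TLS_PROVIDER_PKCS11.equals(provider);
        if (hostCheckPossible && (!cfg.isTargetNameCheckEnabled() || cfg.getExpectedHostname() == null)) {
            throw new IllegalStateException("TLS enabled without host name verification: any valid certificate would be accepted");
        }
    }

    public static void main(String[] args) {
        // Constructed values; a real deployment reads the password from a protected source.
        char[] password = "changeit".toCharArray();
        TLSConfiguration cfg = hardenedClientConfig("ucs.example.internal", "/etc/genesys/tls/ca-cert.pem", password);
        requireServerAuthentication(cfg);

        SSLContext sslContext = cfg.createSslContext();            // SecurityException if settings are inconsistent
        SSLExtendedOptions options = cfg.createSslExtendedOptions();
        // sslContext and options are what the Endpoint constructor in the class example takes.
        System.out.println("TLS context ready: " + sslContext.getProtocol() + ", options: " + options);

        TLSConfiguration weak = new TLSConfiguration();            // the "tls flag only" case from the warning
        weak.setTlsEnabled(true);
        weak.setClientMode(true);
        try {
            requireServerAuthentication(weak);
        } catch (IllegalStateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The guard reads only state this page documents, so it can run against a TLSConfiguration produced by TLSConfigurationParser as well as one built by hand.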

See Also:
TLSConfigurationHelper, TLSConfigurationParser

Field Summary
static java.lang.String SSL_VERSION_2_HELLO
          SSL version 2 hello

Note: its availability depends on the OS and JVM configuration and version.
static java.lang.String SSL_VERSION_3
          SSL version 3

Note: its availability depends on the OS and JVM configuration and version.
static java.lang.String SSL_VERSION_DEFAULT
          SSL version default

Note: its availability depends on the OS and JVM configuration and version.
static java.lang.String TLS_PROVIDER_JKS
          Predefined value for TLSProvider field.
static java.lang.String TLS_PROVIDER_MSCAPI
          Predefined value for TLSProvider field.
static java.lang.String TLS_PROVIDER_PEM_FILE
          Predefined value for TLSProvider field.
static java.lang.String TLS_PROVIDER_PKCS11
          Predefined value for TLSProvider field.
static java.lang.String TLS_VERSION_1
          TLS version 1.0

Note: its availability depends on the OS and JVM configuration and version.
static java.lang.String TLS_VERSION_1_1
          TLS version 1.1

Note: its availability depends on the OS and JVM configuration and version.
static java.lang.String TLS_VERSION_1_2
          TLS version 1.2

Note: its availability depends on the OS and JVM configuration and version.
static java.lang.String TLS_VERSION_DEFAULT
          TLS default version (depends on the system and JVM configuration)
 
Constructor Summary
TLSConfiguration()
           
 
Method Summary
 java.lang.Object clone()
           
 javax.net.ssl.SSLContext createSslContext()
          Prepares SSLContext that can be then used to create Endpoints.
 SSLExtendedOptions createSslExtendedOptions()
          Prepares SSLExtendedOptions instance that can be then used to create Endpoints.
static java.lang.String enabledProtocols2sec(java.lang.String enabledProtocols)
           
 java.lang.String getCertificate()
           
 java.lang.String getCertificateKey()
           
 java.lang.String getCipherList()
          Gets the list of cipher names, separated by the space character, that is used to compute the enabled cipher suites as the intersection of two sets: (cipher suites supported by SSLEngine) x (cipherSuites).
 java.lang.String getCrl()
           
 java.lang.String getEnabledProtocols()
          Gets the list of protocol names, separated by the space character, that can be used.
 java.lang.String getExpectedHostname()
           
 javax.security.auth.callback.CallbackHandler getKeyStoreCallbackHandler()
           
 javax.security.auth.callback.CallbackHandler getKeyStoreEntryCallbackHandler()
          Gets CallbackHandler instance used to provide password to access key store entry containing key/certificate for this side.
 java.lang.String getProvider()
          Gets security provider, for key manager and trust manager, to be used.
 java.lang.String getSecProtocol()
          It is a virtual property.
 java.lang.String getTrustedCaCertificate()
           
 javax.security.auth.callback.CallbackHandler getTrustStoreCallbackHandler()
           
 java.lang.String getVersion()
          Gets security protocol that must be used if property isTlsEnabled() returns true.
 boolean isClientMode()
           
 boolean isFips140Enabled()
           
 boolean isMutual()
           
 boolean isTargetNameCheckEnabled()
           
 boolean isTlsEnabled()
          Returns TLS usage flag for the connection.
True value means that TLS should be started before any protocol communications with server.
static java.lang.String sec2EnabledProtocols(java.lang.String secProtocol)
           
static java.lang.String sec2Version(java.lang.String secProtocol)
           
 void setCertificate(java.lang.String certificate)
          Sets path to certificate file for PEM security provider or certificate thumbprint for MSCAPI provider.
 void setCertificateKey(java.lang.String certificateKey)
          Sets path to certificate key file.
 void setCipherList(java.lang.String cipherList)
          Sets the list of cipher names, separated by the space character, that is used to compute the enabled cipher suites as the intersection of two sets: (cipher suites supported by SSLEngine) x (cipherSuites).
 void setClientMode(boolean clientMode)
          Sets whether TLS shall be used by the client side or by the server side of the connection.
 void setCrl(java.lang.String crl)
          Sets the path to a certificate revocation list (CRL) file.
 void setEnabledProtocols(java.lang.String... enabledProtocolList)
          Sets the list of enabled protocols from among those supported by the protocol that was set using setVersion(String).
 void setEnabledProtocols(java.lang.String enabledProtocolList)
          Sets the list of enabled protocols from among those supported by the protocol that was set using setVersion(String).
 void setExpectedHostname(java.lang.String expectedHostname)
          Sets the host name or IP address against which the host name contained in a peer certificate is checked.
 void setFips140Enabled(boolean fips140Enabled)
          Sets flag that requests usage of PKCS#11 security provider in FIPS mode.
 void setKeyStoreCallbackHandler(javax.security.auth.callback.CallbackHandler keyStoreCallbackHandler)
          Sets the CallbackHandler instance used to provide the password to access the key store containing the key/certificate for this side.
 void setKeyStoreEntryCallbackHandler(javax.security.auth.callback.CallbackHandler keyStoreEntryCallbackHandler)
          Sets the CallbackHandler instance used to provide the password to access the key store entry containing the key/certificate for this side.
 void setMutual(boolean mutual)
          Applicable to server applications only.
 void setProvider(java.lang.String provider)
          Allows explicit setting of the security provider, for key manager and trust manager, to be used.
 void setSecProtocol(java.lang.String value)
          It is a virtual property.
 void setTargetNameCheckEnabled(boolean targetNameCheckEnabled)
          Controls whether the peer certificate should be checked for a host name match.
 void setTlsEnabled(boolean tlsEnabled)
          Sets the TLS usage flag for the connection.
 void setTrustedCaCertificate(java.lang.String trustedCaCertificate)
          Sets the path to the CA certificate file.
 void setTrustStoreCallbackHandler(javax.security.auth.callback.CallbackHandler trustStoreCallbackHandler)
          Sets the CallbackHandler instance used to provide the password to access the store containing the trusted CA certificate.
 void setVersion(java.lang.String protocol)
          Sets the security protocol that must be used for secured communications.
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

TLS_VERSION_DEFAULT

public static final java.lang.String TLS_VERSION_DEFAULT
TLS default version (depends on the system and JVM configuration)

See Also:
Constant Field Values

TLS_VERSION_1

public static final java.lang.String TLS_VERSION_1
TLS version 1.0

Note: its availability depends on the OS and JVM configuration and version.

See Also:
Constant Field Values

TLS_VERSION_1_1

public static final java.lang.String TLS_VERSION_1_1
TLS version 1.1

Note: its availability depends on the OS and JVM configuration and version.

See Also:
Constant Field Values

TLS_VERSION_1_2

public static final java.lang.String TLS_VERSION_1_2
TLS version 1.2

Note: its availability depends on the OS and JVM configuration and version.

See Also:
Constant Field Values

SSL_VERSION_3

public static final java.lang.String SSL_VERSION_3
SSL version 3

Note: its availability depends on the OS and JVM configuration and version.

See Also:
Constant Field Values

SSL_VERSION_2_HELLO

public static final java.lang.String SSL_VERSION_2_HELLO
SSL version 2 hello

Note: its availability depends on the OS and JVM configuration and version.

See Also:
Constant Field Values

SSL_VERSION_DEFAULT

public static final java.lang.String SSL_VERSION_DEFAULT
SSL version default

Note: its availability depends on the OS and JVM configuration and version.

See Also:
Constant Field Values

TLS_PROVIDER_PEM_FILE

public static final java.lang.String TLS_PROVIDER_PEM_FILE

Predefined value for TLSProvider field. Signals that keys and certificates are contained in PEM files and Java built-in security provider should be used.

See Also:
Constant Field Values

TLS_PROVIDER_PKCS11

public static final java.lang.String TLS_PROVIDER_PKCS11

Predefined value for TLSProvider field. Signals that PKCS#11 security provider (e.g. Mozilla NSS) should be used.

See Also:
Constant Field Values

TLS_PROVIDER_MSCAPI

public static final java.lang.String TLS_PROVIDER_MSCAPI

Predefined value for TLSProvider field. Signals that MSCAPI security provider (Windows Certificate Services) should be used.

Note: this provider is only available since Java 6 (32-bit) and Java 7 (32-bit and 64-bit).

See Also:
Constant Field Values

TLS_PROVIDER_JKS

public static final java.lang.String TLS_PROVIDER_JKS

Predefined value for TLSProvider field. Signals that JKS security provider (native java keystore format) should be used.

See Also:
Constant Field Values
Constructor Detail

TLSConfiguration

public TLSConfiguration()
Method Detail

sec2EnabledProtocols

public static java.lang.String sec2EnabledProtocols(java.lang.String secProtocol)

sec2Version

public static java.lang.String sec2Version(java.lang.String secProtocol)

enabledProtocols2sec

public static java.lang.String enabledProtocols2sec(java.lang.String enabledProtocols)

createSslContext

public javax.net.ssl.SSLContext createSslContext()
Prepares SSLContext that can be then used to create Endpoints.

Returns:
Configured SSLContext instance.
Throws:
java.lang.SecurityException - if TLS parameters are inconsistent, not valid or do not match OS/Java configuration.
See Also:
TLSConfigurationParser

createSslExtendedOptions

public SSLExtendedOptions createSslExtendedOptions()
Prepares an SSLExtendedOptions instance that can then be used to create Endpoints. SSLExtendedOptions carries the TLS/SSL options that cannot be set directly on an SSLContext.

Returns:
Configured SSLExtendedOptions instance.
See Also:
TLSConfigurationParser

isTlsEnabled

public boolean isTlsEnabled()
Returns TLS usage flag for the connection.
True value means that TLS should be started before any protocol communications with server.

Note: There is a special case with the Genesys Configuration Server "TLS Auto-detect" port. In this case TLS should not be enabled at the beginning; it is started by a special server request in the middle of the handshake procedure.
So, for a Configuration Server "TLS Auto-detect" port connection this value should be false.

To control what security protocol should be used see getVersion().

Returns:
initial TLS usage flag
See Also:
Connection.TLS_KEY = "TLS", AbstractConnectionConfiguration.isTLSEnabled(), AbstractConnectionConfiguration.setTLSEnabled(boolean)

setTlsEnabled

public void setTlsEnabled(boolean tlsEnabled)

Sets TLS usage flag for the connection.

See details at isTlsEnabled().

Parameters:
tlsEnabled - If set to true, TLS shall be started before any protocol communications. If set to false, TLS is not started immediately but can be started by the protocol if the TLS port upgrade feature is used.

getProvider

public java.lang.String getProvider()
Gets security provider, for key manager and trust manager, to be used.

Returns:
security provider name.

setProvider

public void setProvider(java.lang.String provider)

Allows explicit setting of security provider, for key manager and trust manager, to be used.

The security provider can be determined implicitly from the certificate or CA certificate values. For example, setting a file path as TLSCertificate implies the PEM provider, and setting a hexadecimal string implies the MSCAPI provider. In some cases this is not the desired behavior.

An explicit provider setting is useful if the user cannot or does not provide values for the TLSCertificate, TLSTrustedCaCertificate and/or TLSFips140Enabled fields. For example, the MSCAPI and PKCS#11 providers keep certificates and keys in their internal databases and automatically find suitable ones.

Parameters:
provider - Currently supported values are TLS_PROVIDER_PEM_FILE, TLS_PROVIDER_PKCS11, and TLS_PROVIDER_MSCAPI.

getCertificate

public java.lang.String getCertificate()

setCertificate

public void setCertificate(java.lang.String certificate)

Sets path to certificate file for PEM security provider or certificate thumbprint for MSCAPI provider.

Has no meaning for PKCS#11 provider, since it does not allow explicit certificate selection.

Examples:

     // MSCAPI provider: whitespace symbols are okay, they are filtered out
     setCertificate("4A 3F E5 08 48 3A 00 71 8E E6 C1 34 56 A4 48 34 55 49 D9 0E");
     // PEM provider:
     setCertificate("c:/certificates/server-cert.pem");
 

Parameters:
certificate - For PEM security provider, sets path to an existing file containing certificate in PEM-encoded X.509 format. For MSCAPI security provider, sets hexadecimal thumbprint (SHA1 hash of signed certificate data) used to identify entry in Windows Certificate Services.

getCertificateKey

public java.lang.String getCertificateKey()

setCertificateKey

public void setCertificateKey(java.lang.String certificateKey)

Sets path to certificate key file.

Applicable to the PEM security provider only. Has no meaning for the PKCS#11 and MSCAPI providers: PKCS#11 does not allow explicit selection of certificates and keys, and the MSCAPI provider keeps the key attached to the corresponding certificate.

Example:

     // PEM provider:
     setCertificateKey("c:/certificates/server-cert-key.pem");
 

Parameters:
certificateKey - For PEM security provider, sets path to an existing file containing private key in PEM-encoded PKCS#8 format.

getTrustedCaCertificate

public java.lang.String getTrustedCaCertificate()

setTrustedCaCertificate

public void setTrustedCaCertificate(java.lang.String trustedCaCertificate)

Sets path to CA certificate file.

Applicable to the PEM security provider only. Has no meaning for the PKCS#11 and MSCAPI providers: PKCS#11 does not allow explicit selection of the CA certificate, and the MSCAPI provider keeps a list of CA certificates and selects one automatically.

Example:

     // PEM provider:
     setTrustedCaCertificate("c:/certificates/ca-cert.pem");
 

Parameters:
trustedCaCertificate - For PEM security provider, sets path to file in X.509 PEM format to read CA certificate from.

isMutual

public boolean isMutual()

setMutual

public void setMutual(boolean mutual)

Applicable to server applications only. Controls whether the server checks that connecting clients present valid certificates.

Parameters:
mutual - true - the server requires the connecting client to present a valid certificate; false - the server does not require a client certificate.

getCrl

public java.lang.String getCrl()

setCrl

public void setCrl(java.lang.String crl)

Sets path to certificate revocation list (CRL) file. Only file-based CRLs in PEM format are supported.

Applicable to all security providers.

Example:

     setCrl("c:/certificates/ca-crl.pem");
 

Parameters:
crl - Path to CRL file in PEM format to read CRL data from. Can be null - in this case CRL will not be used.

isTargetNameCheckEnabled

public boolean isTargetNameCheckEnabled()

setTargetNameCheckEnabled

public void setTargetNameCheckEnabled(boolean targetNameCheckEnabled)

Controls whether peer certificate should be checked for host name match.

Applicable to the PEM and MSCAPI providers. The PKCS#11 provider does not allow custom certificate validation.

Parameters:
targetNameCheckEnabled - true - host name check will be performed, false - any host name in certificate will be accepted.
See Also:
setExpectedHostname(String)

getCipherList

public java.lang.String getCipherList()

Gets the list of cipher names, separated by the space character, that is used to compute the enabled cipher suites as the intersection of two sets: (cipher suites supported by SSLEngine) x (cipherSuites).

Applicable to all security providers, although the exact behavior may depend on the provider and/or OS configuration.

Example:

     setCipherList("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA " +
             "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA");
 

Information on cipher names can be found in the
Java™ Cryptography Architecture Standard Algorithm Name Documentation.

To retrieve the cipher suites supported for a given security protocol you can use the following code:

      SSLContext context = SSLContext.getInstance("TLSv1.2");
      context.init(null, null, null); // required: createSSLEngine() throws IllegalStateException on an uninitialized context
      SSLEngine ssle = context.createSSLEngine();
      String[] supportedCipherSuites = ssle.getSupportedCipherSuites();
  

Returns:
List of cipher names separated by the space character.
See Also:
SSLEngine, TLSConfiguration.getProtocol()

setCipherList

public void setCipherList(java.lang.String cipherList)

Sets the list of cipher names, separated by the space character, that is used to compute the enabled cipher suites as the intersection of two sets: (cipher suites supported by SSLEngine) x (cipherSuites).

Applicable to all security providers, although the exact behavior may depend on the provider and/or OS configuration.

Example:

     setCipherList("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA " +
             "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA");
 

Information on cipher names can be found in the
Java™ Cryptography Architecture Standard Algorithm Name Documentation.

To retrieve the cipher suites supported for a given security protocol you can use the following code:

      SSLContext context = SSLContext.getInstance("TLSv1.2");
      context.init(null, null, null); // required: createSSLEngine() throws IllegalStateException on an uninitialized context
      SSLEngine ssle = context.createSSLEngine();
      String[] supportedCipherSuites = ssle.getSupportedCipherSuites();
  

Parameters:
cipherList - List of cipher names separated by the space character.
See Also:
SSLEngine, TLSConfiguration.getProtocol()

isFips140Enabled

public boolean isFips140Enabled()

setFips140Enabled

public void setFips140Enabled(boolean fips140Enabled)

Sets flag that requests usage of PKCS#11 security provider in FIPS mode.

Parameters:
fips140Enabled - true - implies usage of the PKCS11 provider in FIPS mode; false - Platform SDK will throw an exception on an attempt to use a non-PKCS11 provider.

getKeyStoreCallbackHandler

public javax.security.auth.callback.CallbackHandler getKeyStoreCallbackHandler()

setKeyStoreCallbackHandler

public void setKeyStoreCallbackHandler(javax.security.auth.callback.CallbackHandler keyStoreCallbackHandler)

Sets the CallbackHandler instance used to provide the password to access the key store containing the key/certificate for this side.

Must always be provided; cannot be null. Use a DummyCallbackHandler instance if no password is required.

If the same store is used for both the key/certificate and the trusted CA certificate then the same callback handler can be used.

Example:

     setKeyStoreCallbackHandler(new DummyCallbackHandler());
     // or,
     setKeyStoreCallbackHandler(new CallbackHandler() {
         public void handle(Callback[] callbacks) {
             // Literal shown for illustration; production code reads the password from a protected source.
             final char[] password = new char[] {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
             for (Callback c : callbacks) {
                 if (c instanceof PasswordCallback) {
                     ((PasswordCallback) c).setPassword(password);
                 }
             }
         }
     });
 

Parameters:
keyStoreCallbackHandler - CallbackHandler instance for key/certificate key store.

getTrustStoreCallbackHandler

public javax.security.auth.callback.CallbackHandler getTrustStoreCallbackHandler()

setTrustStoreCallbackHandler

public void setTrustStoreCallbackHandler(javax.security.auth.callback.CallbackHandler trustStoreCallbackHandler)

Sets the CallbackHandler instance used to provide the password to access the store containing the trusted CA certificate.

Must always be provided; cannot be null. Use a DummyCallbackHandler instance if no password is required.

If the same store is used for both the key/certificate and the trusted CA certificate then the same callback handler can be used.

Example:

     setTrustStoreCallbackHandler(new DummyCallbackHandler());
     // or,
     setTrustStoreCallbackHandler(new CallbackHandler() {
         public void handle(Callback[] callbacks) {
             // Literal shown for illustration; production code reads the password from a protected source.
             final char[] password = new char[] {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
             for (Callback c : callbacks) {
                 if (c instanceof PasswordCallback) {
                     ((PasswordCallback) c).setPassword(password);
                 }
             }
         }
     });
 

Parameters:
trustStoreCallbackHandler - CallbackHandler instance for trusted CA certificate store.

getExpectedHostname

public java.lang.String getExpectedHostname()

setExpectedHostname

public void setExpectedHostname(java.lang.String expectedHostname)

Sets the host name or IP address against which the host name contained in a peer certificate is checked. The check is performed when "expectedHostname" has a non-null value.

A peer certificate is first checked for an "Alternative Name" extension to get the host name from it. If no such extension is found, the certificate's "Distinguished Name" field is searched for the host name. The resulting certificate host name is matched against expectedHostname. If expectedHostname contains an IP address, a strict character-by-character match is used. If expectedHostname contains a DNS name, wildcards can be used.

Example:

     setExpectedHostname("foo.bar.com");

     // Wildcards can be used; "foo.bar.com" will match the following patterns:
     setExpectedHostname("*.bar.com");
     setExpectedHostname("foo.*.com");

     // Wildcard can match only one level in domain name.
     // "foo.bar.com" will NOT match the following patterns:
     setExpectedHostname("*");
     setExpectedHostname("*.com");

     // IP addresses can be used. They imply exact char-to-char matching:
     setExpectedHostname("192.168.1.1");
     setExpectedHostname("127.0.0.1");
     setExpectedHostname("::");
     setExpectedHostname("::ffff:192.168.1.1");
     setExpectedHostname("2001:DB8::CAFE");
 

Parameters:
expectedHostname - DNS name or IP address to match certificate against. Can be null, in this case no check will be performed.
See Also:
setTargetNameCheckEnabled(boolean)
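The matching rules described above (Subject Alternative Name before Distinguished Name, exact match for IP literals, one label per wildcard) can be checked offline before a pattern is deployed. The following is an added example, not the SDK's own matcher: it reimplements the rules as this page states them and runs them over the patterns listed in the example above. How an IP literal is told apart from a DNS name, and the use of the CN attribute as the DN's host name, are assumptions of this example.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not SDK code): the expected-host-name rules from setExpectedHostname, as described. */
public final class ExpectedHostnameMatcher {

    private static final Pattern CN = Pattern.compile("(?:^|,)\\s*CN=([^,]+)");
    private static final int SAN_DNS_NAME = 2;   // GeneralName tags per X509Certificate.getSubjectAlternativeNames()
    private static final int SAN_IP_ADDRESS = 7;

    private ExpectedHostnameMatcher() {
    }

    /** Assumption: a value containing ':' (IPv6) or four dotted numbers (IPv4) is an IP literal. */
    static boolean isIpLiteral(String value) {
        return value.indexOf(':') >= 0 || value.matches("[0-9]+(\\.[0-9]+){3}");
    }

    /** True if the host name taken from the peer certificate satisfies expectedHostname. */
    public static boolean matches(String expectedHostname, String certificateHostName) {
        if (expectedHostname == null) {
            return true;                           // null disables the check (parameter description)
        }
        if (certificateHostName == null) {
            return false;                          // nothing in the certificate to match against
        }
        if (isIpLiteral(expectedHostname)) {
            return expectedHostname.equals(certificateHostName);   // strict character-by-character match
        }
        String[] want = expectedHostname.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] have = certificateHostName.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (want.length != have.length) {
            return false;                          // a wildcard covers one label: "*" and "*.com" never match "foo.bar.com"
        }
        for (int i = 0; i < want.length; i++) {
            if (!"*".equals(want[i]) && !want[i].equals(have[i])) {
                return false;
            }
        }
        return true;
    }

    /** Lookup order from the description: a Subject Alternative Name entry first, then the CN of the Distinguished Name. */
    public static String hostNameFrom(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                int type = (Integer) entry.get(0);
                if (type == SAN_DNS_NAME || type == SAN_IP_ADDRESS) {
                    return (String) entry.get(1);  // both are represented as strings by the JDK
                }
            }
        }
        Matcher m = CN.matcher(cert.getSubjectX500Principal().getName());
        return m.find() ? m.group(1).trim() : null;
    }

    public static void main(String[] args) {
        String certName = "foo.bar.com";          // constructed certificate host name
        String[] patterns = {"foo.bar.com", "*.bar.com", "foo.*.com", "*", "*.com", "192.168.1.1"};
        for (String p : patterns) {
            // Per the description: the first three match, the rest do not.
            System.out.printf("%-14s vs %s -> %s%n", p, certName, matches(p, certName));
        }
        System.out.println("IPv6 exact: " + matches("2001:DB8::CAFE", "2001:DB8::CAFE"));          // true
        System.out.println("IPv6 mapped: " + matches("::ffff:192.168.1.1", "192.168.1.1"));         // false: no normalisation
    }
}
```

Because IP literals are compared character by character, "::ffff:192.168.1.1" and "192.168.1.1" are different values; the expectedHostname must be written exactly as the certificate carries it.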

isClientMode

public boolean isClientMode()

setClientMode

public void setClientMode(boolean clientMode)

Sets whether TLS shall be used by client side or by server side of the connection. In the end, this setting will be passed to SSLEngine instance used to support TLS and affect TLS protocol behavior. In particular, this flag defines which side will start TLS negotiation upon connection.

Note: TLSConfigurationParser sets this flag automatically.

Parameters:
clientMode - If set to true, TLS will be configured for client-side behavior, if set to false - for server-side behavior.
See Also:
TLSConfigurationParser

getVersion

public java.lang.String getVersion()
Gets security protocol that must be used if property isTlsEnabled() returns true.

WARNING: this property does not guarantee that exactly the protocol named here is used.
See details at setVersion(String).

Returns:
security protocol name.
See Also:
AbstractConnectionConfiguration.getTLSVersion()

setVersion

public void setVersion(java.lang.String protocol)
Sets security protocol that must be used for secured communications.

Information on protocol names can be found in the
Java™ Cryptography Architecture Standard Algorithm Name Documentation.

You can use the predefined constants:
TLS_VERSION_DEFAULT; TLS_VERSION_1; TLS_VERSION_1_1; TLS_VERSION_1_2;
SSL_VERSION_DEFAULT; SSL_VERSION_2; SSL_VERSION_3;

If this property is set to null then the "TLS" value is used,
i.e. a default TLS version is chosen by the security provider.

WARNING: "TLSv1.2" is the default TLS version since Java 8.
In earlier Java versions the default TLS version is "TLSv1".

WARNING: this property does not guarantee that exactly the protocol named here is used,
because a protocol implementation can support several protocol versions (for example earlier ones) and allows them to be used.
Use setEnabledProtocols(String) to control which protocols can be used.

To retrieve the list of protocols supported by an implementation you can use the following code:

      SSLContext context = SSLContext.getInstance("TLSv1.2");
      // Initialize before creating an engine; createSSLEngine() throws IllegalStateException otherwise.
      // The trust-everyone trust manager is acceptable here only because no connection is opened.
      context.init(new KeyManager[]{KeyManagerHelper.createEmptyKeyManager()},
               new TrustManager[]{TrustManagerHelper.createTrustEveryoneTrustManager()}, new SecureRandom());
      SSLEngine ssle = context.createSSLEngine();
      String[] supportedProtocols = ssle.getSupportedProtocols();

INFO: On JDK7 the "TLSv1.2" protocol implementation supports: "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2".

NOTE: TLSv1.2 is available by default since Java 7.
It can be made available in earlier Java versions on Windows
using the Java Control Panel, "Advanced" tab, by checking the option "Use TLS 1.2".

This property is used for SSLContext creation in the following way:

  SSLContext.getInstance(getVersion())

Information on JDK security providers (which provide the security protocols) can be found in the
JCA Oracle Providers Documentation.

The set of available security protocols depends on the security providers that supply them;
these providers are defined in the {JDK}\jre\lib\security\java.security file.
You can change their priority (order) or add/remove providers.

Parameters:
protocol - security protocol name.

getEnabledProtocols

public java.lang.String getEnabledProtocols()

Gets the list of protocol names, separated by the space character, that can be used.

See details at setEnabledProtocols(String).

Returns:
protocol names separated by space character.
See Also:
SSLEngine

setEnabledProtocols

public void setEnabledProtocols(java.lang.String enabledProtocolList)

Sets the list of enabled protocols from among those supported by the protocol that was set using setVersion(String).

Most security protocol implementations also enable earlier versions of the protocol;
this method is provided to limit the list of protocols that can be used.

For example, on Java 7 the "TLSv1.2" protocol enables the following protocols:
"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2".

Example:

     setEnabledProtocols("TLSv1 TLSv1.1 TLSv1.2");
 

Information on protocol names can be found in the
Java™ Cryptography Architecture Standard Algorithm Name Documentation for J2SE 8.

To retrieve the protocols supported for a given security protocol you can use the following code:

      SSLContext context = SSLContext.getInstance("TLSv1.2");
      // Initialize before creating an engine; createSSLEngine() throws IllegalStateException otherwise.
      // The trust-everyone trust manager is acceptable here only because no connection is opened.
      context.init(new KeyManager[]{KeyManagerHelper.createEmptyKeyManager()},
               new TrustManager[]{TrustManagerHelper.createTrustEveryoneTrustManager()}, new SecureRandom());
      SSLEngine ssle = context.createSSLEngine();
      String[] supportedProtocols = ssle.getSupportedProtocols();
  

Parameters:
enabledProtocolList - List of protocol names separated by space character.
See Also:
SSLEngine

setEnabledProtocols

public void setEnabledProtocols(java.lang.String... enabledProtocolList)

Sets the list of enabled protocols from among those supported by the protocol that was set using setVersion(String).

Most security protocol implementations also enable earlier versions of the protocol;
this method is provided to limit the list of protocols that can be used.

For example, on Java 7 the "TLSv1.2" protocol enables the following protocols:
"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2".

Example:

     setEnabledProtocols("TLSv1", "TLSv1.1", "TLSv1.2");
 

Information on protocol names can be found in the
Java™ Cryptography Architecture Standard Algorithm Name Documentation for J2SE 8.

To retrieve the protocols supported for a given security protocol you can use the following code:

      SSLContext context = SSLContext.getInstance("TLSv1.2");
      // Initialize before creating an engine; createSSLEngine() throws IllegalStateException otherwise.
      // The trust-everyone trust manager is acceptable here only because no connection is opened.
      context.init(new KeyManager[]{KeyManagerHelper.createEmptyKeyManager()},
               new TrustManager[]{TrustManagerHelper.createTrustEveryoneTrustManager()}, new SecureRandom());
      SSLEngine ssle = context.createSSLEngine();
      String[] supportedProtocols = ssle.getSupportedProtocols();
  

Parameters:
enabledProtocolList - List of protocol names.
See Also:
SSLEngine
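The snippets for listing supported cipher suites (getCipherList/setCipherList) and supported protocols (setVersion/setEnabledProtocols), together with the intersection rule for the cipher list, combine into one audit that runs on the local JVM before a configuration is deployed. The following is an added example, not Platform SDK code: it initializes the context with the JDK's default key and trust managers instead of the PSDK helper classes shown above, and the cipher and protocol lists it checks are the constructed values from this page's examples.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example (not SDK code): audits a version, enabled-protocol list and cipher list against the local SSLEngine. */
public final class TlsCapabilityAudit {

    /** Versions that a "TLSv1.2" context may still enable and that an enabled list should not keep. */
    static final Set<String> LEGACY_PROTOCOLS = new HashSet<>(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));

    private TlsCapabilityAudit() {
    }

    /** Same steps as the page's snippets; init() is required or createSSLEngine() throws IllegalStateException. */
    public static SSLEngine engineFor(String protocol) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext context = SSLContext.getInstance(protocol);  // the call setVersion() feeds, per the description
        context.init(null, null, null);                          // JDK default managers; no connection is made here
        return context.createSSLEngine();
    }

    /** Enabled suites as the page defines them: (supported by SSLEngine) intersected with the space-separated cipherList. */
    public static List<String> enabledCipherSuites(SSLEngine engine, String cipherList) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        List<String> enabled = new ArrayList<>();
        for (String name : cipherList.trim().split("\\s+")) {
            if (supported.contains(name)) {
                enabled.add(name);                               // keeps the order of the configured list
            }
        }
        return enabled;
    }

    /** Names in a space-separated list that the engine does not offer at all (typos, or suites/versions removed by the JDK). */
    public static List<String> unsupportedNames(String[] supportedByEngine, String spaceSeparatedList) {
        Set<String> supported = new HashSet<>(Arrays.asList(supportedByEngine));
        List<String> missing = new ArrayList<>();
        for (String name : spaceSeparatedList.trim().split("\\s+")) {
            if (!supported.contains(name)) {
                missing.add(name);
            }
        }
        return missing;
    }

    /** Legacy versions that an enabled-protocol list would still allow a peer to negotiate. */
    public static Set<String> legacyIn(String enabledProtocols) {
        Set<String> found = new LinkedHashSet<>();
        for (String name : enabledProtocols.trim().split("\\s+")) {
            if (LEGACY_PROTOCOLS.contains(name)) {
                found.add(name);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = engineFor("TLSv1.2");
        System.out.println("Protocols behind \"TLSv1.2\": " + Arrays.toString(engine.getSupportedProtocols()));

        // Constructed audit input: the lists from this page's examples.
        String cipherList = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA "
                + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
        String enabledProtocols = "TLSv1 TLSv1.1 TLSv1.2";

        System.out.println("Cipher suites that would be enabled: " + enabledCipherSuites(engine, cipherList));
        System.out.println("Requested suites this JVM cannot offer: "
                + unsupportedNames(engine.getSupportedCipherSuites(), cipherList));
        System.out.println("Requested protocols this JVM cannot offer: "
                + unsupportedNames(engine.getSupportedProtocols(), enabledProtocols));
        System.out.println("Legacy versions still enabled: " + legacyIn(enabledProtocols));
    }
}
```

Run it on the JVM that will host the application: the supported sets differ between Java versions and providers, so a cipher list or enabled-protocol list that intersects to nothing on the target JVM is caught here rather than at the first handshake.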

getSecProtocol

public java.lang.String getSecProtocol()
It is a virtual property. It tries to derive the "sec-protocol" value from the values of the Java-specific properties ProtocolVersion and EnabledProtocolList.

Returns:
one of the following values: null, "SSLv23", "SSLv3", "TLSv1", "TLSv11", "TLSv12". null means that the "sec-protocol" value cannot be determined, i.e. there is no mapping from the Java-specific properties' values.

setSecProtocol

public void setSecProtocol(java.lang.String value)
It is a virtual property. It tries to apply a "sec-protocol" value to the Java-specific properties ProtocolVersion and EnabledProtocolList.

Parameters:
value - supported values: "SSLv23", "SSLv3", "TLSv1", "TLSv11", "TLSv12".
Throws:
java.lang.IllegalArgumentException - if an unsupported value is passed as the argument.

clone

public java.lang.Object clone()
Overrides:
clone in class java.lang.Object

getKeyStoreEntryCallbackHandler

public javax.security.auth.callback.CallbackHandler getKeyStoreEntryCallbackHandler()

Gets CallbackHandler instance used to provide password to access key store entry containing key/certificate for this side.

NOTE: if it isn't assigned (is null) then getKeyStoreCallbackHandler() is used.

Returns:
CallbackHandler instance used to provide password to access key store entry containing key/certificate for this side.

setKeyStoreEntryCallbackHandler

public void setKeyStoreEntryCallbackHandler(javax.security.auth.callback.CallbackHandler keyStoreEntryCallbackHandler)

Sets CallbackHandler instance used to provide password to access key store entry containing key/certificate for this side.

NOTE: if it isn't assigned (is null) then getKeyStoreCallbackHandler() is used.

If the same store is used for both key/certificate and trusted CA certificate then the same callback handler can be used.

Example:

     setKeyStoreEntryCallbackHandler(new DummyCallbackHandler());
     // or,
     setKeyStoreEntryCallbackHandler(new CallbackHandler() {
         public void handle(Callback[] callbacks) {
             final char[] password = new char[] {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
             for (Callback c : callbacks) {
                 if (c instanceof PasswordCallback) {
                     ((PasswordCallback) c).setPassword(password);
                 }
             }
         }
     });
 

Parameters:
keyStoreEntryCallbackHandler - CallbackHandler instance for key/certificate key store entry.


Document version: 8.5.302.00
Copyright © 2006–2017 Genesys Telecommunications Laboratories, Inc. All rights reserved.