Class JSSEHelper
This class is for components and applications to utilize the SSL configuration framework for selecting SSL configurations and turning them into SSL objects such as SSLContext, Properties, URLStreamHandlers, and SocketFactories.
- Since:
- WAS 6.1
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
Property used in the connection information Map to define the host which is being connected to outbound connections.static final String
Variable used for the connection information to determine SSLContext validation rules.static final String
Property used in the connection information Map to define the endpoint.static final String
Property used to determine if the connection is a Web Container inbound connection.static final String
Property used in the connection information Map to define the remote host which is being connected to outbound connections.static final String
Property used in the connection information Map to define the remote port which is being connected to outbound connections.static final String
Variable used when the direction of the SSLContext is inbound.static final String
Variable used when the direction of the SSLContext is outbound.static final String
Variable used when the direction of the SSLContext is not currently known.static final String
EndPoint name when using IPC protocol from the IPC connector for outbound connections.static final String
EndPoint name when using SOAP protocol from the SOAP connector for outbound connections.static final String
EndPoint name when using BUS_CLIENT protocol for outbound connections.static final String
EndPoint name when using ENDPOINT_BUS_TO_BUS protocol for outbound connections.static final String
EndPoint name when using ENDPOINT_BUS_TO_WEBSPHERE_MQ protocol for outbound connections.static final String
EndPoint name when using ENDPOINT_CLIENT_TO_WEBSPHERE_MQ protocol for outbound connections.static final String
EndPoint name when using HTTP protocol for outbound connections.static final String
EndPoint name when using IIOP protocol for outbound connections.static final String
EndPoint name when using JMS protocol for outbound connections.static final String
EndPoint name when using LDAP (JNDI) protocol for outbound connections.static final String
EndPoint name when using SIP protocol for outbound connections. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
This method removes the specific SSLConfigChangeListener from the list of active listeners.boolean
doesSSLConfigExist
(String sslAliasName) This method checks to ensure the SSL configuration name is known.This method is used to obtain information about the connection on the thread of execution.static JSSEHelper
This method returns an instance of the JSSEHelper class.This method is used to obtain information about the connection on the thread of execution.getProperties
(String sslAliasName) This method returns the SSL properties given a specific SSL configuration alias.getProperties
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) This method returns the effective SSL properties object for use by an SSL application or component.getProperties
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener, boolean tryDefault) LikegetProperties(String, Map, SSLConfigChangeListener)
, except failing over to the default configuration is a choice.getSSLContext
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) This method creates an SSLContext for use by an SSL application or component.getSSLContext
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener, boolean tryDefault) LikegetSSLContext(String, Map, SSLConfigChangeListener)
, failing over to the default configuration is a choice.getSSLContext
(Map<String, Object> connectionInfo, Properties props) This method creates an SSLContext given the SSL properties needed to create the SSLContext.This method allows the retrieving of SSL properties on the thread of execution.getSSLServerSocketFactory
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) This method creates an SSLSocketFactory for use by an SSL application or component.This method creates an SSLServerSocketFactory given the SSL configuration properties specified.getSSLSocketFactory
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) This method creates an SSLSocketFactory for use by an SSL application or component.getSSLSocketFactory
(Map<String, Object> connectionInfo, Properties props) This method creates an SSLSocketFactory for use by an SSL application or component.getURLStreamHandler
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) This method creates a URLStreamHandler for use by an SSL application or component.getURLStreamHandler
(Properties props) This method creates a URLStreamHandler specific SSL properties.void
registerSSLConfigChangeListener
(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) This method registers an SSLConfigChangeListener for the specific SSL configuration chosen based upon the parameters passed in using the precedence logic described in the JavaDoc for the getSSLContext API.void
This method is not implemented.void
setInboundConnectionInfo
(Map<String, Object> connectionInfo) This method sets information about the connection on the thread of execution.void
setOutboundConnectionInfo
(Map<String, Object> connectionInfo) This method sets information about the connection on the thread of execution.void
This has the highest precedence in terms of selection rules.void
validateSSLProperties
(Properties props) This method attempts to create an SSLContext using the properties provided.
-
Field Details
-
DIRECTION_INBOUND
Variable used when the direction of the SSLContext is inbound. This is associated to receiving requests or server-side sockets, etc. This helps with validation of the required SSL attributes.
- See Also:
-
DIRECTION_OUTBOUND
Variable used when the direction of the SSLContext is outbound. This is associated to sending requests or client-side sockets, etc. This helps with validation of the required SSL attributes.
- See Also:
-
DIRECTION_UNKNOWN
Variable used when the direction of the SSLContext is not currently known. This will require that a TrustStore and KeyStore are both specified.
- See Also:
-
ENDPOINT_IIOP
EndPoint name when using IIOP protocol for outbound connections. The IIOP endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_HTTP
EndPoint name when using HTTP protocol for outbound connections. The HTTP endpoint attribute is not used Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_SIP
EndPoint name when using SIP protocol for outbound connections. The SIP endpoint attribute is not used Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_JMS
EndPoint name when using JMS protocol for outbound connections. The JMS endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_BUS_CLIENT
EndPoint name when using BUS_CLIENT protocol for outbound connections. You cannot use the BUS_CLIENT endpoint attribute in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_BUS_TO_WEBSPHERE_MQ
EndPoint name when using ENDPOINT_BUS_TO_WEBSPHERE_MQ protocol for outbound connections. The ENDPOINT_BUS_TO_WEBSPHERE_MQ endpoint attribute is not in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_BUS_TO_BUS
EndPoint name when using ENDPOINT_BUS_TO_BUS protocol for outbound connections. The ENDPOINT_BUS_TO_BUS endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_CLIENT_TO_WEBSPHERE_MQ
EndPoint name when using ENDPOINT_CLIENT_TO_WEBSPHERE_MQ protocol for outbound connections. The ENDPOINT_CLIENT_TO_WEBSPHERE_MQ endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_LDAP
EndPoint name when using LDAP (JNDI) protocol for outbound connections. The LDAP endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_ADMIN_SOAP
EndPoint name when using SOAP protocol from the SOAP connector for outbound connections. The SOAP endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
ENDPOINT_ADMIN_IPC
EndPoint name when using IPC protocol from the IPC connector for outbound connections. The IPC endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.
- See Also:
-
CONNECTION_INFO_DIRECTION
Variable used for the connection information to determine SSLContext validation rules. Connection information mapping is not used in Liberty. This variable is available for compatibility purposes only.
- See Also:
-
CONNECTION_INFO_ENDPOINT_NAME
Property used in the connection information Map to define the endpoint. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.
- See Also:
-
CONNECTION_INFO_REMOTE_HOST
Property used in the connection information Map to define the remote host which is being connected to outbound connections. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.
- See Also:
-
CONNECTION_INFO_REMOTE_PORT
Property used in the connection information Map to define the remote port which is being connected to outbound connections. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.
- See Also:
-
CONNECTION_INFO_CERT_MAPPING_HOST
Property used in the connection information Map to define the host which is being connected to outbound connections. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.
- See Also:
-
CONNECTION_INFO_IS_WEB_CONTAINER_INBOUND
Property used to determine if the connection is a Web Container inbound connection.
- See Also:
-
-
Constructor Details
-
JSSEHelper
public JSSEHelper()Constructor.
-
-
Method Details
-
getInstance
This method returns an instance of the JSSEHelper class. This is the proper way to get a reference of this API class.
- Returns:
- JSSEHelper
-
setSSLPropertiesOnThread
This has the highest precedence in terms of selection rules. When the SSL runtime finds SSL properties on the thread, this should be used before anything else in the selection process. Using SSL properties from the thread is not support in the Liberty profile. This method exists for compatibility purposes.
It's important to clear the thread after use, especially where thread pools are used. It is not cleared up automatically. Pass in "null" to this API to clear it.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "setSSLConfig" to be granted.
- Parameters:
props
- The SSL properties to set on the thread.
-
getSSLPropertiesOnThread
This method allows the retrieving of SSL properties on the thread of execution. This can be used for verification purposes or to communicate SSL properties among components running on the same thread. Getting SSL properties form the thread is not used in Liberty. This method exits for compatibility purposes only.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Returns:
- Properties
-
getProperties
This method returns the SSL properties given a specific SSL configuration alias.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
sslAliasName
- - Name of the SSL configuration to get properties for.- Returns:
- Properties
- Throws:
SSLException
-
getSSLContext
public SSLContext getSSLContext(Map<String, Object> connectionInfo, Properties props) throws SSLExceptionThis method creates an SSLContext given the SSL properties needed to create the SSLContext. The properties can be retrieved from the SSL configuration using the getProperties API in this class.
- Parameters:
connectionInfo
- - contains information about the connection direction, host, port, etc.props
- - the SSL properties- Returns:
- SSLContext
- Throws:
SSLException
-
getURLStreamHandler
This method creates a URLStreamHandler specific SSL properties. The URLStreamHandler is used for outbound URL connections.
- Parameters:
props
- - the SSL properties (connectionInfo derived from URL)- Returns:
- URLStreamHandler
- Throws:
SSLException
-
getSSLServerSocketFactory
This method creates an SSLServerSocketFactory given the SSL configuration properties specified. The properties can be retrieved from the SSL configuration using the getProperties API in this class.
- Parameters:
props
-- Returns:
- SSLServerSocketFactory
- Throws:
SSLException
-
getSSLSocketFactory
public SSLSocketFactory getSSLSocketFactory(Map<String, Object> connectionInfo, Properties props) throws SSLExceptionThis method creates an SSLSocketFactory for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLSocketFactory. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):
- com.ibm.ssl.remoteHost="hostname.ibm.com"
- com.ibm.ssl.remotePort="9809"
- com.ibm.ssl.direction="outbound"
Example INBOUND case (endpoint name matches serverindex endpoint):
It's highly recommended to supply these properties when possible.com.ibm.ssl.direction="inbound"
props
- Properties used to configure the SSL socket factory. SeeConstants
for valid properties.- Returns:
- SSLSocketFactory
- Throws:
SSLException
-
getSSLContext
public SSLContext getSSLContext(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) throws SSLExceptionThis method creates an SSLContext for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLContext. The selection precedence rules are:
- Direct - The sslAliasName parameter, when specified, will be used to choose the alias directly from the SSL configurations.
- Dynamic - The remoteHost/remotePort String(s) will contain the target host, or host and port. A SSL configuration to be use for an outbound connection will be selected based on the host or host and port configured.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
sslAliasName
- - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):
- com.ibm.ssl.remoteHost="hostname.ibm.com"
- com.ibm.ssl.remotePort="9809"
- com.ibm.ssl.direction="outbound"
Example INBOUND case (endpoint name matches serverindex endpoint):
It's highly recommended to supply these properties when possible.com.ibm.ssl.direction="inbound"
listener
- - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.- Returns:
- SSLContext
- Throws:
SSLException
-
getSSLContext
public SSLContext getSSLContext(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener, boolean tryDefault) throws SSLException, SSLConfigurationNotAvailableExceptionLikegetSSLContext(String, Map, SSLConfigChangeListener)
, failing over to the default configuration is a choice.- Parameters:
sslAliasName
- - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here.connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):
- com.ibm.ssl.remoteHost="hostname.ibm.com"
- com.ibm.ssl.remotePort="9809"
- com.ibm.ssl.direction="outbound"
Example INBOUND case (endpoint name matches serverindex endpoint):
It's highly recommended to supply these properties when possible.com.ibm.ssl.direction="inbound"
listener
- - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.tryDefault
- if the specified alias is not available,true
indicates the default configuration should be tried.- Returns:
- Throws:
SSLException
SSLConfigurationNotAvailableException
-
getURLStreamHandler
public URLStreamHandler getURLStreamHandler(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) throws SSLExceptionThis method creates a URLStreamHandler for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the URLStreamHandler. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
sslAliasName
-connectionInfo
-listener
-- Returns:
- URLStreamHandler
- Throws:
SSLException
-
getSSLSocketFactory
public SSLSocketFactory getSSLSocketFactory(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) throws SSLExceptionThis method creates an SSLSocketFactory for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLSocketFactory. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
sslAliasName
- - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):
- com.ibm.ssl.remoteHost="hostname.ibm.com"
- com.ibm.ssl.remotePort="9809"
- com.ibm.ssl.direction="outbound"
listener
- - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.- Returns:
- SSLSocketFactory
- Throws:
SSLException
-
getSSLServerSocketFactory
public SSLServerSocketFactory getSSLServerSocketFactory(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) throws SSLExceptionThis method creates an SSLSocketFactory for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLSocketFactory. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
sslAliasName
- - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example INBOUND case (endpoint name matches serverindex endpoint):
It's highly recommended to supply these properties when possible.com.ibm.ssl.direction="inbound"
listener
- - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.- Returns:
- SSLServerSocketFactory
- Throws:
SSLException
-
getProperties
public Properties getProperties(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) throws SSLExceptionThis method returns the effective SSL properties object for use by an SSL application or component.
When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.
- Parameters:
sslAliasName
- - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):
- com.ibm.ssl.remoteHost="hostname.ibm.com"
- com.ibm.ssl.remotePort="9809"
- com.ibm.ssl.direction="outbound"
Example INBOUND case (endpoint name matches serverindex endpoint):
It's highly recommended to supply these properties when possible.com.ibm.ssl.direction="inbound"
listener
- - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.- Returns:
- Properties for the requested sslAliasName. If the requested sslAliasName is not avialable, the default properties will be returned. If the default properties are not available, null is returned.
- Throws:
SSLException
-
getProperties
public Properties getProperties(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener, boolean tryDefault) throws SSLExceptionLikegetProperties(String, Map, SSLConfigChangeListener)
, except failing over to the default configuration is a choice.- Parameters:
sslAliasName
- - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.connectionInfo
- - This refers to the remote connection information. The current properties known by the runtime include:Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):
- com.ibm.ssl.remoteHost="hostname.ibm.com"
- com.ibm.ssl.remotePort="9809"
- com.ibm.ssl.direction="outbound"
Example INBOUND case (endpoint name matches serverindex endpoint):
It's highly recommended to supply these properties when possible.com.ibm.ssl.direction="inbound"
listener
- - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.tryDefault
- if the specified alias is not available,true
indicates the default configuration should be tried.- Returns:
- Properties for the requested sslAliasName. If the requested sslAliasName properties are not available, null is returned.
- Throws:
SSLException
-
registerSSLConfigChangeListener
public void registerSSLConfigChangeListener(String sslAliasName, Map<String, Object> connectionInfo, SSLConfigChangeListener listener) throws SSLExceptionThis method registers an SSLConfigChangeListener for the specific SSL configuration chosen based upon the parameters passed in using the precedence logic described in the JavaDoc for the getSSLContext API. The SSLConfigChangeListener must be deregistered by deregisterSSLConfigChangeListener when it is no longer needed.
- Parameters:
sslAliasName
-connectionInfo
-listener
-- Throws:
SSLException
-
deregisterSSLConfigChangeListener
This method removes the specific SSLConfigChangeListener from the list of active listeners.
- Parameters:
listener
-- Throws:
SSLException
-
doesSSLConfigExist
This method checks to ensure the SSL configuration name is known.
- Parameters:
sslAliasName
- - Name of the SSL configuration to check to see if it exits.- Returns:
- boolean
-
reinitializeClientDefaultSSLProperties
public void reinitializeClientDefaultSSLProperties()This method is not implemented.
-
validateSSLProperties
This method attempts to create an SSLContext using the properties provided. It is assumed the API is called on the node where the KeyStore information specified in the properties resides.
- Parameters:
props
- The SSL properties to validate.- Throws:
SSLException
-
getInboundConnectionInfo
This method is used to obtain information about the connection on the thread of execution. This connection information can then be used from Custom Key and Trust Managers.
- Returns:
- Map<String,Object>
-
setInboundConnectionInfo
This method sets information about the connection on the thread of execution. This connection information can then be used from Custom Key and Trust Managers. This method is invoked prior to an SSL handshake.
It's important to clear the thread after use, especially where thread pools are used. It is not cleared up automatically. Pass in "null" to this API to clear it.
- Parameters:
connectionInfo
- - This refers to the inbound connection information.
-
getOutboundConnectionInfo
This method is used to obtain information about the connection on the thread of execution. This connection information can then be used to set the connection information prior to creating and SSL socket.
- Returns:
- Map<String,Object>
-
setOutboundConnectionInfo
This method sets information about the connection on the thread of execution. This method is invoked prior to creating an SSL socket.
It's important to clear the thread after use, especially where thread pools are used. It is not cleared up automatically. Pass in "null" to this API to clear it.
- Parameters:
connectionInfo
-
-