Package com.ibm.websphere.ssl

Class JSSEHelper

java.lang.Object
com.ibm.websphere.ssl.JSSEHelper
public class JSSEHelper extends Object

This class is for components and applications to utilize the SSL configuration framework for selecting SSL configurations and turning them into SSL objects such as SSLContext, Properties, URLStreamHandlers, and SocketFactories.

Since:
WAS 6.1

  • Field Details

    • DIRECTION_INBOUND

      public static final String DIRECTION_INBOUND

      Variable used when the direction of the SSLContext is inbound. This is associated to receiving requests or server-side sockets, etc. This helps with validation of the required SSL attributes.

      See Also:

    • DIRECTION_OUTBOUND

      public static final String DIRECTION_OUTBOUND

      Variable used when the direction of the SSLContext is outbound. This is associated to sending requests or client-side sockets, etc. This helps with validation of the required SSL attributes.

      See Also:

    • DIRECTION_UNKNOWN

      public static final String DIRECTION_UNKNOWN

      Variable used when the direction of the SSLContext is not currently known. This will require that a TrustStore and KeyStore are both specified.

      See Also:

    • ENDPOINT_IIOP

      public static final String ENDPOINT_IIOP

      EndPoint name when using IIOP protocol for outbound connections. The IIOP endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_HTTP

      public static final String ENDPOINT_HTTP

      EndPoint name when using HTTP protocol for outbound connections. The HTTP endpoint attribute is not used Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_SIP

      public static final String ENDPOINT_SIP

      EndPoint name when using SIP protocol for outbound connections. The SIP endpoint attribute is not used Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_JMS

      public static final String ENDPOINT_JMS

      EndPoint name when using JMS protocol for outbound connections. The JMS endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_BUS_CLIENT

      public static final String ENDPOINT_BUS_CLIENT

      EndPoint name when using BUS_CLIENT protocol for outbound connections. You cannot use the BUS_CLIENT endpoint attribute in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_BUS_TO_WEBSPHERE_MQ

      public static final String ENDPOINT_BUS_TO_WEBSPHERE_MQ

      EndPoint name when using ENDPOINT_BUS_TO_WEBSPHERE_MQ protocol for outbound connections. The ENDPOINT_BUS_TO_WEBSPHERE_MQ endpoint attribute is not in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_BUS_TO_BUS

      public static final String ENDPOINT_BUS_TO_BUS

      EndPoint name when using ENDPOINT_BUS_TO_BUS protocol for outbound connections. The ENDPOINT_BUS_TO_BUS endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_CLIENT_TO_WEBSPHERE_MQ

      public static final String ENDPOINT_CLIENT_TO_WEBSPHERE_MQ

      EndPoint name when using ENDPOINT_CLIENT_TO_WEBSPHERE_MQ protocol for outbound connections. The ENDPOINT_CLIENT_TO_WEBSPHERE_MQ endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_LDAP

      public static final String ENDPOINT_LDAP

      EndPoint name when using LDAP (JNDI) protocol for outbound connections. The LDAP endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_ADMIN_SOAP

      public static final String ENDPOINT_ADMIN_SOAP

      EndPoint name when using SOAP protocol from the SOAP connector for outbound connections. The SOAP endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • ENDPOINT_ADMIN_IPC

      public static final String ENDPOINT_ADMIN_IPC

      EndPoint name when using IPC protocol from the IPC connector for outbound connections. The IPC endpoint attribute is not used in Liberty. This attribute is available for compatibility purposes only.

      See Also:

    • CONNECTION_INFO_DIRECTION

      public static final String CONNECTION_INFO_DIRECTION

      Variable used for the connection information to determine SSLContext validation rules. Connection information mapping is not used in Liberty. This variable is available for compatibility purposes only.

      See Also:

    • CONNECTION_INFO_ENDPOINT_NAME

      public static final String CONNECTION_INFO_ENDPOINT_NAME

      Property used in the connection information Map to define the endpoint. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.

      See Also:

    • CONNECTION_INFO_REMOTE_HOST

      public static final String CONNECTION_INFO_REMOTE_HOST

      Property used in the connection information Map to define the remote host which is being connected to outbound connections. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.

      See Also:

    • CONNECTION_INFO_REMOTE_PORT

      public static final String CONNECTION_INFO_REMOTE_PORT

      Property used in the connection information Map to define the remote port which is being connected to outbound connections. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.

      See Also:

    • CONNECTION_INFO_CERT_MAPPING_HOST

      public static final String CONNECTION_INFO_CERT_MAPPING_HOST

      Property used in the connection information Map to define the host which is being connected to outbound connections. Connection information mapping is not used in Liberty. This property is available for compatibility purposes only.

      See Also:

    • CONNECTION_INFO_IS_WEB_CONTAINER_INBOUND

      public static final String CONNECTION_INFO_IS_WEB_CONTAINER_INBOUND

      Property used to determine if the connection is a Web Container inbound connection.

      See Also:

  • Constructor Details

    • JSSEHelper

      public JSSEHelper()
      Constructor.

  • Method Details

    • getInstance

      public static JSSEHelper getInstance()

      This method returns an instance of the JSSEHelper class. This is the proper way to get a reference of this API class.

      Returns:
      JSSEHelper

    • setSSLPropertiesOnThread

      public void setSSLPropertiesOnThread(Properties props)

      This has the highest precedence in terms of selection rules. When the SSL runtime finds SSL properties on the thread, this should be used before anything else in the selection process. Using SSL properties from the thread is not support in the Liberty profile. This method exists for compatibility purposes.

      It's important to clear the thread after use, especially where thread pools are used. It is not cleared up automatically. Pass in "null" to this API to clear it.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "setSSLConfig" to be granted.

      Parameters:
      props - The SSL properties to set on the thread.

    • getSSLPropertiesOnThread

      public Properties getSSLPropertiesOnThread()

      This method allows the retrieving of SSL properties on the thread of execution. This can be used for verification purposes or to communicate SSL properties among components running on the same thread. Getting SSL properties form the thread is not used in Liberty. This method exits for compatibility purposes only.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Returns:
      Properties

    • getProperties

      public Properties getProperties(String sslAliasName) throws SSLException

      This method returns the SSL properties given a specific SSL configuration alias.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      sslAliasName - - Name of the SSL configuration to get properties for.
      Returns:
      Properties
      Throws:
      SSLException

    • getSSLContext

      public SSLContext getSSLContext(Map<String,Object> connectionInfo, Properties props) throws SSLException

      This method creates an SSLContext given the SSL properties needed to create the SSLContext. The properties can be retrieved from the SSL configuration using the getProperties API in this class.

      Parameters:
      connectionInfo - - contains information about the connection direction, host, port, etc.
      props - - the SSL properties
      Returns:
      SSLContext
      Throws:
      SSLException

    • getURLStreamHandler

      public URLStreamHandler getURLStreamHandler(Properties props) throws SSLException

      This method creates a URLStreamHandler specific SSL properties. The URLStreamHandler is used for outbound URL connections.

      Parameters:
      props - - the SSL properties (connectionInfo derived from URL)
      Returns:
      URLStreamHandler
      Throws:
      SSLException

    • getSSLServerSocketFactory

      public SSLServerSocketFactory getSSLServerSocketFactory(Properties props) throws SSLException

      This method creates an SSLServerSocketFactory given the SSL configuration properties specified. The properties can be retrieved from the SSL configuration using the getProperties API in this class.

      Parameters:
      props -
      Returns:
      SSLServerSocketFactory
      Throws:
      SSLException

    • getSSLSocketFactory

      public SSLSocketFactory getSSLSocketFactory(Map<String,Object> connectionInfo, Properties props) throws SSLException

      This method creates an SSLSocketFactory for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLSocketFactory. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):

      • com.ibm.ssl.remoteHost="hostname.ibm.com"
      • com.ibm.ssl.remotePort="9809"
      • com.ibm.ssl.direction="outbound"

      Example INBOUND case (endpoint name matches serverindex endpoint): com.ibm.ssl.direction="inbound"

      It's highly recommended to supply these properties when possible.
      props - Properties used to configure the SSL socket factory. See Constants for valid properties.
      Returns:
      SSLSocketFactory
      Throws:
      SSLException

    • getSSLContext

      public SSLContext getSSLContext(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener) throws SSLException

      This method creates an SSLContext for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLContext. The selection precedence rules are:

      1. Direct - The sslAliasName parameter, when specified, will be used to choose the alias directly from the SSL configurations.
      2. Dynamic - The remoteHost/remotePort String(s) will contain the target host, or host and port. A SSL configuration to be use for an outbound connection will be selected based on the host or host and port configured.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      sslAliasName - - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):

      • com.ibm.ssl.remoteHost="hostname.ibm.com"
      • com.ibm.ssl.remotePort="9809"
      • com.ibm.ssl.direction="outbound"

      Example INBOUND case (endpoint name matches serverindex endpoint): com.ibm.ssl.direction="inbound"

      It's highly recommended to supply these properties when possible.
      listener - - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.
      Returns:
      SSLContext
      Throws:
      SSLException

    • getSSLContext

      public SSLContext getSSLContext(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener, boolean tryDefault) throws SSLException, SSLConfigurationNotAvailableException
      Like getSSLContext(String, Map, SSLConfigChangeListener), failing over to the default configuration is a choice.
      Parameters:
      sslAliasName - - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here.
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):

      • com.ibm.ssl.remoteHost="hostname.ibm.com"
      • com.ibm.ssl.remotePort="9809"
      • com.ibm.ssl.direction="outbound"

      Example INBOUND case (endpoint name matches serverindex endpoint): com.ibm.ssl.direction="inbound"

      It's highly recommended to supply these properties when possible.
      listener - - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.
      tryDefault - if the specified alias is not available, true indicates the default configuration should be tried.
      Returns:
      Throws:
      SSLException
      SSLConfigurationNotAvailableException

    • getURLStreamHandler

      public URLStreamHandler getURLStreamHandler(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener) throws SSLException

      This method creates a URLStreamHandler for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the URLStreamHandler. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      sslAliasName -
      connectionInfo -
      listener -
      Returns:
      URLStreamHandler
      Throws:
      SSLException

    • getSSLSocketFactory

      public SSLSocketFactory getSSLSocketFactory(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener) throws SSLException

      This method creates an SSLSocketFactory for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLSocketFactory. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      sslAliasName - - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):

      • com.ibm.ssl.remoteHost="hostname.ibm.com"
      • com.ibm.ssl.remotePort="9809"
      • com.ibm.ssl.direction="outbound"

      It's highly recommended to supply these properties when possible.
      listener - - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.
      Returns:
      SSLSocketFactory
      Throws:
      SSLException

    • getSSLServerSocketFactory

      public SSLServerSocketFactory getSSLServerSocketFactory(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener) throws SSLException

      This method creates an SSLSocketFactory for use by an SSL application or component. Precedence logic will determine which parameters are used for creating the SSLSocketFactory. See the JavaDoc for getSSLContext with the same parameters for more info on the behavior of this API.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      sslAliasName - - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example INBOUND case (endpoint name matches serverindex endpoint): com.ibm.ssl.direction="inbound"

      It's highly recommended to supply these properties when possible.
      listener - - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.
      Returns:
      SSLServerSocketFactory
      Throws:
      SSLException

    • getProperties

      public Properties getProperties(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener) throws SSLException

      This method returns the effective SSL properties object for use by an SSL application or component.

      When Java 2 Security is enabled, access to call this method requires WebSphereRuntimePermission "getSSLConfig" to be granted.

      Parameters:
      sslAliasName - - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):

      • com.ibm.ssl.remoteHost="hostname.ibm.com"
      • com.ibm.ssl.remotePort="9809"
      • com.ibm.ssl.direction="outbound"

      Example INBOUND case (endpoint name matches serverindex endpoint): com.ibm.ssl.direction="inbound"

      It's highly recommended to supply these properties when possible.
      listener - - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.
      Returns:
      Properties for the requested sslAliasName. If the requested sslAliasName is not avialable, the default properties will be returned. If the default properties are not available, null is returned.
      Throws:
      SSLException

    • getProperties

      public Properties getProperties(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener, boolean tryDefault) throws SSLException
      Like getProperties(String, Map, SSLConfigChangeListener), except failing over to the default configuration is a choice.
      Parameters:
      sslAliasName - - Used in direct selection. The alias name of a specific SSL configuration (optional). You can pass in "null" here. If sslAliasName is provided but does not exist it will check connection information for a match. Then look for a default if no match with the connection information.
      connectionInfo - - This refers to the remote connection information. The current properties known by the runtime include:

      Example OUTBOUND case (endpoint refers more to protocol used since outbound names are not well-known):

      • com.ibm.ssl.remoteHost="hostname.ibm.com"
      • com.ibm.ssl.remotePort="9809"
      • com.ibm.ssl.direction="outbound"

      Example INBOUND case (endpoint name matches serverindex endpoint): com.ibm.ssl.direction="inbound"

      It's highly recommended to supply these properties when possible.
      listener - - This is used to notify the caller of this API that the SSL configuration changed in the runtime. It's up to the caller to decide if they want to call this API again to get the new SSLContext for the configuration. Passing in NULL indicates no notification is desired. See the com.ibm.websphere.ssl.SSLConfigChangeListener interface for more information.
      tryDefault - if the specified alias is not available, true indicates the default configuration should be tried.
      Returns:
      Properties for the requested sslAliasName. If the requested sslAliasName properties are not available, null is returned.
      Throws:
      SSLException

    • registerSSLConfigChangeListener

      public void registerSSLConfigChangeListener(String sslAliasName, Map<String,Object> connectionInfo, SSLConfigChangeListener listener) throws SSLException

      This method registers an SSLConfigChangeListener for the specific SSL configuration chosen based upon the parameters passed in using the precedence logic described in the JavaDoc for the getSSLContext API. The SSLConfigChangeListener must be deregistered by deregisterSSLConfigChangeListener when it is no longer needed.

      Parameters:
      sslAliasName -
      connectionInfo -
      listener -
      Throws:
      SSLException

    • deregisterSSLConfigChangeListener

      public void deregisterSSLConfigChangeListener(SSLConfigChangeListener listener) throws SSLException

      This method removes the specific SSLConfigChangeListener from the list of active listeners.

      Parameters:
      listener -
      Throws:
      SSLException

    • doesSSLConfigExist

      public boolean doesSSLConfigExist(String sslAliasName)

      This method checks to ensure the SSL configuration name is known.

      Parameters:
      sslAliasName - - Name of the SSL configuration to check to see if it exits.
      Returns:
      boolean

    • reinitializeClientDefaultSSLProperties

      public void reinitializeClientDefaultSSLProperties()

      This method is not implemented.

    • validateSSLProperties

      public void validateSSLProperties(Properties props) throws SSLException

      This method attempts to create an SSLContext using the properties provided. It is assumed the API is called on the node where the KeyStore information specified in the properties resides.

      Parameters:
      props - The SSL properties to validate.
      Throws:
      SSLException

    • getInboundConnectionInfo

      public Map<String,Object> getInboundConnectionInfo()

      This method is used to obtain information about the connection on the thread of execution. This connection information can then be used from Custom Key and Trust Managers.

      Returns:
      Map<String,Object>

    • setInboundConnectionInfo

      public void setInboundConnectionInfo(Map<String,Object> connectionInfo)

      This method sets information about the connection on the thread of execution. This connection information can then be used from Custom Key and Trust Managers. This method is invoked prior to an SSL handshake.

      It's important to clear the thread after use, especially where thread pools are used. It is not cleared up automatically. Pass in "null" to this API to clear it.

      Parameters:
      connectionInfo - - This refers to the inbound connection information.

    • getOutboundConnectionInfo

      public Map<String,Object> getOutboundConnectionInfo()

      This method is used to obtain information about the connection on the thread of execution. This connection information can then be used to set the connection information prior to creating and SSL socket.

      Returns:
      Map<String,Object>

    • setOutboundConnectionInfo

      public void setOutboundConnectionInfo(Map<String,Object> connectionInfo)

      This method sets information about the connection on the thread of execution. This method is invoked prior to creating an SSL socket.

      It's important to clear the thread after use, especially where thread pools are used. It is not cleared up automatically. Pass in "null" to this API to clear it.

      Parameters:
      connectionInfo -