6. Security

ssl

Configures inbound or outbound SSL connections.

Can be used in:

serviceProxy, api, stompClient, httpClientConfig, stompProxy, swaggerProxy, registration, etcdBasedConfigurator, membrane, bean, internalProxy and soapProxy

Syntax

<ssl
  [algorithm="..."]
  [protocol="..."]
  [ciphers="..."]
  [clientAuth="..."]>
  <keystore
    location="..." [password="..."]
    [type="..."] [provider="..."]
    [keyPassword="..."] [keyAlias="..."] >?
  <truststore
    location="..." [password="..."]
    [type="..."] [provider="..."]
    [algorithm="..."] >?
</ssl>

Sample

Inbound Sample

This example is taken from examples/ssl-server. It demonstrates how to configure inbound SSL.

<serviceProxy port="443">
  <ssl>
    <keystore
      location="../../conf/membrane.jks"
      password="secret" keyPassword="secret" />
    <truststore
      location="../../conf/membrane.jks" password="secret" />
  </ssl>
  <wsdlRewriter protocol="https" />
  <target host="thomas-bayer.com" />
</serviceProxy>

Outbound Sample

This example is taken from examples/ssl-client. It demonstrates how to configure outbound SSL.

<serviceProxy port="8080">
  <path>/svn</path>
  <target host="predic8.com" port="443">
    <ssl />
  </target>
</serviceProxy>

Attributes

Name                            | Required | Default                     | Description | Example
useExperimentalHttp2            | false    | false                       | Whether to enable receiving HTTP/2 requests (experimental). | -
protocol                        | false    | TLS                         | Passed to SSLContext.getInstance() (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/SSLContext.html#getInstance%28java.lang.String%29). | -
showSSLExceptions               | false    | true                        | Tells Membrane to show SSL exceptions in its log. | -
useAsDefault                    | false    | true                        | Whether to use the SSLContext built from this SSLParser when no SNI header was transmitted. | -
endpointIdentificationAlgorithm | false    | HTTPS                       | See setEndpointIdentificationAlgorithm() (http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLParameters.html#setEndpointIdentificationAlgorithm%28java.lang.String%29). | -
ciphers                         | false    | all system default ciphers  | Space-separated list of ciphers to allow; see getSupportedCipherSuites() (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/SSLSocketFactory.html#getSupportedCipherSuites%28%29). | TLS_ECDH_anon_WITH_RC4_128_SHA
serverName                      | false    | same as target hostname     | Setting the serverName tells Java to use SNI (RFC 3546, http://www.rfc-base.org/txt/rfc-3546.txt) on outbound TLS connections to indicate to the TLS server which hostname the client wants to connect to. | -
protocols                       | false    | TLS*                        | Passed to SSLSocket.setEnabledProtocols() (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/SSLSocket.html#setEnabledProtocols%28java.lang.String[]%29). | -
clientAuth                      | false    | not set                     | Either not set (=no), or want or need. | need
ignoreTimestampCheckFailure     | false    | -                           | - | -
algorithm                       | false    | java default                | See getDefaultAlgorithm() (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/KeyManagerFactory.html#getDefaultAlgorithm%28%29). | SunX509
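The attributes above control which protocol versions and cipher suites a Membrane listener or outbound target accepts, whether client certificates are enforced (clientAuth) and whether outbound hostname verification stays on (endpointIdentificationAlgorithm). The following is an added example, not part of the Membrane documentation or code base: a small Python linter that reads `<ssl>` elements from a proxies.xml-style fragment and flags deprecated protocol names, weak cipher suites, a truststore that is present while clientAuth is not "need", and an outbound endpointIdentificationAlgorithm other than the HTTPS default. The sample configuration inside it is constructed for the example (the `conf/clients.jks` path, the `backend.internal` host and the `<router>` root are assumptions), and treating any non-HTTPS endpointIdentificationAlgorithm value as weakened verification is the linter's own rule, not a statement about Membrane internals.

```python
"""Lint Membrane <ssl> elements for weak settings (added example, not Membrane code)."""
import xml.etree.ElementTree as ET

# Constructed sample: a weak listener and a hardened listener, each with an
# outbound target. Not taken from the Membrane examples directory.
SAMPLE_CONFIG = """\
<router>
  <serviceProxy name="weak" port="443">
    <ssl protocols="SSLv3 TLSv1 TLSv1.2"
         ciphers="TLS_ECDH_anon_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
         clientAuth="want">
      <keystore location="../../conf/membrane.jks" password="secret" keyPassword="secret" />
      <truststore location="../../conf/membrane.jks" password="secret" />
    </ssl>
    <target host="backend.internal" port="443">
      <ssl endpointIdentificationAlgorithm="" />
    </target>
  </serviceProxy>
  <serviceProxy name="hardened" port="8443">
    <ssl protocols="TLSv1.2 TLSv1.3"
         ciphers="TLS_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
         clientAuth="need">
      <keystore location="../../conf/membrane.jks" password="secret" keyPassword="secret" />
      <truststore location="../../conf/clients.jks" password="secret" />
    </ssl>
    <target host="backend.internal" port="443">
      <ssl />
    </target>
  </serviceProxy>
</router>
"""

# JSSE protocol names that should no longer be enabled.
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of JSSE cipher suite names that mark anonymous, unauthenticated or broken suites.
WEAK_CIPHER_MARKERS = ("_anon_", "_NULL_", "_RC4_", "_DES_", "_3DES_", "EXPORT", "_MD5")


def lint_ssl(ssl_el, direction):
    """Return findings for one <ssl> element.

    direction is "inbound" (ssl directly under a proxy) or "outbound" (ssl under <target>).
    """
    findings = []
    for proto in ssl_el.get("protocols", "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{direction}: deprecated protocol enabled: {proto}")
    for suite in ssl_el.get("ciphers", "").split():
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{direction}: weak cipher suite allowed: {suite}")
    if direction == "inbound":
        # A truststore on a listener only enforces client certificates with clientAuth="need".
        has_trust = ssl_el.find("truststore") is not None or ssl_el.find("trust") is not None
        client_auth = ssl_el.get("clientAuth", "not set")
        if has_trust and client_auth != "need":
            findings.append(f"inbound: truststore present but clientAuth={client_auth}; "
                            "client certificates are not enforced")
    else:
        # Assumption of this linter: anything but the HTTPS default weakens hostname verification.
        algo = ssl_el.get("endpointIdentificationAlgorithm", "HTTPS")
        if algo != "HTTPS":
            findings.append(f"outbound: endpointIdentificationAlgorithm={algo!r} weakens hostname verification")
    return findings


def lint_config(xml_text):
    """Map each proxy name to the findings of all <ssl> elements beneath it."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = {}
    for ssl_el in root.iter("ssl"):
        parent = parent_of[ssl_el]
        if parent.tag == "target":
            direction, proxy = "outbound", parent_of[parent]
        else:
            direction, proxy = "inbound", parent
        name = proxy.get("name", f"{proxy.tag}:{proxy.get('port', '?')}")
        report.setdefault(name, []).extend(lint_ssl(ssl_el, direction))
    return report


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, the "weak" proxy yields five findings (SSLv3, TLSv1, the anonymous RC4 suite, clientAuth="want" beside a truststore, and the blanked endpointIdentificationAlgorithm on the target) and the "hardened" proxy yields none. Point `lint_config` at your own proxies.xml text to review listener and target settings before deployment.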

Child Elements

Element      | Description                                                                | Cardinality
key          | Used to manually compose the keystore.                                     | 0..1
keyGenerator | Used to dynamically generate a key for the incoming connection on the fly. | 0..1
trust        | Used to manually compose the truststore.                                   | 0..1

Other optional Child Elements

keystore, truststore, acme

More information

For more information, especially the context and definition of the terminology, see the Java Secure Socket Extension (JSSE) reference guide.