The following document is about handling SSL in our components. Notice that this is a very complex issue: it is impossible to describe everything about using SSL in every possible situation. We will try to tell you the basics about using SSL in our ConnectPlaza application.
First, remember that ConnectPlaza generates Java applications for you. Do not confuse this with Windows certificate handling or other SSL-related mechanisms on other systems; Java handles SSL on its own terms. That said, how did we implement SSL usage in ConnectPlaza?
Java uses Java Key Stores to keep track of the certificates used for SSL handshakes. ConnectPlaza has 2 default .jks files. You can find them in the directory <installation directory>/context, with the following names:
If you have any knowledge about Java, this will be somewhat familiar to you. If not, do not give up hope, rescue is near.
What is a Java Keystore
A Java Key Store is a repository of security certificates. These can be authorization certificates or key certificates (a public certificate and its corresponding private key), and they are used in SSL encryption. In ConnectPlaza we use a keystore and a truststore, but both are Java Key Stores. This can be somewhat confusing, so let us explain the difference.
The ConnectPlaza keystore is the place where we store the keypairs for the connections to our services. The connecting party must have your public certificate to connect to your service. For instance, if you have an HTTPS listener, you store the keypair (private key and public certificate) of the connecting server in the keystore.
The ConnectPlaza truststore is the place where we store the public certificates of the sites we trust. These are the sites your application connects to. For instance, your email server can offer a TLS connection; the certificate of that email server must be uploaded into the truststore. Remember that it can be necessary to upload the entire chain of certificates! You will find more information about certificate chains on the internet.
In short: you use the ConnectPlaza truststore if you want to connect to another service or server (an outbound connection). You use the ConnectPlaza keystore if you want another service or server to connect to your application (an inbound connection).
The ConnectPlaza keystore and truststore accept keys and certificates in the X.509 or PKCS#12 format (usually .pfx or .p12 files). These can be self-signed certificates, or keys obtained from a certificate reseller.
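To check whether the truststore really holds the full chain mentioned above, here is an added example (it is not ConnectPlaza's own code): a small Java program that loads the ConnectPlaza truststore, reads the certificate a remote server presents (a PEM file holding either the leaf only or the whole chain the server sends) and walks it issuer by issuer, reporting each link that is missing from the truststore. The truststore path, its password and the PEM file are passed as arguments; those, and the JKS store type, are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not ConnectPlaza code. Walks a server certificate's chain and reports
// which links are missing from the ConnectPlaza truststore (the JKS under <installation directory>/context).
public class TrustChainCheck {

    /** Loads every X.509 certificate (trusted-cert and key entries alike) from a JKS file. */
    static List<X509Certificate> loadTrusted(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: the store is of type JKS
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** Returns the certificate in pool whose key really signed cert, or null if none does. */
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate cand : pool) {
            if (!cand.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(cand.getPublicKey()); return cand; } catch (Exception ignored) { }
        }
        return null;
    }

    // Usage: java TrustChainCheck <truststore.jks> <password> <server-cert.pem>
    // The PEM may hold only the leaf certificate or the whole chain the server sends.
    public static void main(String[] args) throws Exception {
        List<X509Certificate> trusted = loadTrusted(args[0], args[1].toCharArray());
        List<X509Certificate> pool = new ArrayList<>(trusted);   // truststore + PEM certificates
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                pool.add((X509Certificate) c);
        }
        X509Certificate cur = pool.get(trusted.size());           // first PEM certificate = leaf
        while (true) {
            String status = trusted.contains(cur) ? "in truststore" : "NOT in truststore -> upload it";
            System.out.println(cur.getSubjectX500Principal() + " : " + status);
            if (findIssuer(cur, Collections.singletonList(cur)) != null) break; // self-signed root reached
            cur = findIssuer(cur, pool);
            if (cur == null) { System.out.println("chain broken: issuer not found in PEM or truststore"); break; }
        }
    }
}
```

A line marked "NOT in truststore" is a certificate you may still have to upload; "chain broken" means neither the PEM nor the truststore contains the issuer of the last certificate printed, so the chain cannot be completed.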
Using Java's own trusted SSL CA
As of version 3.x of ConnectAgent, a default setting was introduced into the ConnectAgent properties file to enable Java's own trusted SSL CAs.
Open the file [connectplaza-agent-root]/conf/connectplaza-agent.properties. If you have an original pre-3.x version of the agent installed (an installation of a 2.x version that was updated to 3.x also counts as a pre-3.x original ConnectAgent), this setting is probably set to false.
If you set this setting to true, you will probably have no problems trusting all kinds of HTTPS / SSL sites and services: this is now handled by the Java trusted SSL CAs, just as your browser instantly knows whether the HTTPS site you open has a valid certificate. You only need to add certificates to your Agent's trusted certificates for self-signed certificates and for the case that, for any reason, a CA is not trusted by the Java trusted SSL CAs.
If this setting is set to false, you must explicitly trust every specific HTTPS site and SSL service out in the world.
The default setting as of 3.x is therefore TRUE.
Key exchange algorithms (sFTP connections)
Using SSL you can run into certain key exchange issues. Some of the algorithms are no longer supported in your Java version, or the provider has a different default installed. Changes in the security layer happen a lot these days. With the SFTP Key Exchange field, you can force the application to use a certain key exchange algorithm.
For more information about key exchange algorithms, follow this link.
You can modify the SSH ciphers, MACs and key exchange algorithms used by overriding the default settings with a Java system property: sftpKeyExchange. This system property is set using -DsftpKeyExchange=[yourciphers] in the ConnectPlaza Agent's wrapper.conf, in the wrapper.conf file format, i.e.:
wrapper.java.additional.X = -DsftpKeyExchange=[yourciphers]
and add this line to the [connectplaza-agent-root]/yajsw/conf/wrapper.conf file.
Included cipher suites in your connectplaza-agent.properties file
As of version 3.4.0 there is a change in managing the cipher suites you may use when connecting with SSL. In the connectplaza-agent.properties file you will find an entry which looks like this:
This is the default setting. In some cases it is necessary to add one or more protocols. Normally you add them here with their full names. It was, however, possible to use wildcards: .* was an accepted option in version 3.3.2 and below.
As of version 3.4.0 this is no longer allowed. The setting is now used for internal as well as external connections, so you must put the full protocol name in this list; wildcards are no longer accepted.
Copyright © 2018 ConnectPlaza. For pricing, account management and more go to https://www.connectplaza.com