
SSL Handling


    Introduction

    The following document is about handling SSL in our components. Notice that this is a very complex issue. It is impossible to describe everything about using SSL in every situation possible. We will try to tell you the basics about using SSL in our ConnectPlaza application.

    First, remember that ConnectPlaza generates Java applications for you. Do not confuse this with Windows certificate handling or SSL-related mechanisms on other systems: Java handles SSL on its own terms. That said, how did we implement SSL usage in ConnectPlaza?

    Java uses Java Key Stores as a way to keep track of its certificates used for SSL handshakes. ConnectPlaza has 2 default .jks files. You can find them in the following directory: <installation directory>/context with the following names:

    • connectplaza_keystore.jks
    • connectplaza_truststore.jks

    If you have any knowledge about java, this will be somewhat familiar to you. If not, do not give up hope, rescue is near.

    What is a Java Keystore

    A Java Key Store is a repository of security certificates. These can be authorization certificates or key certificates (a public certificate and its corresponding private key), and they are used for SSL encryption. In ConnectPlaza we use a keystore and a truststore, but both are Java Key Stores. This can be somewhat confusing, so let us explain the difference.

    ConnectPlaza keystore

    The ConnectPlaza keystore is the place where we store the keypairs for the connections to our services. The connecting party must have your public certificate to connect to your service. For instance, if you have an HTTPS listener, you store the keypair (private key and public certificate) of the connecting server in the keystore.

    ConnectPlaza truststore

    The ConnectPlaza truststore is the place where we store the public certificates of the sites we trust. These are the sites your application connects to. For instance, your email server can require a TLS connection; the certificate of your email server must then be uploaded into the truststore. Remember that it can be necessary to upload the entire chain of certificates! You will find more information about certificate chains on the internet.

    In short, you use the ConnectPlaza truststore if you want to connect to another service / server. It is an outbound connection. You use the ConnectPlaza keystore if you want another service / server to connect to your application. This is an inbound connection.

    Protocol

    The ConnectPlaza keystore and truststore accept keys and certificates in the X.509 or PKCS#12 format (usually .pfx or .p12 files). These can be self-signed certificates, or keys obtained from a certificate reseller.

    Using Java's own trusted SSL CA

    As of version 3.x of ConnectAgent, a default setting was introduced into the ConnectAgent properties file to enable Java's own trusted SSL CAs:

    connect.ssl.ca.truststore=true

    Open the file [connectplaza-agent-root]/conf/connectplaza-agent.properties. If you have an original pre-3.x version of the agent installed (an installation of a 2.x version that was updated to 3.x also counts as a pre-3.x original ConnectAgent), this setting is probably set to false.

    If you set this setting to true, you will probably have no problems trusting all kinds of HTTPS / SSL sites and services, because trust is now handled by the Java trusted SSL CAs, just as your browser instantly knows whether your chosen HTTPS site has a valid certificate. You only need to add certificates to your Agent's trusted certificates for self-signed certificates and for any CA that, for whatever reason, is not trusted by the Java trusted SSL CAs.

    If this setting is set to false, you must explicitly trust every specific HTTPS site and SSL service you connect to.

    The default setting as of 3.x is therefore TRUE.
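    The keystore/truststore split and the connect.ssl.ca.truststore switch can be shown in one piece of Java. The example below is added here and is not ConnectPlaza's own code: it loads the two .jks files named above, feeds the keystore to a KeyManager (inbound: what your listener presents) and the truststore to a TrustManager (outbound: whom the agent trusts), and, when the flag is true, consults the JVM's own CA bundle first, so only self-signed or otherwise untrusted-by-CA certificates need to be in the truststore. The contextDir argument, the passwords and the class name are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added illustration, not ConnectPlaza code. Passwords/paths below are assumptions. */
public class ConnectPlazaSslContextExample {

    static KeyStore loadJks(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Trust manager backed by the given store; a null store means the JVM's cacerts bundle. */
    static X509TrustManager trustManagerFor(KeyStore store) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** Accepts a chain if any delegate accepts it; otherwise rethrows the last failure. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeTrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        private void check(X509Certificate[] chain, String authType, boolean server)
                throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (server) tm.checkServerTrusted(chain, authType);
                    else tm.checkClientTrusted(chain, authType);
                    return; // one delegate (JVM CAs or agent truststore) trusts the chain
                } catch (CertificateException e) {
                    last = e; // keep the reason so the final error is meaningful
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { check(chain, authType, true); }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { check(chain, authType, false); }

        @Override public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            return all.toArray(new X509Certificate[0]);
        }
    }

    public static SSLContext build(String contextDir, char[] keyPass, char[] trustPass,
                                   boolean useJavaCas) throws IOException, GeneralSecurityException {
        // Inbound side: the keypair your HTTPS listener presents to connecting parties.
        KeyStore keystore = loadJks(contextDir + "/connectplaza_keystore.jks", keyPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPass);

        // Outbound side: JVM CA bundle first (if enabled), then the agent truststore,
        // which is where self-signed certificates and their full chains must live.
        List<X509TrustManager> trust = new ArrayList<>();
        if (useJavaCas) trust.add(trustManagerFor(null));
        trust.add(trustManagerFor(loadJks(contextDir + "/connectplaza_truststore.jks", trustPass)));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new CompositeTrustManager(trust) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same name as the agent property; "true" is the documented default as of 3.x.
        boolean useJavaCas = Boolean.parseBoolean(System.getProperty("connect.ssl.ca.truststore", "true"));
        // "changeit" is a placeholder password, not a ConnectPlaza default.
        SSLContext ctx = build("context", "changeit".toCharArray(), "changeit".toCharArray(), useJavaCas);
        System.out.println("SSLContext ready, JVM CA bundle consulted: " + useJavaCas);
    }
}
```

    With the flag false only the agent truststore is consulted, which is exactly why every HTTPS site and service then has to be imported by hand. Note that a delegate only succeeds if it can build a complete path to a trusted anchor, so a truststore that holds the leaf certificate but not its issuing intermediates will still fail for that site; that is the "upload the entire chain" remark from the truststore section.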

    Key exchange algorithms (SFTP connections)

    Using SSL you can run into certain key exchange issues. Some of the algorithms are no longer supported in your Java version, or the provider has a different default installed. Changes in the security layer happen a lot these days. With the SFTP Key Exchange field, you can force the application to use a certain key exchange algorithm.

    For more information about Key Exchange Algorithms, follow this link.

    You can modify the SSH ciphers, MACs and key exchange algorithms used by overriding the default settings with a Java system property: sftpKeyExchange. This system property is set with -DsftpKeyExchange=[yourciphers] in the ConnectPlaza Agent's wrapper.conf. You add this property using the wrapper.conf file format, i.e.:

    wrapper.java.additional.X = -DsftpKeyExchange=[yourciphers]

    And add this to the [connectplaza-agent-root]/yajsw/conf/wrapper.conf file.

    Included cipher suites in your connectplaza-agent.properties file

    As of version 3.4.0 there is a change in managing the cipher suites you may use when connecting with SSL. In the connectplaza-agent.properties file you will find an entry which looks like this:

    #connect.jetty.sslconnector.included.protocols=TLSv1,TLSv1.1,TLSv1.2

    This is the default setting. In some cases it is necessary to add one or more protocols. Normally you add them here with their full names. It was, however, possible to use wildcards: .* was a valid option in version 3.3.2 and below.

    As of version 3.4.0 this is no longer allowed. This setting is now used for internal as well as external connections, so you must put the full protocol name in this list. No wildcards are allowed anymore.
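    To see what "full names only" means in practice, the following added example (not ConnectPlaza code) reads the connect.jetty.sslconnector.included.protocols value, rejects wildcard entries such as .* and names the running JVM does not support, and applies the accepted names to an SSLEngine, which is what an SSL connector ultimately does with such a list. The class name and the assumption that the value is passed as a system property are mine; how the agent itself wires the property to its Jetty connector is not shown on this page.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Added illustration, not ConnectPlaza code. */
public class IncludedProtocolsCheck {

    /** Outcome of validating one comma-separated property value. */
    public static final class Check {
        public final List<String> accepted = new ArrayList<>();
        public final List<String> rejected = new ArrayList<>();
    }

    /** Protocol names the running JVM knows about (e.g. TLSv1.2, TLSv1.3). */
    static Set<String> supportedProtocols() throws NoSuchAlgorithmException {
        return new TreeSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
    }

    /** Apply the 3.4.0 rule: every entry must be a full, supported protocol name. */
    public static Check check(String propertyValue, Set<String> supported) {
        Check result = new Check();
        for (String raw : propertyValue.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) continue;
            // Regex-style patterns such as ".*" or "TLSv1.*" are no longer accepted.
            if (name.contains("*") || name.contains("?") || name.contains("[") || name.contains("(")) {
                result.rejected.add(name + " (wildcard, not allowed as of 3.4.0)");
            } else if (!supported.contains(name)) {
                result.rejected.add(name + " (not supported by this JVM)");
            } else {
                result.accepted.add(name);
            }
        }
        return result;
    }

    /** Restrict an engine to the accepted names; a connector does the same for each connection. */
    public static SSLEngine configure(SSLContext ctx, List<String> protocols) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(protocols.toArray(new String[0]));
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Default value taken from the page; override with -Dconnect.jetty.sslconnector.included.protocols=...
        String value = System.getProperty("connect.jetty.sslconnector.included.protocols",
                "TLSv1,TLSv1.1,TLSv1.2");
        Check c = check(value, supportedProtocols());
        System.out.println("accepted: " + c.accepted);
        System.out.println("rejected: " + c.rejected);
        if (!c.accepted.isEmpty()) {
            SSLEngine engine = configure(SSLContext.getDefault(), c.accepted);
            System.out.println("engine protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```

    One caveat when reading the "accepted" list: a name can be supported by the JVM and still be disabled at runtime through the jdk.tls.disabledAlgorithms entry in the JDK's java.security file (recent JDKs disable TLSv1 and TLSv1.1 this way), so the engine's getEnabledProtocols() is the value to check after configuration, not just the property.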



    Copyright © 2018 ConnectPlaza.   For pricing, account management and more go to https://www.connectplaza.com
