You can specify programmatically which Secure Sockets Layer (SSL)
configurations to use prior to making an outbound connection. The com.ibm.websphere.ssl.JSSEHelper
interface provides a complete set of application programming interfaces (APIs)
for handling SSL configurations.
About this task
Perform the following steps for your application when using the JSSEHelper
API to establish an SSL properties object on the thread for use by the runtime.
Some of these APIs have Java 2 Security permission requirements. See the JSSEHelper
API documentation for more information about the permissions required by your
application.
Select the approach that best fits your connection situation
when you specify programmatically which Secure Sockets Layer (SSL) configurations
to use prior to making an outbound connection.
Procedure
- Obtain an instance of the JSSEHelper API.
com.ibm.websphere.ssl.JSSEHelper jsseHelper = com.ibm.websphere.ssl.JSSEHelper.getInstance();
- Obtain SSL properties from the WebSphere Application Server configuration
or use those provided by your application. Use one of the following
options.
- By direction selection of an alias name, within the same management scope
or higher as in the following example:
try { String alias = "NodeAServer1SSLSettings"; // As specified in the WebSphere SSL configuration Properties sslProps = jsseHelper.getProperties(alias); } catch (com.ibm.websphere.ssl.SSLException e) { e.printStackTrace(); // handle exception }
- By using the getProperties API for programmatic, direction, dynamic outbound,
or management scope selection (based on precedence rules and inheritance).
The SSL runtime uses the getProperties API to determine which SSL configuration
to use for a particular protocol. This decision is based on both the input
(sslAlias and connectionInfo) and the management scope from which the property
is called. The getProperties API makes decisions in the following order:
- The API checks the thread to see if properties already exist.
- The API checks for a dynamic outbound configuration that matches the ENDPOINT_NAME,
REMOTE_HOST, and or REMOTE_PORT.
- The API checks to see if the optional sslAlias property is specified.
You can configure any protocol as direct or centrally managed. When a protocol
is configured as direct, the sslAlias parameter is null. When a protocol
is configured as centrally managed, the sslAlias parameter is also null.
- If no selection has been made, the API chooses the dynamic outbound configuration
based on the management scope it was called from. If the dynamic outbound
configuration is not defined in the same scope, it then searches the hierarchy
to locate one.
The last choice is the cell-scoped SSL configuration (in Network Deployment)
or the node-scoped SSL configuration (in Base Application Server). The com.ibm.websphere.ssl.SSLConfigChangeListener
parameter is notified when the SSL configuration that is chosen by a call
to the getProperties API changes. The protocol can then call the API again
to obtain the new properties as in the following example:
try { String sslAlias = null; // The sslAlias is not specified directly at this time. String host = "myhost.austin.ibm.com"; // the target host String port = "443"; // the target port HashMap connectionInfo = new HashMap(); connectionInfo.put(JSSEHelper.CONNECTION_INFO_DIRECTION, JSSEHelper.DIRECTION_OUTBOUND); connectionInfo.put(JSSEHelper.CONNECTION_INFO_REMOTE_HOST, host); connectionInfo.put(JSSEHelper.CONNECTION_INFO_REMOTE_PORT, Integer.toString(port)); connectionInfo.put(JSSEHelper.CONNECTION_INFO_ENDPOINT_NAME, JSSEHelper.ENDPOINT_IIOP); java.util.Properties props = jsseHelper.getProperties(sslAlias, connectionInfo, null); } catch (com.ibm.websphere.ssl.SSLException e) { e.printStackTrace(); // handle exception }
- By creating your own SSL properties and then passing them to the runtime,
as in the following example:
try { // This is the recommended "minimum" set of SSL properties. The trustStore can // be the same as the keyStore. Properties sslProps = new Properties(); sslProps.setProperty("com.ibm.ssl.trustStore", "some value"); sslProps.setProperty("com.ibm.ssl.trustStorePassword", "some value"); sslProps.setProperty("com.ibm.ssl.trustStoreType", "some value"); sslProps.setProperty("com.ibm.ssl.keyStore", "some value"); sslProps.setProperty("com.ibm.ssl.keyStorePassword", "some value"); sslProps.setProperty("com.ibm.ssl.keyStoreType", "some value"); jsseHelper.setSSLPropertiesOnThread(sslProps); } catch (com.ibm.websphere.ssl.SSLException e) { e.printStackTrace(); // handle exception }
- Use the JSSEHelper.setSSLPropertiesOnThread(props) API to set the
Properties object on the thread so that the runtime picks it up and uses the
same JSSEHelper.getProperties API. You can also obtain properties
from the thread after they are set with the jsseHelper.getSSLPropertiesOnThread()
API, as in the following example:
try { Properties sslProps = jsseHelper.getProperties(null, connectionInfo, null); jsseHelper.setSSLPropertiesOnThread(sslProps); } catch (com.ibm.websphere.ssl.SSLException e) { e.printStackTrace(); // handle exception }
- When the connection is completed, you must clear the SSL properties
from the thread by passing the null value to the setPropertiesOnThread
API.
try { jsseHelper.setSSLPropertiesOnThread(null); } catch (com.ibm.websphere.ssl.SSLException e) { e.printStackTrace(); // handle exception }