Sterling B2B Integrator uses IBM JSSE2 parameters to control how restrictive SSL/TLS renegotiation is. In the original TLS design a renegotiation was not bound to the connection it ran on, which let an attacker splice their own traffic in front of a client's; RFC 5746 closes this by having both peers signal support for secure renegotiation in the initial handshake and by tying every renegotiation to the handshake that preceded it. The following parameters can be set in the security.properties file. They apply to TLS 1.2 and earlier; TLS 1.3 has no renegotiation.
Parameter Name: com.ibm.jsse2.extended.renegotiation.indicator

Definition: Use this property to require the RFC 5746 renegotiation indicator in every initial handshake, not only in renegotiations. Requiring it is practical only after all communication partners have implemented RFC 5746. The default setting is OPTIONAL.

Valid values are:
- BOTH - Causes the IBM JSSE2 server or IBM JSSE2 client to connect only if the peer indicated support for RFC 5746 renegotiation. Note: Setting the property to BOTH causes interoperability problems with clients or servers that have not been updated to support RFC 5746.
- CLIENT - Causes the IBM JSSE2 client to connect only if the server indicated support for RFC 5746 renegotiation. Note: Setting the property to CLIENT causes interoperability problems with servers that have not been updated to support RFC 5746.
- OPTIONAL - This setting is the default. The IBM JSSE2 server and IBM JSSE2 client do not require the renegotiation indicator during the initial handshake, so connections with peers that have not implemented RFC 5746 are still accepted.
- SERVER - Causes the IBM JSSE2 server to connect only if the client indicated support for RFC 5746 renegotiation. Note: Setting the property to SERVER causes interoperability problems with clients that have not been updated to support RFC 5746.

Parameter Name: com.ibm.jsse2.renegotiate

Definition: Use this property to control which kinds of renegotiation IBM JSSE2 permits. The default value is NONE.

Valid values are:
- ABBREVIATED - Allows an insecure (non-RFC 5746) abbreviated handshake during renegotiation when session continuity is proven, that is, when the existing session is resumed. RFC 5746 renegotiations are allowed.
- ALL - Allows both insecure full handshakes and insecure abbreviated handshakes during renegotiation. RFC 5746 renegotiations are allowed. This is the least restrictive setting and reopens the weakness that RFC 5746 was written to close; use it only for a legacy partner that cannot be updated.
- DISABLED - Disables all renegotiation, both insecure and RFC 5746. This is the most restrictive setting and is appropriate when no partner needs to renegotiate.
- NONE - This setting is the default. No insecure renegotiation is allowed; only RFC 5746 renegotiations are allowed.

Parameter Name: com.ibm.jsse2.renegotiation.peer.cert.check

Definition: Use this property to control whether IBM JSSE2 checks that the peer's certificate does not change during renegotiation. The default value is OFF.

Valid values are:
- OFF - This setting is the default. The IBM JSSE2 client or IBM JSSE2 server performs no identity check against the certificate presented by the peer, so the peer certificate is allowed to change during renegotiation.
- ON - Causes the IBM JSSE2 client or IBM JSSE2 server to compare the certificate presented during renegotiation with the one from the original handshake, to ensure that the certificate does not change during renegotiation. The comparison applies to both secure and insecure renegotiations.
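As an added example, not part of the Sterling B2B Integrator documentation or product, the following POSIX shell script applies the restrictive combination described above (renegotiate=NONE, peer.cert.check=ON, and an operator-chosen indicator) to a security.properties file and checks the result. It assumes the file uses plain key=value lines without surrounding whitespace, that the file path is passed as an argument, and that openssl is available for the optional live check; the function names and the sample openssl output line are this example's own.

```shell
#!/bin/sh
# Added example: harden IBM JSSE2 renegotiation settings in a security.properties
# file and verify the result. Not part of Sterling B2B Integrator; function names,
# file paths and the openssl output handling are this example's own assumptions.

# Print the value of key $2 from properties file $1 (empty if absent).
get_prop() {
  awk -v k="$2" 'index($0, k "=") == 1 { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Set key $2 to value $3 in properties file $1, replacing the first existing line,
# dropping any duplicates, or appending one. Matching on "key=" keeps
# com.ibm.jsse2.renegotiate from clobbering com.ibm.jsse2.renegotiation.peer.cert.check.
set_prop() {
  [ -f "$1" ] || : > "$1"
  awk -v k="$2" -v v="$3" '
    index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Apply the restrictive combination from the table:
#   renegotiate=NONE           only RFC 5746 renegotiation (use DISABLED if none is needed)
#   peer.cert.check=ON         the peer certificate may not change mid-connection
#   indicator=$2               BOTH once every partner speaks RFC 5746; OPTIONAL (default)
#                              keeps interoperability with partners that do not
harden_renegotiation() {
  set_prop "$1" com.ibm.jsse2.renegotiate NONE
  set_prop "$1" com.ibm.jsse2.renegotiation.peer.cert.check ON
  set_prop "$1" com.ibm.jsse2.extended.renegotiation.indicator "${2:-OPTIONAL}"
}

# Print the three renegotiation settings as they now stand in file $1.
show_renegotiation_config() {
  for k in com.ibm.jsse2.renegotiate \
           com.ibm.jsse2.renegotiation.peer.cert.check \
           com.ibm.jsse2.extended.renegotiation.indicator; do
    printf '%s=%s\n' "$k" "$(get_prop "$1" "$k")"
  done
}

# Read openssl s_client output on stdin; succeed only if the server advertised the
# RFC 5746 renegotiation_info extension. The "IS NOT supported" line does not match.
renegotiation_status_ok() {
  grep -q 'Secure Renegotiation IS supported'
}

# Live check of a listener at host $1, port $2 (needs network access and openssl).
# TLS 1.3 has no renegotiation, so the handshake is pinned to TLS 1.2, where
# these settings apply.
check_secure_renegotiation() {
  openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null | renegotiation_status_ok
}

# Usage: sh harden_renegotiation.sh /path/to/security.properties [BOTH|CLIENT|SERVER|OPTIONAL]
if [ "$#" -ge 1 ]; then
  harden_renegotiation "$1" "${2:-OPTIONAL}"
  show_renegotiation_config "$1"
fi
```

Run it against a copy of security.properties first and diff the result; the only lines that should change are the three renegotiation keys. Pass BOTH as the second argument only once every partner has been confirmed, with check_secure_renegotiation or an equivalent, to advertise RFC 5746 support.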