WebSphere® Application Server provides
a way to specify programmatically which Secure Sockets Layer (SSL)
configurations to use prior to making an outbound connection. The
com.ibm.websphere.ssl.JSSEHelper interface provides a complete set
of application programming interfaces (APIs) for handling SSL configurations.
About this task
Perform the following steps for your application when using
the JSSEHelper API to establish an SSL properties object on the thread
for use by the runtime. Some of these APIs have Java™ 2
Security permission requirements. See the JSSEHelper API documentation
for more information about the permissions required by your application.Select
the approach that best fits your connection situation when you specify
programmatically which Secure Sockets Layer (SSL) configurations to
use prior to making an outbound connection.
Procedure
- Obtain an instance of the JSSEHelper API.
com.ibm.websphere.ssl.JSSEHelper jsseHelper = com.ibm.websphere.ssl.JSSEHelper.getInstance();
- Obtain SSL properties from the WebSphere Application Server configuration
or use those provided by your application.
Use one of the
following options.
- By direction selection of an alias name, within the same management
scope or higher as in the following example:
try
{ String alias = "NodeAServer1SSLSettings";
// As specified in the WebSphere SSL configuration Properties
sslProps = jsseHelper.getProperties(alias); }
catch (com.ibm.websphere.ssl.SSLException e)
{ e.printStackTrace(); // handle exception }
- By using the getProperties API for programmatic, direction, dynamic
outbound, or management scope selection (based on precedence rules
and inheritance). The SSL runtime uses the getProperties API to determine
which SSL configuration to use for a particular protocol. This decision
is based on both the input (sslAlias and connectionInfo) and the management
scope from which the property is called. The getProperties API makes
decisions in the following order:
- The API checks the thread to see if properties already exist.
- The API checks for a dynamic outbound configuration that matches
the ENDPOINT_NAME, REMOTE_HOST, and or REMOTE_PORT.
- The API checks to see if the optional sslAlias property is specified.
You can configure any protocol as direct or centrally managed. When
a protocol is configured as direct, the sslAlias parameter is null.
When a protocol is configured as centrally managed, the sslAlias parameter
is also null.
- If no selection has been made, the API chooses the dynamic outbound
configuration based on the management scope it was called from. If
the dynamic outbound configuration is not defined in the same scope,
it then searches the hierarchy to locate one.
The last choice is the cell-scoped SSL configuration (in WebSphere Application Server Network Deployment) or the node-scoped
SSL configuration (in Base Application Server). The com.ibm.websphere.ssl.SSLConfigChangeListener
parameter is notified when the SSL configuration that is chosen by
a call to the getProperties API changes. The protocol can then call
the API again to obtain the new properties as in the following example:
try { String sslAlias = null;
// The sslAlias is not specified directly at this time. String host = "myhost.austin.ibm.com";
// the target host String port = "443";
// the target port HashMap connectionInfo = new HashMap();
connectionInfo.put(JSSEHelper.CONNECTION_INFO_DIRECTION, JSSEHelper.DIRECTION_OUTBOUND);
connectionInfo.put(JSSEHelper.CONNECTION_INFO_REMOTE_HOST, host);
connectionInfo.put(JSSEHelper.CONNECTION_INFO_REMOTE_PORT, Integer.toString(port));
connectionInfo.put(JSSEHelper.CONNECTION_INFO_ENDPOINT_NAME, JSSEHelper.ENDPOINT_IIOP);
java.util.Properties props = jsseHelper.getProperties(sslAlias, connectionInfo, null); }
catch (com.ibm.websphere.ssl.SSLException e)
{ e.printStackTrace(); // handle exception }
- By creating your own SSL properties and then passing them to the
runtime, as in the following example:
try {
// This is the recommended "minimum" set of SSL properties. The trustStore can
// be the same as the keyStore. Properties sslProps = new Properties();
sslProps.setProperty("com.ibm.ssl.trustStore", "some value");
sslProps.setProperty("com.ibm.ssl.trustStorePassword", "some value");
sslProps.setProperty("com.ibm.ssl.trustStoreType", "some value");
sslProps.setProperty("com.ibm.ssl.keyStore", "some value");
sslProps.setProperty("com.ibm.ssl.keyStorePassword", "some value");
sslProps.setProperty("com.ibm.ssl.keyStoreType", "some value");
jsseHelper.setSSLPropertiesOnThread(sslProps); }
catch (com.ibm.websphere.ssl.SSLException e)
{ e.printStackTrace(); // handle exception }
- Use the JSSEHelper.setSSLPropertiesOnThread(props) API
to set the Properties object on the thread so that the runtime picks
it up and uses the same JSSEHelper.getProperties API.
You
can also obtain properties from the thread after they are set with
the jsseHelper.getSSLPropertiesOnThread() API, as in the following
example:
try
{ Properties sslProps = jsseHelper.getProperties(null, connectionInfo, null);
jsseHelper.setSSLPropertiesOnThread(sslProps); }
catch (com.ibm.websphere.ssl.SSLException e)
{ e.printStackTrace(); // handle exception }
- When the connection is completed, you must clear the SSL
properties from the thread by passing the null value to the
setPropertiesOnThread API.
try
{ jsseHelper.setSSLPropertiesOnThread(null); }
catch (com.ibm.websphere.ssl.SSLException e)
{ e.printStackTrace(); // handle exception }