ConnectionFactory SSL parameters

For more information about each parameter, see the description of the equivalent parameter in tibemsd.conf.

Parameter Description
ssl_vendor The vendor name of the SSL implementation that the client uses. Since software release 8.4.0, only one vendor (JSSE) is supported for the Java client, so use of this parameter is optional in that context.
ssl_identity The client’s digital certificate.

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_issuer Issuer’s certificate chain for the client’s certificate. Supply the entire chain, including the CA root certificate. The client reads the certificates in the chain in the order they are presented in this parameter.

Example

ssl_issuer = certs\CA_root.pem
ssl_issuer = certs\CA_child1.pem
ssl_issuer = certs\CA_child2.pem

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_private_key The client’s private key. If the key is included in the digital certificate in ssl_identity, then you may omit this parameter.

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_trusted List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates.

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_verify_host Specifies whether the client should verify the server’s certificate. The values for this parameter are enabled or disabled. By default, this parameter is enabled, signifying that the client should verify the server’s certificate.

When disabled, the client still establishes an encrypted connection to the server, but does not verify the server’s identity.

ssl_verify_hostname Specifies whether the client should verify the name in the CN field of the server’s certificate. The values for this parameter are enabled or disabled. By default, this parameter is enabled, signifying that the client should verify the name of the connected host (or the name specified in the ssl_expected_hostname parameter) against the value in the server’s certificate. If the names do not match, the client rejects the connection.

When disabled, the client still establishes an encrypted connection to the server, but does not verify the server’s name.

ssl_expected_hostname The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server.

The value of this parameter is used when the ssl_verify_hostname parameter is enabled.

ssl_ciphers Specifies the cipher suites that the client can use.

Supply a colon-separated list of cipher names. Names may be either OpenSSL names or the longer descriptive names.

For more information, see Specify Cipher Suites.

ssl_auth_only Specifies whether SSL should be used to encrypt all server-client communications, or only for client authentication.

When enabled, the client requests that SSL be used only for authentication. The server then uses plain TCP for all further data exchange. When disabled or absent, all communication between the client and server must be SSL encrypted.

For an overview of this feature, see SSL Authentication Only.

ssl_rand_egd The path for the entropy gathering daemon (EGD), if one is installed. This daemon generates random data for the client.
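The following is an added example, not part of this documentation page or of the TIBCO product itself. It parses a constructed factory definition written in the key = value style used above (repeated ssl_issuer lines kept in the order given), flags the settings that weaken server authentication or leave message data unencrypted (ssl_verify_host, ssl_verify_hostname, ssl_auth_only, missing ssl_trusted), and shows the corrected settings beside the weak ones. File names and the helper names are assumptions for illustration.

```python
# Constructed sample of a factory's SSL parameters (file names are placeholders).
WEAK_FACTORY = r"""
ssl_identity = certs\client.p12
ssl_issuer = certs\CA_root.pem
ssl_issuer = certs\CA_child1.pem
ssl_trusted = certs\CA_root.pem
ssl_verify_host = disabled
ssl_verify_hostname = disabled
ssl_auth_only = enabled
"""

# Parameters that may be given on several lines; order of appearance is kept.
MULTI_VALUED = {"ssl_issuer", "ssl_trusted"}


def parse_ssl_params(text):
    """Parse 'key = value' lines into a dict; multi-valued keys become ordered lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in MULTI_VALUED:
            params.setdefault(key, []).append(value)
        else:
            params[key] = value
    return params


def audit_ssl_params(params):
    """Return findings for settings that weaken server authentication or encryption."""
    findings = []
    # Both verify parameters default to enabled; only an explicit 'disabled' weakens them.
    if params.get("ssl_verify_host", "enabled").lower() == "disabled":
        findings.append("ssl_verify_host=disabled: server certificate is not verified")
    if params.get("ssl_verify_hostname", "enabled").lower() == "disabled":
        findings.append("ssl_verify_hostname=disabled: server certificate CN is not checked")
    # ssl_auth_only defaults to disabled; enabled means data flows over plain TCP.
    if params.get("ssl_auth_only", "disabled").lower() == "enabled":
        findings.append("ssl_auth_only=enabled: only authentication uses SSL, data is plain TCP")
    if not params.get("ssl_trusted"):
        findings.append("ssl_trusted missing: no CA roots to validate the server certificate")
    return findings


def harden(params):
    """Return a copy of params with the weak settings replaced by the safe ones."""
    fixed = dict(params)
    fixed["ssl_verify_host"] = "enabled"
    fixed["ssl_verify_hostname"] = "enabled"
    fixed["ssl_auth_only"] = "disabled"  # equivalent to omitting it: everything is encrypted
    return fixed
```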