Package com.tibco.tibjms
Class TibjmsSSL
java.lang.Object
    com.tibco.tibjms.TibjmsSSL
public class TibjmsSSL extends java.lang.Object
Provides methods and defines properties and miscellaneous constants which are used to set parameters for TLS connections.
Normally a client EMS application obtains its TLS setup as part of the ConnectionFactory definition, and client applications usually obtain the ConnectionFactory via JNDI lookup calls. In some cases, however, it may be more convenient, or required, to define the TLS parameters locally in the client rather than take them from the result of the JNDI lookup. This may be necessary, for example, when for security reasons the JNDI lookup itself cannot be performed securely over TLS.
An EMS client communicates with the server over TLS when the server URL given to the ConnectionFactory has the form ssl://host:port. The one exception is TIBCO Enterprise Message Service JNDI lookups: there the provider URL specifies the tibjmsnaming protocol and the TLS connection type is set via the com.tibco.tibjms.naming.TibjmsContext.SECURITY_PROTOCOL environment property.
When the connection between the client and the server is a TLS connection, both the server and the client application must set parameters for the TLS handshake to succeed. The server parameters are set by the administrator. Each client application is responsible for setting its TLS parameters correctly in order to establish a TLS connection to the server. A client can set up its TLS parameters in one of three ways:
1. All TLS parameters are specified in the ConnectionFactory, which the client obtains via a JNDI lookup call. Note that this does not address the issue of making the JNDI lookup calls themselves over a TLS connection.
2. TLS parameters are set globally via calls to this class. When a ConnectionFactory uses a URL with the 'ssl' protocol but does not specify any other TLS parameters, the TLS parameters set via the methods of this class are used.
3. The client application creates a Map of TLS parameters and passes it directly to the constructor of TibjmsTopicConnectionFactory or TibjmsQueueConnectionFactory.
Note that when using the native JNDI support of TIBCO Enterprise Message Service, JNDI lookup calls can also be made securely over TLS. See the documentation of the com.tibco.tibjms.naming.TibjmsContext class for details.
TLS Vendors.
TIBCO Enterprise Message Service supports multiple TLS vendors. Currently it supports the JSSE vendor (JSSE, the Java Secure Socket Extension, is an add-on package for JDK 1.3.x and is included with JDK 1.4.0 and later). The TLS vendor can be specified in the ConnectionFactory the client application loads via a JNDI lookup call, or it can be set directly as a JNDI context or ConnectionFactory property. The currently valid values for the vendor specification are the following strings:
'j2se' - to specify Sun's JSSE TLS vendor.
'j2se-default' - to specify the default JSSE TLS vendor. Sun and IBM JSSE providers are supported.
'bcfips' - to specify the Bouncy Castle FIPS vendor.
Note that after the first TLS connection is initialized, the TLS vendor cannot be changed; any later vendor specification is ignored for all subsequent connections created by the same application.
SSL Parameters.
When a client establishes a TLS connection to the EMS server, it must either specify the trusted server certificates or completely disable host verification. If it does neither, the TLS handshake fails.
Trusted server certificates are the certificates of the issuers of the server certificate; the client can specify more than one. Alternatively the client can disable server certificate verification altogether, in which case it effectively trusts any server. If the client specifies trusted certificates, it should also make sure that the common name in the certificate presented by the server is the same as the server host name, or it can supply another name against which the name in the certificate is verified. Alternatively the client can disable host name verification or supply a custom host name verifier.
If the server requires clients to present certificates, the client must set its client-side certificate, private key and, optionally, issuer certificates before establishing the TLS connection to the server. The client can also specify which cipher suites it allows and in which order of preference.
Certificates, Private Key and Identity formats.
A number of formats are supported for representing the set of trusted certificates, the client certificate, the client private key and, optionally, extra issuer certificates. Note also that the client identity, consisting of the certificate, the private key and optionally extra issuer certificates, can be combined into a single data block using the PKCS12 or KeyStore encodings.
The set of Trusted Certificates represents all trusted issuers of the server certificate. It must be specified by the client application unless host certificate verification is completely disabled. Trusted Certificates can be present in PEM or DER format or as a PKCS7 file. The client certificate can be present in PEM or DER format or be part of PKCS12 or KeyStore data. The private key can be present as a PKCS8 file or be part of PKCS12 or KeyStore data. Issuer certificates can be present in PEM or DER format or be part of PKCS12 or KeyStore data. Currently JSSE does not support PKCS8-encoded private keys, so when using the "j2se" TLS vendor the client identity must be presented as either PKCS12 or KeyStore data.
When a certificate, private key or store is passed to any method of this class or is set as the value of the corresponding property, the format of the data can be detected automatically or, if not, the format must be specified explicitly by the application. In all cases data passed as byte[] or InputStream needs no format specification if it represents one or more certificates encoded in PEM or DER format.
The following data types are accepted:
1. java.lang.String. If a certificate, identity or private key is specified as a java.lang.String, the value must be the name of a file on disk. If the file name has one of the predefined extensions described below, it is not necessary to provide the type of the data in the file. If the file name does not end with one of the predefined extensions, the type parameter or the corresponding property must be present.
2. byte[]. Can be used to specify the certificate, the private key or the store data. If specified byte[] represents one or more certificates in PEM or DER format or a private key in PKCS8 format then the type is not required. If the specified byte[] contains serialized PKCS12, or Java KeyStore data then the type must be specified.
3. java.io.InputStream. Can represent one or more certificates in PEM or DER format, private key in PKCS8 format, serialized PKCS12, or Java KeyStore data. The encoding and the type requirements are the same as for byte[] data.
4. java.security.cert.X509Certificate. Can be used to present a trusted certificate, client certificate or issuer certificate.
5. java.security.cert.X509Certificate[]. Can be used to present a set of trusted certificates.
6. java.security.KeyStore. Can be used to present Java KeyStore object as client identity data. Normally the KeyStore object includes the client certificate, corresponding private key and optionally extra issuer certificates.
Standard File Name Extensions.
File names are accepted as the name of a certificate or private key file in many TLS parameters, such as trusted certificates and client identity. When a file name is specified it should either end with one of the standard extensions defining the encoding of the file, or the file encoding must be provided separately, for instance as a parameter to addTrustedCerts or as an Integer object in the Vector of trusted certificates set by the TRUSTED_CERTIFICATES property. The standard extensions are: .pem (PEM), .der (DER), .p8 (PKCS8), .p12 (PKCS12), .p7b (PKCS7), and .jks (Java KeyStore). Note that depending on the usage and the chosen TLS vendor, not all formats are supported in all cases.
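The following is an added example, not code from TIBCO's documentation or library, showing the global setup described under "SSL Parameters" (option 2 above) together with the data types and file-name conventions from the two sections just read: trusted issuer certificates from a .pem file, an extra issuer certificate in a file without a standard extension (so the encoding is passed explicitly), the client identity either as a PKCS12 file or as a java.security.KeyStore object, and the host and host-name checks. The class name EmsTlsSetup, all file paths and the expected host name are placeholders; the TibjmsSSL calls are those listed in the Method Summary on this page, and the broad throws clauses are used because the checked exceptions those methods may declare are not shown here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import com.tibco.tibjms.TibjmsSSL;

// Added example (not TIBCO's code). Sets the process-wide TLS parameters that a
// ConnectionFactory with an ssl:// URL and no TLS parameters of its own will use.
// Every path and name below is a placeholder constructed for this example.
public class EmsTlsSetup {

    // Trusted issuers of the EMS server certificate (.pem: encoding detected from the extension).
    static final String TRUSTED_CA_FILE = "/etc/ems/tls/ca-chain.pem";
    // Intermediate issuer of the client certificate, stored in a file without one of the
    // standard extensions, so the encoding must be passed explicitly.
    static final String CLIENT_ISSUER_FILE = "/etc/ems/tls/client-intermediate.crt";
    // Client certificate, private key and issuers as one PKCS12 block. JSSE ("j2se") does not
    // accept PKCS8 private keys, so the identity is supplied as PKCS12 or a KeyStore.
    static final String CLIENT_IDENTITY_FILE = "/etc/ems/tls/client-identity.p12";
    // Name expected in the server certificate when it differs from the host in the ssl:// URL,
    // e.g. when the URL points at a load balancer address.
    static final String EXPECTED_SERVER_NAME = "ems-broker.example.internal";

    /** Configure TLS from files on disk. Call once, before the first EMS connection is created. */
    public static void configureFromFiles(char[] identityPassword) throws Exception {
        // The vendor is fixed at the first TLS connection; choose it before anything else.
        TibjmsSSL.setVendor("j2se");

        // Server-side trust: without this (or with verification disabled) the handshake fails.
        TibjmsSSL.clearTrustedCerts();
        TibjmsSSL.addTrustedCerts(TRUSTED_CA_FILE);          // .pem, encoding auto-detected

        // Client-side identity, for servers that require client certificates.
        TibjmsSSL.clearIssuerCerts();
        TibjmsSSL.addIssuerCerts(CLIENT_ISSUER_FILE, TibjmsSSL.ENCODING_DER);
        TibjmsSSL.setIdentity(CLIENT_IDENTITY_FILE, TibjmsSSL.ENCODING_PKCS12, identityPassword);

        // Verify the server certificate chain AND the name inside it. Turning either check off
        // widens who is accepted; setVerifyHost(false) in particular accepts any server at all.
        TibjmsSSL.setVerifyHost(true);
        TibjmsSSL.setVerifyHostName(true);
        TibjmsSSL.setExpectedHostName(EXPECTED_SERVER_NAME);
    }

    /** Same setup, but with the identity as a java.security.KeyStore the application loaded itself. */
    public static void configureFromKeyStore(KeyStore clientIdentity, char[] keyPassword) throws Exception {
        TibjmsSSL.setVendor("j2se");
        TibjmsSSL.clearTrustedCerts();
        TibjmsSSL.addTrustedCerts(TRUSTED_CA_FILE);
        // A KeyStore object needs no encoding hint: the setIdentity(Object, char[]) overload takes it.
        TibjmsSSL.setIdentity(clientIdentity, keyPassword);
        TibjmsSSL.setVerifyHost(true);
        TibjmsSSL.setVerifyHostName(true);
        TibjmsSSL.setExpectedHostName(EXPECTED_SERVER_NAME);
    }

    /** Helper: load a PKCS12 file into a KeyStore with the standard JDK API. */
    public static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Read the password from a console or a secret store; never hard-code it in the source.
        char[] password = System.console() != null
            ? System.console().readPassword("Client identity password: ")
            : new char[0];
        configureFromFiles(password);
        // Alternative with an application-loaded KeyStore:
        // configureFromKeyStore(loadPkcs12(CLIENT_IDENTITY_FILE, password), password);
        System.out.println("TLS vendor in use: " + TibjmsSSL.getVendor());
        System.out.println("verify host=" + TibjmsSSL.getVerifyHost()
            + " verify host name=" + TibjmsSSL.getVerifyHostName()
            + " expected name=" + TibjmsSSL.getExpectedHostName());
    }
}
```

Run this before any ConnectionFactory with an ssl:// URL is used; a ConnectionFactory that carries its own TLS parameters (option 1 or 3 above) overrides these global values for the connections it creates.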
Cipher Suites.
The cipher suites supported by EMS clients are defined by this class as int values. When a client application is required to change the priority of cipher suites, or only use selected cipher suites, it can do so by setting the list of cipher suites. The list of cipher suites can be presented as an array of int values or alternatively as a java.lang.String value containing the list of cipher suite names. When the String representation is used, the application can specify only cipher suites to add or remove and can also change the priority of the cipher suite. When the list of cipher suites is presented as array of int values, it must specify all cipher suites allowed by the application in the order of priority.
When a String with the list of names is used, each cipher suite name can be prepended with a special character:
'+' - add cipher suite to the list
'-' - remove cipher suite from the list
'<' - move the cipher suite to be the first in the list
'>' - move the cipher suite to be the last in the list
The accepted cipher suite names are the same as the constant names defined by this class. OpenSSL names can also be used, as can the short names used by TIBCO Enterprise Message Service in its configuration files. A client can also specify 'ALL' in the string form to allow all available cipher suites; the EMS server and the client then negotiate which cipher is used. It is advised that Java applications only use the full names as defined by this class:
since EMS 8.3.0
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
since EMS 8.5.1
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
since EMS 10.0.0
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
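As an added example, not from TIBCO's documentation or library, here are the two forms of cipher suite specification described in the "Cipher Suites" section applied through setCipherSuites(int[]) and setCipherSuites(String), with the name-to-number helpers used to check the result. The class name EmsCipherPolicy is invented. The separator between suite names in the String form is not stated on this page; the ':' used here is an assumption to verify against the EMS user guide for the release in use.

```java
import java.util.ArrayList;
import java.util.List;

import com.tibco.tibjms.TibjmsSSL;

// Added example (not TIBCO's code): restricting the cipher suites an EMS client negotiates.
public class EmsCipherPolicy {

    // Form 1, int[]: the COMPLETE allowed list, in priority order. Only AEAD suites, and only
    // TLS 1.3 or ECDHE suites, so that every session key has forward secrecy.
    static final int[] ALLOWED_IN_PRIORITY_ORDER = {
        TibjmsSSL.TLS_AES_256_GCM_SHA384,
        TibjmsSSL.TLS_CHACHA20_POLY1305_SHA256,
        TibjmsSSL.TLS_AES_128_GCM_SHA256,
        TibjmsSSL.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TibjmsSSL.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TibjmsSSL.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
        TibjmsSSL.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
        TibjmsSSL.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TibjmsSSL.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    /** Form 1: hand over an explicit list, dropping suites the selected TLS vendor cannot provide. */
    public static int[] applyExplicitList() {
        List<Integer> usable = new ArrayList<>();
        for (int suite : ALLOWED_IN_PRIORITY_ORDER) {
            if (TibjmsSSL.isCipherSuiteSupported(suite)) {
                usable.add(suite);
            } else {
                System.err.println("skipping unsupported suite " + TibjmsSSL.getCipherSuiteName(suite));
            }
        }
        int[] list = usable.stream().mapToInt(Integer::intValue).toArray();
        if (list.length == 0) {
            // Fail closed rather than silently falling back to the vendor default list.
            throw new IllegalStateException("none of the allowed cipher suites is supported by this TLS vendor");
        }
        TibjmsSSL.setCipherSuites(list);
        return list;
    }

    /** Form 2: edit the current list with the '+', '-', '<' and '>' prefixes. */
    public static String applyEditSpec() {
        // Separator ':' is an assumption (not stated on the page). The spec reads:
        //   remove the CBC/SHA-1 RSA suites, add the TLS 1.3 AES-GCM suites,
        //   move ECDHE-RSA AES-256-GCM to the front and the non-forward-secret
        //   RSA key exchange suite to the back.
        String spec = "-TLS_RSA_WITH_AES_128_CBC_SHA"
                    + ":-TLS_RSA_WITH_AES_256_CBC_SHA"
                    + ":+TLS_AES_256_GCM_SHA384"
                    + ":+TLS_AES_128_GCM_SHA256"
                    + ":<TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                    + ":>TLS_RSA_WITH_AES_128_GCM_SHA256";
        TibjmsSSL.setCipherSuites(spec);
        return spec;
    }

    /** Name to number mapping, for policies that arrive from a configuration file as names. */
    public static int[] numbersFor(String... names) {
        int[] out = new int[names.length];
        for (int i = 0; i < names.length; i++) {
            out[i] = TibjmsSSL.getCipherSuiteNumber(names[i]);
            if (!TibjmsSSL.isCipherSuiteSupported(names[i])) {
                System.err.println("configured suite not supported by this vendor: " + names[i]);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        TibjmsSSL.setVendor("j2se");
        applyExplicitList();
        System.out.println("client will offer, in order:");
        for (String name : TibjmsSSL.getClientCipherSuites()) {
            System.out.println("  " + name);
        }
    }
}
```

The int[] form is the safer one for a fixed policy, because it replaces the whole list and cannot leave a suite in place that the edit string forgot to remove; the String form is convenient when only a few entries of the vendor's default list need to change.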
FIPS 140-2.
EMS client Java applications can achieve FIPS 140-2 compliance by using the BCFIPS TLS vendor. The EMS client library operates in FIPS 140-2 mode either if the TLS vendor is set to 'bcfips' or if the following environment variable is set: com.tibco.security.FIPS=true
Field Summary
Modifier and Type, Field, Description

static java.lang.String[] _vendors
static java.lang.String AUTH_ONLY
    Name of TLS property specifying if TLS is used for authentication only.
static java.lang.String BCFIPS_PROVIDER
static java.lang.String CIPHER_SUITES
    Name of TLS property specifying the set of cipher suites to be used by the TLS connection.
static java.lang.String CIPHERS
    Name of TLS property specifying the set of cipher suites to be used by the TLS connection.
static boolean client_enableSSLv3
    Deprecated. As of release 8.5.1
static java.lang.String DEBUG_TRACE
    Name of TLS property specifying if client debug trace is required.
static java.lang.String ENABLE_VERIFY_HOST
    Name of TLS property specifying if client should verify server certificate.
static java.lang.String ENABLE_VERIFY_HOST_NAME
    Name of TLS property specifying if client should verify the common name in the server certificate.
static int ENCODING_AUTO
    Integer defining AUTO format of the certificate or private key data.
static int ENCODING_DER
    Integer defining DER format of the certificate or private key data.
static int ENCODING_KEYSTORE
    Integer defining KeyStore format of the client identity data.
static int ENCODING_PEM
    Integer defining PEM format of the certificate or private key data.
static int ENCODING_PKCS12
    Integer defining PKCS12 format of the client identity data.
static int ENCODING_PKCS7
    Integer defining PKCS7 format.
static int ENCODING_PKCS8
    Integer defining PKCS8 format of the private key data.
static java.lang.String EXPECTED_HOST_NAME
    Name of TLS property specifying the common name in the server certificate.
static java.lang.String HOST_NAME_VERIFIER
    Name of TLS property specifying the custom host name verifier.
static java.lang.String IBM_PROVIDER
static java.lang.String IDENTITY
    Name of TLS property specifying the client-side identity.
static java.lang.String IDENTITY_ENCODING
    Name of TLS property specifying the encoding of the data presented by IDENTITY property.
static java.lang.String ISSUER_CERTIFICATES
    Name of TLS property specifying the additional issuer certificates for the client certificate.
static java.lang.String J2SE_DEFAULT
static java.lang.String J2SE_PROVIDER
static java.lang.String PASSWORD
    Name of TLS property specifying the password for the private key or the identity store.
static java.lang.String PRIVATE_KEY
    Name of TLS property specifying the private key for the client certificate.
static java.lang.String PRIVATE_KEY_ENCODING
    Name of TLS property specifying the encoding of the data presented by PRIVATE_KEY property.
static int SSL_DHE_DSS_EXPORT_WITH_DES_40_CBC_SHA
    This cipher is no longer supported.
static int SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    Cipher Suite: SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
static int SSL_DHE_DSS_WITH_DES_CBC_SHA
    This cipher is no longer supported.
static int SSL_DHE_RSA_EXPORT_WITH_DES_40_CBC_SHA
    This cipher is no longer supported.
static int SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Cipher Suite: SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
static int SSL_DHE_RSA_WITH_DES_CBC_SHA
    This cipher is no longer supported.
static int SSL_RSA_EXPORT_WITH_DES_40_CBC_SHA
    This cipher is no longer supported.
static int SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    This cipher is no longer supported.
static int SSL_RSA_EXPORT_WITH_RC4_40_MD5
    This cipher is no longer supported.
static int SSL_RSA_WITH_3DES_EDE_CBC_SHA
    Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
static int SSL_RSA_WITH_DES_CBC_SHA
    This cipher is no longer supported.
static int SSL_RSA_WITH_NULL_MD5
    This cipher is no longer supported.
static int SSL_RSA_WITH_NULL_SHA
    This cipher is no longer supported.
static int SSL_RSA_WITH_RC4_128_MD5
    This cipher is no longer supported.
static int SSL_RSA_WITH_RC4_128_SHA
    Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
static int TLS_AES_128_CCM_8_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESCCM(128) Mac=SHA256
static int TLS_AES_128_CCM_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESCCM(128) Mac=SHA256
static int TLS_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESGCM(128) Mac=SHA256
static int TLS_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESGCM(256) Mac=SHA384
static int TLS_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=CHACHA20/POLY1305 Mac=SHA256
static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    Cipher Suite: SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Cipher Suite: SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
static int TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
static int TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
static int TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
static int TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Cipher Suite: SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Cipher Suite: SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
static int TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
static int TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
static int TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
static int TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
static int TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
static int TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
static int TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_ECDHE_RSA_WITH_RC4_128_SHA
    Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
static int TLS_PSK_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
static int TLS_PSK_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
static int TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
static int TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
static int TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
static int TLS_RSA_WITH_AES_128_CBC_SHA
    Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
static int TLS_RSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
static int TLS_RSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
static int TLS_RSA_WITH_AES_256_CBC_SHA
    Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
static int TLS_RSA_WITH_AES_256_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
static int TLS_RSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
static java.lang.String TRACE
    Name of TLS property specifying if client trace is required.
static java.lang.String TRUSTED_CERTIFICATES
    Name of TLS property specifying the set of trusted certificates.
static java.lang.String VENDOR
    Name of TLS property specifying the TLS vendor to be used.
Constructor Summary
TibjmsSSL()
Method Summary
All Methods, Static Methods, Concrete Methods. Modifier and Type, Method, Description

static void addIssuerCerts(java.lang.Object cert)
    Adds one or more issuer certificates to the set of issuer certificates.
static void addIssuerCerts(java.lang.Object cert, int encoding)
    Adds one or more issuer certificates in the specified format to the set of issuer certificates.
static void addTrustedCerts(java.lang.Object cert)
    Adds one or more trusted certificates to the set of trusted certificates.
static void addTrustedCerts(java.lang.Object cert, int encoding)
    Adds one or more trusted certificates in the specified format to the set of trusted certificates.
static void clearIssuerCerts()
    Removes all previously set issuer certificates.
static void clearTrustedCerts()
    Removes all previously set trusted certificates.
static java.lang.String getCipherSuiteName(int cipherSuite)
    Returns the name of the cipher suite with the specified number.
static int getCipherSuiteNumber(java.lang.String cipherSuite)
    Returns the integer value of the cipher suite with the specified name.
static java.lang.String[] getClientCipherSuites()
static java.io.PrintStream getClientTracer()
    Returns the client tracer, or null if client tracing is disabled.
static boolean getDebugTraceEnabled()
    Returns true if debug tracing is enabled.
static java.lang.String getExpectedHostName()
    Returns the name set as the expected name in the host certificate.
static TibjmsSSLHostNameVerifier getHostNameVerifier()
    Returns the currently set custom host name verifier.
static java.lang.String[] getSupportedCipherNames()
static int[] getSupportedCipherSuites()
    Returns all supported cipher suites.
static java.lang.String getVendor()
    Returns a String with the name of the currently used TLS vendor.
static boolean getVerifyHost()
    Returns whether host certificate verification is enabled.
static boolean getVerifyHostName()
    Returns whether verification of the host certificate name is enabled.
static void initialize()
    Initializes the TLS environment.
static void initialize(java.lang.String vendorName)
    Initializes the TLS environment with the specified TLS vendor.
static boolean isAuthOnly()
    Returns true if TLS is used only during connection authentication, false otherwise.
static boolean isCipherSuiteSupported(int cipherSuite)
    Returns true if the specified cipher suite is supported.
static boolean isCipherSuiteSupported(java.lang.String cipherSuite)
    Returns true if the specified cipher suite is supported.
static void setAuthOnly(boolean b)
    Set client connections to use TLS only during initial connection authentication.
static void setCipherSuites(int[] cipherSuites)
    Set the cipher suites to be used by TLS connections.
static void setCipherSuites(java.lang.String cipherSuites)
    Set the cipher suites as a String specification.
static void setClientTracer(java.io.PrintStream tracer)
    Set the client tracer to the given output stream.
static void setDebugTraceEnabled(boolean enabled)
    Enables additional debug tracing.
static void setExpectedHostName(java.lang.String hostname)
    Set the name which is expected to be set in the host certificate.
static void setHostNameVerifier(TibjmsSSLHostNameVerifier verifier)
    Set the custom host name verifier.
static void setIdentity(java.lang.Object identity, char[] password)
    Set the client identity object and password.
static void setIdentity(java.lang.Object identity, int encoding, char[] password)
    Set the client identity object in the specified format, and the password.
static void setIdentity(java.lang.Object identity, int encoding, java.lang.Object key, char[] password)
    Set the client identity object in the specified format, the private key and the password.
static void setIdentity(java.lang.Object identity, int identityEncoding, java.lang.Object key, int keyEncoding, char[] password)
    Set the client identity object in the specified format, the private key in the specified format and the password.
static void setIdentity(java.lang.Object identity, java.lang.Object key, char[] password)
    Set the client identity, private key and password.
static void setPassword(char[] password)
    Sets the private key password.
static void setSecureRandom(java.security.SecureRandom secureRandom)
    Set a java.security.SecureRandom object.
static void setVendor(java.lang.String vendorName)
    Set the TLS vendor to the specified vendor.
static void setVerifyHost(boolean enable)
    Set whether the host certificate should be verified by the client.
static void setVerifyHostName(boolean enable)
    Set whether the name in the host certificate should be verified.
Field Detail
TLS_RSA_WITH_AES_128_CBC_SHA256
public static final int TLS_RSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256
public static final int TLS_RSA_WITH_AES_256_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
public static final int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
public static final int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256
public static final int TLS_RSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD

TLS_RSA_WITH_AES_256_GCM_SHA384
public static final int TLS_RSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
public static final int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
public static final int TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
public static final int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
public static final int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
public static final int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
public static final int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
public static final int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
public static final int TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
public static final int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
public static final int TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

TLS_PSK_WITH_AES_128_GCM_SHA256
public static final int TLS_PSK_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD

TLS_PSK_WITH_AES_256_GCM_SHA384
public static final int TLS_PSK_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD

TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
public static final int TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD

TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
public static final int TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD

TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
public static final int TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD

TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
public static final int TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
public static final int TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS_AES_128_GCM_SHA256
public static final int TLS_AES_128_GCM_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESGCM(128) Mac=SHA256

TLS_AES_256_GCM_SHA384
public static final int TLS_AES_256_GCM_SHA384
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESGCM(256) Mac=SHA384

TLS_CHACHA20_POLY1305_SHA256
public static final int TLS_CHACHA20_POLY1305_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=CHACHA20/POLY1305 Mac=SHA256

TLS_AES_128_CCM_SHA256
public static final int TLS_AES_128_CCM_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESCCM(128) Mac=SHA256

TLS_AES_128_CCM_8_SHA256
public static final int TLS_AES_128_CCM_8_SHA256
    Cipher Suite: TLSv1.3 Kx=N/A Au=N/A Enc=AESCCM(128) Mac=SHA256

SSL_RSA_WITH_RC4_128_MD5
public static final int SSL_RSA_WITH_RC4_128_MD5
    This cipher is no longer supported.

SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
public static final int SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    This cipher is no longer supported.

SSL_RSA_EXPORT_WITH_RC4_40_MD5
public static final int SSL_RSA_EXPORT_WITH_RC4_40_MD5
    This cipher is no longer supported.

SSL_RSA_EXPORT_WITH_DES_40_CBC_SHA
public static final int SSL_RSA_EXPORT_WITH_DES_40_CBC_SHA
    This cipher is no longer supported.

SSL_DHE_RSA_EXPORT_WITH_DES_40_CBC_SHA
public static final int SSL_DHE_RSA_EXPORT_WITH_DES_40_CBC_SHA
    This cipher is no longer supported.

SSL_DHE_DSS_EXPORT_WITH_DES_40_CBC_SHA
public static final int SSL_DHE_DSS_EXPORT_WITH_DES_40_CBC_SHA
    This cipher is no longer supported.

SSL_RSA_WITH_NULL_MD5
public static final int SSL_RSA_WITH_NULL_MD5
    This cipher is no longer supported.

SSL_RSA_WITH_NULL_SHA
public static final int SSL_RSA_WITH_NULL_SHA
    This cipher is no longer supported.

SSL_RSA_WITH_DES_CBC_SHA
public static final int SSL_RSA_WITH_DES_CBC_SHA
    This cipher is no longer supported.

SSL_DHE_DSS_WITH_DES_CBC_SHA
public static final int SSL_DHE_DSS_WITH_DES_CBC_SHA
    This cipher is no longer supported.

SSL_DHE_RSA_WITH_DES_CBC_SHA
public static final int SSL_DHE_RSA_WITH_DES_CBC_SHA
    This cipher is no longer supported.
- Constant Field Values
-
SSL_RSA_WITH_RC4_128_SHA
public static final int SSL_RSA_WITH_RC4_128_SHA
Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1- See Also:
- Constant Field Values
-
SSL_RSA_WITH_3DES_EDE_CBC_SHA
public static final int SSL_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1- See Also:
- Constant Field Values
-
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
public static final int SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Cipher Suite: SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1- See Also:
- Constant Field Values
-
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
public static final int SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_RSA_WITH_AES_128_CBC_SHA
public static final int TLS_RSA_WITH_AES_128_CBC_SHA
Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_RSA_WITH_AES_256_CBC_SHA
public static final int TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
public static final int TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Cipher Suite: SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
public static final int TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Cipher Suite: SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
public static final int TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cipher Suite: SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
public static final int TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
public static final int TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256- See Also:
- Constant Field Values
-
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
public static final int TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256- See Also:
- Constant Field Values
-
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
public static final int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD- See Also:
- Constant Field Values
-
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
public static final int TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Cipher Suite: TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD- See Also:
- Constant Field Values
-
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
public static final int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
public static final int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
public static final int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
public static final int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_RSA_WITH_RC4_128_SHA
public static final int TLS_ECDHE_RSA_WITH_RC4_128_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
public static final int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
public static final int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1- See Also:
- Constant Field Values
-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
public static final int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1- See Also:
- Constant Field Values
-
J2SE_DEFAULT
public static final java.lang.String J2SE_DEFAULT
- See Also:
- Constant Field Values
-
J2SE_PROVIDER
public static final java.lang.String J2SE_PROVIDER
- See Also:
- Constant Field Values
-
IBM_PROVIDER
public static final java.lang.String IBM_PROVIDER
- See Also:
- Constant Field Values
-
BCFIPS_PROVIDER
public static final java.lang.String BCFIPS_PROVIDER
- See Also:
- Constant Field Values
-
_vendors
public static java.lang.String[] _vendors
-
client_enableSSLv3
@Deprecated public static final boolean client_enableSSLv3
Deprecated. As of release 8.5.1
-
VENDOR
public static final java.lang.String VENDOR
Name of the TLS property specifying the TLS vendor to be used. Valid values are the strings "j2se" or "bcfips".
This name is defined as "com.tibco.tibjms.ssl.vendor".- See Also:
- Constant Field Values
-
TRACE
public static final java.lang.String TRACE
Name of the TLS property specifying whether client tracing is required. The value is a Boolean object.
This name is defined as "com.tibco.tibjms.ssl.trace".- See Also:
- Constant Field Values
-
AUTH_ONLY
public static final java.lang.String AUTH_ONLY
Name of the TLS property specifying whether TLS is used for authentication only. The value is a Boolean object.
This name is defined as "com.tibco.tibjms.ssl.auth_only".- See Also:
- Constant Field Values
-
DEBUG_TRACE
public static final java.lang.String DEBUG_TRACE
Name of the TLS property specifying whether client debug tracing is required. This trace produces additional EMS client-related information. Note that enabling debug tracing can generate very large output and should be used only for debugging. The value is a Boolean object.
This name is defined as "com.tibco.tibjms.ssl.debug_trace".- See Also:
- Constant Field Values
-
TRUSTED_CERTIFICATES
public static final java.lang.String TRUSTED_CERTIFICATES
Name of the TLS property specifying the set of trusted certificates. The value is a Vector object; each element of the Vector can be:
- a certificate object,
- an Integer object specifying the certificate type, followed by the certificate object.
An Integer object before the object presenting the certificate data may be required when the certificate data does not allow automatic detection of the encoding format.
This name is defined as "com.tibco.tibjms.ssl.trusted_certs".- See Also:
- Constant Field Values
-
ENABLE_VERIFY_HOST
public static final java.lang.String ENABLE_VERIFY_HOST
Name of the TLS property specifying whether the client should verify the server certificate. By default the client always verifies that the server certificate is issued by one of the certificates specified by the TRUSTED_CERTIFICATES parameter. If this property is set to false, the client does not perform server certificate verification.
The value is a Boolean object.
This name is defined as "com.tibco.tibjms.ssl.enable_verify_host".- See Also:
- Constant Field Values
-
ENABLE_VERIFY_HOST_NAME
public static final java.lang.String ENABLE_VERIFY_HOST_NAME
Name of the TLS property specifying whether the client should verify the common name in the server certificate. It is enabled by default, unless host verification is disabled. By default, if the EXPECTED_HOST_NAME property is not specified, the client verifies that the common name is the same as the name of the connected host. If EXPECTED_HOST_NAME is set, it must match the name in the certificate. Alternatively the client can provide a custom host name verifier, or disable host name verification completely by setting this property to false.
The value is a Boolean object.
This name is defined as "com.tibco.tibjms.ssl.enable_verify_hostname".- See Also:
- Constant Field Values
-
EXPECTED_HOST_NAME
public static final java.lang.String EXPECTED_HOST_NAME
Name of the TLS property specifying the common name expected in the server certificate. If the server certificate has a different name, the TLS handshake fails.
The value is a String object.
This name is defined as "com.tibco.tibjms.ssl.expected_hostname".- See Also:
- Constant Field Values
-
HOST_NAME_VERIFIER
public static final java.lang.String HOST_NAME_VERIFIER
Name of the TLS property specifying the custom host name verifier. Note that when this property is specified, the Map of parameters cannot be stored in JNDI. The value is a TibjmsSSLHostNameVerifier object.
This name is defined as "com.tibco.tibjms.ssl.hostname_verifier".- See Also:
- Constant Field Values
-
IDENTITY
public static final java.lang.String IDENTITY
Name of the TLS property specifying the client-side identity. An identity usually consists of the certificate, the corresponding private key and optionally a set of issuer certificates. The value specified by this property can be a certificate, a PKCS12 file or a KeyStore object. The last two object types normally hold all elements of the identity in a single store; in this case only the PASSWORD property needs to be specified, as the password required to decrypt the content of the identity data. If this property specifies a certificate file, then PRIVATE_KEY must also be set, and optionally ISSUER_CERTIFICATES.
This name is defined as "com.tibco.tibjms.ssl.identity".- See Also:
- Constant Field Values
-
IDENTITY_ENCODING
public static final java.lang.String IDENTITY_ENCODING
Name of the TLS property specifying the encoding of the data presented by the IDENTITY property. This should be used when the type of data presented in the IDENTITY property cannot be detected automatically. The value of this property should be set as a String specifying one of the standard format names (e.g. "PEM", "P12", etc.), or as an Integer or String object specifying one of the ENCODING_xxx values defined by this class.
This name is defined as "com.tibco.tibjms.ssl.identity_encoding".- See Also:
- Constant Field Values
-
ISSUER_CERTIFICATES
public static final java.lang.String ISSUER_CERTIFICATES
Name of the TLS property specifying additional issuer certificates for the client certificate. This should only be used when the IDENTITY property specifies a certificate rather than a PKCS12 or KeyStore object.
This name is defined as "com.tibco.tibjms.ssl.issuer_certs".- See Also:
- Constant Field Values
-
PRIVATE_KEY
public static final java.lang.String PRIVATE_KEY
Name of the TLS property specifying the private key for the client certificate. This should only be used when the IDENTITY property specifies a certificate rather than a PKCS12 or KeyStore object.
This name is defined as "com.tibco.tibjms.ssl.private_key".- See Also:
- Constant Field Values
-
PRIVATE_KEY_ENCODING
public static final java.lang.String PRIVATE_KEY_ENCODING
Name of the TLS property specifying the encoding of the data presented by the PRIVATE_KEY property. This should be used when the type of data presented in the PRIVATE_KEY property cannot be detected automatically. The value of this property should be set as a String specifying one of the standard format names (e.g. "PEM", "P12", etc.), or as an Integer or String object specifying one of the ENCODING_xxx values defined by this class.
This name is defined as "com.tibco.tibjms.ssl.private_key_encoding".- See Also:
- Constant Field Values
-
PASSWORD
public static final java.lang.String PASSWORD
Name of the TLS property specifying the password for the private key or the identity store. The value is a java.lang.String object or a char[].
This name is defined as "com.tibco.tibjms.ssl.password".- See Also:
- Constant Field Values
-
CIPHER_SUITES
public static final java.lang.String CIPHER_SUITES
Name of the TLS property specifying the set of cipher suites to be used by the TLS connection. The value can be either an array of int values listing the cipher suites in priority order, using the cipher suite constants defined by this class, or a java.lang.String listing the cipher suites by name.
See description of this class for more details.
This name is defined as "com.tibco.tibjms.ssl.cipher_suites".- See Also:
- Constant Field Values
-
CIPHERS
public static final java.lang.String CIPHERS
Name of the TLS property specifying the set of cipher suites to be used by the TLS connection. The value can be either an array of int values listing the cipher suites in priority order, using the cipher suite constants defined by this class, or a java.lang.String listing the cipher suites by name.
See the description of this class for more details.
(The name of this property, 'CIPHERS', is a synonym for the property named 'CIPHER_SUITES'.)
This name is defined as "com.tibco.tibjms.ssl.ciphers".- See Also:
- Constant Field Values
-
ENCODING_AUTO
public static final int ENCODING_AUTO
Integer defining AUTO format of the certificate or private key data.- See Also:
- Constant Field Values
-
ENCODING_PEM
public static final int ENCODING_PEM
Integer defining PEM format of the certificate or private key data.- See Also:
- Constant Field Values
-
ENCODING_DER
public static final int ENCODING_DER
Integer defining DER format of the certificate or private key data.- See Also:
- Constant Field Values
-
ENCODING_PKCS7
public static final int ENCODING_PKCS7
Integer defining PKCS7 format.- See Also:
- Constant Field Values
-
ENCODING_PKCS8
public static final int ENCODING_PKCS8
Integer defining PKCS8 format of the private key data.- See Also:
- Constant Field Values
-
ENCODING_PKCS12
public static final int ENCODING_PKCS12
Integer defining PKCS12 format of the client identity data.- See Also:
- Constant Field Values
-
ENCODING_KEYSTORE
public static final int ENCODING_KEYSTORE
Integer defining KeyStore format of the client identity data.- See Also:
- Constant Field Values
-
-
Method Detail
-
getVendor
public static java.lang.String getVendor()
Returns a String with the name of the currently used TLS vendor.
-
setVendor
public static void setVendor(java.lang.String vendorName) throws JMSSecurityException
Sets the TLS vendor to the specified vendor. Parameter vendorName should be one of 'j2se' or 'bcfips'. After the TLS environment has been initialized, the vendor cannot be changed and calls to this method are ignored.- Throws:
JMSSecurityException
- if specified vendor is not supported.
-
initialize
public static void initialize() throws JMSSecurityException
Initializes the TLS environment. Normally the TLS environment is initialized automatically when the first TLS connection is created. If the TLS environment has already been initialized, this method does nothing.- Throws:
JMSSecurityException
- if method fails due to some error.
-
initialize
public static void initialize(java.lang.String vendorName) throws JMSSecurityException
Initializes the TLS environment with the specified TLS vendor. Normally the TLS environment is initialized automatically when the first TLS connection is created. If the TLS environment has already been initialized, this method does nothing.- Throws:
JMSSecurityException
- if specified vendor is not supported or if method fails due to some error.
-
setDebugTraceEnabled
public static void setDebugTraceEnabled(boolean enabled)
Enables additional debug tracing. Java 'j2se' level tracing should be enabled via the javax.net.debug system property.
-
setAuthOnly
public static void setAuthOnly(boolean b)
Sets client connections to use TLS only during initial connection authentication. If the parameter is true, connections use TLS only for authentication and switch to the TCP protocol for all subsequent messaging. If the parameter is false, TLS is used for the lifetime of the connection, which is the default mode. Connections use this setting at the time they are created; changing this setting only affects connections created after the change. By default this parameter is disabled.- Parameters:
b - true to only use TLS for authentication, false to use TLS for the lifetime of the connections.
-
isAuthOnly
public static boolean isAuthOnly()
Returns true if TLS is used only during connection authentication, returns false otherwise.
-
getDebugTraceEnabled
public static boolean getDebugTraceEnabled()
Returns true if debug tracing is enabled.
-
setClientTracer
public static void setClientTracer(java.io.PrintStream tracer)
Sets the client tracer to the given output stream. Specify null as the parameter to disable client tracing. Client tracing prints loaded certificates and information about TLS handshake errors and results.
-
getClientTracer
public static java.io.PrintStream getClientTracer()
Returns the client tracer, or null if client tracing is disabled.
-
setSecureRandom
public static void setSecureRandom(java.security.SecureRandom secureRandom)
Sets a java.security.SecureRandom object.
-
getCipherSuiteName
public static java.lang.String getCipherSuiteName(int cipherSuite) throws JMSSecurityException
Returns the name of the cipher suite with the specified number.- Throws:
JMSSecurityException
- if cipherSuite parameter does not specify a valid cipher suite number.
-
getCipherSuiteNumber
public static int getCipherSuiteNumber(java.lang.String cipherSuite) throws JMSSecurityException
Returns the integer value of the cipher suite with the specified name.- Throws:
JMSSecurityException
- if cipherSuite parameter does not specify a supported cipher suite name.
-
isCipherSuiteSupported
public static boolean isCipherSuiteSupported(int cipherSuite) throws JMSSecurityException
Returns true if the specified cipher suite is supported.- Throws:
JMSSecurityException
- if cipherSuite parameter does not specify a supported cipher suite number.
-
isCipherSuiteSupported
public static boolean isCipherSuiteSupported(java.lang.String cipherSuite) throws JMSSecurityException
Returns true if the specified cipher suite is supported.- Throws:
JMSSecurityException
- if cipherSuite parameter does not specify a supported cipher suite name.
-
getSupportedCipherSuites
public static int[] getSupportedCipherSuites() throws JMSSecurityException
Returns all supported cipher suites.- Throws:
JMSSecurityException
- if method fails due to some error.
-
getSupportedCipherNames
public static java.lang.String[] getSupportedCipherNames() throws JMSSecurityException
- Throws:
JMSSecurityException
-
setCipherSuites
public static void setCipherSuites(int[] cipherSuites) throws JMSSecurityException
Sets the cipher suites to be used by TLS connections.- Throws:
JMSSecurityException
- if method fails due to some error.
-
setCipherSuites
public static void setCipherSuites(java.lang.String cipherSuites) throws JMSSecurityException
Sets the cipher suites from a String specification.- Throws:
JMSSecurityException
- if method fails due to some error.
-
getClientCipherSuites
public static java.lang.String[] getClientCipherSuites() throws JMSException
- Throws:
JMSException
-
setVerifyHost
public static void setVerifyHost(boolean enable)
Sets whether the host certificate should be verified by the client. By default it is always enabled.
-
getVerifyHost
public static boolean getVerifyHost()
Returns whether host certificate verification is enabled. By default it is always enabled.
-
setExpectedHostName
public static void setExpectedHostName(java.lang.String hostname)
Sets the name which is expected to be set in the host certificate. The name in the certificate is taken from the CN field of the certificate subject. By default the expected certificate name is the name of the connected host.
-
getExpectedHostName
public static java.lang.String getExpectedHostName()
Returns the name set as the expected name in the host certificate.
-
setVerifyHostName
public static void setVerifyHostName(boolean enable)
Sets whether the name in the host certificate should be verified. By default this is always enabled.
-
getVerifyHostName
public static boolean getVerifyHostName()
Returns whether verification of the host certificate name is enabled. By default this is always enabled.
-
setHostNameVerifier
public static void setHostNameVerifier(TibjmsSSLHostNameVerifier verifier)
Sets the custom host name verifier. Pass null to remove the custom host name verifier.
-
getHostNameVerifier
public static TibjmsSSLHostNameVerifier getHostNameVerifier()
Returns the currently set custom host name verifier, or null if no custom host name verifier is set.
-
clearTrustedCerts
public static void clearTrustedCerts() throws JMSSecurityException
Removes all previously set trusted certificates.- Throws:
JMSSecurityException
-
addTrustedCerts
public static void addTrustedCerts(java.lang.Object cert) throws JMSSecurityException
Adds one or more trusted certificates to the set of trusted certificates. If a Java client uses TibjmsSSL.addTrustedCerts to add a certificate, the EMS server it communicates with must provide a certificate that can be directly authenticated by one of the client's trusted certificates. If the certificate chain lists an intermediate certificate between the provided and trusted certificates, the client will reject the connection.- Throws:
JMSSecurityException
- if certificate data is not valid or if method fails due to some error.
-
addTrustedCerts
public static void addTrustedCerts(java.lang.Object cert, int encoding) throws JMSSecurityException
Adds one or more trusted certificates in the specified format to the set of trusted certificates.- Throws:
JMSSecurityException
- if certificate data is not valid or if method fails due to some error.
-
clearIssuerCerts
public static void clearIssuerCerts() throws JMSSecurityException
Removes all previously set issuer certificates.- Throws:
JMSSecurityException
-
addIssuerCerts
public static void addIssuerCerts(java.lang.Object cert) throws JMSSecurityException
Adds one or more issuer certificates to the set of issuer certificates.- Throws:
JMSSecurityException
- if certificate data is not valid or if method fails due to some error.
-
addIssuerCerts
public static void addIssuerCerts(java.lang.Object cert, int encoding) throws JMSSecurityException
Adds one or more issuer certificates in the specified format to the set of issuer certificates.- Throws:
JMSSecurityException
- if certificate data is not valid or if method fails due to some error.
-
setIdentity
public static void setIdentity(java.lang.Object identity, char[] password) throws JMSSecurityException
Sets the client identity object and password. The client identity must include the certificate, the private key and optionally issuer certificates.- Throws:
JMSSecurityException
- if identity data is not valid or if method fails due to some error.
-
setIdentity
public static void setIdentity(java.lang.Object identity, java.lang.Object key, char[] password) throws JMSSecurityException
Sets the client identity, private key and password.- Throws:
JMSSecurityException
- if identity or private key data is not valid or if method fails due to some error.
-
setIdentity
public static void setIdentity(java.lang.Object identity, int encoding, char[] password) throws JMSSecurityException
Sets the client identity object in the specified format, and the password. The client identity must include the certificate, the private key and optionally issuer certificates.- Throws:
JMSSecurityException
- if identity data is not valid or if method fails due to some error.
-
setIdentity
public static void setIdentity(java.lang.Object identity, int encoding, java.lang.Object key, char[] password) throws JMSSecurityException
Sets the client identity object in the specified format, the private key and the password.- Throws:
JMSSecurityException
- if identity or private key data is not valid or if method fails due to some error.
-
setIdentity
public static void setIdentity(java.lang.Object identity, int identityEncoding, java.lang.Object key, int keyEncoding, char[] password) throws JMSSecurityException
Sets the client identity object in the specified format, the private key in the specified format, and the password.- Throws:
JMSSecurityException
- if identity or private key data is not valid or if method fails due to some error.
-
setPassword
public static void setPassword(char[] password)
Sets the private key password.
-
-
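The following is an added example, not code from the TibjmsSSL Javadoc or the EMS distribution, showing the global setup path (option 2 in the class description): the static setters above configure verification, identity and cipher suites before the first ssl:// connection is created. It assumes that addTrustedCerts and setIdentity accept file-path Strings as certificate data (as the EMS client samples do); the host name, port, file paths and environment variable are placeholders.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import com.tibco.tibjms.TibjmsConnectionFactory;
import com.tibco.tibjms.TibjmsSSL;

/** Added example: global TLS setup through the static TibjmsSSL setters. */
public class EmsTlsClientSetup {

    // Placeholder values (assumptions, not from the page); adjust per deployment.
    static final String SERVER_URL   = "ssl://ems.example.internal:7243";
    static final String EXPECTED_CN  = "ems.example.internal";
    static final String CA_CERT_PATH = "/etc/ems/certs/ca-root.pem";
    static final String CLIENT_P12   = "/etc/ems/certs/client-identity.p12";

    /** True for suite names the page lists as unsupported or built on weak primitives. */
    static boolean isWeakSuiteName(String name) {
        return name.contains("_NULL_") || name.contains("_EXPORT_")
            || name.contains("_RC4_")  || name.contains("_RC2_")
            || name.contains("_DES_")  || name.contains("_3DES_")
            || name.endsWith("_MD5");
    }

    /** Allowlist built from what this client build actually supports. */
    static int[] strongCipherSuites() throws JMSSecurityException {
        List<Integer> keep = new ArrayList<>();
        for (int suite : TibjmsSSL.getSupportedCipherSuites()) {
            if (!isWeakSuiteName(TibjmsSSL.getCipherSuiteName(suite))) {
                keep.add(suite);
            }
        }
        return keep.stream().mapToInt(Integer::intValue).toArray();
    }

    static void configureTls(char[] identityPassword) throws JMSSecurityException {
        // Pick the provider first: setVendor is ignored once the TLS
        // environment has been initialized.
        TibjmsSSL.setVendor("j2se");

        // Keep TLS for the lifetime of the connection. Auth-only mode switches
        // to plain TCP after the handshake, leaving message traffic unprotected.
        TibjmsSSL.setAuthOnly(false);

        // Server certificate and CN checks stay on. addTrustedCerts needs the
        // server certificate signed directly by a trusted certificate.
        TibjmsSSL.setVerifyHost(true);
        TibjmsSSL.setVerifyHostName(true);
        TibjmsSSL.setExpectedHostName(EXPECTED_CN);
        TibjmsSSL.addTrustedCerts(CA_CERT_PATH, TibjmsSSL.ENCODING_PEM);

        // Client identity (certificate, key, issuers) from one PKCS12 file.
        TibjmsSSL.setIdentity(CLIENT_P12, TibjmsSSL.ENCODING_PKCS12, identityPassword);

        // Offer only the filtered suites, in the order the client build lists them.
        TibjmsSSL.setCipherSuites(strongCipherSuites());

        TibjmsSSL.initialize();
    }

    public static void main(String[] args) throws JMSException {
        String fromEnv = System.getenv("EMS_IDENTITY_PASSWORD");
        if (fromEnv == null) {
            throw new IllegalStateException("EMS_IDENTITY_PASSWORD is not set");
        }
        char[] password = fromEnv.toCharArray();
        try {
            configureTls(password);
            // The factory carries only the ssl:// URL, so the global settings apply.
            TibjmsConnectionFactory factory = new TibjmsConnectionFactory(SERVER_URL);
            Connection connection = factory.createConnection();
            connection.start();
            connection.close();
        } finally {
            Arrays.fill(password, '\0'); // scrub the secret once it is no longer needed
        }
    }
}
```

Enabling setClientTracer(System.err) while validating the setup prints the loaded certificates and any handshake failure, which is the quickest way to confirm that the expected host name and trusted certificate match what the server actually presents.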