
Difference between revisions of "Jetty/Reference/SSL Connectors"

m
Line 1: Line 1:
 
{{Jetty Reference
 
{{Jetty Reference
 
| introduction =  
 
| introduction =  
There are 2 ssl connectors in jetty-- [http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSocketConnector.html SslSocketConnector] and the [http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.html SslSelectChannelConnector]. The SslSocketConnector is built on top of the Jetty SocketConnector which is Jetty's implementation of a blocking connector. It makes use of java's SslSocket to add the security layer. On the other hand, SslSelectChannelConnector is an extension of Jetty's SelectChannelConnector which makes use of non-blocking IO. For its security layer, it uses java nio SslEngine. Both Connectors can be configured in the same way. Only difference is in the implementation.
+
There are 2 ssl connectors in jetty -- [http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSocketConnector.html SslSocketConnector] and the [http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.html SslSelectChannelConnector]. The SslSocketConnector is built on top of the Jetty SocketConnector which is Jetty's implementation of a blocking connector. It makes use of java's SslSocket to add the security layer. On the other hand, SslSelectChannelConnector is an extension of Jetty's SelectChannelConnector which makes use of non-blocking IO. For its security layer, it uses java nio SslEngine. Both Connectors can be configured in the same way. Only difference is in the implementation.
  
 
| body =
 
| body =
 
==Configuration==
 
==Configuration==
  
The following is an example of an SslSelectChannelConnector configuration. An SslSocketConnector may be configured the same way-- just change the value of class to "org.eclipse.jetty.server.ssl.SslSocketConnector".
+
Starting in Jetty 7.3.1, the preferred way to configure the SSL parameters for the connector is by configuring the [http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/http/ssl/SslContextFactory.html SslContextFactory] object and passing it to the connector's constructor.
  
<div class="code panel" style="border-width: 1px"><div class="codeContent panelContent">
+
The following is an example of an SslSelectChannelConnector configuration. An SslSocketConnector may be configured the same way -- just change the value of class to "org.eclipse.jetty.server.ssl.SslSocketConnector".
  
+
<div class="code panel" style="border-width: 1px"><div class="codeContent panelContent">
<Call name="addConnector">
+
  <Call name="addConnector">
 
     <Arg>
 
     <Arg>
 
       <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
 
       <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
         <Set name="Port">8443</Set>
+
         <Arg>
 +
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
 +
            <Set name="port">8443</Set>
 +
            <Set name="keyStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
 +
            <Set name="keyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
 +
            <Set name="keyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
 +
            <Set name="trustStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
 +
            <Set name="trustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
 +
          </New>
 +
        </Arg
 
         <Set name="maxIdleTime">30000</Set>
 
         <Set name="maxIdleTime">30000</Set>
        <Set name="keystore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
 
        <Set name="password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
 
        <Set name="keyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
 
        <Set name="truststore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
 
        <Set name="trustPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
 
 
       </New>
 
       </New>
 
     </Arg>
 
     </Arg>
 
   </Call>
 
   </Call>
 
 
</div></div>
 
</div></div>
  
If there is no value for the "truststore", it will use the "keystore" value. Passwords can be obfuscated by using Jetty [[Jetty/Howto/Secure_Passwords|password utility]].
+
Other properties which can be set for SslContextFactory are:
 
+
Other properties which can be set for SslSocketConnector/SslSelectChannelConnector are:
+
  
* keystoreType - default value: "JKS"
+
* keyStoreType - default value: "JKS"
 +
* keyStoreProvider - defaults to the SunJSSE provider
 
* trustStoreType - default value: "JKS"
 
* trustStoreType - default value: "JKS"
 +
* trustStoreProvider - defaults to the SunJSSE provider
 
* sslKeyManagerFactoryAlgorithm - set to the value of the "ssl.KeyManagerFactory.algorithm" system property. If there is no such property, this defaults to "SunX509"
 
* sslKeyManagerFactoryAlgorithm - set to the value of the "ssl.KeyManagerFactory.algorithm" system property. If there is no such property, this defaults to "SunX509"
 
* sslTrustManagerFactoryAlgorithm - set to the value of the "ssl.TrustManagerFactory.algorithm" system property. If there is no such property, this defaults to "SunX509"
 
* sslTrustManagerFactoryAlgorithm - set to the value of the "ssl.TrustManagerFactory.algorithm" system property. If there is no such property, this defaults to "SunX509"
 
* secureRandomAlgorithm - default value is null
 
* secureRandomAlgorithm - default value is null
* provider - defaults to the SunJSSE provider
 
 
* protocol - default value is "TLS"
 
* protocol - default value is "TLS"
 +
* provider - defaults to the first provider that supports protocol
 +
* includeCipherSuites - see [[Jetty/Howto/CipherSuites|How to configure SSL Cipher Suites]] page.
 
* excludeCipherSuites - see [[Jetty/Howto/CipherSuites|How to configure SSL Cipher Suites]] page.
 
* excludeCipherSuites - see [[Jetty/Howto/CipherSuites|How to configure SSL Cipher Suites]] page.
 +
* needClientAuth - defaults to false
 +
* wantClientAuth - defaults to false
 +
* validateCerts - defaults to false
 +
* allowRenegotiate - defaults to false
 +
* crlPath - path to certificate revocation list file for SSL certificate validation
 +
* maxCertPathLengh - maximum allowed number of intermediate certificates, defaults to -1 (unlimited)
 +
 +
If there is no value for the "truststore", it will use the "keystore" value. Passwords can be obfuscated by using Jetty [[Jetty/Howto/Secure_Passwords|password utility]].
 +
 +
==Deprecated methods==
 +
The methods of SslConnector that previously were being used to configure SSL parameters have been deprecated and will be removed in a future version of Jetty. Following is an example of configuring SslSelectChannelConnector connector in Jetty 7.3.0 and earlier.
 +
 +
<div class="code panel" style="border-width: 1px"><div class="codeContent panelContent">
 +
  <Call name="addConnector">
 +
    <Arg>
 +
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
 +
        <Set name="Port">8443</Set>
 +
        <Set name="maxIdleTime">30000</Set>
 +
        <Set name="keystore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
 +
        <Set name="password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
 +
        <Set name="keyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
 +
        <Set name="truststore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
 +
        <Set name="trustPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
 +
      </New>
 +
    </Arg>
 +
  </Call>
 +
</div></div>
  
reference http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE
+
| more =
 +
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE
 
}}
 
}}
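Review bot: `</Arg` in the new SslContextFactory example is missing its closing `>`, so the fragment is not well-formed XML and Jetty's XML configuration loader will fail to parse it; change it to `</Arg>`. Also, `<Set name="Port">8443</Set>` was removed from the connector and replaced by `<Set name="port">8443</Set>` inside the SslContextFactory, but port is not among the SslContextFactory properties listed further down, and the retained deprecated example shows the listening port as a connector setting; keep the port Set on the connector, beside `<Set name="maxIdleTime">30000</Set>`. Finally, `maxCertPathLengh` in the new property list should read `maxCertPathLength`.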

Revision as of 18:35, 13 April 2011



Introduction

There are two SSL connectors in Jetty: SslSocketConnector and SslSelectChannelConnector. SslSocketConnector is built on top of Jetty's SocketConnector, Jetty's blocking connector implementation, and uses Java's SSLSocket to add the security layer. SslSelectChannelConnector extends Jetty's SelectChannelConnector, which uses non-blocking IO, and uses the Java NIO SSLEngine for its security layer. Both connectors are configured in the same way; the only difference is in the implementation.

Configuration

Starting in Jetty 7.3.1, the preferred way to configure the SSL parameters for a connector is to configure an SslContextFactory object and pass it to the connector's constructor.

The following is an example of an SslSelectChannelConnector configuration. An SslSocketConnector is configured the same way; just change the value of class to "org.eclipse.jetty.server.ssl.SslSocketConnector".

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <!-- The SSL parameters live on the SslContextFactory passed to the connector's constructor -->
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="keyStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
            <Set name="keyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
            <Set name="keyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
            <Set name="trustStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
            <Set name="trustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
          </New>
        </Arg>
        <!-- Connector-level settings: the listening port and idle timeout belong here, not on the factory -->
        <Set name="port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>

Other properties that can be set on SslContextFactory are:

  • keyStoreType - default value: "JKS"
  • keyStoreProvider - defaults to the SunJSSE provider
  • trustStoreType - default value: "JKS"
  • trustStoreProvider - defaults to the SunJSSE provider
  • sslKeyManagerFactoryAlgorithm - set to the value of the "ssl.KeyManagerFactory.algorithm" system property; if there is no such property, this defaults to "SunX509"
  • sslTrustManagerFactoryAlgorithm - set to the value of the "ssl.TrustManagerFactory.algorithm" system property; if there is no such property, this defaults to "SunX509"
  • secureRandomAlgorithm - default value is null
  • protocol - default value is "TLS"
  • provider - defaults to the first provider that supports the configured protocol
  • includeCipherSuites - see the How to configure SSL Cipher Suites page
  • excludeCipherSuites - see the How to configure SSL Cipher Suites page
  • needClientAuth - defaults to false
  • wantClientAuth - defaults to false
  • validateCerts - defaults to false
  • allowRenegotiate - defaults to false
  • crlPath - path to the certificate revocation list file used for SSL certificate validation
  • maxCertPathLength - maximum allowed number of intermediate certificates; defaults to -1 (unlimited)

If no trustStore is set, the keyStore value is used as the trust store as well. Passwords can be obfuscated with the Jetty password utility.
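To check a fragment like the one above against the property list just given, here is an added Python example (not from the Jetty wiki or the Jetty project): it parses the <Call>/<New>/<Set> structure with the standard library, resolves <SystemProperty> defaults the way a deployment would, and reports the settings a reviewer would look at. The sample XML, its OBF: value and the jetty.home path are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the page's 7.3.1+ layout; "port" on the factory and allowRenegotiate=true are deliberate.
SAMPLE_XML = """<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="port">8443</Set>
          <Set name="keyStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
          <Set name="keyStorePassword">OBF:constructedvalue</Set>
          <Set name="allowRenegotiate">true</Set>
        </New>
      </Arg>
    </New>
  </Arg>
</Call>"""

def set_value(el, props):
    # A <Set> body mixes text with <SystemProperty name= default=/> children; resolve those inline.
    out = el.text or ""
    for child in el:
        out += props.get(child.get("name"), child.get("default", "")) + (child.tail or "")
    return out.strip()

def factory_settings(xml_text, props):
    # {name: value} for every <Set> under the SslContextFactory <New>; malformed XML such as an
    # unclosed </Arg raises ParseError here, which is the first check a reviewer gets for free.
    root = ET.fromstring(xml_text)
    return {s.get("name"): set_value(s, props)
            for new in root.iter("New")
            if new.get("class") == "org.eclipse.jetty.http.ssl.SslContextFactory"
            for s in new.findall("Set")}

def review(settings):
    # Findings judged against the property list and defaults given on the page.
    findings = []
    if "port" in settings:
        findings.append("port is a connector property, not an SslContextFactory one")
    if settings.get("allowRenegotiate", "false").lower() == "true":
        findings.append("allowRenegotiate is true (page default: false)")
    if "trustStore" not in settings:
        findings.append("no trustStore, so the keyStore doubles as trust store")
    if not settings.keys() & {"includeCipherSuites", "excludeCipherSuites"}:
        findings.append("no cipher suite include/exclude list configured")
    for name, value in settings.items():
        if name.endswith("Password") and value.startswith("OBF:"):
            findings.append(name + " is OBF-obfuscated: reversible encoding, not encryption")
    return findings

FINDINGS = review(factory_settings(SAMPLE_XML, {"jetty.home": "/opt/jetty"}))  # jetty.home as deployed
```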

Deprecated methods

The SslConnector methods that were previously used to configure SSL parameters have been deprecated and will be removed in a future version of Jetty. The following is an example of configuring an SslSelectChannelConnector in Jetty 7.3.0 and earlier.

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="keystore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
        <Set name="keyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
        <Set name="truststore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="trustPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
      </New>
    </Arg>
  </Call>

Additional Resources

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE