How to configure SSL on a component

Several Apache Camel components (e.g. Jetty, Netty, QLT, ...) support SSL. This page explains how to configure an SSL connector so that it can be used in a route.

Overview

All Apache Camel components that support SSL use the SSLContextParameters class for their SSL configuration. See the Camel JSSE Utility documentation for the complete list of properties.

To simplify its configuration we have created the com.systar.aluminium.engine.impl.util.SSLContextParameters class:

  • It extends the standard Camel SSLContextParameters class, so it can be used everywhere an SSLContextParameters is required, and all the native properties of SSLContextParameters remain available.
  • It simplifies the configuration of the secure socket protocols by providing the secureSocketProtocolsList property, a comma-separated list of the protocols to enable.
  • It simplifies the configuration of the cipher suites by providing the cipherSuitesList property, a comma-separated list of the cipher suites to enable.

Mutual Authentication

Some components can, should or must be configured with mutual authentication. In that case both a key store (holding the component's own certificate and private key) and a trust store (holding the CA certificates, or the individual certificates, of the peers it accepts) must be defined on the com.systar.aluminium.engine.impl.util.SSLContextParameters bean.

Server configuration

Here is an example of the configuration that you can use for a component that receives connections from clients:

Server side mutual authentication

Some components can expose a secure connection with mutual authentication. For example:

Here is an example of the configuration that you can use for a component using server mutual authentication:
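As an added example (not the page's own configuration), here is a Spring XML bean for a server-side component that requires client certificates. It assumes that ADI components are wired as Spring beans, that the nested parameter classes live in the Camel 2.x package org.apache.camel.util.jsse (Camel 3.x moved them to org.apache.camel.support.jsse), that a Spring property placeholder configurer resolves the ${...} values, and that the key store paths are illustrative. The same bean without the trustManagers and serverParameters properties serves the one-way case of a server that only authenticates itself.

```xml
<!-- Added example, not the page's own configuration. Assumes Spring XML wiring,
     Camel 2.x parameter classes in org.apache.camel.util.jsse (Camel 3.x:
     org.apache.camel.support.jsse), a property placeholder configurer for the
     ${...} values, and illustrative key store paths. -->
<bean id="serverSslContextParameters"
      class="com.systar.aluminium.engine.impl.util.SSLContextParameters">

  <!-- Key store: the server's own certificate chain and private key. -->
  <property name="keyManagers">
    <bean class="org.apache.camel.util.jsse.KeyManagersParameters">
      <property name="keyPassword" value="${server.key.password}"/>
      <property name="keyStore">
        <bean class="org.apache.camel.util.jsse.KeyStoreParameters">
          <property name="type" value="JKS"/>
          <property name="resource" value="/opt/adi/conf/ssl/server-keystore.jks"/>
          <property name="password" value="${server.keystore.password}"/>
        </bean>
      </property>
    </bean>
  </property>

  <!-- Trust store: only the CA that issues the client certificates you accept.
       Do not point this at the JVM's cacerts: any certificate issued by any
       public CA would then be accepted as a client identity. -->
  <property name="trustManagers">
    <bean class="org.apache.camel.util.jsse.TrustManagersParameters">
      <property name="keyStore">
        <bean class="org.apache.camel.util.jsse.KeyStoreParameters">
          <property name="type" value="JKS"/>
          <property name="resource" value="/opt/adi/conf/ssl/client-ca-truststore.jks"/>
          <property name="password" value="${server.truststore.password}"/>
        </bean>
      </property>
    </bean>
  </property>

  <!-- REQUIRE: a client without a certificate chaining to the trust store above
       is rejected during the handshake. WANT would let it connect anonymously. -->
  <property name="serverParameters">
    <bean class="org.apache.camel.util.jsse.SSLContextServerParameters">
      <property name="clientAuthentication" value="REQUIRE"/>
    </bean>
  </property>
</bean>
```

A route then references the bean by id on the endpoint; for the Camel Jetty component the documented form is jetty:https://0.0.0.0:8443/events?sslContextParameters=#serverSslContextParameters (host, port and path are illustrative). To check the setting, connect with a TLS client that presents no certificate: with REQUIRE the handshake must fail, whereas with WANT or NONE it succeeds.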

The main difference from client mutual authentication is the configuration of the serverParameters property:

Name: clientAuthentication
Default value: NONE
Description: Indicates whether the server side does not request, requests, or requires clients to provide authentication credentials during the handshake.

Available values are:

  • NONE: no client authentication is requested or required.
  • WANT: client authentication is requested but not required. The handshake still succeeds when the client presents no certificate, so WANT on its own does not authenticate the client.
  • REQUIRE: client authentication is required; the handshake fails when the client does not present a certificate chaining to the trust store. We strongly advise you to use REQUIRE.

Client configuration

When a component connects to an SSL server, most of the time no specific SSL configuration is required, because the JVM's default trust store already contains the public CA certificates, so this section can be skipped. In some situations you do need to tune the SSL configuration, e.g.:

  • When the server's certificate is not signed by a CA the JVM trusts (e.g. it uses a self-signed certificate or a private CA). Add that certificate, or the CA certificate, to a dedicated trust store rather than disabling certificate verification.
  • When the SSL cipher and/or protocol list must be constrained.

Here is an example of the configuration that you can use for a component that connects to an SSL server:

Client side mutual authentication

Some services require mutual authentication before ADI can establish a TLS connection to them. For example:

Here is an example of the configuration that you can use for a component using client mutual authentication:

Protocol and cipher suites

We recommend only using the most secure options available when choosing the secure socket protocol and cipher suites for all TLS connections. You should therefore set secureSocketProtocolsList to TLSv1.2 and restrict cipherSuitesList to the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite or to a list of strong cipher suites. Note that the _RSA_ suites require an RSA key pair in the key store and the _ECDSA_ suites an EC key pair, so list the variants that match your certificate. The list below is ordered by preference: the ECDHE and DHE suites provide forward secrecy while the TLS_RSA_ suites do not, and the AES_GCM suites are preferable to the AES_CBC ones, so take the entries near the top whenever the peer supports them. Cipher suite names must be ones the JVM in use supports; verify them before deploying. If the JVM supports TLSv1.3 it can be added to secureSocketProtocolsList, but TLSv1.3 suites have their own names (e.g. TLS_AES_256_GCM_SHA384) and must then be listed in cipherSuitesList as well.

Recommended cipher suites - ordered list
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
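As an added example (not the page's own configuration), here is how the protocol and cipher suite restriction above is applied through the two comma-separated list properties of the ADI class. It assumes Spring XML wiring and an RSA server key pair; as written, with no key or trust managers, it is a valid client-side bean that uses the JVM's default trust store, and the keyManagers/trustManagers properties are added for the server-side or mutual-authentication cases.

```xml
<!-- Added example, not the page's own configuration. Assumes Spring XML wiring
     and an RSA key pair (the ECDHE_RSA suites do not work with an EC key). -->
<bean id="hardenedSslContextParameters"
      class="com.systar.aluminium.engine.impl.util.SSLContextParameters">

  <!-- Only TLSv1.2 is negotiated; SSLv3, TLSv1 and TLSv1.1 are never offered. -->
  <property name="secureSocketProtocolsList" value="TLSv1.2"/>

  <!-- Comma-separated, no spaces, in order of preference: forward-secret ECDHE
       suites only, GCM first, CBC kept solely as a fallback for peers without
       GCM support. With an EC key use the ECDHE_ECDSA equivalents instead. -->
  <property name="cipherSuitesList"
            value="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</bean>
```

Every name in cipherSuitesList must be supported by the JVM running ADI, so check the list against the JVM version before deploying, and remove the CBC entries once all peers support GCM.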

SSLSocketFactory

Some connectors expose a property of type javax.net.ssl.SSLSocketFactory rather than accepting SSLContextParameters directly. An implementation is provided to build such a factory from the com.systar.aluminium.engine.impl.util.SSLContextParameters class.

This class is com.systar.aluminium.engine.impl.util.SSLSocketFactory. It has a single property, sslContextParameters, which is mandatory.

Here is an example of the configuration that you can use for a component that connects to an SSL server:
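As an added example (not the page's own configuration), here is how the adapter is wired: a client-side SSLContextParameters bean, the ADI SSLSocketFactory bean built from it, and a connector that takes the factory. It assumes Spring XML wiring, the Camel 2.x package org.apache.camel.util.jsse, that sslContextParameters is exposed as a bean property, and a hypothetical connector class and property name.

```xml
<!-- Added example, not the page's own configuration. Assumes Spring XML wiring,
     Camel 2.x parameter classes in org.apache.camel.util.jsse, a property
     placeholder configurer and an illustrative trust store path. -->
<bean id="remoteServiceSslContextParameters"
      class="com.systar.aluminium.engine.impl.util.SSLContextParameters">
  <!-- Trust only the remote service's CA; no key store is needed unless the
       service requires client authentication. -->
  <property name="trustManagers">
    <bean class="org.apache.camel.util.jsse.TrustManagersParameters">
      <property name="keyStore">
        <bean class="org.apache.camel.util.jsse.KeyStoreParameters">
          <property name="resource" value="/opt/adi/conf/ssl/remote-service-truststore.jks"/>
          <property name="password" value="${remote.service.truststore.password}"/>
        </bean>
      </property>
    </bean>
  </property>
</bean>

<!-- Adapter: builds a javax.net.ssl.SSLSocketFactory from the bean above.
     Assumption: sslContextParameters is set as a bean property. -->
<bean id="remoteServiceSslSocketFactory"
      class="com.systar.aluminium.engine.impl.util.SSLSocketFactory">
  <property name="sslContextParameters" ref="remoteServiceSslContextParameters"/>
</bean>

<!-- Hypothetical connector exposing a javax.net.ssl.SSLSocketFactory property;
     the class name and property name are placeholders, not an ADI API. -->
<bean id="remoteServiceConnector" class="com.example.RemoteServiceConnector">
  <property name="sslSocketFactory" ref="remoteServiceSslSocketFactory"/>
</bean>
```

Because the factory is derived from the SSLContextParameters bean, any protocol or cipher suite restriction placed on that bean applies to every socket the connector opens.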
