Decision Insight 20200928

How to configure SSL on a component

Several Apache Camel components (for example Jetty, Netty, QLT, ...) support SSL. This page explains how to configure an SSL connector so that it can be used in a route.

Overview

All Apache Camel components use the SSLContextParameters class for their SSL configuration. See the Camel JSSE Utility properties official documentation. To simplify its configuration we have created the com.systar.aluminium.engine.impl.util.SSLContextParameters class:

- It extends the standard Camel SSLContextParameters class, which means that you can use it everywhere an SSLContextParameters is required and configure all the native parameters of the SSLContextParameters class.
- It simplifies the configuration of the secure socket protocols by providing the secureSocketProtocolsList property, a comma-separated list of all the protocols.
- It simplifies the configuration of the cipher suites by providing the cipherSuitesList property, a comma-separated list of all the cipher suites.

Mutual Authentication

Some components can, should or must be configured using mutual authentication, in which case both a key store and a trust store must be defined using the com.systar.aluminium.engine.impl.util.SSLContextParameters class.

Server configuration

Here is an example of the configuration that you can use for a component that receives connections from clients:

Server side mutual authentication

Some components can expose a secure connection with mutual authentication. For example:

- Lumberjack
- QLT

Here is an example of the configuration that you can use for a component using server mutual authentication:

The main difference from client mutual authentication is the serverParameters attribute configuration:

| Name | Default value | Description |
| --- | --- | --- |
| clientAuthentication | none | Indicates whether the server side does not request, requests, or requires clients to provide authentication credentials during the handshake. Available values are: NONE (no client authentication required or requested), WANT (client authentication requested), REQUIRE (client authentication required). |

We strongly advise you to use REQUIRE.

Client configuration

When a component needs to connect to an SSL server, most of the time no specific SSL configuration is required, so this section can be skipped. In some situations, however, you need to tune the SSL configuration, for example:

- When the server does not have a CA-signed certificate (for example, it uses a self-signed certificate).
- When the SSL cipher and/or protocol list must be constrained.

Here is an example of the configuration that you can use for a component that connects to an SSL server:

Client side mutual authentication

Some services may require mutual authentication before a secured TLS connection can be created from ADI. For example:

- JMS
- DIMS

Here is an example of the configuration that you can use for a component using client mutual authentication:

Protocol and cipher suites

We recommend only using the most secure options available when choosing your secure socket protocol and cipher suites for all TLS connections. You should therefore use TLSv1.2 as your secureSocketProtocolsList and restrict your cipherSuitesList to the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite or to a list of strong cipher suites.

Recommended cipher suites (ordered list):

- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256

SSLSocketFactory

Some connectors may need to use a property of type javax.net.ssl.SSLSocketFactory. An implementation is provided to help you create one from the com.systar.aluminium.engine.impl.util.SSLContextParameters class: com.systar.aluminium.engine.impl.util.SSLSocketFactory. Only the sslContextParameters parameter is available, and it is mandatory.

Here is an example of the configuration that you can use for a component that connects to an SSL server:
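The mutual authentication, protocol/cipher restriction and SSLSocketFactory cases described on this page, as an added Java example (not the product's own code) built on the standard Camel JSSE classes that the Systar SSLContextParameters extends; the key store paths and passwords are placeholders, and the CamelContext is assumed to be supplied by the caller.

```java
import javax.net.ssl.SSLSocketFactory;
import org.apache.camel.CamelContext;
import org.apache.camel.support.jsse.CipherSuitesParameters;
import org.apache.camel.support.jsse.ClientAuthentication;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.SSLContextServerParameters;
import org.apache.camel.support.jsse.SecureSocketProtocolsParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;

public class MutualTlsConfig {
    // Builds a JKS key store reference; path and password are placeholders.
    private static KeyStoreParameters jks(String path, String password) {
        KeyStoreParameters ks = new KeyStoreParameters();
        ks.setResource(path);
        ks.setPassword(password);
        return ks;
    }

    public static SSLContextParameters build() {
        // Key store holds this component's own certificate and private key.
        KeyManagersParameters keyManagers = new KeyManagersParameters();
        keyManagers.setKeyStore(jks("/path/to/server-keystore.jks", "changeit"));
        keyManagers.setKeyPassword("changeit");
        // Trust store holds the CA (or self-signed certificate) peers must chain to.
        TrustManagersParameters trustManagers = new TrustManagersParameters();
        trustManagers.setKeyStore(jks("/path/to/truststore.jks", "changeit"));
        // Server side: REQUIRE a client certificate; WANT would admit clients without one.
        SSLContextServerParameters server = new SSLContextServerParameters();
        server.setClientAuthentication(ClientAuthentication.REQUIRE.name());
        // Restrict protocol and cipher suites to the recommended values.
        SecureSocketProtocolsParameters protocols = new SecureSocketProtocolsParameters();
        protocols.getSecureSocketProtocol().add("TLSv1.2");
        CipherSuitesParameters ciphers = new CipherSuitesParameters();
        ciphers.getCipherSuite().add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
        ciphers.getCipherSuite().add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

        SSLContextParameters params = new SSLContextParameters();
        params.setKeyManagers(keyManagers);
        params.setTrustManagers(trustManagers);
        params.setServerParameters(server);
        params.setSecureSocketProtocols(protocols);
        params.setCipherSuites(ciphers);
        return params;
    }

    // For connectors that take a javax.net.ssl.SSLSocketFactory; serverParameters are ignored client-side.
    public static SSLSocketFactory socketFactory(CamelContext camelContext) throws Exception {
        return build().createSSLContext(camelContext).getSocketFactory();
    }
}
```

On the client side the same key managers provide the client certificate for mutual authentication, and the trust store is what allows a self-signed server certificate to be accepted without weakening validation.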