JSSEDocumentation
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/fdc742df Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/fdc742df Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/fdc742df Branch: refs/heads/JSSEDocumentation Commit: fdc742dfe41200af301a31247e81c0bfde209f1a Parents: 6bb3988 Author: Arno Noordover <anoordo...@users.noreply.github.com> Authored: Mon Jun 27 19:21:54 2016 +0200 Committer: Arno Noordover <anoordo...@users.noreply.github.com> Committed: Wed Jun 29 20:59:04 2016 +0200 ---------------------------------------------------------------------- docs/user-manual/en/SUMMARY.md | 1 + .../en/camel-configuration-utilities.adoc | 844 +++++++++++++++++++ 2 files changed, 845 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/fdc742df/docs/user-manual/en/SUMMARY.md ---------------------------------------------------------------------- diff --git a/docs/user-manual/en/SUMMARY.md b/docs/user-manual/en/SUMMARY.md index 1c4ef4a..bfce4c7 100644 --- a/docs/user-manual/en/SUMMARY.md +++ b/docs/user-manual/en/SUMMARY.md @@ -344,3 +344,4 @@ * [Blueprint Testing](test-blueprint.adoc) * [CDI Testing](cdi-testing.adoc) * [Spring Testing](spring-testing.adoc) + * [JSSE Utility](camel-configuration-utilities.adoc) http://git-wip-us.apache.org/repos/asf/camel/blob/fdc742df/docs/user-manual/en/camel-configuration-utilities.adoc ---------------------------------------------------------------------- diff --git a/docs/user-manual/en/camel-configuration-utilities.adoc b/docs/user-manual/en/camel-configuration-utilities.adoc new file mode 100644 index 0000000..15e3689 --- /dev/null +++ b/docs/user-manual/en/camel-configuration-utilities.adoc @@ -0,0 +1,844 @@ +[[CamelConfigurationUtilities-JSSEUtility]] +JSSE Utility +~~~~~~~~~~~~ + +The JSSE Utility, available as of *2.8*, allows you to easily configure +aspects of the +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html[Java +Secure Socket Extension] (JSSE) API in order to greatly simplify the use +of custom transport layer security (TLS) settings on Camel components. + +[[CamelConfigurationUtilities-SupportedComponents]] +Supported Components +^^^^^^^^^^^^^^^^^^^^ + +The following Camel components directly support the use of this +configuration utility: + +* link:http4.html[HTTP4] +* link:jetty.html[Jetty] +* link:ahc.html[AHC] +* link:netty.html[Netty] +* link:cometd.html[Cometd] +* link:ftp2.html[FTP2] +* link:irc.html[IRC] +* link:mail.html[Mail] +* MINA 2 + +The following Camel components indirectly support the use of this +configuration utility: + +* link:cxf.html[CXF] +* link:http.html[HTTP] + +[[CamelConfigurationUtilities-Configuration]] +Configuration +^^^^^^^^^^^^^ + +The key component in configuring TLS through the JSSE API is the +SSLContext. The +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLContext[SSLContext] +provides socket factories for both +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLSocketFactory[client-side] +and +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLSocketFactory[server-side] +sockets as well as another component called an +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLENG[SSLEngine] +that is used by non-blocking IO to support TLS. The JSSE configuration +utility provides an easy to use builder for configuring these JSSE +components, among others, in a manner that allows you to provide all +configuration options up front during the initialization of your +application such that you don't have to customize library code or dig +though the inner workings of a third-party library in order to inject +hooks for the configuration of each component in the JSSE API. The +central builder in the JSSE configuration utility is the +SSLContextParameters. This class serves as the entry point for most +configuration in the JSSE utility. + +[NOTE] +===================================== +All non-native classes are in the org.apache.camel.util.jsse package. +All non-W3C schema defined types are in the +http://camel.apache.org/schema/spring[http://camel.apache.org/schema/spring] +or +http://camel.apache.org/schema/blueprint[http://camel.apache.org/schema/blueprint] +namespaces for Spring and Blueprint based configuration, respectively. +===================================== + + +[[CamelConfigurationUtilities-SSLContextParameters]] +SSLContextParameters +++++++++++++++++++++ + + +[cols="a,a",width="100%",options="header",grids="cols"] +|==================== +|Property|Description +|Field: + +cipherSuites + +Class: + +CipherSuitesParameters + +XML: + +sslContextParameters + +/ciphersuites +|This optional property represents a collection of explicitly named +cipher suites to enable on both the client and server side as well as in +the SSLEngine. These values take precedence over filters supplied in +cipherSuitesFilter. The utility attempts to enable the listed cipher +suites regardless of whether or not the JSSE provider actually supports +them or not. This behavior guarantees that listed cipher suites are +always enabled when listed. For a more lenient option, use +cipherSuitesFilter. +|Field: + +cipherSuitesFilter + +Class: + +link:camel-configuration-utilities.html[FilterParameters] + +XML: + +sslContextParameters + +/cipherSuitesFilter +|This optional property represents a collection of include and exclude +patterns for cipher suites to enable on both the client and server side +as well as in the SSLEngine. The patterns are applied over only the +available cipher suites. The exclude patterns have precedence over the +include patterns. If no cipherSuites and no cipherSuitesFilter are +present, the default patterns applied are: + +Includes + +* .* + +Excludes + +* .*_NULL_.* +* .*_anon_.* +* .*DES.* *Camel 2.15.4* +* .*EXPORT.* *Camel 2.15.4* +|Field: + +secureSocketProtocols + +Class: + +SecureSocketProtocolsParameters + +XML: + +sslContextParameters + +/secureSocketProtocols +|This optional property represents a collection of explicitly named +secure socket protocols, such as SSLv3/TLS/etc., to enable on both the +client and server side as well as in the SSLEngine. These values take +precedence over filters supplied in secureSocketProtocolsFilter. The +utility attempts to enable the listed protocols regardless of whether or +not the JSSE provider actually supports them or not. This behavior +guarantees that listed protocols are always enabled when listed. For a +more lenient option, use secureSocketProtocolsFilter. +|==================== + +secureSocketProtocolsFilter - +link:camel-configuration-utilities.html[FilterParameters] + +sslContextParameters/secureSocketProtocolsFilter - +link:camel-configuration-utilities.html[FilterParameters] + +This optional property represents a collection of include and exclude +patterns for secure socket protocols to enable on both the client and +server side as well as in the SSLEngine. The patterns are applied over +only the available protocols. The exclude patterns have precedence over +the include patterns. If no secureSocketProtocols and no +secureSocketProtocolsFilter are present, the default patterns applied +are: + + + + Includes + +* .* + +sessionTimeout - java.lang.String + +sslContextParameters/@sessionTimeout - xsd:string + +This optional property defines the timeout period, in seconds, for +sessions on both the client and server side as well as in the SSLEngine. + +keyManagers - +link:camel-configuration-utilities.html[KeyManagersParameters] + +sslContextParameters/keyManagers - +link:camel-configuration-utilities.html[KeyManagersParameters] + +This optional property configures the source of key material for +providing identity of client and server side connections as well as in +the SSLEngine. If omitted, no source of key material is provided and +the SSLContext is suitable only for client-side usage when mutual +authentication is not in use. You typically configure this property +with a key store containing a client or server private key. + +trustManagers - +link:camel-configuration-utilities.html[TrustManagersParameters] + +sslContextParameters/trustManagers - +link:camel-configuration-utilities.html[TrustManagersParameters] + +This optional property configures the source of material for verifying +trust of key material used in the handshake process. If omitted, the +default trust manager is automatically used. See the +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores[JSSE +documentation] for more information on how the default trust manager is +configured. You typically configure this property with a key store +containing trusted CA certificates. + +secureRandom - SecureRandomParameters + +sslContextParameters/secureRandom - SecureRandomParameters + +This optional property configures the secure random number generator +used by the client and server side as well as in the SSLEngine. If +omitted, the default secure random number generator is used. + +clientParameters - +link:camel-configuration-utilities.html[SSLContextClientParameters] + +sslContextParameters/clientParameters - +link:camel-configuration-utilities.html[SSLContextClientParameters] + +This optional property configures additional settings that apply only to +the client side aspects of the SSLContext. If present, these settings +override the settings specified at the SSLContextParameters level. + +serverParameters - +link:camel-configuration-utilities.html[SSLContextServerParameters] + +sslContextParameters/serverParameters - +link:camel-configuration-utilities.html[SSLContextServerParameters] + +This optional property configures additional settings that apply only to +the server side aspects of the SSLContext. If present, these settings +override the settings specified at the SSLContextParameters level. + +provider - java.lang.String + +sslContextParameters/@provider - xsd:string + +The optional provider identifier for the JSSE implementation to use when +constructing the SSLContext. If omitted, the standard provider look-up +mechanism is used to resolve the provider. + +secureSocketProtocol - java.lang.String + +sslContextParameters/@secureSocketProtocol - xsd:string + +The optional secure socket protocol. See +http://download.oracle.com/javase/6/docs/technotes/guides//security/jsse/JSSERefGuide.html#AppA[Appendix +A] in the Java Secure Socket Extension Reference Guide for information +about standard protocol names. If omitted, TLS is used by default. +Note that this property is related to but distinctly different from the +secureSocketProtocols and secureSocketProtocolsFilter properties. + +certAlias - java.lang.String + +sslContextParameters/@certAlias - xsd:string + +*Camel 2.13:* An optional certificate alias to use. This is useful when +the keystore has multiple certificates. + +[[CamelConfigurationUtilities-KeyManagersParameters]] +KeyManagersParameters ++++++++++++++++++++++ + +Java Field Name and Class + +XML Attribute/Element and Type + +Description + +keyStore- link:camel-configuration-utilities.html[KeyStoreParameters] + +keyStore - link:camel-configuration-utilities.html[KeyStoreParameters] + +This optional property represents the key store that provides key +material to the key manager. This is typically configured with a key +store containing a user or server private key. In some cases, such as +when using PKCS#11, the key store is omitted entirely. + +keyPassword - java.lang.String + +@keyPassword - xsd:string + +The optional password for recovering/accessing the private key in the +key store. This is typically the password for the private key in the +configured key store; however, in some cases, such as when using +PKCS#11, the key password may be provided through other means and is +omitted entirely in this configuration. + +provider - java.lang.String + +@provider - xsd:string + +The optional provider identifier for the KeyManagerFactory used to +create the KeyManagers represented by this object's configuration. If +omitted, the default look-up behavior is used. + +algorithm - java.lang.String + +@algorithm - xsd:string + +The optional algorithm name for the KeyManagerFactory used to create the +KeyManager represented by this object's configuration. See the +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html[Java +Secure Socket Extension Reference Guide] for information about standard +algorithm names. + +trustManager - java.lang.String + +@trustManager - xsd:string + +*Camel 2.17:*To use a existing configured trust manager instead of using +TrustManagerFactory to get the TrustManager. + +[[CamelConfigurationUtilities-TrustManagersParameters]] +TrustManagersParameters ++++++++++++++++++++++++ + +Java Field Name and Class + +XML Attribute/Element and Type + +Description + +keyStore- link:camel-configuration-utilities.html[KeyStoreParameters] + +keyStore - link:camel-configuration-utilities.html[KeyStoreParameters] + +This optional property represents the key store that provides key +material to the trust manager. This is typically configured with a key +store containing trusted CA certificates / public keys. In some cases, +such as when using PKCS#11, the key store is omitted entirely. + +provider - java.lang.String + +@provider - xsd:string + +The optional provider identifier for the TrustManagerFactory used to +create the TrustManagers represented by this object's configuration. If +omitted, the default look-up behavior is used. + +algorithm - java.lang.String + +@algorithm - xsd:string + +The optional algorithm name for the TrustManagerFactory used to create +the TrustManager represented by this object's configuration. See the +http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html[Java +Secure Socket Extension Reference Guide] for information about standard +algorithm names. + +[[CamelConfigurationUtilities-KeyStoreParameters]] +KeyStoreParameters +++++++++++++++++++ + +Java Field Name and Class + +XML Attribute/Element and Type + +Description + +resource- java.lang.String + +keyStore/@resource - xsd:string + +This optional property represents the location of the key store resource +to load the key store from. In some cases, the resource is omitted as +the key store content is provided by other means. The loading of the +resource, if provided, is attempted by treating the resource as a file +path, a class path resource, and a URL in that order. An exception is +thrown if the resource cannot be resolved to readable input stream using +any of the above methods. + +[Note] +==== + *OSGi Usage* + +For programmatic and Spring based XML configuration in OSGi, a resource +specified as a classpath resource path may be accessible in the bundle +containing the XML configuration file or in a package that is imported +by that bundle. As Blueprint does not define the thread context +classloader behavior, only classpath resources in the bundle containing +the XML configuration file may be resolved from a Blueprint based XML +configuration. + + + + + + +==== + +password - java.lang.String + +keyStore/@password - xsd:string + +The optional password for reading/opening/verifying the key store. + +type - java.lang.String + +keyStore/@type - xsd:string + +The optional type of the key store. See Appendix A in the +http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyStore[Java +Cryptography Architecture Standard Algorithm Name Documentation] for +more information on standard names. If omitted, defaults to the default +lookup mechanism as defined by +http://download.oracle.com/javase/6/docs/api/java/security/KeyStore.html#getDefaultType()[KeyStore.getDefaultType()]. + +provider - java.lang.String + +keyStore/@provider - xsd:string + +The optional provider identifier for the provider used to create the +KeyStores represented by this object's configuration. If omitted, the +default look-up behavior is used. + +[[CamelConfigurationUtilities-FilterParameters]] +FilterParameters +++++++++++++++++ + +Java Field Name and Class + +XML Attribute/Element and Type + +Description + +include - java.util.List<java.lang.String> + +include - xsd:string + +This optional property represents zero or more regular expression +patterns for which matching values should be included. The list of +excludes takes precedence over the include patterns. + +exclude - java.util.List<java.lang.String> + +exclude - xsd:string + +This optional property represents zero or more regular expression +patterns for which matching values should be included. The list of +excludes takes precedence over the include patterns. + +[[CamelConfigurationUtilities-SecureRandomParameters]] +SecureRandomParameters +++++++++++++++++++++++ + +Java Field Name and Class + +XML Attribute/Element and Type + +Description + +algorithm - java.lang.String + +@algorithm - xsd:string + +This optionap property represents the Random Number Generator (RNG) +algorithm identifier for the SecureRandom factory method used to create +the SecureRandom represented by this object's configuration. See +http://download.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA[Appendix +A] in the Java Cryptography Architecture API Specification & Reference +for information about standard RNG algorithm names. + +provider - java.lang.String + +@provider - xsd:string + +The optional provider identifier for the SecureRandom factory method +used to create the SecureRandom represented by this object's +configuration. If omitted, the default look-up behavior is used. + +[[CamelConfigurationUtilities-SSLContextServerParameters]] +SSLContextServerParameters +++++++++++++++++++++++++++ + +Java Field Name and Class + +XML Attribute/Element and Type + +Description + +cipherSuites - CipherSuitesParameters + +sslContextClientParameters/ciphersuites - CipherSuitesParameters + +This optional property represents a collection of explicitly named +cipher suites to enable on the server side only +(SSLServerSocketFactory/SSLServerSocket) by overriding the value of this +setting in the SSLContextParameters. This option has no affect on the +SSLEngine configuration. These values take precedence over filters +supplied in cipherSuitesFilter. The utility attempts to enable the +listed cipher suites regardless of whether or not the JSSE provider +actually supports them or not. This behavior guarantees that listed +cipher suites are always enabled when listed. For a more lenient +option, use cipherSuitesFilter. + +cipherSuitesFilter - +link:camel-configuration-utilities.html[FilterParameters] + +sslContextClientParameters/cipherSuitesFilter - +link:camel-configuration-utilities.html[FilterParameters] + +This optional property represents a collection of include and exclude +patterns for cipher suites to enable on the server side only +(SSLServerSocketFactory/SSLServerSocket) by overriding the value of this +setting in the SSLContextParameters. This option has no affect on the +SSLEngine configuration. The patterns are applied over only the +available cipher suites. The exclude patterns have precedence over the +include patterns. See SSLContextParameters for details of the behavior +if this option and cipherSuites is omitted at this level. + +secureSocketProtocols - SecureSocketProtocolsParameters + +sslContextClientParameters/secureSocketProtocols - +SecureSocketProtocolsParameters + +This optional property represents a collection of explicitly named +secure socket protocols, such as SSLv3/TLS/etc., to enable on the server +side only (SSLServerSocketFactory/SSLServerSocket) by overriding the +value of this setting in the SSLContextParameters. This option has no +affect on the SSLEngine configuration. These values take precedence +over filters supplied in secureSocketProtocolsFilter. The utility +attempts to enable the listed protocols regardless of whether or not the +JSSE provider actually supports them or not. This behavior guarantees +that listed protocols aree always enabled when listed. For a more +lenient option, use secureSocketProtocolsFilter. + +secureSocketProtocolsFilter - +link:camel-configuration-utilities.html[FilterParameters] + +sslContextClientParameters/secureSocketProtocolsFilter - +link:camel-configuration-utilities.html[FilterParameters] + +This optional property represents a collection of include and exclude +patterns for secure socket protocols to enable on theserver side only +(SSLServerSocketFactory/SSLServerSocket) by overriding the value of this +setting in the SSLContextParameters. This option has no affect on the +SSLEngine configuration. The patterns are applied over only the +available protocols. The exclude patterns have precedence over the +include patterns. See SSLContextParameters for details of the behavior +if this option and/or secureSocketProtocols is omitted at this level. + +sessionTimeout - java.lang.String + +sslContextServerParameters/@sessionTimeout - xsd:string + +This optional property defines the timeout period, in seconds, for +sessions on the server side. This setting affects both the +SSLServerSocketFactory/SSLServerSocket as well as the server side of the +SSLEngine. + +clientAuthentication - java.lang.String + +sslContextServerParameters/@clientAuthentication - xsd:string + +This optional property indicates if the server side does not request, +requests, or requires clients to provide authentication credentials +during the handshake process. This is commonly referred to as mutual +authentication, two direction SSL/TLS, or two-legged SSL/TLS. + + Valid values are: NONE, WANT, REQUIRE + +[[CamelConfigurationUtilities-SSLContextClientParameters]] +SSLContextClientParameters +++++++++++++++++++++++++++ + + +[width="100%",options="header"] +|==================== +|Java Field Name and Class|XML Attribute/Element and Type|Description +|cipherSuites - CipherSuitesParameters +|sslContextClientParameters/ciphersuites - CipherSuitesParameters +|This optional property represents a collection of explicitly named +cipher suites to enable on theclient side only +(SSLSocketFactory/SSLSocket) by overriding the value of this setting in +the SSLContextParameters. This option has no affect on the SSLEngine +configuration. These values take precedence over filters supplied in +cipherSuitesFilter. The utility attempts to enable the listed cipher +suites regardless of whether or not the JSSE provider actually supports +them or not. This behavior guarantees that listed cipher suites are +always enabled when listed. For a more lenient option, use +cipherSuitesFilter. +|cipherSuitesFilter - +link:camel-configuration-utilities.html[FilterParameters] +|sslContextClientParameters/cipherSuitesFilter - +link:camel-configuration-utilities.html[FilterParameters] +|This optional property represents a collection of include and exclude +patterns for cipher suites to enable on the client side only +(SSLSocketFactory/SSLSocket) by overriding the value of this setting in +the SSLContextParameters. This option has no affect on the SSLEngine +configuration. The patterns are applied over only the available cipher +suites. The exclude patterns have precedence over the include +patterns. See SSLContextParameters for details of the behavior if this +option and cipherSuites is omitted at this level. +|==================== + +secureSocketProtocols - SecureSocketProtocolsParameters + +sslContextClientParameters/secureSocketProtocols - +SecureSocketProtocolsParameters + +This optional property represents a collection of explicitly named +secure socket protocols, such as SSLv3/TLS/etc., to enable on the client +side only (SSLSocketFactory/SSLSocket) by overriding the value of this +setting in the SSLContextParameters. This option has no affect on the +SSLEngine configuration. These values take precedence over filters +supplied in secureSocketProtocolsFilter. The utility attempts to enable +the listed protocols regardless of whether or not the JSSE provider +actually supports them or not. This behavior guarantees that listed +protocols aree always enabled when listed. For a more lenient option, +use secureSocketProtocolsFilter. + +secureSocketProtocolsFilter - +link:camel-configuration-utilities.html[FilterParameters] + +sslContextClientParameters/secureSocketProtocolsFilter - +link:camel-configuration-utilities.html[FilterParameters] + +This optional property represents a collection of include and exclude +patterns for secure socket protocols to enable on the client side only +(SSLSocketFactory/SSLSocket) by overriding the value of this setting in +the SSLContextParameters. This option has no affect on the SSLEngine +configuration. The patterns are applied over only the available +protocols. The exclude patterns have precedence over the include +patterns. See SSLContextParameters for details of the behavior if this +option and/or secureSocketProtocols is omitted at this level. + +sessionTimeout - java.lang.String + +sslContextServerParameters/@sessionTimeout - xsd:string + +This optional property defines the timeout period, in seconds, for +sessions on the client side This setting affects both the +SSLSocketFactory/SSLSocket as well as the client side of the SSLEngine. + +[[CamelConfigurationUtilities-Examples]] +Examples +^^^^^^^^ + +[[CamelConfigurationUtilities-ProgrammaticUsage]] +Programmatic Usage +++++++++++++++++++ + +[[CamelConfigurationUtilities-SettingClientAuthenticationOntheServerSide]] +Setting Client Authentication On the Server Side + +This configuration sets the server side aspects of the TLS configuration +to require client authentication during the handshake process. This +configuration uses the default trust store and a custom key store to +provide key material for both the server and client sides of the +SSLContext. + +[source,java] +------------------------------------------------------------------- +KeyStoreParameters ksp = new KeyStoreParameters(); +ksp.setResource("/users/home/server/keystore.jks"); +ksp.setPassword("keystorePassword"); + +KeyManagersParameters kmp = new KeyManagersParameters(); +kmp.setKeyStore(ksp); +kmp.setKeyPassword("keyPassword"); + +SSLContextServerParameters scsp = new SSLContextServerParameters(); +scsp.setClientAuthentication(ClientAuthentication.REQUIRE); +SSLContextParameters scp = new SSLContextParameters(); +scp.setServerParameters(scsp); +scp.setKeyManagers(kmp); + +SSLContext context = scp.createSSLContext(); +SSLEngine engine = scp.createSSLEngine(); +------------------------------------------------------------------- + +[[CamelConfigurationUtilities-ConfiguringDifferentOptionsontheClientandServerSide]] +Configuring Different Options on the Client and Server Side + +In this example, both the client and server sides share the same custom +key store; however, the client side allows any supported cipher suite +while the server side will use the default cipher suite filter and +exclude any cipher suites that match the patterns .*_NULL_.* and +.*_anon_.*. + +[source,java] +------------------------------------------------------------------- +KeyStoreParameters ksp = new KeyStoreParameters(); +ksp.setResource("/users/home/server/keystore.jks"); +ksp.setPassword("keystorePassword"); + +KeyManagersParameters kmp = new KeyManagersParameters(); +kmp.setKeyStore(ksp); +kmp.setKeyPassword("keyPassword"); + +FilterParameters filter = new FilterParameters(); +filter.getInclude().add(".*"); + +SSLContextClientParameters sccp = new SSLContextClientParameters(); +sccp.setCipherSuitesFilter(filter); + +SSLContextParameters scp = new SSLContextParameters(); +scp.setClientParameters(sccp); +scp.setKeyManagers(kmp); + +SSLContext context = scp.createSSLContext(); +SSLEngine engine = scp.createSSLEngine(); +------------------------------------------------------------------- + +[[CamelConfigurationUtilities-UsingCamelPropertyPlaceholders]] +Using Camel Property Placeholders + +This configuration utility fully supports the use of property +placeholders (see link:using-propertyplaceholder.html[Using +PropertyPlaceholder]) in all configuration fields. In order to support +this feature, the configuration utility objects must be configured with +a reference to a Camel context. All of the utility classes except for +CipherSuitesParameters and SecureSocketProtocolsParameters provide a +setter method for providing the context reference. Do not confuse the +lack of a setter on CipherSuitesParameters and +SecureSocketProtocolsParameters as an indication that you cannot use +property placeholders when configuring these classes. The lack of a +setter is an internal implementation detail and full placeholder support +is available for both of the configuration classes. + +The following example code demonstrates how to create a KeyStore +instance based on configuration options provided by the Camel Properties +Component and property placeholder support. + +[source,java] +--------------------------------------------------- +PropertiesComponent pc = new PropertiesComponent(); +pc.setLocation("file:./jsse-test.properties"); + +CamelContext context = new DefaultCamelContext(); +context.addComponent("properties", pc); + +KeyStoreParameters ksp = new KeyStoreParameters(); +ksp.setContext(camelContext); +ksp.setType("{{keyStoreParameters.type}}"); +ksp.setProvider("{{keyStoreParameters.provider}}"); +ksp.setResource("{{keyStoreParameters.resource}}"); +ksp.setPassword("{{keyStoreParamerers.password}}"); + +KeyStore keyStore = ksp.createKeyStore(); +--------------------------------------------------- + +[[CamelConfigurationUtilities-XMLConfiguration]] +XML Configuration ++++++++++++++++++ + +[NOTE] +==== + + +Note that XML configuration is supported in both Spring and Blueprint +format. + +==== + +[[CamelConfigurationUtilities-SettingClientAuthenticationOntheServerSide.1]] +Setting Client Authentication On the Server Side + +This configuration sets the server side aspects of the TLS configuration +to require client authentication during the handshake process. This +configuration uses the default trust store and a custom key store to +provide key material for both the server and client sides of the +SSLContext. + +[source,xml] +--------------------------------------------------------------------------------------------------------------- +<beans xmlns="http://www.springframework.org/schema/beans"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xmlns:camel="http://camel.apache.org/schema/spring"; + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd";> + + <camel:sslContextParameters + id="mySslContext"> + + <camel:keyManagers + keyPassword="keyPassword"> + <camel:keyStore + resource="/users/home/server/keystore.jks" + password="keystorePassword"/> + </camel:keyManagers> + + <camel:serverParameters + clientAuthentication="WANT"/> + + </camel:sslContextParameters> + +</beans> +--------------------------------------------------------------------------------------------------------------- + +[[CamelConfigurationUtilities-ConfiguringDifferentOptionsontheClientandServerSide.1]] +Configuring Different Options on the Client and Server Side + +In this example, both the client and server sides share the same custom +key store; however, the client side allows any supported cipher suite +while the server side will use the default cipher suite filter and +exclude any cipher suites that match the patterns .*_NULL_.* and +.*_anon_.*. + +[source,xml] +-------------------------------------------------------------- +<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";> + xmlns:camel="http://camel.apache.org/schema/blueprint";> + + <camel:sslContextParameters + id="mySslContext"> + + <camel:keyManagers + keyPassword="keyPassword"> + <camel:keyStore + resource="/users/home/server/keystore.jks" + password="keystorePassword"/> + </camel:keyManagers> + + <camel:clientParameters> + <camel:cipherSuitesFilter> + <camel:include>.*</camel:include> + </camel:cipherSuitesFilter> + </camel:clientParameters> + + </camel:sslContextParameters> + +</blueprint> +-------------------------------------------------------------- + +[[CamelConfigurationUtilities-UsingCamelPropertyPlaceholders.1]] +Using Camel Property Placeholders + +This configuration utility fully supports the use of property +placeholders (see link:using-propertyplaceholder.html[Using +PropertyPlaceholder]) in all configuration fields for XML based +configuration as well. In order to support this feature, the +configuration utility objects must be configured with a reference to a +Camel context. The Spring and Blueprint namespace handlers will +automatically inject the reference to the context for you when there is +one Camel context in scope. If you have more than one Camel context +instance in your XML defined context, you can indicate which context +reference to configure by specifying the camelContextId attribute in the +top-level XML element. + +The following example code demonstrates how to create a KeyStore +instance based on configuration options provided by the Camel Properties +Component and property placeholder support. The Camel context with the +ID example is used to resolve the property placeholders. + +[source,xml] +--------------------------------------------------------------------------------------------------------------- +<beans xmlns="http://www.springframework.org/schema/beans"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xmlns:camel="http://camel.apache.org/schema/spring"; + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd";> + + <camel:camelContext id="example"/> + + <camel:camelContext id="example2"/> + + <camel:keyStoreParameters + id="ksp" + camelContextId="example" + resource="{{keyStoreParameters.resource}}" + type="{{keyStoreParameters.type}}" + provider="{{keyStoreParameters.provider}}" + password="{{keyStoreParamerers.password}}"/> + +</beans> +---------------------------------------------------------------------------------------------------------------
