SSLSessionInfo component provides information about a SSL session such as peer certificate, negotiated ciphersuite etc.
|
|
|
certificateLabel | The label is a simple name by which a X.509 certificate/private key is identified in a PKCS#11 token. If it is anticipated that the peer would request the client's certificate, this property needs to be set. If this property is not set and server requests client authentication, credentialCallback (if any set - getCertificateLabel method in the SSLCallback interface) will be invoked. If both credential callback and this property are not set, and client authentication is requested, then SSL session will fail. | None. |
version | This is the SSL protocol version to utilize for the SSL connection. | SSL v3.0 |
loginTimeout | This is the time in seconds for which login to pkcs11 token is kept valid. If this property is set to x (say) seconds, after x seconds when the user attempts to establish a SSL session, the user is required to supply the pkcs11 pin in login callback (getPin Method in the SSLCallback Interface). This property is useful only when the login callback is set. Otherwise, it is ignored. | Indefinite. |
host | Host name of the peer to which a SSL connection is attempted/made. | N/A |
port | Port number of the peer to which a SSL connection is attempted/made. | N/A |
reuseSession | This specifies if the current ssl session used use a cached SSL session ID. | TRUE |
cipherSuite | Specifies the negotiated SSL Ciphersuite that is used by the current SSL session. This indicates the type of key exchange and algorithms used for the bulk data encryption and MAC (message authentication code). | N/A |
tokenName | This property specifies the name of the pkcs11 or security token that holds the keys and certificates. Currently, only Sybase PKCS11 token and Entrust are supported implicitly. Sybase PKCS#11 token is essentially the data store for the private keys, user certificates, CA certificates and trust information associated with these CA certificates. Possible values of this property are "SYBASE" and "Entrust". | SYBASE |
qop | This essentially identifies the list of ciphersuites the client is willing to utilize while negotiating a SSL connection. Once a SSL connection has been established, the server and the client would have agreed upon one ciphersuite. There are predefined labels for lists of ciphersuites offered by the client runtime. This property specifies one of these. Refer to availableQop on how to retrieve the available qop. | sybpks_domestic for domestic version and sybpks_intl for export version. |
pin | Specifies the PKCS11 token PIN. This is required for logging into pkcs11 token for client authentication and for retrieving trust information. If this property is not set and server requests client authentication, login callback (if any set - getPin method in SSLCallback interface) will be invoked to get the pkcs11 PIN. If both this property and login callback property are not set and pkcs11 token login is required, SSL session will fail. Can be set at application wide using the SSLServiceProvider context. Cannot be retrieved once set. | None. |
callbackImpl | Specifies the user's SSLCallback
implementation. This will be the DLL name followed by package and the component
name (separated by '/') in C++ ORBs and a fully qualified class name
(without .class suffix) in Java ORB.
Login Callback (getPin Method in SSLCallback interface): This callback is invoked by the SSL runtime engine to retrieve the PKCS11 token PIN or Entrust Password. Password will be required if the password wasn't supplied before by the user or the login timed out.
Certificate Label Callback (getCertificateLabel Method in SSLCallback interface): This callback is invoked by SSL runtime engine to retrieve a user certificate label if the server has requested client authentication and the certificate label wasn't set earlier.
Trust Verification Callback (trustVerify Method in SSLCallback Interface): During the SSL handshake, it is necessary to verify if the server certificate is valid and trusted. A series of checks are performed to determine if the server certificate and its signer(CA) certificates are valid and trusted. However, if the SSL runtime engine is unable to determine if the certificate is valid or not, the user can be queried whether to accept the server certificate or not. This callback is invoked by the SSL runtime engine to ascertain the user response. If the SYBASE PKCS#11 token is utilized, trust information can be pre configured using the Security Manager for "well known" CAs. The SSL runtime engine will then retrieve the trust information from the PKCS#11 token. If this callback is not set and the trust information in the Sybase pkcs11 token indicates that server certificate chain is invalid/not trusted, SSL session will fail.
Generic Credential Attribute Callback (getCredentialAttribute Method in SSLCallback Interface): Currently, this callback will be used to get Entrust credential attributes on demand. These are Entrust Ini file and user profile name. User profile is needed only when Entrust single login feature is not available on the platform. This callback will be invoked when the useEntrustId property is set and INI file and/or Entrust User profile are/is not set. |
Refer to SSLCallback Interface for details on default implementation. |
cacheSize | SSL session IDs are cached once a successful connection has been established. When the client reconnects to the server, the client can reuse the previously established SSL session parameters by sending the old SSL Session ID to the server. This improves performance if the client is frequently connecting and disconnecting the network connection to the same server. The cache size is the size of this SSL Session ID cache. Can be set at application wide using the SSLServiceProvider context. | 100 |
availableQop | This is a list of Quality of Security Service labels supported by the client runtime. Each QOSS identifies the list of ciphersuites which would be utilized during the SSL handshake. For a list of available qop and the associated ciphersuites, please refer to Security Profiles in Jaguar CTS v3.0 documentation | N/A |
availableQopDesc | This is a list of descriptions of each available quality of security service retrieved using the availableQop property. | N/A | availableCertificateLabels | This is a list of certificate labels available in the Sybase PKCS#11 module. | N/A |
availableVersions | This is a list of SSL protocol versions supported by the SSL runtime engine. | N/A |
SessShareCount | Specifies the number of concurrent SSL sessions that can use the same SSL session ID. | 10 |
SessLingerTime | Specifies in seconds the duration for which a session ID entry is kept in the SSL session cache after the last SSL connection using that session ID is terminated. | 28800 (8 Hours) |
userdata | Specifies user data (a string). This is an optional property. Client code can set this user data during ORB initialization and access it using SSLSessionInfo::getProperty method in the SSL callback implementation. This may be useful as a mechanism to store ORB level context information that is otherwise not available through SSLSessionInfo interface. | Empty string (""). |
entrustReady | This get-only boolean property indicates if Entrust is supported for authentication. If this property is false, it indicates that Enrust support is not available/failed to initialize. | None. |
entrustIniFile | Specifies an Entrust INI file (path name). This is required when "useEntrustId" property is set to TRUE. | None. |
entrustUserProfile | Specifies an Entrust user profile (a file path name). This property is optional when Entrust single login feature is available. | None. |
useEntrustId | This boolean property specifies if Entrust ID should be used for authentication. If this property is not set to TRUE, other Entrust specific properties are ignored. | FALSE |
entrustPassword | This null terminated string specifies password for logging into Entrust with the specified user profile. This property is optional when Entrust single login feature is available. If the password is not set, and is required (as it will be the case in environments where Entrust single logon feature is not available), getPin method in the CtsSecurity::SSLCallback will be invoked to get the Entrust password. In this case, if there is no callback or if the callback does not return a password, SSL session will fail. | None. |
Returns self certificate used in establishing the SSL session.
CtsSecurity::X509Certificate getCertificate ( ) raises (CtsSecurity::NoCertificateException);
Returns "self" certificate chain used in establishing the SSL session. The certificate chain is ordered with the "self" certificate first and the root CA last.
CtsSecurity::X509CertificateChain getCertificateChain ( ) raises (CtsSecurity::NoCertificateException);
Returns peer certificate (if any). If peer certificate is returned, peer has been SSL authenticated and its distinguished name can be obtained from its certificate.
CtsSecurity::X509Certificate getPeerCertificate ( ) raises (CtsSecurity::NoCertificateException);
Returns peer certificate chain (if any). If peer certificate chain is returned, peer has been SSL authenticated and its distinguished name can be obtained from its certificate. The certificate chain is ordered with the peer certificate first and the root CA last.
CtsSecurity::X509CertificateChain getPeerCertificateChain ( ) raises (CtsSecurity::NoCertificateException);
This method allows the user to retrieve the value of the specified SSL session property. Following properties are supported (refer to Table. Jaguar Security - SSL Properties for detailed descriptions).
Property |
---|
certificateLabel |
version |
loginTimeout |
host |
port |
reuseSession |
cipherSuite |
tokenName |
userdata |
entrustIniFile |
entrustUserProfile |
useEntrustId |
string getProperty ( in string property ) raises (CtsSecurity::InvalidPropertyException);