HttpsConnectorServlet
You can use all configuration attributes of the HttpConnectorServlet for the HttpsConnectorServlet as well. In addition, the TLS attributes listed below must be configured.
Classname:
ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet
Library:
libHttpConnectorServlet.so.1
Configuration
Name | Type, Usage Constraints, Defaults | Description |
---|---|---|
SSLCACertificateFile | string; optional, basic connectivity | Specifies the file containing the CA certificate(s) that are used to check whether the peer’s node certificate is trusted. All the certificates in the file will be verified. PEM encoded files are supported. Nevis PKCS#11 URLs are not supported. If the SSLCACertificateFile attribute is not specified, the peer certificate will be trusted automatically. Mandatory to set if SSLCheckPeerHostname is enabled. |
SSLClientCertificateFile | string; optional, basic feature | The X509 node certificate that is sent to the application server if requested by an SSL/TLS CertificateRequest message. PEM encoded files and Nevis PKCS#11 URLs are supported. For more information on how to use the GemEngine within the HttpsConnectorServlet, see chapter "Gemalto GemEngine Support for the HttpsConnectorServlet". Client certificates do not work with TLSv1.3. If you intend to set up a two-way TLS connection, use TLSv1.2. |
SSLClientKeyFile | string; optional, basic feature | The key for a TLS client certificate may be provided either in the same file as the certificate (SSLClientCertificateFile) or in a separate file specified with SSLClientKeyFile. Configure only SSLClientCertificateFile if both the certificate and the key are contained in the same file. See chapter "Gemalto GemEngine Support for the HttpsConnectorServlet" for more information on how to use the GemEngine within the HttpsConnectorServlet. |
SSLCache | enum: on, session, off; optional, advanced; default: on | This attribute configures the client-side TLS cache. Possible values: "on": one TLS session to the content provider is established and used for all requests. "session": for every user session, an individual TLS session to the content provider is established and used only for requests associated with that session; in this mode, the TCP connection pooling configured by the KeepAlive attribute must either be disabled (KeepAlive set to false) or be enabled with KeepAlive.ByClient set to true as well. "off": for every request sent to the content provider, a new TLS session is established. |
SSLCipherSuites | string; required, troubleshooting; default: "!aNULL:!aDSS:!MD5:kEDH+AES:RSA+AES:kEDH+3DES:RSA+3DES"; secure default: "TLSv1.2:!NULL:!DSS:!kDH:!ADH:!kRSA:!kECDH:!aECDSA" | You can set all ciphers which are supported by OpenSSL. Recommended value: the recommended cipher configuration is "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256". |
SslConnectTimeout | integer; optional | Timeout in milliseconds to open the TLS connection after the TCP connection has been opened successfully. The timeouts are related as follows: ConnectTimeout is the timeout for establishing the TCP connection; SslConnectTimeout is the timeout for establishing the TLS connection once the TCP connection exists; RequestTimeout is the timeout for a response from the server once the TLS connection has been established. |
CrlFile | string; optional | The path to a CRL file (PEM format). It is reloaded automatically if the file is replaced by a newer one. The file modification time is checked in the interval configured under periodicity in the Timer section of the file navajo.xml. |
SSLCheckPeerHostname | boolean: true, false; optional, security/troubleshooting; default: false, secure default: true | If set to "true", the DNS name will be checked against the CommonName and the Subject Alternative Name in the certificate subject. |
SSLCheckPeerHostname.AllowWildcards | boolean: true, false; optional; default: false | If set to "true", the system also accepts certificates containing wildcards. This parameter is only evaluated if the attribute SSLCheckPeerHostname is set to "true". For security reasons, never set this parameter to "true" in production! |
SSLProtocol | enum: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3; required, troubleshooting; default: all-SSLv2, secure default: -all +TLSv1.2 | Syntax: each entry is prefixed with + or -; no sign means +. Separate the entries in the SSL protocol list by a blank. TLSv1 may be required with some JSSE implementations (e.g. some BEA WLS versions); setting this version sends an SSL version of 3.1 in the SSL/TLS client hello and enforces TLS 1.0. TLSv1.1 sends a TLS 1.1 client hello; there may be backends that do not understand TLSv1.1 and are not able to tell the proxy to downgrade. TLSv1.2 sends a TLS 1.2 client hello; there may be backends that do not understand TLSv1.2 and are not able to tell the proxy to downgrade. TLSv1.3 sends a TLS 1.3 client hello; this is only supported if you use OpenSSL 1.1.1 (currently el7 package only). Some backends may not understand TLSv1.3 and thus will not be able to tell the proxy to downgrade; support of TLSv1.3 is experimental. SSLv2.3 sends an SSL 2.0 compatible client hello and lets the server select the protocol; it therefore supports all of the three protocol versions above. SSLv2 is not recommended and should only be used for legacy integration. SSLv3 is deprecated and should only be used for legacy integration; it sends an SSL version of 3.0 in the SSL/TLS client hello and enforces SSL 3.0. Example: "+TLSv1 +TLSv1.2". Recommended value: the recommended protocol configuration is "-all +TLSv1.2". The default "all-SSLv2" is a fixed (artificial) provider name and allows all of the above protocols except SSLv2; note that in this case there is no blank between "all" and "-SSLv2". |
SSLDynamicClientCertificate | boolean: true, false; optional, advanced; default: false | If set to true, the client certificate used in the TLS handshake is retrieved from the user session. See chapter "Enabling dynamic x.509 certificates" on how to configure nevisAuth and nevisProxy for use with dynamic client certificates. Because the client certificate is session-bound and not statically configured, the following configuration constraints apply: SSLCache must be set to either "off" or "session"; KeepAlive must be set to "false" or KeepAlive.ByClient must be set to "true"; SSLClientCertificateFile must not be configured. |
UseSSL | boolean; optional; default: true | If set to false, the servlet behaves like an HttpConnectorServlet. |
SSLSNISupport | boolean; optional; default: true | Enables SNI support for this servlet. If the backend has multiple name-based virtual servers configured with different certificates, the servlet can securely indicate, as part of the TLS handshake, to which one it intends to connect. This indication happens at the beginning of the connection and (depending on the backend) is checked continuously. Therefore, if you combine KeepAlive with dynamic HostNames, it will most probably not work, because the HostName might change when the connection is re-used. |
ConnectionRetries | integer; optional; default: 0 | Sometimes a TLS connection fails because of some unknown problem (network, etc.). With this parameter you can configure how many times the servlet should try to connect before giving up. |
The behavior of many web servers depends on the protocol version and the HTTP header field UserAgent. Therefore, if connection-oriented problems occur, you have to adjust the HttpsConnectorServlet to the behavior of the content provider, which usually means adjusting the attributes SSLProtocol, KeepAlive, Protocol and UserAgent.
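The constraints stated in the table above (SSLCheckPeerHostname needs SSLCACertificateFile, SSLCache in session mode and SSLDynamicClientCertificate need KeepAlive off or KeepAlive.ByClient, client certificates need TLSv1.2, and the sign syntax of SSLProtocol) can be checked mechanically before a configuration is deployed. The following Python script is an added example and not part of nevisProxy. It assumes the servlet is declared with servlet-style init-param elements (param-name/param-value); that file layout, both sample configurations and the CA file path are constructed placeholders, and since this page does not state the default of KeepAlive, only an explicit "true" is treated as pooling.

```python
"""Lint an HttpsConnectorServlet configuration against the constraints in the
table above. Added example, not nevisProxy code: the <init-param> layout and
both sample configurations are assumptions/constructed samples."""
import xml.etree.ElementTree as ET

# Protocol versions accepted by SSLProtocol, as listed in the table.
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_ssl_protocol(spec):
    """Resolve an SSLProtocol value to the set of enabled versions.

    Rules from the table: entries are separated by blanks, a missing sign
    means '+', 'all' stands for every version, and the fixed name
    'all-SSLv2' (no blank) means every version except SSLv2. Entries apply
    left to right, so '-all +TLSv1.2' leaves only TLSv1.2 enabled.
    """
    enabled = set()
    for token in spec.split():
        if token == "all-SSLv2":
            enabled |= PROTOCOLS - {"SSLv2"}
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = PROTOCOLS if name == "all" else {name}
        if not names <= PROTOCOLS:
            raise ValueError(f"unknown SSLProtocol entry: {token}")
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def _is_true(params, key):
    return params.get(key, "false").strip().lower() == "true"


def lint(params):
    """Return the findings (empty list means clean) for one servlet's params."""
    findings = []
    check_host = _is_true(params, "SSLCheckPeerHostname")
    if "SSLCACertificateFile" not in params:
        findings.append("SSLCACertificateFile missing: peer certificate is trusted automatically")
        if check_host:
            findings.append("SSLCheckPeerHostname=true requires SSLCACertificateFile")
    if not check_host:
        findings.append("SSLCheckPeerHostname is not true: backend DNS name is not verified")
    if _is_true(params, "SSLCheckPeerHostname.AllowWildcards"):
        findings.append("SSLCheckPeerHostname.AllowWildcards=true must not be used in production")

    protocols = parse_ssl_protocol(params.get("SSLProtocol", "all-SSLv2"))
    legacy = sorted(protocols & {"SSLv2", "SSLv3"})
    if legacy:
        findings.append(f"legacy protocols enabled: {', '.join(legacy)}")
    if "SSLClientCertificateFile" in params and "TLSv1.3" in protocols:
        findings.append("client certificate with TLSv1.3 enabled: two-way TLS needs TLSv1.2")

    # KeepAlive's default is not stated on this page; only an explicit "true"
    # without KeepAlive.ByClient counts as pooling connections across sessions.
    pooled = _is_true(params, "KeepAlive") and not _is_true(params, "KeepAlive.ByClient")
    cache = params.get("SSLCache", "on")
    if cache == "session" and pooled:
        findings.append("SSLCache=session needs KeepAlive=false or KeepAlive.ByClient=true")
    if _is_true(params, "SSLDynamicClientCertificate"):
        if cache not in ("off", "session"):
            findings.append("SSLDynamicClientCertificate requires SSLCache off or session")
        if pooled:
            findings.append("SSLDynamicClientCertificate needs KeepAlive=false or KeepAlive.ByClient=true")
        if "SSLClientCertificateFile" in params:
            findings.append("SSLDynamicClientCertificate excludes SSLClientCertificateFile")
    return findings


def init_params(servlet_xml):
    """Collect param-name/param-value pairs from a <servlet> element (assumed layout)."""
    root = ET.fromstring(servlet_xml)
    return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
            for p in root.iter("init-param")}


def _servlet(params):
    """Build a constructed <servlet> element from a name -> value mapping."""
    items = "".join(
        f"<init-param><param-name>{k}</param-name><param-value>{v}</param-value></init-param>"
        for k, v in params.items())
    return ("<servlet><servlet-name>backend</servlet-name><servlet-class>"
            "ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet"
            f"</servlet-class>{items}</servlet>")


# Constructed sample 1: troubleshooting defaults plus per-session TLS cache with pooling.
WEAK_XML = _servlet({"SSLProtocol": "all-SSLv2", "SSLCache": "session", "KeepAlive": "true"})

# Constructed sample 2: the table's secure defaults and recommended values
# (the CA file path is a placeholder).
HARDENED_XML = _servlet({
    "SSLCACertificateFile": "/path/to/backend-ca.pem",
    "SSLCheckPeerHostname": "true",
    "SSLProtocol": "-all +TLSv1.2",
    "SSLCipherSuites": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
                       "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
                       "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
                       "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256",
    "SSLCache": "on",
    "KeepAlive": "true",
})

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(label, lint(init_params(xml)) or "clean")
```

Running the script reports four findings for the first sample (no CA file, no hostname check, SSLv3 enabled, and session-mode cache combined with pooled KeepAlive) and none for the second. The lint deliberately stays within what the table states; a check of the cipher string itself would need OpenSSL's cipher list parser and is left out.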