Interface Repository

Interface CtsSecurity::SSLSessionInfo

The SSLSessionInfo component provides information about an SSL session, such as the peer certificate and the negotiated ciphersuite.

Table. EAServer Security - SSL properties

Each entry below gives the property name, its description, and its default value.

certificateLabel
    Description: The label is a simple name by which an X.509 certificate/private key is identified in a PKCS#11 token. If it is anticipated that the peer will request the client's certificate, this property needs to be set. If this property is not set and the server requests client authentication, the credential callback (if one is set; the getCertificateLabel method in the SSLCallback interface) will be invoked. If neither the credential callback nor this property is set and client authentication is requested, the SSL session will fail.
    Default value: None.

version
    Description: The SSL protocol version to use for the SSL connection.
    Default value: SSL v3.0

loginTimeout
    Description: The time in seconds for which a login to the PKCS#11 token is kept valid. If this property is set to x seconds, then when the user attempts to establish an SSL session more than x seconds later, the user is required to supply the PKCS#11 PIN again through the login callback (getPin method in the SSLCallback interface). This property is useful only when the login callback is set; otherwise it is ignored.
    Default value: Indefinite.

host
    Description: Host name of the peer to which an SSL connection is attempted/made.
    Default value: N/A

port
    Description: Port number of the peer to which an SSL connection is attempted/made.
    Default value: N/A

protocolCipher
    Description: Returns the ciphersuite string, which also identifies the protocol (SSL/TLS) used, e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5 as opposed to SSL_RSA_EXPORT_WITH_RC4_40_MD5, which would be returned by getProperty("cipherSuite").
    Default value: N/A

protocol
    Description: Returns the protocol ("SSL" or "TLS").
    Default value: N/A

reuseSession
    Description: Specifies whether the current SSL session reuses a cached SSL session ID.
    Default value: TRUE

cipherSuite
    Description: The negotiated SSL ciphersuite used by the current SSL session. This indicates the type of key exchange and the algorithms used for bulk data encryption and MAC (message authentication code).
    Default value: N/A

tokenName
    Description: The name of the PKCS#11 or security token that holds the keys and certificates. Currently, only the Sybase PKCS#11 token and Entrust are supported implicitly. The Sybase PKCS#11 token is essentially the data store for the private keys, user certificates, CA certificates and the trust information associated with these CA certificates. Possible values of this property are "SYBASE" and "Entrust".
    Default value: SYBASE

qop
    Description: Identifies the list of ciphersuites the client is willing to use while negotiating an SSL connection. Once an SSL connection has been established, the server and the client will have agreed upon one ciphersuite. There are predefined labels for the lists of ciphersuites offered by the client runtime; this property specifies one of these. Refer to availableQop on how to retrieve the available qop labels.
    Default value: sybpks_domestic for the domestic version and sybpks_intl for the export version.

pin
    Description: The PKCS#11 token PIN. This is required for logging into the PKCS#11 token for client authentication and for retrieving trust information. If this property is not set and the server requests client authentication, the login callback (if one is set; the getPin method in the SSLCallback interface) will be invoked to get the PKCS#11 PIN. If neither this property nor the login callback is set and a PKCS#11 token login is required, the SSL session will fail. Can be set application-wide using the SSLServiceProvider context. Cannot be retrieved once set.
    Default value: None.

callbackImpl
    Description: The user's SSLCallback implementation. This is the DLL name followed by the package and component name (separated by '/') in C++ ORBs, and a fully qualified class name (without the .class suffix) in the Java ORB.

    Login Callback (getPin method in the SSLCallback interface): This callback is invoked by the SSL runtime engine to retrieve the PKCS#11 token PIN or the Entrust password. The password is required if it was not supplied earlier by the user or the login timed out.

    Certificate Label Callback (getCertificateLabel method in the SSLCallback interface): This callback is invoked by the SSL runtime engine to retrieve a user certificate label if the server has requested client authentication and the certificate label was not set earlier.

    Trust Verification Callback (trustVerify method in the SSLCallback interface): During the SSL handshake, it is necessary to verify that the server certificate is valid and trusted. A series of checks is performed to determine whether the server certificate and its signer (CA) certificates are valid and trusted. However, if the SSL runtime engine is unable to determine whether the certificate is valid, the user can be queried whether to accept the server certificate or not. This callback is invoked by the SSL runtime engine to obtain the user's response. If the SYBASE PKCS#11 token is used, trust information can be pre-configured using the Security Manager for "well known" CAs; the SSL runtime engine will then retrieve the trust information from the PKCS#11 token. If this callback is not set and the trust information in the Sybase PKCS#11 token indicates that the server certificate chain is invalid or not trusted, the SSL session will fail.

    Generic Credential Attribute Callback (getCredentialAttribute method in the SSLCallback interface): Currently, this callback is used to get Entrust credential attributes on demand. These are the Entrust INI file and the user profile name. The user profile is needed only when the Entrust single login feature is not available on the platform. This callback is invoked when the useEntrustId property is set and the INI file and/or the Entrust user profile are not set.

    Refer to the SSLCallback interface for details on the default implementation.

cacheSize
    Description: SSL session IDs are cached once a successful connection has been established. When the client reconnects to the server, it can reuse the previously established SSL session parameters by sending the old SSL session ID to the server. This improves performance if the client frequently connects and disconnects the network connection to the same server. The cache size is the size of this SSL session ID cache. Can be set application-wide using the SSLServiceProvider context.
    Default value: 100

availableQop
    Description: A list of Quality of Security Service (QOSS) labels supported by the client runtime. Each QOSS label identifies the list of ciphersuites that would be used during the SSL handshake. For a list of available qop labels and the associated ciphersuites, refer to Security Profiles in the EAServer documentation.
    Default value: N/A

availableQopDesc
    Description: A list of descriptions of each available quality of security service retrieved using the availableQop property.
    Default value: N/A

availableCertificateLabels
    Description: A list of certificate labels available in the Sybase PKCS#11 module.
    Default value: N/A

availableVersions
    Description: A list of SSL protocol versions supported by the SSL runtime engine.
    Default value: N/A

SessShareCount
    Description: The number of concurrent SSL sessions that can use the same SSL session ID.
    Default value: 10

SessLingerTime
    Description: The duration in seconds for which a session ID entry is kept in the SSL session cache after the last SSL connection using that session ID is terminated.
    Default value: 28800 (8 hours)

userdata
    Description: User data (a string). This is an optional property. Client code can set this user data during ORB initialization and access it using the SSLSessionInfo::getProperty method in the SSL callback implementation. This may be useful as a mechanism to store ORB-level context information that is otherwise not available through the SSLSessionInfo interface.
    Default value: Empty string ("").

entrustReady
    Description: This get-only boolean property indicates whether Entrust is supported for authentication. If this property is false, Entrust support is not available or failed to initialize.
    Default value: None.

entrustIniFile
    Description: An Entrust INI file (path name). This is required when the useEntrustId property is set to TRUE.
    Default value: None.

entrustUserProfile
    Description: An Entrust user profile (a file path name). This property is optional when the Entrust single login feature is available.
    Default value: None.

useEntrustId
    Description: This boolean property specifies whether the Entrust ID should be used for authentication. If this property is not set to TRUE, the other Entrust-specific properties are ignored.
    Default value: FALSE

entrustPassword
    Description: This null-terminated string is the password for logging into Entrust with the specified user profile. This property is optional when the Entrust single login feature is available. If the password is not set and is required (as is the case in environments where the Entrust single logon feature is not available), the getPin method in CtsSecurity::SSLCallback will be invoked to get the Entrust password. In that case, if there is no callback or the callback does not return a password, the SSL session will fail.
    Default value: None.

fips140
    Description: This read-only boolean property returns true if the underlying SSL runtime is using a FIPS 140-2 certified implementation of the cryptographic algorithms.
    Default value: FALSE
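The resolution order the table spells out for the pin and certificateLabel properties (property first, then the SSLCallback method, otherwise the SSL session fails), the loginTimeout rule, and the trust verification decision, modelled as an added Python example. This is not EAServer's or Sybase's code: the callback signatures, the caller-supplied `now` clock, and the "undetermined" trust verdict (None) are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

class SSLSessionFailure(Exception):
    """Raised wherever the property table says 'SSL session will fail'."""

@dataclass
class SSLCallback:
    # Hooks named after the SSLCallback methods on this page; their signatures are assumed.
    get_pin: Optional[Callable[[], Optional[str]]] = None
    get_certificate_label: Optional[Callable[[], Optional[str]]] = None
    trust_verify: Optional[Callable[[str], bool]] = None

@dataclass
class ClientSSLProps:
    pin: Optional[str] = None
    certificate_label: Optional[str] = None
    login_timeout: Optional[float] = None   # loginTimeout in seconds; None = indefinite
    pin_set_at: float = 0.0                 # clock reading of the last PKCS#11 login

def resolve_pin(props: ClientSSLProps, cb: SSLCallback, now: float) -> str:
    """pin property first; getPin if no pin is set or (with a login callback) the login timed out."""
    if props.pin is not None:
        # loginTimeout only counts when a login callback is set, as documented.
        timed_out = (cb.get_pin is not None and props.login_timeout is not None
                     and now - props.pin_set_at > props.login_timeout)
        if not timed_out:
            return props.pin
    if cb.get_pin is not None:
        pin = cb.get_pin()
        if pin:
            props.pin, props.pin_set_at = pin, now   # fresh login restarts the timeout
            return pin
    raise SSLSessionFailure("PKCS#11 login required but no pin and no login callback")

def resolve_certificate_label(props: ClientSSLProps, cb: SSLCallback) -> str:
    """certificateLabel property, then getCertificateLabel, else the session fails."""
    if props.certificate_label:
        return props.certificate_label
    if cb.get_certificate_label and (label := cb.get_certificate_label()):
        return label
    raise SSLSessionFailure("client authentication requested but no certificate label")

def decide_server_trust(token_verdict: Optional[bool], cb: SSLCallback) -> bool:
    """token_verdict: True/False from the token's trust information, None when the runtime
    cannot decide. Assumed: trustVerify is asked only when None; None with no callback fails."""
    if token_verdict is True:
        return True
    if token_verdict is None and cb.trust_verify is not None:
        return bool(cb.trust_verify("server certificate chain"))
    raise SSLSessionFailure("server certificate chain invalid, not trusted or undetermined")
```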

Generated by Sybase EAServer 5.0