SSLSessionInfo component provides information about a SSL session such as peer certificate, negotiated ciphersuite etc.
|
|
|
|
| certificateLabel | The label is a simple name by which a X.509 certificate/private key is identified in a PKCS#11 token. If it is anticipated that the peer would request the client's certificate, this property needs to be set. If this property is not set and server requests client authentication, credentialCallback (if any set - getCertificateLabel method in the SSLCallback interface) will be invoked. If both credential callback and this property are not set, and client authentication is requested, then SSL session will fail. | None. |
| version | This is the SSL protocol version to utilize for the SSL connection. | SSL v3.0 |
| host | Host name of the peer to which a SSL connection is attempted/made. | N/A |
| port | Port number of the peer to which a SSL connection is attempted/made. | N/A |
| protocolCipher | Returns ciphersuite string which also identifies the protocol
(SSL/TLS) used. E.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5 as opposed to
SSL_RSA_EXPORT_WITH_RC4_40_MD5 which would be returned when
getProperty("cipherSuite") is called. |
N/A |
| protocol | Returns the protocol ("SSL" or "TLS") | N/A |
| reuseSession | This specifies if the current ssl session used use a cached SSL session ID. | TRUE |
| cipherSuite | Specifies the negotiated SSL Ciphersuite that is used by the current SSL session. This indicates the type of key exchange and algorithms used for the bulk data encryption and MAC (message authentication code). | N/A |
| qop | This essentially identifies the list of ciphersuites the client is willing to utilize while negotiating a SSL connection. Once a SSL connection has been established, the server and the client would have agreed upon one ciphersuite. There are predefined labels for lists of ciphersuites offered by the client runtime. This property specifies one of these. Refer to availableQop on how to retrieve the available qop. | sybpks_domestic for domestic version and sybpks_intl for export version. |
| pin | Specifies the PKCS11 token PIN. This is required for logging into pkcs11 token for client authentication and for retrieving trust information. If this property is not set and server requests client authentication, login callback (if any set - getPin method in SSLCallback interface) will be invoked to get the pkcs11 PIN. If both this property and login callback property are not set and pkcs11 token login is required, SSL session will fail. Can be set at application wide using the SSLServiceProvider context. Cannot be retrieved once set. | None. |
| callbackImpl | Specifies the user's SSLCallback
implementation. This will be the DLL name followed by package and the component
name (separated by '/') in C++ ORBs and a fully qualified class name
(without .class suffix) in Java ORB.
Login Callback (getPin Method in SSLCallback interface): This callback is invoked by the SSL runtime engine to retrieve the PKCS11 token PIN or Entrust Password. Password will be required if the password wasn't supplied before by the user or the login timed out.
Certificate Label Callback (getCertificateLabel Method in SSLCallback interface): This callback is invoked by SSL runtime engine to retrieve a user certificate label if the server has requested client authentication and the certificate label wasn't set earlier.
Trust Verification Callback (trustVerify Method in SSLCallback Interface): During the SSL handshake, it is necessary to verify if the server certificate is valid and trusted. A series of checks are performed to determine if the server certificate and its signer(CA) certificates are valid and trusted. However, if the SSL runtime engine is unable to determine if the certificate is valid or not, the user can be queried whether to accept the server certificate or not. This callback is invoked by the SSL runtime engine to ascertain the user response. If the SYBASE PKCS#11 token is utilized, trust information can be pre configured using the Security Manager for "well known" CAs. The SSL runtime engine will then retrieve the trust information from the PKCS#11 token. If this callback is not set and the trust information in the Sybase pkcs11 token indicates that server certificate chain is invalid/not trusted, SSL session will fail.
Generic Credential Attribute Callback (getCredentialAttribute Method in SSLCallback Interface): Currently, this callback will be used to get Entrust credential attributes on demand. These are Entrust Ini file and user profile name. User profile is needed only when Entrust single login feature is not available on the platform. This callback will be invoked when the useEntrustId property is set and INI file and/or Entrust User profile are/is not set. |
Refer to SSLCallback Interface for details on default implementation. |
| userdata | Specifies user data (a string). This is an optional property. Client code can set this user data during ORB initialization and access it using SSLSessionInfo::getProperty method in the SSL callback implementation. This may be useful as a mechanism to store ORB level context information that is otherwise not available through SSLSessionInfo interface. | Empty string (""). |
Returns self certificate used in establishing the SSL session.
CtsSecurity::X509Certificate getCertificate
(
)
raises (CtsSecurity::NoCertificateException);
Returns "self" certificate chain used in establishing the SSL session. The certificate chain is ordered with the "self" certificate first and the root CA last.
CtsSecurity::X509CertificateChain getCertificateChain
(
)
raises (CtsSecurity::NoCertificateException);
Returns peer certificate (if any). If peer certificate is returned, peer has been SSL authenticated and its distinguished name can be obtained from its certificate.
CtsSecurity::X509Certificate getPeerCertificate
(
)
raises (CtsSecurity::NoCertificateException);
Returns peer certificate chain (if any). If peer certificate chain is returned, peer has been SSL authenticated and its distinguished name can be obtained from its certificate. The certificate chain is ordered with the peer certificate first and the root CA last.
CtsSecurity::X509CertificateChain getPeerCertificateChain
(
)
raises (CtsSecurity::NoCertificateException);
This method allows the user to retrieve the value of the specified SSL session property. Following properties are supported (refer to Table. EAServer Security - SSL Properties for detailed descriptions).
| Property |
|---|
| certificateLabel |
| cipherSuite |
| entrustIniFile |
| entrustUserProfile |
| useEntrustId |
| host |
| loginTimeout |
| port |
| protocol |
| protocolAndCipher |
| reuseSession |
| tokenName |
| userdata |
| version |
string getProperty
(
in string property
)
raises (CtsSecurity::InvalidPropertyException);