此内容没有您所选择的语言版本。

4.8. SSL Connector Reference

JBoss Web connectors may include the following SSL configuration attributes. The CLI commands provided are designed for a managed domain using profile default. Change the profile name to the one you wish to configure, for a managed domain, or omit the /profile=default portion of the command, for a standalone server.

Note

Before using the write-attribute CLI command listed in the table, you need to add ssl=configuration.

Table 4.4. SSL Connector Attributes
Attribute	Description	CLI Command
name	The display name of the SSL connector.	Attribute `name` is read-only.
verify-client	The possible values of `verify-client` differ, based upon whether the HTTP/HTTPS connector is used, or the native APR connector is used. HTTP/HTTPS Connector Possible values are `true`, `false`, or `want`. Set to `true` to require a valid certificate chain from the client before accepting a connection. Set to `want` if you want the SSL stack to request a client Certificate, but not fail if one is not presented. Set to `false` (the default) to not require a certificate chain unless the client requests a resource protected by a security constraint that uses `CLIENT-CERT` authentication. Before using the `write-attribute` CLI command, you need to add the APR connector. Native APR Connector Possible values are `optional`, `require`, `optionalNoCA`, and `none` (or any other string, which will have the same effect as `none`). These values determine whether a certification is optional, required, optional without a Certificate Authority, or not required at all. The default is `none`, meaning the client will not have the opportunity to submit a certificate.	The first example command uses the HTTPS connector. /profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=verify-client,value=want) The second example command uses the APR connector. /profile=default/subsystem=web/connector=APR/ssl=configuration/:write-attribute(name=verify-client,value=require)
verify-depth	The maximum number of intermediate certificate issuers checked before deciding that the clients do not have a valid certificate. The default value is `10`.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=verify-depth,value=10)
certificate-key-file	The full file path and file name of the keystore file where the signed server certificate is stored. With JSSE encryption, this certificate file will be the only one, while OpenSSL uses several files. The default value is the `.keystore` file in the home directory of the user running JBoss EAP 6. If your `keystoreType` does not use a file, set the parameter to an empty string.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=certificate-key-file,value=../domain/configuration/server.keystore)
certificate-file	If you use OpenSSL encryption, set the value of this parameter to the path to the file containing the server certificate.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=certificate-file,value=server.crt)
password	The password for both the truststore and keystore. In the following example, replace PASSWORD with your own password.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=password,value=PASSWORD)
protocol	The version of the SSL protocol to use. Supported values depend on the underlying SSL implementation (whether JSSE or OpenSSL). Refer to the Java SSE Documentation. You can also specify a combination of protocols, which is comma separated. For example, TLSv1, TLSv1.1,TLSv1.2. Warning Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2 in all affected packages.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=protocol,value=ALL) /profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=protocol,value="TLSv1, TLSv1.1,TLSv1.2")
cipher-suite	A list of the encryption ciphers which are allowed. For JSSE syntax, it must be a comma-separated list. For OpenSSL syntax, it must be a colon-separated list. Ensure that you only use one syntax. The default is `HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5`. The example only lists two possible ciphers, but real-world examples will likely use more. Important Using weak ciphers is a significant security risk. See http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295 for NIST recommendations on cipher suites. For a list of available OpenSSL ciphers, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS. Note that the following are not supported: `@SECLEVEL`, `SUITEB128`, `SUITEB128ONLY`, `SUITEB192`.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=cipher-suite, value="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA")
key-alias	The alias used to for the server certificate in the keystore. In the following example, replace KEY_ALIAS with your certificate's alias.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=key-alias,value=KEY_ALIAS)
truststore-type	The type of the truststore. Various types of truststores are available, including `PKCS12` and Java's standard `JKS`.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=truststore-type,value=jks)
keystore-type	The type of the keystore, Various types of keystores are available, including `PKCS12` and Java's standard `JKS`.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=keystore-type,value=jks)
ca-certificate-file	The file containing the CA certificates. This is the `truststoreFile`, in the case of JSSE, and uses the same password as the keystore. The `ca-certificate-file` file is used to validate client certificates.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=certificate-file,value=ca.crt)
ca-certificate-password	The Certificate password for the `ca-certificate-file`. In the following example, replace the MASKED_PASSWORD with your own masked password.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=ca-certificate-password,value=MASKED_PASSWORD)
ca-revocation-url	A file or URL which contains the revocation list. It refers to the `crlFile` for JSSE or the `SSLCARevocationFile` for SSL.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=ca-revocation-url,value=ca.crl)
session-cache-size	The size of the SSLSession cache. This attribute applies only to JSSE connectors. The default is `0`, which specifies an unlimited cache size.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=session-cache-size,value=100)
session-timeout	The number of seconds before a cached SSLSession expires. This attribute applies only to JSSE connectors. The default is `86400` seconds, which is 24 hours.	/profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=session-timeout,value=43200)

Note

For performance testing, you must set one explicit cipher and protocol.

Report a bug

此内容没有您所选择的语言版本。

4.8. SSL Connector Reference

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Red Hat legal and privacy links

Red Hat legal and privacy links