Selects a particular certificate from the key store specified by IceSSL.Keystore. The certificate identified by alias is presented to the peer during authentication.
Specifies the directory containing the certificates of trusted certificate authorities. The directory must be prepared in advance using the OpenSSL utility c_rehash. The path name may be specified relative to the default directory defined by IceSSL.DefaultDir.
If IceSSL.DefaultDir is also defined, IceSSL attempts to open the specified CA certificate file as Resources/DefaultDir/file in the application's resource bundle and as DefaultDir/file in the file system.
If IceSSL.DefaultDir is not defined, IceSSL attempts to open the specified CA certificate file as Resources/file in the application's resource bundle and as file in the file system.
IceSSL.CertFile=file (.NET, Ice Touch)
IceSSL.CertFile=file[:file] (C++ - Unix)
IceSSL.CertFile=file[;file] (C++ - Windows)
Specifies a file that contains the program's certificate, and may also contain the corresponding private key. The file name may be specified relative to the default directory defined by IceSSL.DefaultDir.
If IceSSL.DefaultDir is also defined, IceSSL attempts to open the specified certificate file as Resources/DefaultDir/file in the application's resource bundle and as DefaultDir/file in the file system.
If IceSSL.DefaultDir is not defined, IceSSL attempts to open the specified certificate file as Resources/file in the application's resource bundle and as file in the file system.
If num is a value greater than zero, IceSSL attempts to match the server's host name as specified in the proxy endpoint against the common name component of the server certificate's subject name. If no match is found there, IceSSL attempts to match the host name against the DNS and IP address fields of the server certificate's subject alternative name. The search does not issue any DNS queries but simply performs a case-insensitive string match. The server's certificate is accepted if its common name or any of its DNS or IP addresses matches the host name in the proxy endpoint. IceSSL skips this validation step if the server does not supply a certificate, or if the proxy endpoint does not include a host name and Ice.Default.Host is not defined. This property has no effect on a server's validation of a client's certificate. If no match is found, IceSSL aborts the connection attempt and raises an exception. If not defined, the default value is zero.
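The host-name check just described, written out as an added Python illustration (not IceSSL's own code). The certificate is a constructed dict holding only the fields the check compares; IceSSL raises an exception where this function returns "mismatch".

```python
# Constructed sample of the certificate fields IceSSL compares; not a real certificate.
SAMPLE_CERT = {
    "cn": "api.example.test",
    "san_dns": ["api.example.test", "Backup.Example.Test"],
    "san_ip": ["192.0.2.10"],
}


def check_cert_name(num, endpoint_host, default_host, cert):
    """Return 'match', 'skipped' or 'mismatch' for the IceSSL.CheckCertName check.

    num           -- value of IceSSL.CheckCertName (zero or unset disables the check)
    endpoint_host -- host name from the proxy endpoint, or None if it has none
    default_host  -- value of Ice.Default.Host, or None if not defined
    cert          -- server certificate fields (see SAMPLE_CERT), or None if none was sent
    """
    if num <= 0:
        return "skipped"                      # check disabled (the default)
    host = endpoint_host or default_host
    if cert is None or not host:
        return "skipped"                      # no certificate, or nothing to compare against
    wanted = host.lower()                     # comparison is case-insensitive
    # 1. common name of the subject
    if cert.get("cn", "").lower() == wanted:
        return "match"
    # 2. DNS and IP entries of the subject alternative name. This is a plain string
    #    compare with no DNS lookup, so "www.example.test" never matches a certificate
    #    issued for "example.test", and an IP must be spelled identically in the SAN.
    for name in cert.get("san_dns", []) + cert.get("san_ip", []):
        if name.lower() == wanted:
            return "match"
    return "mismatch"                         # IceSSL aborts the connection here
```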
If num is a value greater than zero, IceSSL checks the certificate revocation list to determine if the peer's certificate has been revoked. If so, IceSSL aborts the connection and raises an exception.
IceSSL.Ciphers=ciphers (C++, Java)
Specifies the cipher suites that IceSSL is allowed to negotiate. A cipher suite is a set of algorithms that satisfies the four requirements for establishing a secure connection: signing and authentication, key exchange, secure hashing, and encryption. Some algorithms satisfy more than one requirement, and there are many possible combinations.
The value of this property is given directly to the OpenSSL library and is dependent on how OpenSSL was compiled. You can obtain a complete list of the supported cipher suites using the command openssl ciphers. This command will likely generate a long list. To simplify the selection process, OpenSSL supports several classes of ciphers. Classes and ciphers can be excluded by prefixing them with an exclamation point. The special keyword @STRENGTH sorts the cipher list in order of their strength, so that SSL gives preference to the more secure ciphers when negotiating a cipher suite. The @STRENGTH keyword must be the last element in the list. The classes are:
IceSSL.DH.bits=file (C++)
Specifies a file containing Diffie-Hellman parameters whose key length is bits, as shown in the following example:
IceSSL supplies default parameters for key lengths of 512, 1024, 2048, and 4096 bits, which are used if no user-defined parameters of the desired key length are specified. The file name may be specified relative to the default directory defined by IceSSL.DefaultDir. The parameters must be encoded using the PEM format.
IceSSL.FindCert.location.name=criteria (.NET)
Queries the certificate repository for matching certificates and adds them to the application's collection of certificates that are used for authentication. The value for location must be LocalMachine or CurrentUser. The name corresponds to the .NET enumeration StoreName and may be one of the following values: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople, TrustedPublisher. It is also possible to use an arbitrary value for name.
The value for criteria may be *, in which case all of the certificates in the store are selected. Otherwise, criteria must be one or more field:value pairs separated by white space. The valid field names are described below:
The field names are case-insensitive. If multiple criteria are specified, only certificates that match all criteria are selected. Values must be enclosed in single or double quotes to preserve white space.
Multiple occurrences of the property are allowed, but only one query is possible for each location/name combination. The certificates from all queries are combined to form the certificate collection, including a certificate loaded using IceSSL.CertFile. Here are some sample queries:
A server requires a certificate for authentication purposes, therefore IceSSL selects the first certificate in the accumulated collection. This is normally the certificate loaded via IceSSL.CertFile, if that property was defined. Otherwise, one of the certificates from IceSSL.FindCert is selected. Since IceSSL does not guarantee the order in which it evaluates IceSSL.FindCert properties, it is recommended that the criteria select only one certificate.
IceSSL.ImportCert.location.name=file[;password] (.NET)
Imports the certificate in file into the specified certificate store. The value for location must be LocalMachine or CurrentUser. The name corresponds to the .NET enumeration StoreName and may be one of the following values: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople, TrustedPublisher. It is also possible to use an arbitrary value for name, which adds a new store to the repository. If you are importing a trusted CA certificate, it must be added to AuthRoot or Root.
The password is optional; it is only necessary if the certificate file also contains a private key or uses a secure storage format such as PFX.
The file name and password may be enclosed in single or double quotes if necessary. The file name may be specified relative to the default directory defined by IceSSL.DefaultDir.
Importing a certificate into LocalMachine requires administrator privileges, while importing into CurrentUser may cause the platform to prompt the user for confirmation.
IceSSL.Keychain=name (Ice Touch)
Specifies the name of the keychain into which to import the certificate identified by IceSSL.CertFile. If not defined, the keychain named login is used by default. Note that this property is only relevant for the iPhone simulator and Mac OS X targets.
Specifies the password for the keychain identified by IceSSL.Keychain. If not defined, IceSSL attempts to open the keychain without a password. Note that this property is only relevant for the iPhone simulator and Mac OS X targets.
Specifies a file containing the private key associated with the certificate identified by IceSSL.CertFile. The file name may be specified relative to the default directory defined by IceSSL.DefaultDir. The key must be encoded using the PEM format.
Specifies a key store file containing certificates and their private keys. If the key store contains multiple certificates, you should specify a particular one to use for authentication using IceSSL.Alias. IceSSL first attempts to open the file as a class loader resource and then as a regular file. If the file cannot be found in the file system, IceSSL attempts to open the file relative to the directory specified by IceSSL.DefaultDir. The format of the file is determined by IceSSL.KeystoreType.
If this property is not defined, the application will not be able to supply a certificate during SSL handshaking. As a result, the application may not be able to negotiate a secure connection, or might be required to use an anonymous cipher suite.
Specifies the format of the key store file defined by IceSSL.Keystore. Legal values are JKS and PKCS12. If not defined, the JVM's default value is used (normally JKS).
Specifies the protocols to allow during SSL handshaking. Legal values are SSL3 and TLS1. You may also specify both values, separated by commas or white space. If this property is not defined, the platform's default is used.
IceSSL.Random=filelist (C++, Java)
Specifies one or more files containing data to use when seeding the random number generator. The file names should be separated using the platform's path separator (a colon on Unix and a semicolon on Windows). The file names may be specified relative to the default directory defined by IceSSL.DefaultDir.
The SSL plug‑in trace level:
Identifies trusted and untrusted peers. This family of properties provides an additional level of authentication by using the peer certificate’s distinguished name (DN) to decide whether to accept or reject a connection.
Each ENTRY in the property value consists of relative distinguished name (RDN) components, formatted according to the rules in RFC 2253. Specifically, the components must be separated by commas, and any component that contains a comma must be escaped or enclosed in quotes. For example, the following two property definitions are equivalent:
By default, each entry represents an acceptance entry. A ! character appearing at the beginning of an entry signifies a rejection entry. The order of the entries in a property is not important.
After the SSL engine has successfully completed its authentication process, IceSSL evaluates the relevant IceSSL.TrustOnly properties in an attempt to find an entry that matches the peer certificate's DN. For a match to be successful, the peer DN must contain an exact match for all of the RDN components in an entry. An entry may contain as many RDN components as you wish, depending on how narrowly you need to restrict access. The order of the RDN components in an entry is not important.
While testing your trust configuration, you may find it helpful to set the IceSSL.Trace.Security property to a non-zero value, which causes IceSSL to display the DN of each peer during connection establishment.
This property affects incoming and outgoing connections. IceSSL also supports similar properties that affect only incoming connections or only outgoing connections.
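The entry-matching rules above (RFC 2253 splitting with escapes and quotes, a leading ! for rejection entries, and order-independent matching of all of an entry's RDN components against the peer DN), as an added Python illustration that is not IceSSL's own code. It assumes that entries within one property value are separated by semicolons, that a matching rejection entry takes precedence, and that a value holding only rejection entries accepts any peer that is not rejected; none of those three points is stated on this page.

```python
def split_unquoted(s, sep):
    """Split on sep, ignoring separators that are escaped or inside double quotes."""
    parts, start, quoted, i = [], 0, False, 0
    while i < len(s):
        if s[i] == '"':
            quoted = not quoted
        elif s[i] == sep and not quoted:
            parts.append(s[start:i])
            start = i + 1
        i += 2 if s[i] == "\\" else 1          # an escaped character is never a separator
    return [p.strip() for p in parts + [s[start:]] if p.strip()]


def unescape(value):
    """Remove RFC 2253 backslash escapes and enclosing double quotes from a value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1                             # take the escaped character literally
            out.append(value[i])
        elif value[i] != '"':
            out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn):
    """DN string -> set of (TYPE, value); types compared case-insensitively, values exactly."""
    comps = set()
    for comp in split_unquoted(dn, ","):
        attr, _, value = comp.partition("=")
        comps.add((attr.strip().upper(), unescape(value.strip())))
    return comps


def parse_trust_only(value):
    """Property value -> [(is_rejection, rdn_set)]. Assumption: ';' separates entries."""
    entries = []
    for entry in split_unquoted(value, ";"):
        reject = entry.startswith("!")         # leading '!' marks a rejection entry
        entries.append((reject, parse_dn(entry[1:] if reject else entry)))
    return entries


def trust_decision(property_value, peer_dn):
    """True if the peer DN is accepted: an entry matches when every one of its RDN
    components occurs in the peer DN, in any order. Assumption (not on this page):
    a matching rejection wins, and a value with only rejections accepts the rest."""
    peer = parse_dn(peer_dn)
    entries = parse_trust_only(property_value)
    if any(rej and rdns <= peer for rej, rdns in entries):
        return False
    accepts = [rdns for rej, rdns in entries if not rej]
    return not accepts or any(rdns <= peer for rdns in accepts)
```

The constructed peer DNs in the test show the quoted and backslash-escaped spellings of a comma-containing organization name parsing to the same components.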
Identifies trusted and untrusted peers for incoming ("server") connections. The entries defined in this property are combined with those of IceSSL.TrustOnly. To configure trusted and untrusted peers for a particular object adapter, use IceSSL.TrustOnly.Server.AdapterName.
Specifies a key store file containing the certificates of trusted certificate authorities. IceSSL first attempts to open the file as a class loader resource and then as a regular file. If the file cannot be found in the file system, IceSSL attempts to open the file relative to the directory specified by IceSSL.DefaultDir. The format of the file is determined by IceSSL.TruststoreType.
If this property is not defined, IceSSL uses the value of IceSSL.Keystore by default. If no truststore is specified and the keystore does not contain a valid certificate chain, the application will not be able to authenticate the peer's certificate during SSL handshaking. As a result, the application may not be able to negotiate a secure connection, or might be required to use an anonymous cipher suite.
Specifies the format of the key store file defined by IceSSL.Truststore. Legal values are JKS and PKCS12. If not defined, the default value is JKS.
Specifies the maximum depth of a trusted peer's certificate chain, including the peer's certificate. A value of zero accepts chains of any length. If not defined, the default value is 2.
Specifies the verification requirements to use during SSL handshaking. The legal values are shown in the table below. If this property is not defined, the default value is 2.