Creating Secure Sessions in the PubSub+ JCSMP API

Clients using the PubSub+ JCSMP API can optionally create secure sessions that require trusted server certificates to establish a TLS/SSL-encrypted client connection to a PubSub+ event broker. When a secure session is created, SMF information is transported using TLS/SSL over TCP instead of plain-text over TCP.

To create a secure session, a number of TLS/SSL-specific session properties must be specified as discussed below. In addition, the event broker that the secure session will connect to must be properly configured, and the appropriate server certificate must be in place. For information on configuring an event broker to allow for secure connections, refer to TLS / SSL Service Configuration.

Related Samples

For an example of how to create and connect secure sessions, see the SecureSession sample on the Solace Developer Hub. Also, you can use secure sessions on other samples by prepending “tcps:” to the hostname used in the sample (refer to Host).

TLS/SSL-Specific Properties

To create a secure session, the following session properties must configured.

**TLS/SSL Secure Session Properties**
Property	Use	Description
Host	`JCSMPProperties.HOST`	Each host entry for a TLS/SSL connection requires an appropriate TLS/SSL protocol, and a specific TLS/SSL port number can optionally be specified. If no port number is specified, the default port of 55443 is used. For information on configuring hosts, refer to Host.
SSL Excluded Protocols	`JCSMPProperties.SSL_EXCLUDED_PROTOCOLS`	A comma-separated list of encryption protocols that may not be used for secure connections. Possible values are: SSLv3.0 (`SSLv3`) TLS v1.0 (`TLSv1`) TLS v1.1 (`TLSv1.1`) TLS v1.2 (`TLSv1.2`) See the preference for the specific values for SSL v3.0, TLS v1.0, TLS, v1.1, TLS V1.2. The default list is empty, meaning that any encryption protocol can be used (no protocols are excluded). As of Solace PubSub+ 7.1, this property has replaced the deprecated property SSL Protocol. Solace recommends switching to the new property as soon as possible. You may not use SSL Exclude Protocols and SSL Protocol together.
SSL Certificate Validation	`JCSMPProperties.SSL_VALIDATE_CERTIFICATE`	Indicates that whether the API should validate server certificates with the trusted certificates in the trust store. For the PubSub+ JCSMP API, a JKS or PKCS12 certificate file is used for the trust store.
SSL Certificate Date Validation	`JCSMPProperties.SSL_VALIDATE_CERTIFICATE_DATE`	Indicates whether the session connection should fail when an expired certificate or a certificate not yet in use is received. The default is `True`. No certificate date validation is performed if the SSL Certificate Validation property is set to `False`.
SSL Certificate Host Validation (SSL Server Certificate Validation Using Subject-Alternative Name )	`JCSMPProperties.SSL_VALIDATE_CERTIFICATE_HOST`	Indicates if the session connection validates the subject alternative name in the X.509 certificate. If the X.509 certificate does not contain the subject alternative name section, the Common Name in the Subject field of the X.509 certificate is verified against the HOST property. The default and recommended setting is `True`. No certificate host validation is performed if the SSL Certificate Validation property is set to `False`.
SSL Cipher Suites	`JCSMPProperties.SSL_CIPHER_SUITES`	A comma-separated list of cipher suites, listed in order of importance, to use to negotiate with the event broker. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. For a listing of the supported cipher suites in order of preference, refer to PubSub+ Messaging APIs for the appropriate messaging API. By default, no cipher suites are listed, which indicates that all supported ciphers should be considered.
SSL Trusted Store Directory	N/A	The directory where trusted certificates are stored.
SSL Trust Store (file-based)	`JCSMPProperties.SSL_TRUST_STORE`	The trust store files to use. For the PubSub+ JCSMP API, the trust store file (in URL or path format) to use. This property is mandatory if the `SSL_VALIDATE_CERTIFICATE` property is set to `True`.
SSL Trust Store (in-memory)	`JCSMPProperties.SSL_IN_MEMORY_TRUST_STORE`	Indicates the trusted certificates that are available as in-memory trust store. For the PubSub+ JCSMP API, the in-memory store in a `java.security.KeyStore` format. The `SSL_TRUST_STORE_PASSWORD` property is not required when using this property . Only use `SSL_TRUST_STORE` or `SSL_IN_MEMORY_TRUST_STORE`. You cannot mix in-memory and file-based (for example, URLs or filepaths) usage for the SSL trust store property. It's important to remember when using in-memory trust store that the `Keystore` object is considered immutable after its passed the PubSub+ Messaging API for JCSMP.
SSL Trust Store Password	`SessionHandle.PROPERTIES.SSL_TRUST_STORE_PASSWORD`	Specifies the password of the trust store. For the PubSub+ JCSMP API, the trust store password for the trust store provided for the `SSL_TRUST_STORE_PASSWORD` property. This property is mandatory if the `SSL_VALIDATE_CERTIFICATE` property is set to `True`.
SSL Trust Store Format	`JCSMPProperties.SSL_TRUST_STORE_FORMAT`	Indicates the format used by the trust store provided for the SSL Trust Store property. For the PubSub+ JCSMP API, supported trust store formats are `JKS` (the default) and `PKCS12`.
SSL Connection Downgrade To	`SessionHandle.PROPERTIES.SSL_CONNECTION_DOWNGRADE_TO`	Indicates that the SSL connection should be downgraded following client authentication. Allowed transport protocols for SSL Connection Downgrade To property are: "PLAIN_TEXT". This property is optional.

Provide feedback