Creating Secure Sessions

Clients can optionally create secure Sessions that require trusted server certificates to establish a TLS/SSL-encrypted client connection to a Solace PubSub+ event broker. When a secure Session is created, SMF information is transported using TLS/SSL over TCP instead of plain text over TCP.

To create a secure Session, a number of TLS/SSL-specific Session properties must be specified as discussed below. In addition, the event broker that the secure Session will connect to must be properly configured, and the appropriate server certificate must be in place. For information on configuring an event broker to allow for secure connections, refer to TLS/SSL Service.

Related Samples

For an example of how to create and connect secure Sessions, refer to the SecureSession sample for the appropriate messaging API. Also, you can use secure Sessions on other samples by prepending “tcps:” to the hostname used in the sample (refer to Host).

TLS/SSL-Specific Properties

To create a secure Session, the following Session properties must configured.

The JavaScript API is configured through the browser where it runs, and doesn't support these configurations through session properties.

TLS/SSL Secure Session Properties

Property

Description

Host

Each host entry for a TLS/SSL connection requires an appropriate TLS/SSL protocol, and a specific TLS/SSL port number can optionally be specified. If no port number is specified, the default port of 55443 is used.

For information on configuring hosts, refer to Host.

SSL Excluded Protocols

A comma-separated list of encryption protocols that may not be used for secure connections. Possible values are:

  • SSLv3.0 (SSLv3)
  • TLS v1.0 (TLSv1)
  • TLS v1.1 (TLSv1.1)
  • TLS v1.2 (TLSv1.2)

The default list is empty, meaning that any encryption protocol can be used (no protocols are excluded).

As of Solace PubSub+ 7.1, this property has replaced the deprecated property SSL Protocol. Solace recommends switching to the new property as soon as possible. You may not use both SSL Excluded Protocols and SSL Protocol.

SSL Validate Certificate

Indicates whether the API should validate server certificates with the trusted certificates in the trust store. For the JCSMP, a JKS or PKCS12 certificate file is used for the trust store. For the C and .NET APIs, the trust store is a directory on a server that contains the trusted certificates. The default value for this property is True.

SSL Validate Certificate Date

Indicates whether the Session connection should fail when an expired certificate or a certificate not yet in use is received. The default is True.

SSL Cipher Suites

A comma-separated list of cipher suites, listed in order of importance, to use to negotiate with the event broker.

A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection.

For a listing of the supported cipher suites in order of preference, refer to Solace Messaging APIs for the appropriate messaging API. By default, no cipher suites are listed, which indicates that all supported ciphers should be considered.

SSL Trusted Common Name List

A list of up to 16 comma-separated common names trusted by the client. The list should include the common names of all of the event brokers the client can connect to.

By default, no common names are provided; this means that there is no common name verification and all common names are acceptable.

No common name validation is performed if SSL Validate Certificate is set to false.

SSL Trusted Store Directory

(Java RTO, C, and .NET APIs only) The network directory where the trusted certificates are stored.

For iOS applications, the OpenSSL trusted store directory must be included in the application’s bundle and the SSL Trusted Store Directory property set to the path of this directory. For an example, refer to the iOS SecureSession sample.

For instructions on running the SecureSession sample for iOS, see the README file in the ex/certs directory in the location where the iOS API is installed.

SSL Trust Stores

(Node.js only) The trusted certificated files (in path format) to use. This property is mandatory if the SSL Validate Certificate property is set to True.

SSL Trust Store

(JCSMP only) The trust store file (in URL or path format) to use. This property is mandatory if the SSL Validate Certificate property is set to True.

SSL Trust Store

(.NET API only) The trusted certificates (in X509CertificateCollection format) to use. This property is mandatory if the SSL Validate Certificate property is set to True. Note that this property cannot be used in conjunction with "SSL Trusted Store Directory".

SSL Trust Store Password

(JCSMP only) The trust store password for the trust store provided for the SSL Trust Store property. This property is mandatory if the SSL Validate Certificate property is set to True.

SSL Trust Store Format

(JCSMP only) Indicates the format used by the trust store provided for the SSL Trust Store property. Supported truststore formats are JKS (the default) and PKCS12.

SSL Connection Downgrade To

Indicates that the SSL connection should be downgraded following client authentication. Allowed transport protocols for SSL downgrade are: "PLAIN_TEXT". This property is optional.