20.2.3. Configuring Netty Secure Sockets Layer (SSL)

Netty TCP is a simple unencrypted TCP sockets based transport. Netty SSL is similar to Netty TCP but it provides enhanced security by encrypting TCP connections using the Secure Sockets Layer (SSL).

Warning

Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2 in all affected packages.
The following example shows Netty configuration for one way SSL:

Note

Most of the following parameters can be used with acceptors as well as connectors. However some parameters work only with acceptors. The parameter description explains the difference between using these parameters in connectors and acceptors.
<acceptors>
 <netty-acceptor name="netty" socket-binding="messaging"/>
   <param key="ssl-enabled" value="true"/>
   <param key="key-store-password" value="[keystore password]"/>
   <param key="key-store-path" value="[path to keystore file]"/>
 </netty-acceptor>
</acceptors>

Table 20.2. Netty SSL Configuration Properties

Property Name Default Description
ssl-enabled true This enables SSL
key-store-password [keystore password] When used on an acceptor this is the password for the server side keystore. When used on a connector this is the password for the client-side keystore. This is only relevant for a connector if you are using two way SSL (mutual authentication). This value can be configured on the server, but it is downloaded and used by the client
key-store-path [path to keystore file] When used on an acceptor this is the path to the server side SSL key store that holds the keys of all the clients that the server trusts. This is only relevant for an acceptor if you are using two way SSL (i.e. mutual authentication). When used on a connector this is the path to the client-side SSL key store which holds the public keys of all the servers which the client trusts. When used on a connector this is the password for the client-side truststore. This path is configured on the server, but it is downloaded and used by the client
If you are configuring Netty for two way SSL (mutual authentication between server and client), there are three additional parameters in addition to the ones described in the above example for one way SSL:
  • need-client-auth: This specifies the need for two way (mutual authentication) for client connections.
  • trust-store-password: When used on an acceptor this is the password for the server side trust store. When used on a connector this is the password for the client side truststore. This is relevant for a connector for both one way and two way SSL. This value can be configured on the server, but it is downloaded and used by the client
  • trust-store-path: When used on an acceptor this is the path to the server side SSL key store that holds the keys of all the clients that the server trusts. When used on a connector this is the path to the client side SSL key store which holds the public keys of all the servers that the client trusts. This is relevant for a connector for both one way and two way SSL. This path can be configured on the server, but it is downloaded and used by the client