Class SecurityPolicyConfiguration
- java.lang.Object
-
- com.avaya.clientservices.common.SecurityPolicyConfiguration
-
public class SecurityPolicyConfiguration extends java.lang.Object
The Security policy class that contains the security policy settings for the client application.
-
-
Constructor Summary
Constructors Constructor Description SecurityPolicyConfiguration()
Creates an instance of security policy configuration using default values.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description java.util.Set<java.lang.String>
getBlackListedCipherSuites()
Returns the Black Listed Cipher Suites Set.int
getCertificateRenewalValue()
Returns a configured percentage value (of client identity certificate's age) used to start issuing notifications about client identity certificate expiration.TLSProtocolVersion
getMinimumPermittedTLSProtocolVersion()
Returns configured minimum supported TLS protocol version.int
getMinimumRSAKeyLength()
Returns the configured RSA key length value.SecurityPolicy
getRevocationCheckPolicy()
Returns the configured certificate revocation policy.TrustStoreMode
getTrustStoreMode()
Returns the trust store mode in use.boolean
isContinueOnTlsServerIdentityFailure()
Returns a configured value specifying the client application's behavior for hostname name validation failure.boolean
isFIPSModeEnabled()
Returns the FIPS mode configuration.boolean
isKeyUsageRequired()
Returns whether Key Usage extension is required to be present in server certificate.boolean
isPrivateTrustStoreEnabled()
Returns if private trust store has been enabled for this client application.void
setBlackListedCipherSuites(java.util.Set<java.lang.String> blackListedCiphers)
Sets the set of black listed cipher suites.void
setCertificateRenewalValue(int percentageValue)
Specifies the percentage value (of client identity certificate's age) to be used after which the certificate status notifications are issued.void
setContinueOnTlsServerIdentityFailure(boolean continueOnTlsServerIdentityFailure)
Specifies the action to take when server identity validation fails.void
setFIPSModeEnabled(boolean enableFIPSMode)
Enable FIPS mode for the client application.void
setKeyUsageRequired(boolean keyUsageRequired)
Specifies whether Key Usage extension is required to be present in server certificate.void
setMinimumPermittedTLSProtocolVersion(TLSProtocolVersion minVersion)
Specifies minimum allowed TLS protocol versionvoid
setMinimumRSAKeyLength(int minimumRSAKeyLength)
Specifies the minimum RSA key length value to be used for validating the certificate received from the server during TLS Handshake.void
setPrivateTrustStoreEnabled(boolean privateTrustStoreEnabled)
Set the private trust store configuration so that it can be created and used.void
setRevocationCheckPolicy(SecurityPolicy revocationCheckPolicy)
Specifies the policy for certificate revocation checking.void
setTrustStoreMode(TrustStoreMode mTrustStoreMode)
Sets the trust store mode to be used by the client application.
-
-
-
Method Detail
-
isPrivateTrustStoreEnabled
public boolean isPrivateTrustStoreEnabled()
Returns if private trust store has been enabled for this client application.- Returns:
true
If the private trust store is enabled,false
otherwise.
-
setPrivateTrustStoreEnabled
public void setPrivateTrustStoreEnabled(boolean privateTrustStoreEnabled)
Set the private trust store configuration so that it can be created and used.- Parameters:
privateTrustStoreEnabled
- Boolean indicating whether private trust store can be created and used.
-
getRevocationCheckPolicy
public SecurityPolicy getRevocationCheckPolicy()
Returns the configured certificate revocation policy.- Returns:
- the policy for certificate revocation checking.
-
setRevocationCheckPolicy
public void setRevocationCheckPolicy(SecurityPolicy revocationCheckPolicy)
Specifies the policy for certificate revocation checking.The default value of the revocation policy is
BEST_EFFORT
.Client application's trust validation behavior for various revocation policies.
-
SecurityPolicy.DISABLED
: The revocation check will not be performed during certificate trust validation. -
SecurityPolicy.BEST_EFFORT
: The revocation check will be performed but any non-conclusive errors are not treated as "fatal". -
SecurityPolicy.REQUIRED
: The revocation check will be performed and all errors are treated as "fatal".
- Parameters:
revocationCheckPolicy
- Revocation policy. Certificate revocation is supported starting Android 8.0. For older Android versions this parameter has no effect.- See Also:
SecurityPolicy
-
-
isContinueOnTlsServerIdentityFailure
public boolean isContinueOnTlsServerIdentityFailure()
Returns a configured value specifying the client application's behavior for hostname name validation failure.- Returns:
- the action to take when server identity validation fails.
true
Applications should ignore the server identity failures and continue setting up the secure connection.false
Application must terminate the secure connection as the server is not posing to be something else.
-
setContinueOnTlsServerIdentityFailure
public void setContinueOnTlsServerIdentityFailure(boolean continueOnTlsServerIdentityFailure)
Specifies the action to take when server identity validation fails. Applications that would like to ignore the server identity validation failures and continue setting up the secure connection can configure this value astrue
. However, it is highly not recommended as to avoid any man-in-the-middle attacks. In some cases, where certain certificates do not have the necessary attributes to comply with the server identity validation rules and network administrator thinks the client applications are connecting to trusted servers, can configure this settings tofalse
such that such errors are ignored.Default value is
true
- Parameters:
continueOnTlsServerIdentityFailure
- A boolean value specifying if the secure connection should be established despite of the hostname validation failure.
-
setCertificateRenewalValue
public void setCertificateRenewalValue(int percentageValue)
Specifies the percentage value (of client identity certificate's age) to be used after which the certificate status notifications are issued.Default value of this parameter is 90 percent.
- Parameters:
percentageValue
- Percentage value between 0-100.
-
getCertificateRenewalValue
public int getCertificateRenewalValue()
Returns a configured percentage value (of client identity certificate's age) used to start issuing notifications about client identity certificate expiration.- Returns:
- Configured percentage value between 0-100.
-
setMinimumPermittedTLSProtocolVersion
public void setMinimumPermittedTLSProtocolVersion(TLSProtocolVersion minVersion)
Specifies minimum allowed TLS protocol versionDefault value of this parameter is
TLS1
.Allowed TLS protocols
-
TLSProtocolVersion.TLS1
: All protocols are allowed -
TLSProtocolVersion.TLS1_1
: TLS 1.1, TLS 1.2, TLS 1.3 are allowed -
TLSProtocolVersion.TLS1_2
: TLS 1.2 and TLS 1.3 are allowed -
TLSProtocolVersion.TLS1_3
: Only TLS 1.3 is allowed
- Parameters:
minVersion
- minimum allowed TLS protocol version
-
-
getMinimumPermittedTLSProtocolVersion
public TLSProtocolVersion getMinimumPermittedTLSProtocolVersion()
Returns configured minimum supported TLS protocol version.- Returns:
- Configured minimum TLS protocol version
-
getTrustStoreMode
public TrustStoreMode getTrustStoreMode()
Returns the trust store mode in use.- Returns:
- Configured trust store mode.
-
setTrustStoreMode
public void setTrustStoreMode(TrustStoreMode mTrustStoreMode)
Sets the trust store mode to be used by the client application.Default value of this parameter is
TrustStoreMode.PRIVATE_AND_SYSTEM
.Supported trust store modes
TrustStoreMode.PRIVATE_ONLY
: Use trusted anchors from the private trust store only.TrustStoreMode.PRIVATE_AND_SYSTEM
: Use trusted anchors from both private and the system trust stores.
- Parameters:
mTrustStoreMode
- Trust store mode.
-
isFIPSModeEnabled
public boolean isFIPSModeEnabled()
Returns the FIPS mode configuration.- Returns:
- true if FIPS mode has been configured, false otherwise.
-
setFIPSModeEnabled
public void setFIPSModeEnabled(boolean enableFIPSMode)
Enable FIPS mode for the client application. Default value of this parameter is false.- Parameters:
enableFIPSMode
- The desired FIPSMode setting.
-
getBlackListedCipherSuites
public java.util.Set<java.lang.String> getBlackListedCipherSuites()
Returns the Black Listed Cipher Suites Set.- Returns:
- Black Listed Cipher Suites Set
-
setBlackListedCipherSuites
public void setBlackListedCipherSuites(java.util.Set<java.lang.String> blackListedCiphers)
Sets the set of black listed cipher suites.Sets the list of black listed cipher, which will not be included during TLS connection negotiation.
Specifies the black listed cipher suites which will not be included during TLS connection negotiation.
List of available Cipher Suites
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_DH_DSS_WITH_AES_256_GCM_SHA384
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
- TLS_DH_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_DH_RSA_WITH_AES_256_CBC_SHA256
- TLS_DH_DSS_WITH_AES_256_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_DH_DSS_WITH_AES_128_GCM_SHA256
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- TLS_DH_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DH_RSA_WITH_AES_128_CBC_SHA256
- TLS_DH_DSS_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_CCM_8_SHA256
Application can choose to blacklist cipher suites from the above list using this API and the blacklisted ciphers will not be included in TLS connection negotiation.
Note: If user chooses to black list all available cipher suites, the library will pick its default cipher suites for session negotiations for any HTTP/Websockets connections, however the SIP connections will not be established.
- Parameters:
blackListedCiphers
- Black listed cipher suites set
-
setMinimumRSAKeyLength
public void setMinimumRSAKeyLength(int minimumRSAKeyLength)
Specifies the minimum RSA key length value to be used for validating the certificate received from the server during TLS Handshake. Client SDK rejects the server certificate in case the configured value is greater than server certificate's key length. If the parameter is not configured by admin, keylength will default to 1024 or 2048(FIPS mode).- Parameters:
minimumRSAKeyLength
- RSA key length to be used for validation
-
getMinimumRSAKeyLength
public int getMinimumRSAKeyLength()
Returns the configured RSA key length value.- Returns:
- Configured key length value
-
isKeyUsageRequired
public boolean isKeyUsageRequired()
Returns whether Key Usage extension is required to be present in server certificate.- Returns:
- true if key usage is required, false otherwise.
-
setKeyUsageRequired
public void setKeyUsageRequired(boolean keyUsageRequired)
Specifies whether Key Usage extension is required to be present in server certificate. If set true and Key Usage is missing in server certificate, then this certificate is considered as untrusted and secure connection will be closed. Note: the actual value of Key Usage, when present, is validated by SSL library which handles SSL handshake; missing Key Usage (which means 'any usage') is considered as valid usage by default. Default value of this parameter is false.- Parameters:
keyUsageRequired
- The desired KeyUsageRequired setting.
-
-