Package com.avaya.clientservices.common

Class SecurityPolicyConfiguration

  • public class SecurityPolicyConfiguration
extends java.lang.Object
    The Security policy class that contains the security policy settings for the client application.

    • Constructor Detail

      • SecurityPolicyConfiguration

        public SecurityPolicyConfiguration()
        Creates an instance of security policy configuration using default values.

    • Method Detail

      • isPrivateTrustStoreEnabled

        public boolean isPrivateTrustStoreEnabled()
        Returns if private trust store has been enabled for this client application.
        Returns:
        true If the private trust store is enabled, false otherwise.

      • setPrivateTrustStoreEnabled

        public void setPrivateTrustStoreEnabled​(boolean privateTrustStoreEnabled)
        Set the private trust store configuration so that it can be created and used.
        Parameters:
        privateTrustStoreEnabled - Boolean indicating whether private trust store can be created and used.

      • getRevocationCheckPolicy

        public SecurityPolicy getRevocationCheckPolicy()
        Returns the configured certificate revocation policy.
        Returns:
        the policy for certificate revocation checking.

      • setRevocationCheckPolicy

        public void setRevocationCheckPolicy​(SecurityPolicy revocationCheckPolicy)
        Specifies the policy for certificate revocation checking.

        The default value of the revocation policy is BEST_EFFORT.

        Client application's trust validation behavior for various revocation policies.

        Parameters:
        revocationCheckPolicy - Revocation policy. Certificate revocation is supported starting Android 8.0. For older Android versions this parameter has no effect.
        See Also:
        SecurityPolicy

      • isContinueOnTlsServerIdentityFailure

        public boolean isContinueOnTlsServerIdentityFailure()
        Returns a configured value specifying the client application's behavior for hostname name validation failure.
        Returns:
        the action to take when server identity validation fails. true Applications should ignore the server identity failures and continue setting up the secure connection. false Application must terminate the secure connection as the server is not posing to be something else.

      • setContinueOnTlsServerIdentityFailure

        public void setContinueOnTlsServerIdentityFailure​(boolean continueOnTlsServerIdentityFailure)
        Specifies the action to take when server identity validation fails. Applications that would like to ignore the server identity validation failures and continue setting up the secure connection can configure this value as true. However, it is highly not recommended as to avoid any man-in-the-middle attacks. In some cases, where certain certificates do not have the necessary attributes to comply with the server identity validation rules and network administrator thinks the client applications are connecting to trusted servers, can configure this settings to false such that such errors are ignored.

        Default value is true

        Parameters:
        continueOnTlsServerIdentityFailure - A boolean value specifying if the secure connection should be established despite of the hostname validation failure.

      • setCertificateRenewalValue

        public void setCertificateRenewalValue​(int percentageValue)
        Specifies the percentage value (of client identity certificate's age) to be used after which the certificate status notifications are issued.

        Default value of this parameter is 90 percent.

        Parameters:
        percentageValue - Percentage value between 0-100.

      • getCertificateRenewalValue

        public int getCertificateRenewalValue()
        Returns a configured percentage value (of client identity certificate's age) used to start issuing notifications about client identity certificate expiration.
        Returns:
        Configured percentage value between 0-100.

      • getMinimumPermittedTLSProtocolVersion

        public TLSProtocolVersion getMinimumPermittedTLSProtocolVersion()
        Returns configured minimum supported TLS protocol version.
        Returns:
        Configured minimum TLS protocol version

      • getTrustStoreMode

        public TrustStoreMode getTrustStoreMode()
        Returns the trust store mode in use.
        Returns:
        Configured trust store mode.

      • isFIPSModeEnabled

        public boolean isFIPSModeEnabled()
        Returns the FIPS mode configuration.
        Returns:
        true if FIPS mode has been configured, false otherwise.

      • setFIPSModeEnabled

        public void setFIPSModeEnabled​(boolean enableFIPSMode)
        Enable FIPS mode for the client application. Default value of this parameter is false.
        Parameters:
        enableFIPSMode - The desired FIPSMode setting.

      • getBlackListedCipherSuites

        public java.util.Set<java.lang.String> getBlackListedCipherSuites()
        Returns the Black Listed Cipher Suites Set.
        Returns:
        Black Listed Cipher Suites Set

      • setBlackListedCipherSuites

        public void setBlackListedCipherSuites​(java.util.Set<java.lang.String> blackListedCiphers)
        Sets the set of black listed cipher suites.

        Sets the list of black listed cipher, which will not be included during TLS connection negotiation.

        Specifies the black listed cipher suites which will not be included during TLS connection negotiation.

        List of available Cipher Suites

        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        • TLS_DH_DSS_WITH_AES_256_GCM_SHA384
        • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
        • TLS_DH_RSA_WITH_AES_256_GCM_SHA384
        • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
        • TLS_DH_RSA_WITH_AES_256_CBC_SHA256
        • TLS_DH_DSS_WITH_AES_256_CBC_SHA256
        • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        • TLS_RSA_WITH_AES_256_GCM_SHA384
        • TLS_RSA_WITH_AES_256_CBC_SHA256
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        • TLS_DH_DSS_WITH_AES_128_GCM_SHA256
        • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        • TLS_DH_RSA_WITH_AES_128_GCM_SHA256
        • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
        • TLS_DH_RSA_WITH_AES_128_CBC_SHA256
        • TLS_DH_DSS_WITH_AES_128_CBC_SHA256
        • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_AES_128_GCM_SHA256
        • TLS_AES_256_GCM_SHA384
        • TLS_CHACHA20_POLY1305_SHA256
        • TLS_AES_128_CCM_SHA256
        • TLS_AES_128_CCM_8_SHA256

        Application can choose to blacklist cipher suites from the above list using this API and the blacklisted ciphers will not be included in TLS connection negotiation.

        Note: If user chooses to black list all available cipher suites, the library will pick its default cipher suites for session negotiations for any HTTP/Websockets connections, however the SIP connections will not be established.

        Parameters:
        blackListedCiphers - Black listed cipher suites set

      • setMinimumRSAKeyLength

        public void setMinimumRSAKeyLength​(int minimumRSAKeyLength)
        Specifies the minimum RSA key length value to be used for validating the certificate received from the server during TLS Handshake. Client SDK rejects the server certificate in case the configured value is greater than server certificate's key length. If the parameter is not configured by admin, keylength will default to 1024 or 2048(FIPS mode).
        Parameters:
        minimumRSAKeyLength - RSA key length to be used for validation

      • getMinimumRSAKeyLength

        public int getMinimumRSAKeyLength()
        Returns the configured RSA key length value.
        Returns:
        Configured key length value

      • isKeyUsageRequired

        public boolean isKeyUsageRequired()
        Returns whether Key Usage extension is required to be present in server certificate.
        Returns:
        true if key usage is required, false otherwise.

      • setKeyUsageRequired

        public void setKeyUsageRequired​(boolean keyUsageRequired)
        Specifies whether Key Usage extension is required to be present in server certificate. If set true and Key Usage is missing in server certificate, then this certificate is considered as untrusted and secure connection will be closed. Note: the actual value of Key Usage, when present, is validated by SSL library which handles SSL handshake; missing Key Usage (which means 'any usage') is considered as valid usage by default. Default value of this parameter is false.
        Parameters:
        keyUsageRequired - The desired KeyUsageRequired setting.