To enable TLS for Diameter peer connections, you must use configuration properties to specify a certificate key store, certificate key store password, trust key store, and trust key store password.

TLS Configuration Properties

| Property | What it specifies | Values | Default |
|---|---|---|---|
| CertificateKeyStore | file to load the certificate key store from | filename on the local file system, or URL. Note: may contain system properties in Ant style, for example ${rhino.dir.home} to refer to the Rhino home directory. By default, the resource adaptors have permission to read files from ${rhino.dir.home}/keystores. | |
| CertificateKeyStorePassword | password for the certificate key store | any string | |
| TrustKeyStore | file to load the trust key store from | filename on the local file system, or URL. Note: may contain system properties in Ant style, for example ${rhino.dir.home} to refer to the Rhino home directory. By default, the resource adaptors have permission to read files from ${rhino.dir.home}/keystores. | |
| TrustKeyStorePassword | password for the trust key store | any string | |
| CipherSuites | comma-separated list of TLS cipher suites enabled for use when establishing the TLS handshake | any values supported by the virtual machine vendor; if empty, the default cipher suites are used | |
| SSLSessionTimeout | time after which a TLS session is invalidated and a new session is established (cipher keys change) | number of seconds; 0 = sessions do not time out | 0 |
| AllowTLSDowngradeToRFC3588 | whether downgrade to TLS as specified in RFC 3588 is allowed | true: allow secure connections to use TLS as specified in either RFC 6733 or RFC 3588; false: require secure connections to use TLS as specified in RFC 6733. Note: if set to true, this affects the behaviour controlled by the ConnectTimeout property. Half of the time allotted by ConnectTimeout is used as the time limit for establishing a TLS secure connection as specified in RFC 6733; if that attempt fails, the remaining time is used to retry the connection using TLS as specified in RFC 3588. | false |

Key stores

For information about creating a key store, please see the Java Virtual Machine vendor documentation: Sun/Oracle keytool documentation and Sun/Oracle general information about TLS support in the JSSE Reference Guide.

Peer configuration

To use TLS as a client: configure the key stores as above, and enable TLS either with an aaas:// URI in the PeerTable XML configuration or with the UseTLS attribute in the simple peer table configuration.

When the Diameter resource adaptor is acting as server, incoming connections must be from peers listed in the peer table; they cannot be added dynamically when they connect (as non-secure peers can). Even if allowUnknownPeers is set to true and the client tries to initiate TLS on a connection, the server will treat the connection as not using TLS.
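The following is an added example, not code from the Rhino Diameter resource adaptor or its documentation. It resolves the Ant-style ${rhino.dir.home} reference allowed in the key store properties, checks whether a store lies under the ${rhino.dir.home}/keystores directory the resource adaptors may read by default, computes how ConnectTimeout is split when AllowTLSDowngradeToRFC3588 is true, and flags the settings from the table that weaken the TLS posture (empty CipherSuites, SSLSessionTimeout of 0, downgrade enabled). The property set and the Rhino home path are constructed for illustration; ConnectTimeout is treated as a plain number in whatever unit that property uses.

```python
import os
import re

ANT_PROP = re.compile(r"\$\{([^}]+)\}")

def expand_ant(value, sysprops):
    """Expand Ant-style ${name} references from the given system properties."""
    return ANT_PROP.sub(lambda m: sysprops[m.group(1)], value)

def resolve_store(value, sysprops):
    """Resolve a *KeyStore setting to (location, in_default_dir). in_default_dir is
    None for a URL, else whether the file lies under ${rhino.dir.home}/keystores,
    the directory the resource adaptors have permission to read by default."""
    resolved = expand_ant(value, sysprops)
    if "://" in resolved:
        return resolved, None
    path = os.path.abspath(resolved)
    allowed = os.path.abspath(os.path.join(sysprops["rhino.dir.home"], "keystores"))
    return path, os.path.commonpath([path, allowed]) == allowed

def tls_attempt_budget(connect_timeout, allow_downgrade):
    """Time each TLS attempt gets out of ConnectTimeout (same unit as that property):
    all of it for RFC 6733 TLS, or half for RFC 6733 and the remainder for the
    RFC 3588 retry when AllowTLSDowngradeToRFC3588 is true."""
    if not allow_downgrade:
        return {"rfc6733": connect_timeout, "rfc3588": 0}
    return {"rfc6733": connect_timeout / 2, "rfc3588": connect_timeout / 2}

def check_tls_config(props, sysprops):
    """Review a Diameter RA TLS property set; returns a list of findings."""
    findings = []
    for key in ("CertificateKeyStore", "TrustKeyStore"):
        if resolve_store(props[key], sysprops)[1] is False:
            findings.append(key + " is outside ${rhino.dir.home}/keystores; the RA may lack read permission")
    if not [s for s in props.get("CipherSuites", "").split(",") if s.strip()]:
        findings.append("CipherSuites is empty; the JVM default cipher suites will be used")
    if int(props.get("SSLSessionTimeout", "0")) == 0:
        findings.append("SSLSessionTimeout is 0; sessions never time out, so cipher keys are never renewed")
    if props.get("AllowTLSDowngradeToRFC3588", "false").lower() == "true":
        findings.append("AllowTLSDowngradeToRFC3588 is true; RFC 3588 style TLS is accepted after a failed RFC 6733 attempt")
    return findings

# Constructed sample property set and Rhino home (not taken from the page).
SAMPLE_PROPS = {"CertificateKeyStore": "${rhino.dir.home}/keystores/diameter.jks",
                "TrustKeyStore": "/etc/ssl/peers.jks", "CipherSuites": "",
                "SSLSessionTimeout": "0", "AllowTLSDowngradeToRFC3588": "true"}
SAMPLE_SYSPROPS = {"rhino.dir.home": "/opt/rhino"}
```

Running check_tls_config(SAMPLE_PROPS, SAMPLE_SYSPROPS) reports four findings for the sample; a hardened set would keep both stores under the keystores directory, list explicit cipher suites, set a non-zero SSLSessionTimeout and leave AllowTLSDowngradeToRFC3588 at its default of false.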
