To enable TLS for Diameter peer connections, you must use configuration properties to specify a certificate key store, certificate key store password, trust key store, and trust key store password.
TLS Configuration Properties
Property | What it specifies | Values | Default | ||
---|---|---|---|---|---|
|
file to load certificate key store from |
filename on the local file system, or URL
|
|||
|
password for certificate key store |
any string |
|||
|
file to load trust key store from |
filename on the local file system, or URL
|
|||
|
password for trust key store |
any string |
|||
|
comma-separated list of TLS cipher suites to be enabled for use when establishing TLS handshake |
any values supported by virtual machine vendor; |
|||
|
time after which TLS session should be invalidated and new session will be established |
number of seconds; |
|
||
|
is downgrade to TLS support in accordance with RFC 3588 allowed. |
if
|
|
Key stores
For information about creating a key store, please see the Java Virtual Machine vendor documentation: Java SE keytool documentation and Sun/Oracle general information about TLS support in the JSSE Reference Guide.
Peer configuration
To use TLS as a client: configure the key stores as above; and enable TLS, either with a aaas://
URI in the PeerTable XML configuration, or the UseTLS
attribute in the simple peer table configuration.
When the Diameter resource adaptor is acting as server, incoming connections must be from peers listed in the peer table; they cannot be added dynamically when they connect (as non-secure peers can). Even if allowUnknownPeers
is set to true and the client tries to initiate TLS on a connection, the server will treat the connection as not using TLS.