Maven Command Line Options. Using Advanced Reactor Options. Maven Command Line Options. The following sections detail Maven’s command line options. To define a property use the following option on the command line: This is the option most frequently used to customized the behavior of Maven plugins. Some examples of using the -D command line. JvmProperties= property = value. Java system property to be passed to the VM when the application is run. Any property that’s valid for the -D option of the java command can be used. Specify both the property name and the value for the property. To pass more than one property, use multiple instances of the -B option, as shown in the following.

IntroductionData that travels across a network can easily be accessed bysomeone who is not the intended recipient. When the data includesprivate information, such as passwords and credit card numbers,steps must be taken to make the data unintelligible to unauthorizedparties. It is also important to ensure the data has not beenmodified, either intentionally or unintentionally, duringtransport. The Secure Sockets Layer (SSL) and Transport LayerSecurity (TLS) protocols were designed to help protect the privacyand integrity of data while it is transferred across a network.The Java Secure Socket Extension (JSSE) enables secure Internetcommunications.

It provides a framework and an implementation for aJava version of the SSL and TLS protocols and includesfunctionality for data encryption, server authentication, messageintegrity, and optional client authentication. Using JSSE,developers can provide for the secure passage of data between aclient and a server running any application protocol, such asHypertext Transfer Protocol (HTTP), Telnet, or FTP, over TCP/IP.(For an introduction to SSL, see.)By abstracting the complex underlying security algorithms and'handshaking' mechanisms, JSSE minimizes the risk of creatingsubtle, but dangerous security vulnerabilities. Furthermore, itsimplifies application development by serving as a building blockwhich developers can integrate directly into theirapplications.JSSE was previously an optional package to the Java 2 SDK,Standard Edition (J2SDK), v 1.3. JSSE was integrated into the JavaStandard Edition Development Kit starting with J2SDK 1.4.JSSE provides both an application programming interface (API)framework and an implementation of that API. The JSSE APIsupplements the 'core' network and cryptographic services definedby the java.security and java.netpackages by providing extended networking socket classes, trustmanagers, key managers, SSLContexts, and a socket factory frameworkfor encapsulating socket creation behavior. Because the socket APIswere based on a blocking I/O model, in JDK 5.0, a nonblockingSSLEngineAPI was introduced to allow implementationsto choose their own I/O methods.The JSSE API is capable of supporting SSL versions 2.0 and 3.0and Transport Layer Security (TLS) 1.0.

Terms and DefinitionsThere are several terms relating to cryptography that are usedwithin this document. This section defines some of these terms. Authentication Authentication is the process of confirming the identity ofa party with whom one is communicating.A cipher suite is a combination of cryptographic parametersthat define the security algorithms and key sizes used forauthentication, key agreement, encryption, and integrityprotection.CertificateA certificate is a digitally signed statement vouching forthe identity and public key of an entity (person, company, etc.).Certificates can either be self-signed or issued by a CertificationAuthority (CA).

Certification Authorities are entities that aretrusted to issue valid certificates for other entities. Well-knownCAs include VeriSign, Entrust, and GTE CyberTrust. X509 is a commoncertificate format, and they can be managed by the JDK's keytool.Cryptographic Hash FunctionA cryptographic hash function is similar to a checksum. Datais processed with an algorithm that produces a relatively smallstring of bits called a hash. A cryptographic hash function hasthree primary characteristics: it is a one-way function, meaningthat it is not possible to produce the original data from the hash;a small change in the original data produces a large change in theresulting hash; and it does not require a cryptographic key.Cryptographic Service ProviderIn the JCA, implementations for various cryptographic algorithmsare provided by cryptographic service providers, or ' forshort. Providers are essentially packages that implement one ormore engine classes for specific algorithms.

An engine classdefines a cryptographic service in an abstract fashion without aconcrete implementation.Digital SignatureA digital signature is the digital equivalent of ahandwritten signature. It is used to ensure that data transmittedover a network was sent by whoever claims to have sent it and thatthe data has not been modified in transit.

For example, anRSA-based digital signature is calculated by first computing acryptographic hash of the data and then encrypting the hash withthe sender's private key.Encryption and Decryption Encryption is the process of using a complex algorithm toconvert an original message, or cleartext, to an encodedmessage, called ciphertext, that is unintelligible unless itis decrypted. Decryption is the inverse process of producingcleartext from ciphertext. The algorithms used to encrypt anddecrypt data typically come in two categories: secret key(symmetric) cryptography and public key (asymmetric) cryptography.Handshake ProtocolThe negotiation phase during which the two socket peers agree touse a new or existing session. The handshake protocol is aseries of messages exchanged over the record protocol.

At the endof the handshake new connection-specific encryption and integrityprotection keys are generated based on the key agreement secrets inthe session.Key Agreement Key agreement is a method by which two parties cooperate toestablish a common key. Each side generates some data which isexchanged. These two pieces of data are then combined to generate akey. Only those holding the proper private initialization data willbe able to obtain the final key. Diffie-Hellman (DH) is the mostcommon example of a key agreement algorithm.Key ExchangeOne side generates a symmetric key and encrypts it using the peer'spublic key (typically RSA). The data is then transmitted to thepeer, who then decrypts the key using its corresponding privatekey.Key Managers and Trust ManagersKey managers and trust managers use keystores fortheir key material. A key manager manages a keystore and suppliespublic keys to others as needed, e.g., for use in authenticatingthe user to others.

A trust manager makes decisions about who totrust based on information in the truststore it manages. Keystores and TruststoresA keystore is a database of key material. Key material isused for a variety of purposes, including authentication and dataintegrity. There are various types of keystores available,including 'PKCS12' and Oracle's 'JKS.'

Generally speaking, keystore information can be grouped into twodifferent categories: key entries and trusted certificate entries.A key entry consists of an entity's identity and its private key,and can be used for a variety of cryptographic purposes. Incontrast, a trusted certificate entry only contains a public key inaddition to the entity's identity.

Thus, a trusted certificateentry can not be used where a private key is required, such as in ajavax.net.ssl.KeyManager. In the JDK implementation of'JKS', a keystore may contain both key entries and trustedcertificate entries.A truststore is a keystore which is used when makingdecisions about what to trust. If you receive some data from anentity that you already trust, and if you can verify that theentity is the one it claims to be, then you can assume that thedata really came from that entity.An entry should only be added to a truststore if the user makesa decision to trust that entity. By either generating a keypair orby importing a certificate, the user has given trust to that entry,and thus any entry in the keystore is considered a trustedentry.It may be useful to have two different keystore files: onecontaining just your key entries, and the other containing yourtrusted certificate entries, including Certification Authority (CA)certificates. The former contains private information, while thelatter does not. Using two different files instead of a singlekeystore file provides for a cleaner separation of the logicaldistinction between your own certificates (and correspondingprivate keys) and others' certificates.

You could provide moreprotection for your private keys if you store them in a keystorewith restricted access, while providing the trusted certificates ina more publicly accessible keystore if needed. Message Authentication CodeA Message Authentication Code (MAC) provides a way to checkthe integrity of information transmitted over or stored in anunreliable medium, based on a secret key. Typically, MACs are usedbetween two parties that share a secret key in order to validateinformation transmitted between these parties.A MAC mechanism that is based on cryptographic hash functions isreferred to as HMAC. HMAC can be used with any cryptographic hashfunction, such as Secure Hash Algorithm(SHA-256), in combination with a secret shared key. HMAC is specifiedin RFC 2104.

Public Key Cryptography Public key cryptography uses an encryption algorithm inwhich two keys are produced. One key is made public while the otheris kept private. The public key and the private key arecryptographic inverses; what one key encrypts only the other keycan decrypt.

Public key cryptography is also called asymmetriccryptography.Record ProtocolThe record protocol packages all data whetherapplication-level or as part of the handshake process into discreterecords of data much like a TCP stream socket converts anapplication byte stream into network packets. The individualrecords are then protected by the current encryption and integrityprotection keys.Secret Key Cryptography Secret key cryptography uses an encryption algorithm inwhich the same key is used both to encrypt and decrypt the data.Secret key cryptography is also called symmetric cryptography.SessionA session is a named collection of state informationincluding authenticated peer identity, cipher suite, and keyagreement secrets which are negotiated through a secure sockethandshake and which can be shared among multiple secure socketinstances.Trust ManagersSee.TruststoreSee. Secure Sockets Layer (SSL) Protocol OverviewSecure Sockets Layer (SSL) is the most widely used protocol forimplementing cryptography on the Web. SSL uses a combination ofcryptographic processes to provide secure communication over anetwork. This section provides an introduction to SSL and thecryptographic processes it uses.SSL provides a secure enhancement to the standard TCP/IP socketsprotocol used for Internet communications. As shown in thefollowing table, 'TCP/IP Protocol Stack with SSL,' the securesockets layer is added between the transport layer and theapplication layer in the standard TCP/IP protocol stack.

Theapplication most commonly used with SSL is Hypertext TransferProtocol (HTTP), the protocol for Internet Web pages. Otherapplications, such as Net News Transfer Protocol (NNTP), Telnet,Lightweight Directory Access Protocol (LDAP), Interactive MessageAccess Protocol (IMAP), and File Transfer Protocol (FTP), can beused with SSL as well.Note: There is currently no standard for secure FTP. TCP/IP Protocol Stack with SSL TCP/IP LayerProtocolApplication LayerHTTP, NNTP, Telnet, FTP, etc.Secure Sockets LayerSSLTransport LayerTCPInternet LayerIPSSL was developed by Netscape in 1994, and with input from theInternet community, has evolved to become a standard. It is nowunder the control of the international standards organization, theInternet Engineering Task Force (IETF). The IETF has renamed SSL toTransport Layer Security (TLS), and released the firstspecification, version 1.0, in January 1999.

TLS 1.0 is a modestupgrade to the most recent version of SSL, version 3.0. Thedifferences between SSL 3.0 and TLS 1.0 are minor. Why Use SSL?Transferring sensitive information over a network can be risky dueto the following three issues:. You cannot always be sure that the entity with whom you arecommunicating is really who you think it is.

Network data can be intercepted, so it is possible that it canbe read by an unauthorized third party, sometimes known as anattacker. If an attacker can intercept the data, the attacker may be ableto modify the data before sending it on to the receiver.SSL addresses each of these issues. It addresses the first issueby optionally allowing each of two communicating parties to ensurethe identity of the other party in a process called authentication.Once the parties are authenticated, SSL provides an encryptedconnection between the two parties for secure message transmission.Encrypting the communication between the two parties providesprivacy and therefore addresses the second issue. The encryptionalgorithms used with SSL include a secure hash function, which issimilar to a checksum. This ensures that data is not modified intransit. The secure hash function addresses the third issue of dataintegrity.Note, both authentication and encryption are optional, anddepend on the the negotiated cipher suites between the twoentities.The most obvious example of when you would use SSL is in ane-commerce transaction.

In an e-commerce transaction, it would befoolish to assume that you can guarantee the identity of the serverwith whom you are communicating. It would be easy enough forsomeone to create a phony Web site promising great services if onlyyou enter your credit card number. SSL allows you, the client, toauthenticate the identity of the server.

It also allows the serverto authenticate the identity of the client, although in Internettransactions, this is seldom done.Once the client and the server are comfortable with each other'sidentity, SSL provides privacy and data integrity through theencryption algorithms it uses. This allows sensitive information,such as credit card numbers, to be transmitted securely over theInternet.While SSL provides authentication, privacy, and data integrity,it does not provide non-repudiation services. Non-repudiation meansthat an entity that sends a message cannot later deny that theysent it. When the digital equivalent of a signature is associatedwith a message, the communication can later be proved. SSL alonedoes not provide non-repudiation. How SSL WorksOne of the reasons SSL is effective is that it uses severaldifferent cryptographic processes. SSL uses public key cryptographyto provide authentication, and secret key cryptography and digitalsignatures to provide for privacy and data integrity.

Before youcan understand SSL, it is helpful to understand these cryptographicprocesses.Cryptographic ProcessesThe primary purpose of cryptography is to make it difficult for anunauthorized third party to access and understand privatecommunication between two parties. It is not always possible torestrict all unauthorized access to data, but private data can bemade unintelligible to unauthorized parties through the process ofencryption. Encryption uses complex algorithms to convert theoriginal message, or cleartext, to an encoded message, calledciphertext. The algorithms used to encrypt and decrypt data that istransferred over a network typically come in two categories: secretkey cryptography and public key cryptography. These forms ofcryptography are explained in the following subsections.Both secret key cryptography and public key cryptography dependon the use of an agreed-upon cryptographic key or pair of keys. Akey is a string of bits that is used by the cryptographic algorithmor algorithms during the process of encrypting and decrypting thedata. A cryptographic key is like a key for a lock: only with theright key can you open the lock.Safely transmitting a key between two communicating parties isnot a trivial matter.

A public key certificate allows a party tosafely transmit its public key, while ensuring the receiver of theauthenticity of the public key. Public key certificates aredescribed in a later section.In the descriptions of the cryptographic processes that follow,we use the conventions used by the security community: we label thetwo communicating parties with the names Alice and Bob.

We call theunauthorized third party, also known as the attacker, Charlie. Secret Key CryptographyWith secret key cryptography, both communicating parties, Aliceand Bob, use the same key to encrypt and decrypt the messages.Before any encrypted data can be sent over the network, both Aliceand Bob must have the key and must agree on the cryptographicalgorithm that they will use for encryption and decryption.One of the major problems with secret key cryptography is thelogistical issue of how to get the key from one party to the otherwithout allowing access to an attacker. If Alice and Bob aresecuring their data with secret key cryptography, and if Charliegains access to their key, Charlie can understand any secretmessages he intercepts between Alice and Bob. Download komfort travel trailer owners manual software. Not only can Charliedecrypt Alice's and Bob's messages, but he can also pretend that heis Alice and send encrypted data to Bob.

Bob will not know that themessage came from Charlie, not Alice.Once the problem of secret key distribution is solved, secretkey cryptography can be a valuable tool. The algorithms provideexcellent security and encrypt data relatively quickly. Themajority of the sensitive data sent in an SSL session is sent usingsecret key cryptography.Secret key cryptography is also called symmetriccryptography because the same key is used to both encrypt anddecrypt the data. Well-known secret key cryptographic algorithmsincludeAdvanced Encryption Standard (AES), Triple Data Encryption Standard (3DES),and Rivest Cipher 4 (RC4). Public Key CryptographyPublic key cryptography solves the logistical problem of keydistribution by using both a public key and a private key. Thepublic key can be sent openly through the network while the privatekey is kept private by one of the communicating parties.

The publicand the private keys are cryptographic inverses of each other; whatone key encrypts, the other key will decrypt.Assume that Bob wants to send a secret message to Alice usingpublic key cryptography. Alice has both a public key and a privatekey, so she keeps her private key in a safe place and sends herpublic key to Bob. Bob encrypts the secret message to Alice usingAlice's public key.

Alice can later decrypt the message with herprivate key.If Alice encrypts a message using her private key and sends theencrypted message to Bob, Bob can be sure that the data he receivescomes from Alice; if Bob can decrypt the data with Alice's publickey, the message must have been encrypted by Alice with her privatekey, and only Alice has Alice's private key. The problem is thatanybody else can read the message as well because Alice's publickey is public. While this scenario does not allow for secure datacommunication, it does provide the basis for digital signatures. Adigital signature is one of the components of a public keycertificate, and is used in SSL to authenticate a client or aserver. Public key certificates and digital signatures aredescribed in later sections.Public key cryptography is also called asymmetriccryptography because different keys are used to encrypt anddecrypt the data.

Have a program for MAC to see be able to see NWD like Autodesk Navisworks Freedom. Where I can find Navisworks® for Mac. At this time there is no Navisworks® on Mac. Only available software dedicated for Mac Platform is listed - MAC-COMPATIBLE SOFTWARE It's possible to run Navisworks® on Mac but it's necessary to install Parallels Desktop. Autodesk provides full support for a number of products when used on the Mac in virtualized environments including Parallels Desktop. Then, view these files with Navisworks ® Freedom viewer software. NWD files viewed with Navisworks Freedom give stakeholders equal access to explore and experience whole projects. The Navisworks Freedom free download creates compressed, more secure, NWD format files. Navisworks for mac. Then, view these files with Navisworks® Freedom viewer software. NWD files viewed with Navisworks Freedom give stakeholders equal access to explore and experience whole projects. The Navisworks Freedom free download creates compressed, more secure, NWD format files. Download anatomy viewer for free. Education downloads - BioDigital Human by BioDigital, Inc. And many more programs are available for instant and free download.

A well known public key cryptographic algorithmoften used with SSL is the Rivest Shamir Adleman (RSA) algorithm.Another public key algorithm used with SSL that is designedspecifically for secret key exchange is the Diffie-Hellman (DH)algorithm. Public key cryptography requires extensive computations,making it very slow. It is therefore typically used only forencrypting small pieces of data, such as secret keys, rather thanfor the bulk of encrypted data communications. A Comparison Between Secret Key and Public KeyCryptographyBoth secret key cryptography and public key cryptography havestrengths and weaknesses. With secret key cryptography, data can beencrypted and decrypted quickly, but because both communicatingparties must share the same secret key information, the logisticsof exchanging the key can be a problem. With public keycryptography, key exchange is not a problem because the public keydoes not need to be kept secret, but the algorithms used to encryptand decrypt data require extensive computations, and are thereforevery slow.

Public Key CertificatesA public key certificate provides a safe way for an entity topass on its public key to be used in asymmetric cryptography. Thepublic key certificate avoids the following situation: if Charliecreates his own public key and private key, he can claim that he isAlice and send his public key to Bob. Bob will be able tocommunicate with Charlie, but Bob will think that he is sending hisdata to Alice.A public key certificate can be thought of as the digitalequivalent of a passport.

It is issued by a trusted organizationand provides identification for the bearer. A trusted organizationthat issues public key certificates is known as a certificateauthority (CA). The CA can be likened to a notary public.

To obtaina certificate from a CA, one must provide proof of identity. Oncethe CA is confident that the applicant represents the organizationit says it represents, the CA signs the certificate attesting tothe validity of the information contained within thecertificate.A public key certificate contains several fields, including:. Issuer - The issuer is the CA that issued the certificate. If auser trusts the CA that issues a certificate, and if thecertificate is valid, the user can trust the certificate. Period of validity - A certificate has an expiration date, andthis date is one piece of information that should be checked whenverifying the validity of a certificate.

Subject - The subject field includes information about theentity that the certificate represents. Subject's public key - The primary piece of information thatthe certificate provides is the subject's public key. All the otherfields are provided to ensure the validity of this key. Signature - The certificate is digitally signed by the CA thatissued the certificate. The signature is created using the CA'sprivate key and ensures the validity of the certificate. Becauseonly the certificate is signed, not the data sent in the SSLtransaction, SSL does not provide for non-repudiation.If Bob only accepts Alice's public key as valid when she sendsit in a public key certificate, Bob will not be fooled into sendingsecret information to Charlie when Charlie masquerades asAlice.Multiple certificates may be linked in a certificate chain.

Whena certificate chain is used, the first certificate is always thatof the sender. The next is the certificate of the entity thatissued the sender's certificate. If there are more certificates inthe chain, each is that of the authority that issued the previouscertificate. The final certificate in the chain is the certificatefor a root CA. A root CA is a public certificate authority that iswidely trusted. Information for several root CAs is typicallystored in the client's Internet browser.

This information includesthe CA's public key. Well-known CAs include VeriSign, Entrust, andGTE CyberTrust. Cryptographic Hash FunctionsWhen sending encrypted data, SSL typically uses a cryptographichash function to ensure data integrity. The hash function preventsCharlie from tampering with data that Alice sends to Bob.A cryptographic hash function is similar to a checksum.

The maindifference is that while a checksum is designed to detectaccidental alterations in data, a cryptographic hash function isdesigned to detect deliberate alterations. When data is processedby a cryptographic hash function, a small string of bits, known asa hash, is generated. The slightest change to the message typicallymakes a large change in the resulting hash.

A cryptographic hashfunction does not require a cryptographic key.A hash function often used with SSL is Secure Hash Algorithm (SHA).SHA was proposed by the. Message Authentication CodeA message authentication code (MAC) is similar to a cryptographichash, except that it is based on a secret key. When secret keyinformation is included with the data that is processed by acryptographic hash function, the resulting hash is known as anHMAC.If Alice wants to be sure that Charlie does not tamper with hermessage to Bob, she can calculate an HMAC for her message andappend the HMAC to her original message. She can then encrypt themessage plus the HMAC using a secret key she shares with Bob. WhenBob decrypts the message and calculates the HMAC, he will be ableto tell if the message was modified in transit. With SSL, an HMACis used with the transmission of secure data. Digital SignaturesOnce a cryptographic hash is created for a message, the hash isencrypted with the sender's private key.

This encrypted hash iscalled a digital signature. The SSL ProcessCommunication using SSL begins with an exchange of informationbetween the client and the server. This exchange of information iscalled the SSL handshake.The three main purposes of the SSL handshake are:. Negotiate the cipher suite. Authenticate identity (optional). Establish information security by agreeing on encryptionmechanismsNegotiating the Cipher SuiteThe SSL session begins with a negotiation between the client andthe server as to which cipher suite they will use. A cipher suiteis a set of cryptographic algorithms and key sizes that a computercan use to encrypt data.

The cipher suite includes informationabout the public key exchange algorithms or key agreementalgorithms, and cryptographic hash functions. The client tells theserver which cipher suites it has available, and the server choosesthe best mutually acceptable cipher suite.

Authenticating the ServerIn SSL, the authentication step is optional, but in the exampleof an e-commerce transaction over the Web, the client willgenerally want to authenticate the server. Authenticating theserver allows the client to be sure that the server represents theentity that the client believes the server represents.To prove that a server belongs to the organization that itclaims to represent, the server presents its public key certificateto the client. If this certificate is valid, the client can be sureof the identity of the server.The client and server exchange information that allows them toagree on the same secret key. For example, with RSA, the clientuses the server's public key, obtained from the public keycertificate, to encrypt the secret key information. The clientsends the encrypted secret key information to the server. Only theserver can decrypt this message because the server's private key isrequired for this decryption.

Sending the Encrypted DataBoth the client and the server now have access to the samesecret key. With each message, they use the cryptographic hashfunction, chosen in the first step of this process, and sharedsecret information, to compute an HMAC that they append to themessage. They then use the secret key and the secret key algorithmnegotiated in the first step of this process to encrypt the securedata and the HMAC. The client and server can now communicatesecurely using their encrypted and hashed data. The SSL ProtocolThe previous section provides a high-level description of theSSL handshake, which is the exchange of information between theclient and the server prior to sending the encrypted message. Thissection provides more detail.The 'SSL Messages' figure that follows shows the sequence ofmessages that are exchanged in the SSL handshake. Messages that aresent only in certain situations are noted as optional.

Each of theSSL messages is described in the following figure:The SSL messages are sent in the following order:. Client hello - The client sends the server informationincluding the highest version of SSL it supports and a list of thecipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.) Thecipher suite information includes cryptographic algorithms and keysizes. Server hello - The server chooses the highest version ofSSL and the best cipher suite that both the client and serversupport and sends this information to the client. Certificate - The server sends the client a certificateor a certificate chain. A certificate chain typically begins withthe server's public key certificate and ends with the certificateauthority's root certificate. This message is optional, but is usedwhenever server authentication is required.

Certificate request - If the server needs toauthenticate the client, it sends the client a certificate request.In Internet applications, this message is rarely sent. Server key exchange - The server sends the client aserver key exchange message when the public key information sent inmessage 3 above is not sufficient for key exchange. For example, inciphersuites based on Diffie-Hellman, this message contains theserver's DH public key.

Server hello done - The server tells the client that itis finished with its initial negotiation messages. Certificate - If the server requests a certificate fromthe client in message 4, the client sends its certificate chain,just as the server did in message 3.Note: Only a few Internet server applications ask for acertificate from the client. Client key exchange - The client generates informationused to create a key to use for symmetric encryption. For RSA, theclient then encrypts this key information with the server's publickey and sends it to the server. For ciphersuites based onDiffie-Hellman, this message contains the client's DH publickey.

Certificate verify - This message is sent when a clientpresents a certificate as previously explained. Its purpose is toallow the server to complete the process of authenticating theclient. When this message is used, the client sends informationthat it digitally signs using a cryptographic hash function. Whenthe server decrypts this information with the client's public key,the server is able to authenticate the client.

Change cipher spec - The client sends a message tellingthe server to change to encrypted mode. Finished - The client tells the server that it is readyfor secure data communication to begin. Change cipher spec - The server sends a message tellingthe client to change to encrypted mode. Finished - The server tells the client that it is readyfor secure data communication to begin.

This is the end of the SSLhandshake. Encrypted data - The client and the server communicateusing the symmetric encryption algorithm and the cryptographic hashfunction negotiated in messages 1 and 2, and using the secret keythat the client sent to the server in Message 8.

The handshake canbe renegotiated at this time. See the next section fordetails. Close Messages - At the end of the connection, each sidewill send a closenotify message to inform the peerthat the connection is closed.If the parameters generated during an SSL session are saved,these parameters can sometimes be reused for future SSL sessions.Saving SSL session parameters allows encrypted communication tobegin much more quickly.Handshaking Again (Renegotiation)Once the initial handshake has been finished and applicationdata is flowing, either side is free to initiate a new handshake atany time.

An application might like to use a stronger cipher suitefor especially critical operations, or a server application mightwant to require client authentication.Regardless of the reason, the new handshake takes place over theexisting encrypted session, and application data and handshakemessages are interleaved until a new session is established.Your application can initiate a new handshake using one of thefollowing methods:. SSLSocket.startHandshake. SSLEngine.beginHandshakeNote that a protocol flaw related to renegotiation was found in2009.

The protocol and the Java SE implementation have both beenfixed. For more information, see. Cipher Suite Choice and Remote Entity VerificationThe define a specificseries of steps to ensure a 'protected' connection.

However, thechoice of cipher suite will directly impact the type of securitythe connection enjoys. For example, if an anonymous cipher suite isselected, the application will have no way to verify the remotepeer's identity. If a suite with no encryption is selected, thenthe privacy of the data can not be protected. Additionally, theSSL/TLS protocols do not specify that the credentials received mustmatch those that peer might be expected to send. If the connectionwere somehow redirected to a rogue peer, but the rogue'scredentials presented were acceptable based on the current trustmaterial, the connection would be considered valid.When using raw SSLSockets/SSLEngines you shouldalways check the peer's credentials before sending any data. TheSSLSocket and SSLEngine classes do notautomatically verify that the hostname in a URL matches thehostname in the peer's credentials. An application could beexploited with URL spoofing if the hostname is not verified.Protocols such as do requirehostname verification.

Applications can use tooverride the default HTTPS hostname rules. See formore information.SSL and TLS ReferencesFor a list of resources containing more information about SSL,see. Transport Layer Security (TLS) Renegotiation Issue IntroductionIn the Fall of 2009, a flaw was discovered in the SSL/TLSprotocols. A fix to the protocol was developed by the IETF TLSWorking Group, and current versions of the JDK contain this fix.This section describes the situation in much more detail, alongwith interoperability issues when communicating with the olderimplementations which to not contain this protocol fix.The vulnerability allowed for Man-In-The-Middle (MITM) typeattacks where chosen plain text could be injected as a prefix to aTLS connection. Additional Keystore Formats (PKCS12)The specifies aportable format for storage and/or transport of a user's privatekeys, certificates, miscellaneous secrets, and other items. TheSunJSSE provider supplies a complete implementation ofthe PKCS12 java.security.KeyStore format for readingand write pkcs12 files. This format is also supported by othertoolkits and applications for importing and exporting keys andcertificates, such as Netscape/Mozilla, Microsoft's InternetExplorer, and OpenSSL.

For example, these implementations canexport client certificates and keys into a file using the '.p12'filename extension.With the SunJSSE provider, you can access PKCS12keys through the KeyStore API with a keystore type of 'pkcs12' (or'PKCS12', the name is case-insensitive). In addition, you can listthe installed keys and associated certificates using thekeytool command with the -storetype option setto pkcs12. (See forinformation about keytool.).

Troubleshooting Configuration Problems CertificateException: (while handshaking)Problem: When negotiating an SSL connection, the clientor server throws a CertificateException.Cause 1: This is generally caused by the remote sidesending a certificate that is unknown to the local side.Solution 1: The best way to debug this type of problem isto turn on debugging (see )and watch as certificates are loaded and when certificates arereceived via the network connection. Most likely, the receivedcertificate is unknown to the trust mechanism because the wrongtrust file was loaded. Refer the following sections for moreinformation:.Cause 2: The system clock is not set correctly.Solution 2: If the clock is not set correctly, theperceived time may be outside the validity period on one of thecertificates, and unless the certificate can be replaced with avalid one from a truststore, the system must assume that thecertificate is invalid, and therefore throw the exception. Java.security.KeyStoreException: TrustedCertEntry notsupportedProblem: Attempt to store trusted certificates in PKCS12keystore throws java.security.KeyStoreException:TrustedCertEntry not supported.Cause 1: We do not support storing trusted certificatesin pkcs12 keystore. PKCS12 is mainly used to deliver private keyswith the associated cert chains. It does not have any notion of'trusted' certificates. Note that in terms of interoperability,other pkcs12 vendors have the same restriction.

Browsers such asMozilla and Internet Explorer do not accept a pkcs12 file with onlytrusted certs.Solution 1: Use JKS (or JCEKS) keystore for storingtrusted certificates. Runtime Exception: SSL Service Not AvailableProblem: When running a program that uses JSSE, anexception occurs indicating that an SSL service is not available.For example, an exception similar to one of the followingoccurs:Exception in thread 'main'java.net.SocketException: no SSL Server SocketsException in thread 'main':SSL implementation not availableCause: There was a problem with SSLContextinitialization, for example due to an incorrect password on akeystore or a corrupted keystore. (Note: A JDK vendor once shippeda keystore in an unknown format, and that caused this type oferror.)Solution: Check initialization parameters. Ensure anykeystores specified are valid and that the passwords specified arecorrect. (One way you can check these things is by trying to usethe toexamine the keystore(s) and the relevant contents.) Exception, 'No available certificate corresponding to the SSLcipher suites which are enabled'Problem: When I try to run a simple SSL Server program,the following exception is thrown:Exception in thread 'main' javax.net.ssl.SSLException:No available certificate corresponding to the SSLcipher suites which are enabled.Cause: Various cipher suites require certain types of keymaterial.

For example, if an RSA cipher suite is enabled, an RSAkeyEntry must be available in the keystore. If no suchkey is available, this cipher suite cannot be used. If there are noavailable key entries for all of the cipher suites enabled, thisexception is thrown.Solution: Create key entries for the various cipher suitetypes, or use an anonymous suite. (Be aware that anonymousciphersuites are inherently dangerous because they are vulnerableto 'man-in-the-middle' attacks, see.) Refer to the following sections to learn how to pass thecorrect keystore and certificates:.Runtime Exception: No Cipher Suites in CommonProblem 1: When handshaking, the client and/or serverthrow this exception.Cause 1: Both sides of an SSL connection must agree on acommon ciphersuite. If the intersection of the client's ciphersuiteset with the server's ciphersuite set is empty, then you will seethis exception.Solution 1: Configure the enabled cipher suites toinclude common ciphersuites, and be sure to provide an appropriatekeyEntry for asymmetric ciphersuites.

(See inthis section.)Problem 2: When using Netscape Navigator or MicrosoftInternet Explorer (IE) to access files on a server that only hasDSA-based certificates, a runtime exception occurs indicating thatthere are no cipher suites in common.Cause 2: By default, keyEntries created withkeytool use DSA public keys. If only DSA keyEntriesexist in the keystore, only DSA-based ciphersuites can be used. Bydefault, Navigator and IE send only RSA-based ciphersuites.

Sincethe intersection of client and server ciphersuite sets is empty,this exception is thrown.Solution 2: To interact with Navigator or IE, you shouldcreate certificates that use RSA-based keys.