Verastream SDK for Airlines
Setting up the SDK for Secure Connections

You can set up your application to connect without security or through a secure connection using Secure Sockets Layer /Transport Layer Security (SSL/TLS). If you don't need to make a secure connection, you can skip this section.

The Verastream SDK uses the FIPS 140-2 validated BCJFA 1.0.0 package from The Legion of the Bouncy Castle to establish secure sessions using the SSL/TLS protocol. The packages are validated for use with Java versions 1.7 and higher. They require that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files be installed in the JRE. Their operation also requires that you set up a keystore file for use in authentication.

Note

Unisys and Airlines 5.0 SP1 Update 1 has been upgraded to use the bc-fips-1.0.1 and bctls-fips-1.0.3 jar files to address security vulnerability CVE-2017-13098. This will require updating the classpath for applications using secure connections. (Version 5.0 SP1 (without the update) uses the bc-fips-1.0.0 and bctls-fips-1.0.1 jar files.)

The default mode of operation for a secure connection is Federal Information Processing Standards (FIPS) 140 mode. This can be disabled by specifying FIPS140=false in the session XML (see Defining an XML Configuration) for ALL secure sessions. Mixed FIPS and non-FIPS sessions are not supported.

Note

If you need to set up more than one client certificate (for example, when you are connecting to more than one host), you will need to set up a separate keystore file for each certificate. (You cannot select from multiple certificates in one keystore.)

Upgrading From Previous Releases

The use of the Bouncy Castle packages (new in this release) has introduced a few new requirements for applications. If your application uses secure connections  in FIPS140 mode, you will need to modify your solution to meet the following requirements: 

  • If FIPS140 mode is used for any connection, it must be used for all secure connections. The mixing of FIPS140 and non-FIPS140 sessions is no longer supported.
  • The only acceptable Keystore format in FIPS140 mode is the BCFKS format. Any other format results in connection errors.  Existing keystores must be converted to (or recreated in) BCFKS format. 

Applications which do not use FIPS140 mode should not require any changes (though SSL 3.0 is no longer supported).

Use the following procedures to set up your application to connect with security.

Install the Java Unlimited Strength Jurisdiction Policy Files

To install the Java unlimited strength jurisdiction policy files
  1. Make sure that the system on which you are installing the SDK has an Oracle 1.7 JRE or greater with the appropriate Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed.        

  2. If these files are not installed, they can be downloaded from http://www.oracle.com/technetwork/java/index.html and copied into place. 
                           

Set up the Keystore File

To set up the keystore file:
  1. Acquire the Certificate Authority (CA) certificate (and all of the required intermediate certificates) that issued the certificate on the host you want to access.

  2. On the system you installed the SDK on, create a keystore and add the CA certifcate (and all intermediate certificates) to the keystore (using a tool such as the Java JDK Keytool).

  3. If the host you connect to does not require client authentication, set up the session parameters as shown in  Define an XML Configuration.
Note The Verastream SDK supports JKS, BCFKS, and PKCS12 keystore formats, but a session in FIPS mode may only use BCFKS format.

Set up For Client Authentication

To set up for client authentication:
  1. Request a private certificate and private key from a CA that is trusted on the host. (You can use Keytool to generate and export the request, and then to import the signed certificate.)

    The following example shows how to list the contents of a keystore. For information about exporting requests and importing signed certificates, see the Keytool documentation.        
    List Contents of a BCFKS keystore
    Copy Code
    keytool -providername BCFIPS –providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.0.jar -storetype BCFKS –keystore yourfile.bcfks -storepass "secret" -list
    
                           
  2. Add this private certificate and private key to the keystore that you created when you set up server authentication.

    The keystore must contain the trusted certificates required by the server for server authentication and the private certifcate and private key required for client authentication.
  3. Set up the session parameters as shown in  Define an XML Configuration.

Troubleshooting

  • If secure connections are rejected, you can enable the tracelog by specifying TraceError=true.   (See Tracing and Debugging.)

  • If the error message “Illegal Key Size” is displayed, the Unlimited Jurisdiction Policy Files may not be properly installed.