JSS Certificate Database Properties (Sun OpenSSO Enterprise 8.0 Developer's Guide)

Sun OpenSSO Enterprise 8.0 Developer's Guide

JSS Certificate Database Properties

Network Security Services for Java (JSS) is a Java interface to Network Security Services (NSS), a set of libraries designed to support cross-platform development of security-enabled client and server applications. The following properties are used to initialize the JSS SocketFactory when the web container in which the Client SDK is deployed is configured for SSL.

com.iplanet.am.admin.cli.certdb.dir identifies the directory path to the certificate database.
com.iplanet.am.admin.cli.certdb.passfile identifies the directory path to the password file for the certificate database.
com.iplanet.am.admin.cli.certdb.prefix identifies the prefix for the certificate database.

These properties identify the value for SSL ApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with a prefix equal to the value defined in com.iplanet.am.admin.cli.certdb.prefix and located in the directory defined in com.iplanet.am.admin.cli.certdb.dir.

com.iplanet.am.jssproxy.trustAllServerCerts, when enabled, allows OpenSSO Enterprise to ignore all certificate-related issues such as a name conflict and continue the SSL handshaking. The default value is false; to enable, true.

Caution –
To prevent a possible security risk, enable this property only for testing purposes, or when the enterprise network is tightly controlled. Avoid enabling this property if a security risk might occur (for example, if a server connects to a server in a different network).
com.iplanet.am.jssproxy.checkSubjectAltName, when enabled, includes the Subject Alternative Name (SubjectAltName) extension with a certificate, and OpenSSO Enterprise checks all name entries in the extension. If one of the names included in the SubjectAltName extension is the same as the server FQDN, OpenSSO Enterprise continues the SSL handshaking. The default value is false. To enable this property, set a comma separated list of trusted FQDNs; for example, com.iplanet.am.jssproxy.checkSubjectAltName=amserv1.example.com,amserv2.example.com.
com.iplanet.am.jssproxy.resolveIPAddress takes a value of false (by default) or true.
com.iplanet.am.jssproxy.SSLTrustHostList tells OpenSSO Enterprise to check the Platform Server list against the server host that is being accessed. If the server FQDNs of the servers in the Platform Server list match, OpenSSO Enterprise continues the SSL handshaking. Use the following syntax to set the property: com.iplanet.am.jssproxy.SSLTrustHostList=fqdn_osso_server1,fqdn_osso_server2,fqdn_osso_server3