Transport Layer Security

Transport layer security provides privacy during data transmission by encrypting the message when the server sends it and then decrypting it when the client receives it. Both the client and the server have the contents of the message in clear text. The library uses the HTTPS protocol to provide transport layer security.

During initial installation, the library uses a default certificate (a pre-defined, self-signed x509 certificate) for HTTPS. During the library "hand off" process, you can choose to replace the default certificate with a library-specific, self-signed certificate or provide a third-party signed certificate. See the following for more information:

For the inbound SCI interface, HTTPS is required. The library implements authentication using username/password tokens. The user id and password appear in clear text inside the message, so HTTPS is required to prevent an eavesdropper on the network from reading the id and password from messages in flight.

For the outbound SCI interface, HTTPS is optional. Oracle recommends using authentication and HTTPS on the outbound interface; however, not all environments may require authentication. Creating an outbound SCI server (remember, the library is the client) without authentication does open that server up to numerous attacks.

Supported cipher suites are:

  • tls1_1: ECDHE-RSA-AES128-SHA
  • tls1_1: DHE-RSA-AES128-SHA
  • tls1_1: ECDHE-RSA-DES-CBC3-SHA
  • tls1_1: EDH-RSA-DES-CBC3-SHA
  • tls1_1: AES128-SHA
  • tls1_1: DES-CBC3-SHA
  • tls1_2: ECDHE-RSA-AES128-GCM-SHA256
  • tls1_2: ECDHE-RSA-AES128-SHA256
  • tls1_2: ECDHE-RSA-AES128-SHA
  • tls1_2: DHE-RSA-AES128-GCM-SHA256
  • tls1_2: DHE-RSA-AES128-SHA256
  • tls1_2: DHE-RSA-AES128-SHA
  • tls1_2: ECDHE-RSA-DES-CBC3-SHA
  • tls1_2: EDH-RSA-DES-CBC3-SHA
  • tls1_2: AES128-GCM-SHA256
  • tls1_2: AES128-SHA256
  • tls1_2: AES128-SHA
  • tls1_2: DES-CBC3-SHA
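The list above mixes suites with and without forward secrecy, AEAD and 3DES. The following is an added example (not Oracle's or the library's code) showing how an administrator might restrict a client, such as one that talks to an outbound SCI server, to the stronger TLS 1.2 subset of this list and confirm which of those suites the local OpenSSL build will actually offer; the suite names are taken verbatim from the list, and the policy choices (forward secrecy required, 3DES excluded, AEAD optional) are assumptions of the example.

```python
import ssl

# TLS 1.2 suites exactly as listed on this page (OpenSSL naming).
LIBRARY_TLS12_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA", "DES-CBC3-SHA",
]


def classify(name):
    """Properties of a suite that drive the policy decision, derived from its OpenSSL name."""
    return {
        # ECDHE/DHE/EDH key exchange gives forward secrecy; plain RSA key transport does not.
        "forward_secrecy": name.startswith(("ECDHE-", "DHE-", "EDH-")),
        "aead": "-GCM-" in name,          # GCM suites are AEAD; the *-SHA* CBC suites are not
        "triple_des": "DES-CBC3" in name, # 3DES (64-bit block cipher)
    }


def preferred_suites(suites=LIBRARY_TLS12_SUITES, require_aead=False):
    """Keep only suites with forward secrecy and without 3DES; optionally AEAD only."""
    keep = []
    for s in suites:
        props = classify(s)
        if props["forward_secrecy"] and not props["triple_des"]:
            if not require_aead or props["aead"]:
                keep.append(s)
    return keep


def client_context(suites):
    """Client SSLContext pinned to TLS 1.2 and the given suites (hypothetical policy).

    Certificate verification stays on (create_default_context). set_ciphers raises
    ssl.SSLError if the local OpenSSL supports none of the requested suites.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(suites))
    return ctx


def negotiable(ctx):
    """TLS 1.2 suite names the local OpenSSL would actually offer with this context."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
```

Suites absent from `negotiable()` are ones the local OpenSSL build has disabled (3DES and some SHA-1 suites often are), so the check is worth repeating on the host that will actually connect.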