TlsOptions (deprecated)
This object is deprecated; use ClientTlsOptions instead. For more information, refer to the Deprecated section of the Release Notes. |
Configures connections to the TLS-protected endpoint of servers, when IG is client-side.
Usage
{
"name": string,
"type": "TlsOptions",
"config": {
"keyManager": [ Key manager reference, ...],
"trustManager": [ Trust manager reference, ...],
"sslCipherSuites": [ configuration expression<string>, ...],
"sslContextAlgorithm": configuration expression<string>,
"sslEnabledProtocols": [ configuration expression<string>, ...],
}
}
Properties
"keyManager"
: array of key manager references references, optional-
One or more of the following objects to serve the same secret key and certificate pair for TLS connections to all server names in the deployment:
Key managers are used to prove the identity of the local peer during TLS handshake, as follows:
-
When ServerTlsOptions is used in an HTTPS connector configuration (server-side), the key managers to which ServerTlsOptions refers are used to prove this IG’s identity to the remote peer (client-side). This is the usual TLS configuration setting (without mTLS).
-
When ClientTlsOptions is used in a ClientHandler or ReverseProxyHandler configuration (client-side), the key managers to which ClientTlsOptions refers are used to prove this IG’s identity to the remote peer (server-side). This configuration is used in mTLS scenarios.
Default: None
-
"trustManager"
: array of trust manager references, optional-
One or more of the following objects to manage IG’s public key certificates:
-
When the TrustManager object is configured, only certificates accessible through that TrustManager are trusted. Default and system certificates are no longer trusted.
Trust managers verify the identity of a peer by using certificates, as follows:
-
When ServerTlsOptions is used in an HTTPS connector configuration (server-side), ServerTlsOptions refers to trust managers that verify the remote peer’s identity (client-side). This configuration is used in mTLS scenarios.
-
When ClientTlsOptions is used in a ClientHandler or a ReverseProxyHandler configuration (client-side), ClientTlsOptions refers to trust managers that verify the remote peer’s identity (server-side). This is the usual TLS configuration setting (without mTLS).
If
trustManager
is not configured, IG uses the default Java truststore to verify the remote peer’s identity. The default Java truststore depends on the Java environment. For example,$JAVA_HOME/lib/security/cacerts
.Default: No
trustManager
is set, and IG uses the default and system certificates "sslCipherSuites"
: array of configuration expression<strings>, optional-
Array of cipher suite names, used to restrict the cipher suites allowed when negotiating transport layer security for an HTTPS connection.
For information about the available cipher suite names, see the documentation for the Java virtual machine (JVM) where you run IG. For Oracle Java, refer to the list of JSSE Cipher Suite Names.
Default: Allow any cipher suite supported by the JVM.
"sslContextAlgorithm"
: configuration expression<string>, optional-
The
SSLContext
algorithm name, as listed in the table of SSLContext Algorithms for the Java Virtual Machine (JVM).Default:
TLS
"sslEnabledProtocols"
: array of configuration expression<strings>, optional-
Array of protocol names, used to restrict the protocols allowed when negotiating transport layer security for an HTTPS connection.
For information about the available protocol names, refer to the documentation for the Java Virtual Machine (JVM). For Oracle Java, refer to the list of Additional JSSE Standard Names.
Follow these protocol recommendations:
-
Use TLS 1.3 when it is supported by available libraries, otherwise use TLS 1.2.
-
If TLS 1.1 or TLS 1.0 is required for backwards compatibility, use it only with express approval from enterprise security.
-
Do use deprecated versions SSL 3 or SSL 2.
Default: TLS 1.3, TLS 1.2
-