Configuring SSLServerSocket Using SSL with JSSE

This class centralizes all security properties and common security methods. One of its primary uses is to manage providers.

Provider: This class represents a provider for the Java Security API, where a provider implements some or all parts of Java Security, including:

• Algorithms such as DSA, RSA, MD5 or SHA-1.
• Key generation, conversion, and management facilities such as for algorithm-specific keys.

Each provider has a name and a version number and is configured in each runtime in which it is installed.

That is, Security is basically a set of static methods, such as addProvider, which allow Java code to easily access various cryptographic algorithms, each of which is encapsulated within an instance of Provider. Given these classes, the way the SSL factories work is simple: they coordinate the SSL handshake and use the ciphersuites that have been installed with Security. Therefore, in order to use SSL, you must install at least one instance of Provider. Fortunately, JSSE comes with a subclass of Provider, com.sun.net.ssl.internal.SSLProvider, which implements a wide selection of cryptographic algorithms. The following code installs the provider by creating an instance of com.sun.net.ssl.internal.SSLProvider and calling java.security.Security's addProvider method. It then lists the supported ciphersuites.

    // Register the JSSE provider, then ask the default factory what it can do.
    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    SSLServerSocketFactory socketFactory =
        (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    String[] suites = socketFactory.getSupportedCipherSuites();
    System.out.println("Supported cipher suites:");
    for (int counter = 0; counter < suites.length; counter++) {
        System.out.println("\t" + suites[counter]);
    }

The Javasoft implementation of SSL is what Sun Microsystems, Inc. calls a reference implementation.
That is, the Javasoft implementation of SSL is intended to define correct behavior for the interfaces and classes associated with SSL implementations, and is explicitly not intended for production use. In particular, the implementations of cryptographic algorithms are rather slow. In a production environment, you'd probably want to purchase faster providers.

2.6.2.2 Configuring SSLServerSocket

Once you've installed a provider on the server side, the next step is to create and configure an instance of SSLServerSocket. In addition to being a subclass of ServerSocket, SSLServerSocket defines the following nine methods:

    public String[] getSupportedCipherSuites()
    public String[] getEnabledCipherSuites()
    public void setEnabledCipherSuites(String[] suites)
    public void setEnableSessionCreation(boolean flag)
    public boolean getEnableSessionCreation()
    public void setNeedClientAuth(boolean flag)
    public boolean getNeedClientAuth()
    public void setUseClientMode(boolean flag)
    public boolean getUseClientMode()

While the precise details of these methods are beyond the scope of this book, there are three that are particularly useful:

setEnabledCipherSuites
This method allows you to choose which ciphersuites the instance of SSLServerSocket will support.

setEnableSessionCreation
The enableSessionCreation property defaults to true. If enableSessionCreation is set to false, new sessions (e.g., new SSL connections) cannot be created.

setNeedClientAuth
Using this method with an argument of false explicitly disables client authentication, even for cryptographic algorithms that usually require client authentication.

To create and configure an instance of SSLServerSocket, you first obtain an instance of SSLServerSocketFactory. Next, create an instance of SSLServerSocket, and then call the appropriate methods. The following code creates an instance of SSLServerSocket, which uses a single, anonymous ciphersuite:

    public static String ANON_CIPHER = "SSL_DH_anon_WITH_RC4_128_MD5";
    public static String[] CIPHERS = {ANON_CIPHER};

    public SSLServerSocket createServerSocket(int port) {
        try {
            java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            SSLServerSocketFactory socketFactory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            SSLServerSocket returnValue =
                (SSLServerSocket) socketFactory.createServerSocket(port);
            // Restrict the socket to the single anonymous suite and allow new sessions.
            returnValue.setEnabledCipherSuites(CIPHERS);
            returnValue.setEnableSessionCreation(true);
            return returnValue;
        }
        .....   // catch clause omitted in the original
    }

After this code executes, the instance of SSLServerSocket returned by createServer is ready to be used just like any other instance of ServerSocket. That is, the accept method can be called, and when an instance of SSLSocket successfully completes the SSL handshake with it, accept will return an instance of SSLSocket, which can be used for secure two-way communication.
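The same configuration written against the current javax.net.ssl API, as an added example that is not the book's code. It assumes a JDK in which the default JSSE provider is already registered (so the addProvider call is unnecessary) and that the server's credentials are supplied through the standard javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties read by the default factory. The anonymous suite the book enables, SSL_DH_anon_WITH_RC4_128_MD5, authenticates neither side; this version instead filters the supported suites down to authenticated ones using a rejection list that is an assumed policy for the example, and checks each requested protocol against getSupportedProtocols() before enabling it, so an older runtime fails clearly rather than throwing IllegalArgumentException from setEnabledProtocols.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class HardenedSslServerSocket {

    // Name fragments that mark a suite as unauthenticated (anon) or built on
    // primitives no longer considered safe. Assumed policy for this example,
    // not a JSSE constant.
    private static final String[] REJECTED_FRAGMENTS =
        { "_ANON_", "NULL", "RC4", "MD5", "DES", "EXPORT" };

    // Protocols we would like, in preference order; each is checked against
    // what the runtime actually supports before being enabled.
    private static final String[] PREFERRED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    /** True when the suite name contains none of the rejected fragments. */
    static boolean isAcceptable(String suite) {
        String upper = suite.toUpperCase();
        for (String fragment : REJECTED_FRAGMENTS) {
            if (upper.contains(fragment)) {
                return false;
            }
        }
        return true;
    }

    /** Keeps only the entries of 'wanted' that also appear in 'supported'. */
    static String[] intersect(String[] wanted, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> result = new ArrayList<>();
        for (String w : wanted) {
            if (supportedList.contains(w)) {
                result.add(w);
            }
        }
        return result.toArray(new String[0]);
    }

    /** Filters a supported-suite list down to the acceptable suites. */
    static String[] selectSuites(String[] supported) {
        List<String> result = new ArrayList<>();
        for (String suite : supported) {
            if (isAcceptable(suite)) {
                result.add(suite);
            }
        }
        return result.toArray(new String[0]);
    }

    /**
     * Mirrors the book's createServerSocket, but enables only authenticated
     * suites and current protocols. Server credentials come from the
     * javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword system properties.
     */
    public static SSLServerSocket createServerSocket(int port, boolean requireClientCert)
            throws IOException {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);

        String[] protocols = intersect(PREFERRED_PROTOCOLS, server.getSupportedProtocols());
        if (protocols.length == 0) {
            server.close();
            throw new IOException("runtime supports none of " + Arrays.toString(PREFERRED_PROTOCOLS));
        }
        server.setEnabledProtocols(protocols);

        String[] suites = selectSuites(server.getSupportedCipherSuites());
        if (suites.length == 0) {
            server.close();
            throw new IOException("no acceptable cipher suite is supported");
        }
        server.setEnabledCipherSuites(suites);

        server.setEnableSessionCreation(true);
        // true makes the handshake fail unless the client presents a certificate
        // chain that the server's trust store accepts.
        server.setNeedClientAuth(requireClientCert);
        return server;
    }

    public static void main(String[] args) throws IOException {
        // Port 0 lets the OS pick a free port; enough to show the resulting config.
        SSLServerSocket server = createServerSocket(0, false);
        try {
            System.out.println("Listening on port " + server.getLocalPort());
            System.out.println("Enabled protocols: " + Arrays.toString(server.getEnabledProtocols()));
            System.out.println("Enabled cipher suites:");
            for (String suite : server.getEnabledCipherSuites()) {
                System.out.println("\t" + suite);
            }
            // accept() would now return an SSLSocket once a client completes the handshake.
        } finally {
            server.close();
        }
    }
}
```

Compile and run it with javac and java; the printed list is the supported list with every anon, NULL, RC4, MD5, DES and EXPORT suite removed. Creating and configuring the socket needs no key material, but a handshake on any of the remaining suites does: without a server key in the configured keystore, accept() fails with a handshake exception rather than silently falling back to an anonymous suite.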

2.6.2.3 Configuring SSLSocket