SSL Support (HTTPS)

Talend ESB Mediation Developer Guide

Version: 6.2
Product: Talend ESB
Tasks: Design and Development; Installation and Upgrade

The Jetty component supports SSL/TLS configuration through the Camel JSSE Configuration Utility. This utility greatly reduces the amount of component-specific code you need to write, and it can be applied at the endpoint level or at the component level. The following examples show how to use the utility with the Jetty component.

Programmatic configuration of the component:

import org.apache.camel.component.jetty.JettyHttpComponent;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;

// Keystore holding the server's own certificate and private key.
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("/users/home/server/keystore.jks");
ksp.setPassword("keystorePassword");

// Key managers present that key entry during the TLS handshake.
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("keyPassword");

SSLContextParameters scp = new SSLContextParameters();
scp.setKeyManagers(kmp);

// Component-level configuration: applies to every jetty endpoint in this CamelContext.
// (Called from inside a RouteBuilder, where getContext() is available.)
JettyHttpComponent jettyComponent = getContext().getComponent("jetty",
   JettyHttpComponent.class);
jettyComponent.setSslContextParameters(scp);

Spring DSL based configuration of the endpoint:

...
<camel:sslContextParameters id="sslContextParameters">
   <camel:keyManagers keyPassword="keyPassword">
      <camel:keyStore resource="/users/home/server/keystore.jks"
         password="keystorePassword"/>
   </camel:keyManagers>
</camel:sslContextParameters>
...
<to uri="jetty:https://127.0.0.1/mail/?sslContextParametersRef=sslContextParameters"/>
...
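The two fragments above only configure key managers, which is enough for the server to present its own certificate. The following is an added example (not code from the Talend or Camel documentation) that uses the same JSSE utility to go further: it loads a truststore, requires a client certificate (mutual TLS), restricts the negotiable protocol to TLSv1.2 and filters out weak cipher suites. The keystore paths, the system-property names used for the passwords and the port 8443 are assumptions for the example.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jetty.JettyHttpComponent;
import org.apache.camel.util.jsse.FilterParameters;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SSLContextServerParameters;
import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
import org.apache.camel.util.jsse.TrustManagersParameters;

/**
 * Added example: Jetty component configured for mutual TLS, TLSv1.2 only,
 * with weak cipher suites excluded. Paths, property names and the port are
 * assumptions, not values from the documentation.
 */
public class MutualTlsJettyRoute extends RouteBuilder {

    @Override
    public void configure() throws Exception {
        // Server identity: keystore holding the Jetty server's own key entry.
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource("/etc/esb/tls/server-keystore.jks");                 // assumed path
        ksp.setPassword(System.getProperty("esb.tls.keystore.password"));     // keep secrets out of source

        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword(System.getProperty("esb.tls.key.password"));

        // Trust anchors: a truststore that contains only the CA issuing client certificates.
        KeyStoreParameters tsp = new KeyStoreParameters();
        tsp.setResource("/etc/esb/tls/client-ca-truststore.jks");            // assumed path
        tsp.setPassword(System.getProperty("esb.tls.truststore.password"));

        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(tsp);

        // Server-side handshake policy: a client certificate is mandatory.
        SSLContextServerParameters serverParams = new SSLContextServerParameters();
        serverParams.setClientAuthentication("REQUIRE");

        // Only TLSv1.2 may be negotiated; SSLv3/TLSv1.0/TLSv1.1 are never offered.
        SecureSocketProtocolsParameters protocols = new SecureSocketProtocolsParameters();
        protocols.getSecureSocketProtocol().add("TLSv1.2");

        // Cipher suite filter: include everything the JVM offers, then drop weak suites by regex.
        FilterParameters cipherFilter = new FilterParameters();
        cipherFilter.getInclude().add(".*");
        cipherFilter.getExclude().add(".*(NULL|EXPORT|DES|RC4|MD5|anon).*");

        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        scp.setTrustManagers(tmp);
        scp.setServerParameters(serverParams);
        scp.setSecureSocketProtocols(protocols);
        scp.setCipherSuitesFilter(cipherFilter);

        // Component-level: every jetty:https endpoint in this context inherits the settings.
        JettyHttpComponent jetty = getContext().getComponent("jetty", JettyHttpComponent.class);
        jetty.setSslContextParameters(scp);

        from("jetty:https://0.0.0.0:8443/secure/echo")   // assumed port and path
            .transform(body());
    }
}
```

Reading the passwords from system properties rather than literals in the route keeps them out of version control; wherever the JVM is started from a script, pass them via a properties file or the container's credential mechanism rather than on the command line, since command-line arguments are visible to other local users.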

You can also configure Jetty for SSL directly. In this case, simply format the URI with the https:// prefix, for example:

<from uri="jetty:https://0.0.0.0/myapp/myservice/"/>

Jetty also needs to know where to load your keystore from and which passwords to use in order to load the correct SSL certificate. Set the following JVM system properties:

  • org.eclipse.jetty.ssl.keystore specifies the location of the Java keystore file, which contains the Jetty server's own X.509 certificate in a key entry. A key entry stores the X.509 certificate (effectively, the public key) together with its associated private key.

  • org.eclipse.jetty.ssl.password is the store password, which is required to open the keystore file (this is the same password that is supplied to the keytool command's -storepass option).

  • org.eclipse.jetty.ssl.keypassword is the key password, which is used to access the certificate's key entry in the keystore (this is the same password that is supplied to the keytool command's -keypass option).

Note that system properties passed as -D arguments on the command line are visible to any local user who can list processes, so prefer supplying the passwords through a file or the container's own configuration mechanism.

For details of how to configure SSL on a Jetty endpoint, read the Jetty documentation.

If you configure per-port SSL socket connectors as a map on the component, the keys of that map are the port numbers you configure Jetty to listen on.

Configuring general SSL properties

Instead of an SSL socket connector tied to a specific port number, you can configure general properties that apply to all SSL socket connectors (that is, to every port that is not explicitly configured with its own per-port entry).

<bean id="jetty" 
   class="org.apache.camel.component.jetty.JettyHttpComponent">
   <property name="sslSocketConnectorProperties">
      <map>
         <entry key="password" value="..."/>
         <entry key="keyPassword" value="..."/>
         <entry key="keystore" value="..."/>
         <entry key="needClientAuth" value="..."/>
         <entry key="truststore" value="..."/>
      </map>
   </property>
</bean>

Configuring general HTTP properties

Instead of an HTTP socket connector tied to a specific port number, you can configure general properties that apply to all HTTP socket connectors (that is, to every port that is not explicitly configured with its own per-port entry).

<bean id="jetty" 
   class="org.apache.camel.component.jetty.JettyHttpComponent">
   <property name="socketConnectorProperties">
      <map>
         <entry key="acceptors" value="4"/>
         <entry key="maxIdleTime" value="300000"/>
      </map>
   </property>
</bean>

Default behavior for returning HTTP status codes

The default behavior for HTTP status codes is defined by the org.apache.camel.component.http.DefaultHttpBinding class, which handles how a response is written and also sets the HTTP status code.

If the exchange was processed successfully, the 200 HTTP status code is returned. If the exchange failed with an exception, the 500 HTTP status code is returned, and the stack trace is returned in the body. Be aware that a stack trace in the response discloses class names, file paths and library versions to the caller; on an externally reachable endpoint, handle exceptions in the route and return a generic body instead. If you want to specify which HTTP status code to return, set the code in the Exchange.HTTP_RESPONSE_CODE header of the OUT message.
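The following is an added example (not code from the Talend or Camel documentation) of a route that sets Exchange.HTTP_RESPONSE_CODE explicitly and uses an onException clause so that a failure produces a generic 500 body rather than the default stack trace. The endpoint port and path and the "order id" input format are assumptions for the example.

```java
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;

/**
 * Added example: explicit status codes plus a handled exception clause so
 * that clients never receive a stack trace. Port, path and the accepted
 * input format are assumptions, not values from the documentation.
 */
public class StatusCodeRoute extends RouteBuilder {

    @Override
    public void configure() throws Exception {
        // Without this clause any unhandled exception becomes a 500 whose body is the
        // stack trace (DefaultHttpBinding). Log the detail server-side and send a fixed body.
        onException(Exception.class)
            .handled(true)
            .log("request failed: ${exception.message}")
            .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(500))
            .setHeader(Exchange.CONTENT_TYPE, constant("text/plain"))
            .setBody(constant("internal error"));

        from("jetty:https://0.0.0.0:8443/api/orders")   // assumed port and path
            .process(new Processor() {
                @Override
                public void process(Exchange exchange) throws Exception {
                    String orderId = exchange.getIn().getBody(String.class);

                    // Reject malformed input with 400 instead of letting downstream code throw.
                    if (orderId == null || !orderId.matches("[A-Za-z0-9-]{1,64}")) {
                        exchange.getOut().setHeader(Exchange.HTTP_RESPONSE_CODE, 400);
                        exchange.getOut().setHeader(Exchange.CONTENT_TYPE, "text/plain");
                        exchange.getOut().setBody("invalid order id");
                        return;
                    }

                    // Status code is taken from the OUT message header, as described above.
                    exchange.getOut().setHeader(Exchange.HTTP_RESPONSE_CODE, 201);
                    exchange.getOut().setHeader(Exchange.CONTENT_TYPE, "text/plain");
                    exchange.getOut().setBody("created " + orderId);
                }
            });
    }
}
```

The onException clause is global to the RouteBuilder, so every route it defines gets the same generic error body; the exception message still reaches the server log through the log step, which is where diagnostic detail belongs.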

Jetty JMX support

Camel-jetty supports enabling Jetty's JMX capabilities at the component and endpoint level, with the endpoint configuration taking priority. Note that JMX must be enabled within the Camel context in order to enable JMX support in this component, because the component provides Jetty with a reference to the MBeanServer registered with the Camel context. Because the camel-jetty component caches and reuses Jetty resources for a given protocol/host/port pairing, this configuration option is only evaluated when the first endpoint for a given protocol/host/port pairing is created.

For example, given two routes created from the following XML fragments, JMX support would remain enabled for all endpoints listening on "https://0.0.0.0".

<from uri="jetty:https://0.0.0.0/myapp/myservice1/?enableJmx=true"/>
<from uri="jetty:https://0.0.0.0/myapp/myservice2/?enableJmx=false"/>

The camel-jetty component also provides for direct configuration of the Jetty MBeanContainer. Jetty creates MBean names dynamically. If you are running another instance of Jetty outside of the Camel context and sharing the same MBeanServer between the instances, you can provide both instances with a reference to the same MBeanContainer in order to avoid name collisions when registering Jetty MBeans.