HTTP Conduit OSGi Configuration Parameters - 6.5

Talend ESB Container Administration Guide

The configuration files described in this section are located in <TalendRuntimePath>/container/etc/org.apache.cxf.http.conduits-<endpoint_name>.cfg in the Talend Runtime.

As an example of the syntax involved, here are the contents of the general org.apache.cxf.http.conduits-common.cfg configuration file:

url = https://localhost.*
tlsClientParameters.disableCNCheck = true
tlsClientParameters.trustManagers.keyStore.type = JKS
tlsClientParameters.trustManagers.keyStore.password = password
tlsClientParameters.trustManagers.keyStore.file = ./etc/keystore.jks
tlsClientParameters.keyManagers.keyStore.type = JKS
tlsClientParameters.keyManagers.keyStore.password = password
tlsClientParameters.keyManagers.keyStore.file = ./etc/keystore.jks
tlsClientParameters.cipherSuitesFilter.include = .*_EXPORT_.*,.*_EXPORT1024_.*,.*_WITH_DES_.*,.*_WITH_AES_.*,.*_WITH_NULL_.*,.*_DH_anon_.*
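
The cipherSuitesFilter.include value in the sample file admits export-grade, single-DES, NULL and anonymous suites alongside AES. The following Python model is an added example, not Talend or CXF code: it assumes each comma-separated entry is a regular expression that must match the whole suite name and that excludes are applied after includes; the offered suite list and the tighter filter pair are constructed for illustration.

```python
import re

# The include list from the sample conduits-common.cfg (continuation joined).
SAMPLE_INCLUDE = (".*_EXPORT_.*,.*_EXPORT1024_.*,.*_WITH_DES_.*,"
                  ".*_WITH_AES_.*,.*_WITH_NULL_.*,.*_DH_anon_.*")

# Constructed tighter pair for comparison (illustrative, not a Talend default).
TIGHTER_INCLUDE = ".*_WITH_AES_.*_GCM_.*"
TIGHTER_EXCLUDE = ".*_NULL_.*,.*_anon_.*,.*_EXPORT.*,.*_DES_.*"

# Constructed sample of JSSE suite names a provider might offer.
OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# Name fragments of suites without encryption, without server
# authentication, or with export-grade or single-DES keys.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_DES_")


def split_patterns(value):
    """Split a comma-separated .cfg value into compiled regex patterns."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def filter_suites(offered, include, exclude=""):
    """Keep suites matching any include pattern and no exclude pattern."""
    inc, exc = split_patterns(include), split_patterns(exclude)
    return [s for s in offered
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]


def weak_suites(enabled):
    """Return the enabled suites whose names carry a weak marker."""
    return [s for s in enabled if any(m in s for m in WEAK_MARKERS)]
```

Running weak_suites(filter_suites(OFFERED, SAMPLE_INCLUDE)) lists the four weak suites the sample filter lets through; the tighter pair leaves only the AES-GCM suite.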

The url parameter

The url parameter is one of the main parameters. In the configuration files, it defines the list of matching client endpoints to which the contained configuration parameters are applied. (The client endpoint address is retrieved using HTTPConduit.getAddress().)

url may be a full endpoint address or a regular expression containing wild cards, for example:

  • .* matches all endpoints,

  • https.* matches all client addresses starting with "https",

  • https://localhost.* matches all client addresses starting with "https://localhost".

Note that the org.apache.cxf.http.conduits-common.cfg file above restricts access to local servers, because the configuration points to a keystore with certificates suitable for the Talend samples. This keystore does not contain the root certificates of the public certification authorities that are required for public servers, such as Salesforce servers; those certificates are in the standard Java keystore.

All parameters contained in all matching configuration files are collected:

  1. in the order defined by the order parameter (see the table in The order parameter),

  2. then by an exact match,

  3. then by a configuration with a matching conduit bean name.

If a parameter is defined in multiple matching configuration files, then the last parameter definition found is the one that is used.

The order parameter

This parameter defines the order in which the parameters in configuration files are applied. Each file has a unique value of order. For example:

abc.cfg:

order = 1
url = .*
client.ReceiveTimeout = 60000

xyz.cfg:

order = 2
url = .*busy.*
client.ReceiveTimeout = 120000

If the endpoint address contains "busy", then both configuration files match, according to the rules in The url parameter.

In this case, client.ReceiveTimeout will have the longer timeout value 120000 because the order parameters stipulate that xyz.cfg is applied after abc.cfg.
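
To see which settings a given endpoint ends up with, the matching and merge rules from The url parameter and The order parameter can be modelled offline. The following Python code is an added example, not Talend or CXF code: it assumes a url pattern must match the whole endpoint address and reads "exact match" as a url value equal to the address; dev.cfg and all endpoint addresses are hypothetical.

```python
import re

# abc.cfg and xyz.cfg are the page's examples; dev.cfg is a hypothetical
# file that reuses the url pattern of the sample conduits-common.cfg.
FILES = {
    "abc.cfg": "order = 1\nurl = .*\nclient.ReceiveTimeout = 60000",
    "xyz.cfg": "order = 2\nurl = .*busy.*\nclient.ReceiveTimeout = 120000",
    "dev.cfg": "order = 3\nurl = https://localhost.*\n"
               "tlsClientParameters.disableCNCheck = true",
}
SELECTORS = ("url", "order", "name")  # select a file, are not conduit settings


def parse(text):
    """Parse 'key = value' lines into a dict, skipping comments and blanks."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}


def resolve(files, address, bean_name=None):
    """Return {parameter: (value, source file)} for one client endpoint."""
    ranked = []
    for fname, text in files.items():
        cfg = parse(text)
        url = cfg.get("url")
        by_name = bean_name is not None and cfg.get("name") == bean_name
        # Assumption: a url pattern must match the whole endpoint address.
        by_url = url is not None and re.fullmatch(url, address) is not None
        if by_name or by_url:
            # Applied last wins: ordered regex matches, exact url, bean name.
            tier = 2 if by_name else 1 if url == address else 0
            ranked.append((tier, int(cfg.get("order", 50)), fname, cfg))
    effective = {}
    for _, _, fname, cfg in sorted(ranked, key=lambda r: r[:3]):
        for key, value in cfg.items():
            if key not in SELECTORS:
                effective[key] = (value, fname)
    return effective


def cn_check_disabled(files, address):
    """True if the merged settings for this address skip the CN check."""
    value, _ = resolve(files, address).get(
        "tlsClientParameters.disableCNCheck", ("false", None))
    return value.lower() == "true"
```

Because https://localhost.* is a prefix pattern, cn_check_disabled also returns True for an address such as https://localhost.corp.example/svc; a pattern that ends the host name, for example https://localhost(:[0-9]+)?/.*, keeps the relaxed setting on the local machine only.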

Configuration properties

In this table, we look at the complete list of possible properties:

| Property | Default | Description |
|---|---|---|
| url | | The endpoint URL - either defined as exact string or as regular expression pattern (see The url parameter). |
| order | 50 | Defines the order in which parameters are applied (see The order parameter). |
| name | | If name is defined and is equal to the conduit bean name, HTTPConduit.getBeanName(), the parameter definitions have highest priority, overwriting and extending other matching configurations. |
| tlsClientParameters.secureSocketProtocol | TLS | Protocol Name. Most common examples are "SSL", "TLS" or "TLSv1". |
| tlsClientParameters.sslCacheTimeout | JDK default | Sets the SSL Session Cache timeout value for client sessions handled by CXF. |
| tlsClientParameters.jsseProvider | | JSSE provider name. |
| tlsClientParameters.disableCNCheck | false | Indicates whether the hostname given in the HTTPS URL will be checked against the service's Common Name (CN) given in its certificate during SOAP client requests - it fails if there is a mismatch. If set to true (not recommended for production use), such checks will be bypassed. That will allow you, for example, to use a URL such as localhost during development. |
| tlsClientParameters.useHttpsURLConnectionDefaultHostnameVerifier | false | This attribute specifies if HttpsURLConnection.getDefaultHostnameVerifier() should be used to create HTTPS connections. If 'true', the 'disableCNCheck' configuration parameter is ignored. |
| tlsClientParameters.useHttpsURLConnectionDefaultSslSocketFactory | false | Specifies if HttpsURLConnection.getDefaultSSLSocketFactory() should be used to create HTTPS connections. If 'true', 'jsseProvider', 'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom', 'cipherSuites' and 'cipherSuitesFilter' configuration parameters are ignored. |
| tlsClientParameters.certConstraints.SubjectDNConstraints.combinator | | SubjectDN certificate constraints specification as combinator. |
| tlsClientParameters.certConstraints.SubjectDNConstraints.RegularExpression | | SubjectDN certificate constraints specification as regular expression. |
| tlsClientParameters.certConstraints.IssuerDNConstraints.combinator | | IssuerDN certificate constraints specification as combinator. |
| tlsClientParameters.certConstraints.IssuerDNConstraints.RegularExpression | | IssuerDN certificate constraints specification as regular expression. |
| tlsClientParameters.secureRandomParameters.algorithm | JVM default | Algorithm parameter of the SecureRandom specification. |
| tlsClientParameters.secureRandomParameters.provider | JVM default | Provider parameter of the SecureRandom specification. |
| tlsClientParameters.cipherSuitesFilter.include | | Filters the supported CipherSuites: list of CipherSuites that will be supported and used if available. |
| tlsClientParameters.cipherSuitesFilter.exclude | | Filters the supported CipherSuites: list of CipherSuites that will be excluded. |
| tlsClientParameters.cipherSuites | default sslContext cipher suites | CipherSuites that will be supported. |
| tlsClientParameters.trustManagers.provider | JVM default | Provider of the trust manager. |
| tlsClientParameters.trustManagers.factoryAlgorithm | JVM default | Factory algorithm of the trust manager. |
| tlsClientParameters.trustManagers.keyPassword | JVM default | Key password of the trust manager. |
| tlsClientParameters.trustManagers.keyStore.type | JVM default | Keystore type of the trust manager. |
| tlsClientParameters.trustManagers.keyStore.password | JVM default | Keystore password of the trust manager. |
| tlsClientParameters.trustManagers.keyStore.provider | JVM default | Keystore provider of the trust manager. |
| tlsClientParameters.trustManagers.keyStore.url | JVM default | Trust Managers URL to hold X509 certificates. |
| tlsClientParameters.trustManagers.keyStore.file | JVM default | Trust Managers file to hold X509 certificates. |
| tlsClientParameters.trustManagers.keyStore.resource | JVM default | Trust Managers resource to hold X509 certificates. |
| tlsClientParameters.keyManagers.provider | JVM default | Provider of the key manager. |
| tlsClientParameters.keyManagers.factoryAlgorithm | JVM default | Factory algorithm of the key manager. |
| tlsClientParameters.keyManagers.keyPassword | JVM default | Key password of the key manager. |
| tlsClientParameters.keyManagers.keyStore.type | JVM default | Keystore type of the key manager. |
| tlsClientParameters.keyManagers.keyStore.password | JVM default | Keystore password of the key manager. |
| tlsClientParameters.keyManagers.keyStore.provider | JVM default | Keystore provider of the key manager. |
| tlsClientParameters.keyManagers.keyStore.url | JVM default | Key managers URL to hold X509 certificates. |
| tlsClientParameters.keyManagers.keyStore.file | JVM default | Key managers file to hold X509 certificates. |
| tlsClientParameters.keyManagers.keyStore.resource | JVM default | Key managers resource to hold X509 certificates. |
| authorization.UserName | | Specifies the UserName parameter for configuring the basic authentication method that the endpoint uses preemptively. |
| authorization.Password | | Specifies the Password parameter for configuring the basic authentication method that the endpoint uses preemptively. |
| authorization.Authorization | | Corresponds to the authentication specified in the SPNEGO/Kerberos login.conf. |
| authorization.AuthorizationType | | Authorization type: "Basic", "Digest" or "Negotiation". |
| proxyAuthorization.UserName | | Specifies the UserName parameter for configuring basic authentication against outgoing HTTP proxy servers. |
| proxyAuthorization.Password | | Specifies the Password parameter for configuring basic authentication against outgoing HTTP proxy servers. |
| proxyAuthorization.Authorization | | Proxy authorization type: "Basic", "Digest" or "Negotiation". |
| proxyAuthorization.AuthorizationType | | Corresponds to the proxy authentication specified in the SPNEGO/Kerberos login.conf. |
| client.ConnectionTimeout | 30000 | Specifies the amount of time, in milliseconds, that the client will attempt to establish a connection before it times out. 0 specifies that the client will continue to attempt to open a connection indefinitely. |
| client.ReceiveTimeout | 60000 | Specifies the amount of time, in milliseconds, that the client will wait for a response before it times out. 0 specifies that the client will wait indefinitely. |
| client.AutoRedirect | false | Specifies if the client will automatically follow a server issued redirection. The default is false. |
| client.MaxRetransmits | -1 | Specifies the maximum number of times a client will retransmit a request to satisfy a redirect. The default of -1 specifies that unlimited retransmissions are allowed. |
| client.AllowChunking | true | Specifies whether the client will send requests using chunking. The default is true which specifies that the client will use chunking when sending requests. Chunking cannot be used if either http-conf:basicAuthSupplier is configured to provide credentials preemptively or AutoRedirect is set to true. In both cases the value of AllowChunking is ignored and chunking is disallowed. See note about chunking below. |
| client.ChunkingThreshold | 4000 | Specifies the threshold at which CXF will switch from non-chunking to chunking. By default, messages less than 4K are buffered and sent non-chunked. Once this threshold is reached, the message is chunked. |
| client.Connection | Keep-Alive | Specifies whether a particular connection is to be kept open or closed after each request/response dialog. There are two valid values: Keep-Alive specifies that the client wants to keep its connection open after the initial request/response sequence (if the server honors it, the connection is kept open until the consumer closes it); close specifies that the connection to the server is closed after each request/response sequence. |
| client.DecoupledEndpoint | | Specifies the URL of a decoupled endpoint for the receipt of responses over a separate server-client connection. Warning: You must configure both the client and server to use WS-Addressing for the decoupled endpoint to work. |
| client.ProxyServer | | Specifies the URL of the proxy server through which requests are routed. |
| client.ProxyServerPort | | Specifies the port number of the proxy server through which requests are routed. |
| client.ProxyServerType | HTTP | Specifies the type of proxy server used to route requests. Valid values are: HTTP (default), SOCKS. |
| client.NonProxyHosts | | A (possibly empty) list of hosts which should be connected directly and not through the proxy server; it may contain wild card expressions. |