Using SSL in Java applications  Using Java Secure Socket Extension classes

Chapter 5: Using SSL in Java Clients

Creating HTTP and HTTPS connections in Java applications

You can create HTTP connections in Java applications using the HTTP protocol handling code built in to the Java Developer’s Kit, and HTTPS connections using the HTTPS protocol handler provided with EAServer.

HTTP connections

The standard Java virtual machine provides HTTP connectivity with these classes in package:

For details on these classes, see the JDK documentation. The following code shows a typical example. This code opens a connection, retrieves the data (text is assumed), and prints it:

URL url = new URL("");
URLConnection conn = url.openConnection();
InputStreamReader content 
    = new InputStreamReader(conn.getInputStream());
for (int i=0; i != -1; i =
    System.out.print((char) i);  

HTTPS connections

The procedure for creating HTTPS connections is similar to that for HTTP connections, except that you must install EAServer’s HTTPS protocol handler in the Java virtual machine and configure SSL parameters before opening a connection.

NoteSystem requirements EAServer’s HTTPS protocol handler uses the same SSL implementation as used by Java and C++ IIOP clients and requires a full client runtime install. For information on system requirements, see “Requirements”.

Installing the HTTPS protocol handler

The EAServer HTTPS protocol handler can be installed two ways:

Configuring the default protocol handlers

The java.protocol.handler.pkgs Java system property configures the Java virtual machine default URL protocol handlers. To use the EAServer handlers, you must add to the list. For more information on this property, see the documentation for in JDK 1.2.

In a client application, specify this property on the command line; for example:

jre ...

For an EAServer, set the JVM options property using the Advanced tab in the Server Properties dialog box:



If not already set, set to:

If already set, verify that the value includes this option. JVM options must be separated with a comma.

You can specify more than one package by separating package names with a | (pipe) character, but you can configure only one handler per protocol.

Specifying protocol handlers at runtime

If you must use more than one HTTPS protocol handler in one EAServer or in one client application, you must call one of the constructors that takes a as a parameter. The specified instance overrides the default handler for the protocol specified by the URL. For example, to specify the EAServer HTTPS handler, use code like this:



String url_string = "https://localhost:8081/index.html";

// The URL stream handler factory is required to create a stream
// handler.
JagURLStreamHandlerFactory fact = new JagURLStreamHandlerFactory();

// Extract the protocol from the front of the URL string
String protocol = url_string.substring(0, url_string.indexOf(":"));

// If the protocol is HTTPS, use the EAServer HTTPS handler. Otherwise,
// use the default handler url;
if (protocol.equals("https"))
    url = new URL((URL)null, url_string,
} else
    url = new URL(url_string);

EAServer’s HttpsURLConnection class

EAServer provides the class to support HTTPS connectivity. This class extends and implements all methods of HttpsURLConnection provides these additional methods specifically for SSL support:

StepsCreating HTTPS connections

  1. Configure or install the EAServer HTTPS protocol handler as described in “Installing the HTTPS protocol handler”.

  2. Create URL and URLConnection instances. If connecting to an EAServer, specify the address of an HTTPS listener that supports the desired level of security. For example:

    URL url = new URL("https://myhost:8081/index.html");
    URLConnection conn = url.openConnection();
  3. Verify that the object returned by URL.openConnection is of class, then set SSL properties for the connection. “SSL properties” describes the SSL properties that can be set. At a minimum, you must specify the qop and pin properties, as well as the certificateLabel property if using mutual authentication. For example:

    if (conn instanceof HttpsURLConnection)
      HttpsURLConnection https_conn =     (HttpsURLConnection) conn;
        https_conn.setSSLProperty( "qop","sybpks_intl" ); 
        https_conn.setSSLProperty( "pin", "secret");
               "certificateLabel", "John Smith");
      catch ( CtsSecurity.InvalidPropertyException ipe )
        System.err.println( ipe );
      catch ( CtsSecurity.InvalidValueException ive )
        System.err.println( ive );
  4. Open the connection, for example:


Once the connection is open, you can perform any valid operation for a connection that uses You can also call the getSessionInfo method to retrieve a CtsSecurity.SSLSessionInfo instance that allows you to verify the SSL connection parameters. For example: conn;
... deleted code that constructed URLConnection ...
if (conn instanceof HttpsURLConnection)
  HttpsURLConnection https_conn =     (HttpsURLConnection) conn;
  CtsSecurity.SSLSessionInfo sessInfo = 

The SSLSessionInfo methods allow you to determine the SSL session properties, such as the server’s address, the client certificate in use, the server certificate in use, and so forth. For more information, see the Interface Repository documentation for the CtsSecurity::SSLSessionInfo interface.

SSL properties

Table 5-2 lists the properties that can be set and retrieved with the HttpsURLConnection getSSLProperty, getGlobalProperty, setSSLProperty, and setGlobalProperty methods. Global properties are set and read with the getGlobalProperty and setGlobalProperty methods. Global properties affect all HTTPS connections, not just the HttpsUrlConnection instance on which they are set. The right column in Table 5-2 lists which methods are valid for each property.

Some properties, if not set or set incorrectly, cause the connection to invoke an SSL callback method. You can install a callback to respond to these cases with the callbackImpl global property. If you do not install an SSL callback, the default callback implementation aborts the connection attempt.

Table 5-2: HTTPS Properties

Property name


Valid for methods


Always required when using SSL.

Specifies the PKCS #11 token PIN. This is required for logging in to a PKCS #11 token for client authentication and for retrieving trust information.

This property cannot be retrieved.

If not set, set to “any”, or set incorrectly, the connection invokes the getPin callback method.

setSSLProperty setGlobalProperty


Required when using mutual authentication.

Specifies the client certificate to use if the connection requires mutual authentication. The label is a simple name that identifies an X.509 certificate/private key in a PKCS #11 token. If the property is not set and the connection requires mutual authentication, the connection invokes the getCertificateLabel callback method, passing an array of available certificate names as an input parameter.

setSSLProperty getSSLProperty setGlobalProperty getGlobalProperty


Always required when using SSL.

Specifies the name of a security characteristic to use. See “Choosing a security characteristic” for more information.

setSSLProperty getSSLProperty setGlobalProperty getGlobalProperty


Specifies user data (String datatype). This is an optional property. Client code can set user data during connection initialization and access it using SSLSessionInfo::getProperty method in the SSL callback implementation. This may be useful as a mechanism to store connection-level context information that is otherwise not available through the SSLSessionInfo interface.

setSSLProperty getSSLProperty setGlobalProperty getGlobalProperty


Specifies whether to use the Entrust ID or the Sybase PKCS #11 token for authentication. This is a Boolean (true or false) property. If this property is set to false, Sybase PKCS #11 token properties are valid and Entrust-specific properties are ignored. If this property is set to true, Entrust-specific properties are valid and Sybase PKCS #11 token properties are ignored.

setSSLProperty getSSLProperty setGlobalProperty getGlobalProperty


Specifies the full path to the file containing an Entrust user profile. This property is optional when the Entrust single-login feature is available and required when this feature is not available. If not set, the connection invokes the getCredentialAttribute callback method.

setSSLProperty getSSLProperty setGlobalProperty getGlobalProperty


Specifies the password for logging in to Entrust with the specified user profile. This property is optional when the Entrust single-login feature is available and required when this feature is not available. If the password is required but not set or set incorrectly, the connection invokes the getPin callback method.

This property cannot be retrieved.

setSSLProperty setGlobalProperty


Specifies the path name for the Entrust INI file that provides information on how to access Entrust. This is required when the useEntrustid property is set to true.

If not set, the connection invokes the getCredentialAttribute callback method.

setSSLProperty getSSLProperty setGlobalProperty getGlobalProperty


Specifies the name of a Java class that implements the CtsSecurity.SSLCallbackIntf interface. For example:


See “Implementing an SSL callback” for more information.

setGlobalProperty getGlobalProperty


Retrieve only. A list of available security characteristics. The qop property can be set only to values that appear in this list.



Retrieve only. A list of descriptions for the available security characteristics, in the same order as listed in the value of the availableQop property.



Retrieve only. Returns true if Entrust PKI software is available on the client, false otherwise.


Choosing a security characteristic

To use SSL, you must specify the name of an available security characteristic as the value for the qop property. The characteristic describes the CipherSuites the client uses when negotiating an SSL connection. When connecting, the client sends the list of CipherSuites that it uses to the server, and the server selects a cipher suite from that list. The server chooses the first cipher suite in the list that it can use. If the server cannot use any of the available CipherSuites, the connection fails.

Chapter 13, “Security Configuration Tasks” describes the security characteristics that are provided with EAServer. At runtime, you can retrieve a list of characteristics and their descriptions by retrieving the availableQop and availableQopDesc properties.

Copyright © 2005. Sybase Inc. All rights reserved. Using Java Secure Socket Extension classes