Customize Security Configuration

The MWSSLConfig object provides information to configure HTTPS. The Java® client API provides a default MWSSLConfig implementation, MWSSLDefaultConfig, which it uses when no SSL configuration is passed to the MWHttpClient constructor. The MWSSLDefaultConfig object is implemented such that:

  • getSSLContext() returns the default SSLContext object created by the JRE.

  • getHostnameVerifier() returns a HostnameVerifier implementation whose verify() method always returns false. If the HTTPS hostname verification fails, the verifier does not override that decision.

  • getServerAuthorizer() returns a MWSSLServerAuthorizer implementation that authorizes all MATLAB® Production Server™ instances.

You extend the MWSSLDefaultConfig class to:

  • specify the security protocols the client can use

  • customize how the client verifies hostnames

  • specify additional server authentication logic

The MWSSLDefaultConfig class has three methods:

  • getSSLContext() — Returns the SSLContext object

  • getHostnameVerifier() — Returns a HostnameVerifier object to use if HTTPS hostname verification fails

  • getServerAuthorizer() — Returns a MWSSLServerAuthorizer object to perform server authorization based on the server certificate

Specify Enabled Encryption Protocols

MATLAB Production Server supports the following encryption protocols:

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

By default, all protocols are enabled. To control which protocols are enabled, override the getSSLContext() method to return an instance of MWCustomSSLContext with a list of enabled protocols. Protocols not on the list are not enabled. For example, to avoid the POODLE vulnerability, enable only the TLS protocols, which leaves the SSL protocols disabled.

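import javax.net.ssl.SSLContext;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import com.mathworks.mps.client.*;

public class MySSLConfig extends MWSSLDefaultConfig
{
  @Override
  public SSLContext getSSLContext()
  {
    try
    {
      // Only the protocols listed here are enabled; the SSL protocols are left off the list.
      final SSLContext context = MWCustomSSLContext.getInstance("TLSv1", "TLSv1.1", "TLSv1.2");
      // Use the default key managers, trust managers, and source of randomness.
      context.init(null, null, null);
      return context;
    }
    catch (NoSuchAlgorithmException | KeyManagementException e)
    {
      // Fail with the cause instead of returning null, so that a context
      // that could not be built is never silently used.
      throw new IllegalStateException("Could not create the SSL context", e);
    }
  }
}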

Override Default Hostname Verification

As part of the SSL handshake, the HTTPS layer attempts to match the hostname in the provided URL to the hostname provided in the server certificate. If the two hostnames do not match, the HTTPS layer calls the HostnameVerifier.verify() method as an additional check. The return value of the HostnameVerifier.verify() method determines if the hostname is verified.

The implementation of the HostnameVerifier.verify() method provided by the MWSSLDefaultConfig object always returns false. The result is that if the hostname in the URL and the hostname in the server certificate do not match, the HTTPS handshake fails.

For a more robust hostname verification scheme, extend the MWSSLDefaultConfig class so that getHostnameVerifier() returns a HostnameVerifier whose verify() method uses custom logic. For example, if you want to generate only one certificate for all of the servers on which MATLAB Production Server instances run, you can specify MPS for the certificate’s hostname. Your implementation of HostnameVerifier.verify() then returns true if the hostname stored in the certificate is MPS.

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import com.mathworks.mps.client.*;

public class MySSLConfig extends MWSSLDefaultConfig
{
  @Override
  public HostnameVerifier getHostnameVerifier()
  {
    return new HostnameVerifier()
    {
      // Called only when the URL hostname does not match the server certificate.
      @Override
      public boolean verify(String s, SSLSession sslSession)
      {
        // getPeerHost() is the peer host name recorded for the session;
        // the JDK documents this value as not authenticated.
        return "MPS".equals(sslSession.getPeerHost());
      }
    };
  }
}
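The text above describes accepting a server when the hostname stored in its certificate is MPS, whereas SSLSession.getPeerHost() reports the session's peer host rather than a certificate field. The following added example (not MathWorks code) reads the name from the certificate that the server presented. The class name CertNameSSLConfig is hypothetical, and MPS is the shared certificate name from the text.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import com.mathworks.mps.client.*;

// Hypothetical class name; added example, not MathWorks code.
public class CertNameSSLConfig extends MWSSLDefaultConfig
{
  private static final String EXPECTED_NAME = "MPS"; // shared certificate name from the text
  @Override
  public HostnameVerifier getHostnameVerifier()
  {
    return new HostnameVerifier()
    {
      @Override
      public boolean verify(String urlHostname, SSLSession session)
      {
        try
        {
          // Leaf certificate that the server presented in the handshake.
          X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
          // Subject alternative names are [type, value] pairs; type 2 is dNSName.
          Collection<List<?>> sans = cert.getSubjectAlternativeNames();
          if (sans != null)
            for (List<?> san : sans)
              if (Integer.valueOf(2).equals(san.get(0)) && EXPECTED_NAME.equals(san.get(1)))
                return true;
          // Otherwise compare the subject's common name (CN).
          LdapName subject = new LdapName(cert.getSubjectX500Principal().getName());
          for (Rdn rdn : subject.getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType()) && EXPECTED_NAME.equals(rdn.getValue()))
              return true;
          return false;
        }
        catch (SSLPeerUnverifiedException | CertificateParsingException | InvalidNameException | ClassCastException e)
        {
          return false; // fail closed: no readable certificate name, no match
        }
      }
    };
  }
}
```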

For more information on HostnameVerifier, see Oracle's Java Documentation.

For information on disabling hostname verification, see Work with Self-signed Certificate.

Use Additional Server Authentication

After the HTTPS layer establishes a secure connection, a client can perform an additional authentication step before sending requests to a server. An implementation of the MWSSLServerAuthorizer interface performs this additional authentication. An MWSSLServerAuthorizer implementation performs two checks to authorize a server:

  • isCertificateRequired() determines if servers must present a certificate for authorization. If this returns true and the server has not provided a certificate, the client does not authorize the server.

  • authorize(Certificate serverCert) uses the server's certificate to determine if the client authorizes the server to process requests.

The MWSSLServerAuthorizer implementation returned by the MWSSLDefaultConfig object authorizes all servers without performing any checks.

To use server authentication, extend the MWSSLDefaultConfig class and override the implementation of getServerAuthorizer() to return a MWSSLServerAuthorizer implementation that does perform authorization checks.
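One way to write such an authorizer is to pin the server certificate by its SHA-256 digest, shown here as an added example that is not MathWorks code. The class name PinnedSSLConfig and the pinned value are placeholders, and the example assumes that both interface methods return boolean and that Certificate is java.security.cert.Certificate.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import com.mathworks.mps.client.*;

// Hypothetical class name; added example, not MathWorks code.
public class PinnedSSLConfig extends MWSSLDefaultConfig
{
  // Placeholder: lowercase hex SHA-256 of the DER-encoded server certificate.
  private static final String PINNED_SHA256 = "<sha256-hex-of-server-certificate>";

  @Override
  public MWSSLServerAuthorizer getServerAuthorizer()
  {
    return new MWSSLServerAuthorizer()
    {
      // Assumed to return boolean: a server that presents no certificate is refused.
      public boolean isCertificateRequired()
      {
        return true;
      }

      // Assumed to return boolean: authorize only the pinned certificate.
      public boolean authorize(Certificate serverCert)
      {
        if (serverCert == null)
          return false;
        try
        {
          byte[] digest = MessageDigest.getInstance("SHA-256").digest(serverCert.getEncoded());
          StringBuilder hex = new StringBuilder();
          for (byte b : digest)
            hex.append(String.format("%02x", b));
          return PINNED_SHA256.equals(hex.toString());
        }
        catch (NoSuchAlgorithmException | CertificateEncodingException e)
        {
          return false; // fail closed if the certificate cannot be hashed
        }
      }
    };
  }
}
```

With the placeholder left in place, no certificate matches and every server is refused, so the pin must be replaced with the digest of the certificate your servers actually present.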
