Transport security

The Bridge supports TCP connections without transport security, and secure connections using TLSv1.1 or TLSv1.2. This support exists for both outgoing connections and incoming administrative connections.

For outgoing connections, if TLSv1.1 is requested, the Bridge usually connects as either TLSv1.1 or TLSv1.2 as selected by the server. If TLSv1.2 is requested, the Bridge connects only as TLSv1.2.

The cipher list can be selected for outgoing connections in the Connection object to allow for servers with restricted cipher support. Specify the cipher list only if required.

The Bridge defines two directories to contain certificate information. Files can be created in these directories and must be in PEM format. Private key files in the keystore can be password encrypted.

• The truststore directory contains certificates that are needed by the Bridge to verify server certificates.
• The keystore directory contains certificates and keys that are used by the administrative endpoints of the Bridge.

Hashing of the trust store is done automatically when the bridge is started, and whenever a file in the trust store is modified.

For the server certificate, any issuing Certificate Authorities (CAs) can be placed in the same file as the server certificate, or can be put in the trust store.

The trust store contains the trusted root certificates from trusted CAs. If the server produces a certificate that is signed by a trusted CA, you do not need to put the certificate into the trust store. If the server produces a self-signed certificate, the certificate or its issuing CA must be put into the trust store.