In some environments, particularly those requiring enhanced security or Federal Information Processing Standards (FIPS) compliance, you may need to use a certificate store type or cryptographic provider other than the default. Java Open Client supports this by allowing you to configure custom certificate store types and Java Cryptography Extension (JCE) providers. This flexibility enables applications to meet specific security requirements by specifying the certificate store type, provider, and password, and by registering a custom JCE provider either through the java.security file or programmatically.

If you are using a certificate store type other than the default, or working in a FIPS-compliant environment, the following configuration steps are required:

  1. Configure Open Client properties to specify the certificate store type, provider, and password.
    Note: These settings only apply to HTTPS connections. If using HTTP, they have no effect.
  2. Set the classpath to include the required Java Cryptography Extension (JCE) module, if it is not already bundled with your JVM.
  3. Update the java.security file or use the appropriate Java API to register your JCE provider, ensuring it is recognized by the JVM at runtime.

These steps are especially important when using custom, or FIPS-validated, cryptographic providers. They allow your Java Open Client application to operate securely and in alignment with organizational or regulatory requirements.

Configure certificate store and SecureRandom properties

The certificate store and SecureRandom properties of the com.progress.open4gl.javaproxy.Connection API give administrators and developers greater control over the cryptographic behavior of Java Open Client applications. These properties allow you to specify the type, provider, and password for the certificate store used during TLS handshakes, ensuring compatibility with custom, or FIPS-compliant, certificate stores. Additionally, the ability to configure the SecureRandom provider and implementation enables applications to use a cryptographically strong source of randomness that meets organizational or regulatory requirements. Together, these settings support secure, standards-aligned communication and provide the flexibility needed to integrate with enterprise-grade security infrastructures.

Properties and their corresponding methods

  • PROGRESS.Session.certificateStoreType
    • setCertificateStoreType—Set the certificate store type. For example, BCFKS.
    • getCertificateStoreType—Get the certificate store type. If one is not set, null is returned.
  • PROGRESS.Session.certificateStoreProvider
    • setCertificateStoreProvider—Set the certificate store provider. For example, BCFIPS.
    • getCertificateStoreProvider—Get the certificate store provider. If one is not set, null is returned.
  • PROGRESS.Session.certificateStorePassword
    • setCertificateStorePassword—Set the certificate store password. This is the password that was used to build the certificate store.
    • getCertificateStorePassword—Get the certificate store password. If one is not set, null is returned.
  • PROGRESS.Session.secureRandomImplementation
    • setSecureRandomImplementation—Set the SecureRandom implementation to be used when setting up SSL connections. For example, DEFAULT.
    • getSecureRandomImplementationName—Get the SecureRandom implementation used when setting up SSL connections. If one is not set, null is returned.
  • PROGRESS.Session.secureRandomProvider
    • setSecureRandomProvider—Set the SecureRandom provider to be used when setting up SSL connections. For example, BCFIPS.
    • getSecureRandomProvider—Get the SecureRandom provider used when setting up SSL connections. If one is not set, null is returned.

The following example demonstrates how to set these properties when initializing a connection object:

import com.progress.open4gl.javaproxy.Connection;

public class Example 
{
    public static void main(String[] args) throws Exception
    {  
        Connection connection = new Connection(
            "https://example:8080/apsv", "", "", "");

        /* API to configure certificate store */
        connection.setCertificateStore("/path/to/certstore.bcfks");
        connection.setCertificateStorePassword("Example-Password");
        connection.setCertificateStoreType("BCFKS");
        connection.setCertificateStoreProvider("BCFIPS");

        /* API to configure SecureRandom */
        connection.setSecureRandomImplementation("DEFAULT");
        connection.setSecureRandomProvider("BCFIPS");    
    }
}

The following command-line example demonstrates how to set these properties at startup:

java <other options> -classpath /path/to/fips/bcprovider.jar:... \
    -DPROGRESS.Session.certificateStoreType=BCFKS \
    -DPROGRESS.Session.certificateStoreProvider=BCFIPS \
    -DPROGRESS.Session.certificateStorePassword=Example-Password \
    -DPROGRESS.Session.secureRandomImplementation=DEFAULT \
    -DPROGRESS.Session.secureRandomProvider=BCFIPS \
    -Djava.security.properties==custom_java.security
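
Step 3 allows the JCE provider to be registered through the Java API instead of the java.security file. The following added example (not Progress code) does that, then checks that the certificate store type and SecureRandom implementation named in the properties above resolve against the provider before any connection is attempted. It assumes the Bouncy Castle FIPS jar is on the classpath and supplies the class org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; the class name ProviderPreflight and the CERTSTORE_PASSWORD environment variable are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Collections;

public class ProviderPreflight {
    // Assumptions: provider class from the BC-FIPS jar; names taken from the page's examples.
    static final String PROVIDER_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
    static final String PROVIDER = "BCFIPS", STORE_TYPE = "BCFKS", RANDOM_IMPL = "DEFAULT";

    /** Registers the provider programmatically unless java.security already did so. */
    static Provider ensureProvider() throws ReflectiveOperationException {
        Provider p = Security.getProvider(PROVIDER);
        if (p == null) {
            // Reflection avoids a compile-time dependency; fails fast if the jar is missing.
            p = (Provider) Class.forName(PROVIDER_CLASS).getDeclaredConstructor().newInstance();
            Security.insertProviderAt(p, 1); // position 1 = highest preference
        }
        return p;
    }

    /** Loads the store with the same type/provider pair the connection will be given. */
    static int checkStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE, PROVIDER);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password); // throws if the password or store type does not match
        }
        return Collections.list(ks.aliases()).size();
    }

    public static void main(String[] args) throws Exception {
        // CERTSTORE_PASSWORD is a hypothetical variable name chosen for this example.
        String env = System.getenv("CERTSTORE_PASSWORD");
        if (args.length != 1 || env == null) {
            System.err.println("usage: CERTSTORE_PASSWORD=... java ProviderPreflight <certstore>");
            System.exit(2);
        }
        Provider p = ensureProvider();
        SecureRandom rng = SecureRandom.getInstance(RANDOM_IMPL, PROVIDER);
        int entries = checkStore(args[0], env.toCharArray());
        System.out.printf("provider=%s store=%s entries=%d random=%s%n",
                p.getName(), STORE_TYPE, entries, rng.getAlgorithm());
    }
}
```

Reading the password from the environment and passing it to setCertificateStorePassword keeps it out of the process argument list, where a -D option is visible to other local users.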