Customizing the Default Key and Trust Managers

As noted in Customizing the Default Key and Trust Stores, Store Types, and Store Passwords, whenever a default SSLSocketFactory or SSLServerSocketFactory is created, and this default SSLSocketFactory (or SSLServerSocketFactory) comes from the JSSE reference implementation, a default SSLContext is associated with the socket factory.

This default SSLContext is initialized with a KeyManager and a TrustManager. The KeyManager or TrustManager (or both) supplied to the default SSLContext is an implementation that manages the specified keystore or truststore, as described in the aforementioned section.

The KeyManager implementation selected is determined by first examining the security property:

ssl.KeyManagerFactory.algorithm

If such a property value is specified, a KeyManagerFactory implementation for the specified algorithm is searched for. The implementation from the first provider that supplies an implementation is used. Its getKeyManagers method is called to determine the KeyManager to supply to the default SSLContext. (Technically, getKeyManagers returns an array of KeyManagers, one KeyManager for each type of key material.) If there is no such security property value specified, the default value of IbmX509 is used to perform the search.

Note: A KeyManagerFactory implementation for the IbmX509 algorithm is supplied by the IBMJSSE2 provider. The KeyManager it specifies is a javax.net.ssl.X509KeyManager implementation.

Similarly, the TrustManager implementation chosen is determined by first examining the security property:

ssl.TrustManagerFactory.algorithm

If such a property value is specified, a TrustManagerFactory implementation for the specified algorithm is searched for. The implementation from the first provider that supplies an implementation is used. Its getTrustManagers method is called to determine the TrustManager to supply to the default SSLContext. (Technically, getTrustManagers returns an array of TrustManagers, one TrustManager for each type of trust material.) If there is no such security property value specified, the default value of PKIX is used to perform the search.

Note: A TrustManagerFactory implementation for the PKIX algorithm is supplied by the IBMJSSE2 provider. The TrustManager it specifies is a javax.net.ssl.X509TrustManager implementation.

Important: This section describes the current JSSE reference implementation behavior. The system properties described in this section are not guaranteed to continue to have the same names and types (system or security) or even to exist at all in future releases. They also might not be examined and used by any other JSSE implementations. If they are examined by an implementation, that implementation should handle them in the same manner as the JSSE reference implementation does, as described herein.
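
The lookup described above can be checked on a running JVM, which is useful when auditing whether the java.security file has redirected certificate validation to an unexpected algorithm or provider. The following Java program is an added example, not code from the original documentation; the class name DefaultManagerAudit and the describe helper are hypothetical, and it assumes the JVM's default truststore is readable.

```java
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical audit helper (added example): shows which algorithm and
// provider the default SSLContext would use for key and trust managers.
public class DefaultManagerAudit {

    // Security.getProperty returns null when the property is not set,
    // in which case the implementation's built-in default applies.
    static String describe(String property, String effective) {
        String configured = Security.getProperty(property);
        return property + " = " + (configured == null ? "(unset)" : configured)
                + ", effective algorithm = " + effective;
    }

    public static void main(String[] args) throws Exception {
        String kmAlg = KeyManagerFactory.getDefaultAlgorithm();
        System.out.println(describe("ssl.KeyManagerFactory.algorithm", kmAlg));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmAlg);
        System.out.println("  provider: " + kmf.getProvider().getName());
        kmf.init(null, null); // null KeyStore: no key material is passed in explicitly
        for (KeyManager km : kmf.getKeyManagers()) {
            System.out.println("  key manager: " + km.getClass().getName());
        }

        String tmAlg = TrustManagerFactory.getDefaultAlgorithm();
        System.out.println(describe("ssl.TrustManagerFactory.algorithm", tmAlg));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlg);
        System.out.println("  provider: " + tmf.getProvider().getName());
        tmf.init((KeyStore) null); // null asks the factory to use the default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            System.out.println("  trust manager: " + tm.getClass().getName());
            if (tm instanceof X509TrustManager) {
                int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
                System.out.println("    accepted issuers: " + n);
            }
        }
    }
}
```

An algorithm or provider name in the output that differs from the defaults named in this section (IbmX509 and PKIX from IBMJSSE2) indicates that the security properties or the provider order have been changed from the reference configuration.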