A plain connector creates a simple HTTP endpoint. The only required extra parameter is port.

1. In the timestamp.properties configuration file, add this:

   Code Block
   title Example: Plain connector
   connector.0.name=localhost connector.0.port=8879

   
   

The TLS connector type creates HTTPS connections including server authentication and will communicate through an encrypted tunnel.

To create an TLS endpoint, you need a keystore containing the server key. A connector will automatically be used for TLS if the TLS subkey exists.

1. To configure the TLS connector using PKCS#12, enter this in timestamp.properties:

   Code Block
   title Example: Configure TLS connector using PKCS#12
   connector.1.name=localhost connector.1.port=8443 connector.1.ssl.keystore=${config}/keys/sslDemo.p12 connector.1.ssl.keystore.pin=1234 connector.1.ssl.keyStorePassword=1234

   
   

TLS can be used to authenticate the user, this is called TLS client authentication. To be able to use the TLS client authentication method, a connector configured to manage client authentication is required.

1. To enable a connector to manage TLS with client authentication, configure a regular TLS connector, see above.
2. Point out a truststore. See Manage truststores in Nexus Timestamp Server for information on how to create a truststore.

3. To configure the TLS connector with client authentication enabled, enter this in timestamp.properties:
   

   Code Block
   title Example: TLS connector with client authentication enabled
   connector.2.name=localhost connector.2.port=8886 connector.2.ssl.keystore=${config}/keys/sslDemo.p12 connector.2.ssl.keystore.pin=1234 connector.2.ssl.keyStorePassword=1234 connector.2.ssl.needClientAuth=true connector.2.ssl.truststore=${config}/certs

   
   

The needClientAuth and wantClientAuth parameters are used to define if client authentication is required or if it shall be optional. If those parameters are not set, the web application can control if and when to authenticate the user, which is the case for the TLS client authentication method.

An example of how to use the Nexus Timestamp Client to send an TLS request to a connector with client authentication enabled can be found in Use Nexus Timestamp Server test client.

1. To configure the TLS connector, if the private key resides inside a PKCS#11 token, enter this in timestamp.properties:
   

   Code Block
   title Example: TLS connector with key from PKCS#11
   connector.3.name=localhost connector.3.port=8887 connector.3.ssl.keystore=${config}/keys/cs_pkcs11_R2.dll connector.3.ssl.keystore.pin=1234 # tokenlabel is the label name of the token that will be used connector.3.ssl.keystore.tokenlabel=tsa_keys # certAlias is mapped to the CKA_LABEL of the certificate and key connector.3.ssl.certAlias=tsa-cert connector.3.ssl.keyStorePassword=1234 connector.3.ssl.needClientAuth=true connector.3.ssl.truststore=${config}/certs

   
   

You can configure the protocols or cipher suites used. Note that the default configuration is completely overridden if an exclude is configured.

1. To exclude protocols or cipher suites, enter this in timestamp.properties:
   

   Code Block
   title Example: Exclude protocols or cipher suites
   # Default excluded protocols: connector.3.ssl.excludeProtocols.1=SSL connector.3.ssl.excludeProtocols.2=SSLv2 connector.3.ssl.excludeProtocols.3=SSLv2Hello connector.3.ssl.excludeProtocols.4=SSLv3 # Default excluded cipher suites: (Regular expressions or full names supported) connector.3.ssl.excludeCipherSuites.1=^.*_(MD5|SHA|SHA1)$