
Transport Layer Security (TLS)

The Contrast Java agent uses a secure TLS connection to communicate with Contrast.

For hosted customers, Contrast uses strong TLSv1.2 connections and certificates signed by industry-standard certificate authorities (CAs). However, on-premises customers may need to configure the Java agent to trust enterprise CAs, and may want the Java agent to send a client certificate in the TLS handshake.

The Contrast Java agent uses the standard Java Cryptography Architecture for configuring TLS. Specifically, the Java agent uses the system's "TLS" javax.net.ssl.SSLContext. For most users, this means that you can adjust the certificates trusted by the agent using the standard javax.net.ssl.trustStore system properties. You can also adjust the certificate the agent sends when the TLS server requests a client certificate using the standard javax.net.ssl.keyStore system properties.

This example configures the Java agent to use a custom key store and trust store:

java \
  -javaagent:contrast.jar \
  -Djavax.net.ssl.trustStore=/etc/pki/tls/my-enterprise-truststore.p12 \
  -Djavax.net.ssl.trustStorePassword=changeit \
  -Djavax.net.ssl.trustStoreType=PKCS12 \
  -Djavax.net.ssl.keyStore=/etc/pki/tls/server-client-certificate.p12 \
  -Djavax.net.ssl.keyStorePassword=password \
  -Djavax.net.ssl.keyStoreType=PKCS12 \
  -jar my-server.jar
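
To confirm that the stores load and that a handshake succeeds before starting the application with the agent, the following added diagnostic (not Contrast code) reads the same javax.net.ssl.* properties and lists what each store contains. The class name TlsStoreCheck and the host and port arguments are assumptions for illustration, and the class uses the JVM's default SSLContext, which is the context that honors these properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
// Added diagnostic, not Contrast code. Run it with the same -Djavax.net.ssl.* flags as the agent.
public class TlsStoreCheck {
    // Loads the store named by javax.net.ssl.<prefix>* and prints each entry's role and expiry.
    static void describe(String prefix) throws Exception {
        String path = System.getProperty("javax.net.ssl." + prefix);
        if (path == null) { System.out.println(prefix + ": not set (JVM default)"); return; }
        String type = System.getProperty("javax.net.ssl." + prefix + "Type", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl." + prefix + "Password", "");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // a wrong password or store type fails here
        }
        for (String alias : Collections.list(ks.aliases())) {
            String role = ks.isKeyEntry(alias) ? "private key + chain" : "trusted certificate";
            Certificate c = ks.getCertificate(alias);
            String detail = c instanceof X509Certificate
                ? ((X509Certificate) c).getSubjectX500Principal() + ", expires " + ((X509Certificate) c).getNotAfter() : "";
            System.out.println(prefix + " [" + alias + "] " + role + ": " + detail);
        }
    }

    public static void main(String[] args) throws Exception {
        describe("trustStore");
        describe("keyStore");
        if (args.length < 2) return; // no endpoint given: store check only
        // Assumption: args[0] and args[1] are the host and port of your own Contrast server.
        SSLContext ctx = SSLContext.getDefault(); // reads the javax.net.ssl.* system properties
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the certificate matches the host name
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException if the server chain is not trusted
            SSLSession sess = s.getSession();
            System.out.println("negotiated " + sess.getProtocol() + " / " + sess.getCipherSuite());
            System.out.println("server: " + ((X509Certificate) sess.getPeerCertificates()[0]).getSubjectX500Principal());
            System.out.println("client certificate sent: " + (sess.getLocalCertificates() != null));
        }
    }
}
```

An SSLHandshakeException from startHandshake() usually means the enterprise CA is missing from the trust store, and "client certificate sent: false" means the server did not request one or the key store holds no matching key entry. Store passwords passed as -D flags are visible in the process argument list, so limit who can inspect the JVM's command line.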