This guide elaborates on how to set up the certificates with Trust Manager.
The default way to validate the certificates is using the TrustManager of the framework's Certificate Manager. You can also provide your own external TrustManager.
Using framework Certificate Manager (default)
There are two default implementations of the CertificateManager service for validating certificates, as described below. The default one comes with the ONVIF Driver:
ONVIF Driver default implementation (default)
When using the ONVIF Driver default implementation, its custom HostnameVerifier allows skipping the host name verification. By default, if there are no other settings applied, this custom ONVIF TrustManager will be used.
Java default implementation of TrustManager
When using the default Java implementation, its default HostnameVerifier will close the connection if the device has not configured its host name in the certificate. By default, the mbs.onvif.https.default property is set to true, which selects the ONVIF Driver implementation of the TrustManager.
If you have to use the JVM TrustManager implementation, set the property to false:
| System Property | Data Type | Default Value | Description |
|---|---|---|---|
| mbs.onvif.https.default | boolean | true | Used to initialize default certificate TrustManager for HTTPS connections. Value false will disable the default ONVIF TrustManager. |
Using external Trust Manager provided by the user
The ONVIF Driver allows you to provide your own TrustManager implementation of the X509TrustManager interface, instead of the default CertificateManager provided by the framework. Additionally, two system properties are introduced:
| System Property | Data Type | Default Value | Description |
|---|---|---|---|
| mbs.onvif.trustDeviceInfo | boolean | false | Use the TrustManager for validating the initial requests that obtain basic information about the device, such as the GetDeviceInformation request. The ONVIF Driver supports registering untrusted devices. If this property is set to true and the device is not trusted, it will not be registered. The property is read only once, when the ONVIF Core bundle starts. |
| mbs.onvif.trustManager | boolean | false | If set to true, only the provided custom TrustManager will be used; otherwise, only the default CertificateManager will be used. The mbs.onvif.trustManager system property is not dynamic. It is read only once, when the ONVIF Core bundle starts. |
For details on all properties, refer to the ONVIF System Properties.
To register TrustManager service:
To make the ONVIF Driver use the TrustManager service:
More information on how to create your own X509TrustManager implementation is available in the Registering Trust Manager Service guide.
When files are downloaded from an HTTPS source for a firmware update, only the CertificateManager is used. Providing a TrustManager service does not affect the downloading of the files.