* Certificates have a **lifetime**.
    * They **expire**.
    * And then they need to be **renewed**, **acquired again** from the third party.
* The encryption of the connection happens at the **TCP level**.
    * That's one layer **below HTTP**.
    * So, the **certificate and encryption** handling is done **before HTTP**.
* **TCP doesn't know about "domains"**. Only about IP addresses.

      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext
          message.startsWith("System property ") -> Type.Setup
          message.startsWith("Reload ") -> Type.Setup

├── collection/  # Enhanced collections (LruHashMap, CaseInsensitiveMap)
├── concurrent/  # Concurrency utilities
├── convert/     # Type conversion (*ConversionUtil)
├── crypto/      # Cipher & encryption (CachedCipher)
├── exception/   # Runtime exception wrappers
├── io/          # I/O & resource utilities
├── jar/         # JAR file utilities
├── lang/        # Reflection & language utilities

- `@Secured` annotation with role array (`"admin-user"`, `"admin-user-view"`)
- Role-based query filtering via `RoleQueryHelper`
- Authentication: Local (UserService), LDAP, OIDC, SAML, SPNEGO, Entra ID
- Security features: AES encryption, SHA256 digest, LDAP injection prevention, password policy, rate limiting

## Naming Conventions

| Element | Convention | Example |
|---------|------------|---------|

        assertEquals(invertibleCryptographer, provider.providePrimaryInvertibleCryptographer());
        assertEquals(md5, provider.providePrimaryOneWayCryptographer());
    }

    // Test encryption and decryption functionality
    @Test
    public void test_invertibleCryptography() {
        // Test that invertible cryptography works correctly

          // Consuming server Finished handshake message
          // Produced ClientHello handshake message
          //
          // Raw write
          // Raw read
          // Plaintext before ENCRYPTION
          // Plaintext after DECRYPTION
          val message = record.message
          val parameters = record.parameters

  {
    "name": "ear",
    "path": "platforms/jvm/ear",
    "unitTests": true,
    "functionalTests": true,
    "crossVersionTests": false
  },
  {
    "name": "encryption-services",
    "path": "platforms/core-configuration/encryption-services",
    "unitTests": false,
    "functionalTests": false,
    "crossVersionTests": false
  },
  {
    "name": "enterprise",

 *
 *  * **A validity interval.** A certificate should not be used before its validity interval starts
 *    or after it ends.
 *
 *  * **A public key.** This cryptographic key is used for asymmetric encryption digital signatures.
 *    Note that the private key is not a part of the certificate!
 *
 *  * **A signature issued by another certificate's private key.** This mechanism allows a trusted

        assertTrue("Result should contain password={cipher}, but was: " + result, result.contains("password={cipher}"));

        // Test with empty encryption target
        value = "password=";
        result = ParameterUtil.encrypt(value);
        assertTrue(result.contains("password={cipher}"));

        // Test with only whitespace value

            <option value="$PROJECT_DIR$/platforms/core-configuration/dependency-management-serialization-codecs" />
            <option value="$PROJECT_DIR$/platforms/core-configuration/encryption-services" />
            <option value="$PROJECT_DIR$/platforms/core-configuration/file-collections" />
            <option value="$PROJECT_DIR$/platforms/core-configuration/file-operations" />