* Certificates have a **lifetime**.
    * They **expire**.
    * And then they need to be **renewed**, **acquired again** from the third party.
* The encryption of the connection happens at the **TCP level**.
    * That's one layer **below HTTP**.
    * So, the **certificate and encryption** handling is done **before HTTP**.
* **TCP doesn't know about "domains"**. Only about IP addresses.

        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext
          message.startsWith("System property ") -> Type.Setup
          message.startsWith("Reload ") -> Type.Setup
          message == "No session to resume." -> Type.Handshake

├── collection/  # Enhanced collections (LruHashMap, CaseInsensitiveMap)
├── concurrent/  # Concurrency utilities
├── convert/     # Type conversion (*ConversionUtil)
├── crypto/      # Cipher & encryption (CachedCipher)
├── exception/   # Runtime exception wrappers
├── io/          # I/O & resource utilities
├── jar/         # JAR file utilities
├── lang/        # Reflection & language utilities

        assertEquals(invertibleCryptographer, provider.providePrimaryInvertibleCryptographer());
        assertEquals(md5, provider.providePrimaryOneWayCryptographer());
    }

    // Test encryption and decryption functionality
    @Test
    public void test_invertibleCryptography() {
        // Test that invertible cryptography works correctly

          // Consuming server Finished handshake message
          // Produced ClientHello handshake message
          //
          // Raw write
          // Raw read
          // Plaintext before ENCRYPTION
          // Plaintext after DECRYPTION
          val message = record.message
          val parameters = record.parameters

          if (parameters != null && !message.startsWith("Raw") && !message.startsWith("Plaintext")) {

- `@Secured` annotation with role array (`"admin-user"`, `"admin-user-view"`)
- Role-based query filtering via `RoleQueryHelper`
- Authentication: Local (UserService), LDAP, OIDC, SAML, SPNEGO, Entra ID
- Security features: AES encryption, SHA256 digest, LDAP injection prevention, password policy, rate limiting

## Naming Conventions

| Element | Convention | Example |
|---------|------------|---------|

  {
    "name": "ear",
    "path": "platforms/jvm/ear",
    "unitTests": true,
    "functionalTests": true,
    "crossVersionTests": false
  },
  {
    "name": "encryption-services",
    "path": "platforms/core-configuration/encryption-services",
    "unitTests": false,
    "functionalTests": false,
    "crossVersionTests": false
  },
  {
    "name": "enterprise",

 *
 *  * **A validity interval.** A certificate should not be used before its validity interval starts
 *    or after it ends.
 *
 *  * **A public key.** This cryptographic key is used for asymmetric encryption digital signatures.
 *    Note that the private key is not a part of the certificate!
 *
 *  * **A signature issued by another certificate's private key.** This mechanism allows a trusted

## Security - HTTPS { #security-https }

In the [previous chapter about HTTPS](https.md) we learned about how HTTPS provides encryption for your API.

We also saw that HTTPS is normally provided by a component **external** to your application server, a **TLS Termination Proxy**.

search_engine.password=
# Interval (ms) for heartbeat checks to the search engine.
search_engine.heartbeat_interval=10000

# Cipher algorithm used for encryption.
app.cipher.algorithm=aes
# Secret key for encryption (change this value for production).
app.cipher.key=___change__me___
# Algorithm for digest calculation.
app.digest.algorithm=sha256
# Regex pattern for properties to encrypt.