Package org.apache.cassandra.security
Class FileBasedSslContextFactory
- java.lang.Object
-
- org.apache.cassandra.security.AbstractSslContextFactory
-
- org.apache.cassandra.security.FileBasedSslContextFactory
-
- All Implemented Interfaces:
ISslContextFactory
- Direct Known Subclasses:
DefaultSslContextFactory,PEMBasedSslContextFactory
public abstract class FileBasedSslContextFactory extends AbstractSslContextFactory
Abstract implementation forISslContextFactoryusing file based, standard keystore format with the ability to hot-reload the files upon file changes (detected by thelast modified timestamp).CAUTION:While this is a useful abstraction, please be careful if you need to modify this class given possible custom implementations out there!
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description protected static classFileBasedSslContextFactory.HotReloadableFileHelper class for hot reloading SSL Contexts-
Nested classes/interfaces inherited from interface org.apache.cassandra.security.ISslContextFactory
ISslContextFactory.SocketType
-
-
Field Summary
Fields Modifier and Type Field Description protected booleancheckedExpiryprotected java.util.List<FileBasedSslContextFactory.HotReloadableFile>hotReloadableFilesList of files that trigger hot reloading of SSL certificatesprotected java.lang.Stringkeystoreprotected java.lang.Stringkeystore_passwordprotected java.lang.Stringtruststoreprotected java.lang.Stringtruststore_password-
Fields inherited from class org.apache.cassandra.security.AbstractSslContextFactory
accepted_protocols, algorithm, cipher_suites, enabled, openSslIsAvailable, optional, parameters, protocol, require_client_auth, require_endpoint_verification, store_type, TLS_PROTOCOL_SUBSTITUTION
-
-
Constructor Summary
Constructors Constructor Description FileBasedSslContextFactory()FileBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected javax.net.ssl.KeyManagerFactorybuildKeyManagerFactory()Builds required KeyManagerFactory from the file based keystore.protected javax.net.ssl.TrustManagerFactorybuildTrustManagerFactory()Builds TrustManagerFactory from the file based truststore.protected booleancheckExpiredCerts(java.security.KeyStore ks)booleanhasKeystore()Returns if this factory uses private keystore.voidinitHotReloading()Initializes hot reloading of the security keys/certs.booleanshouldReload()Returns if any changes require the reloading of the SSL context returned by this factory.protected voidvalidatePassword(java.lang.String password)Validates the given keystore password.-
Methods inherited from class org.apache.cassandra.security.AbstractSslContextFactory
createJSSESslContext, createNettySslContext, deriveIfOpenSslAvailable, getAcceptedProtocols, getBoolean, getBoolean, getCipherSuites, getSslProvider, getString, getString, getStringList
-
-
-
-
Field Detail
-
checkedExpiry
protected volatile boolean checkedExpiry
-
hotReloadableFiles
protected volatile java.util.List<FileBasedSslContextFactory.HotReloadableFile> hotReloadableFiles
List of files that trigger hot reloading of SSL certificates
-
keystore
protected java.lang.String keystore
-
keystore_password
protected java.lang.String keystore_password
-
truststore
protected java.lang.String truststore
-
truststore_password
protected java.lang.String truststore_password
-
-
Method Detail
-
shouldReload
public boolean shouldReload()
Description copied from interface:ISslContextFactoryReturns if any changes require the reloading of the SSL context returned by this factory. This will be called by Cassandra's periodic polling for any potential changes that will reload the SSL context. However only newer connections established after the reload will use the reloaded SSL context.- Returns:
trueif SSL Context needs to be reload;falseotherwise
-
hasKeystore
public boolean hasKeystore()
Description copied from interface:ISslContextFactoryReturns if this factory uses private keystore.- Returns:
trueby default unless the implementation overrides this
-
initHotReloading
public void initHotReloading()
Description copied from interface:ISslContextFactoryInitializes hot reloading of the security keys/certs. The implementation must guarantee this to be thread safe.
-
validatePassword
protected void validatePassword(java.lang.String password)
Validates the given keystore password.- Parameters:
password- value- Throws:
java.lang.IllegalArgumentException- if thepasswordis null
-
buildKeyManagerFactory
protected javax.net.ssl.KeyManagerFactory buildKeyManagerFactory() throws javax.net.ssl.SSLExceptionBuilds required KeyManagerFactory from the file based keystore. It also checks for the PrivateKey's certificate's expiry and logswarningfor each expired PrivateKey's certitificate.- Specified by:
buildKeyManagerFactoryin classAbstractSslContextFactory- Returns:
- KeyManagerFactory built from the file based keystore.
- Throws:
javax.net.ssl.SSLException- if any issues encountered during the build process
-
buildTrustManagerFactory
protected javax.net.ssl.TrustManagerFactory buildTrustManagerFactory() throws javax.net.ssl.SSLExceptionBuilds TrustManagerFactory from the file based truststore.- Specified by:
buildTrustManagerFactoryin classAbstractSslContextFactory- Returns:
- TrustManagerFactory from the file based truststore
- Throws:
javax.net.ssl.SSLException- if any issues encountered during the build process
-
checkExpiredCerts
protected boolean checkExpiredCerts(java.security.KeyStore ks) throws java.security.KeyStoreException- Throws:
java.security.KeyStoreException
-
-