Package org.apache.cassandra.security
Interface ISslContextFactory
-
- All Known Implementing Classes:
AbstractSslContextFactory,DefaultSslContextFactory,DisableSslContextFactory,FileBasedSslContextFactory,PEMBasedSslContextFactory
public interface ISslContextFactoryThe purpose of this interface is to provide pluggable mechanism for creating custom JSSE and Netty SSLContext objects. Please use the Cassandra configuration keyssl_context_factoryas part ofclient_encryption_options/server_encryption_optionsand provide a custom class-name implementing this interface with parameters to be used to plugin a your own way to load the SSLContext.Implementation of this interface must have a constructor with argument of type
Map<String,Object>to allow custom parameters, needed by the implementation, to be passed from the yaml configuration. Common SSL configurations likeprotocol, algorithm, cipher_suites, accepted_protocols, require_client_auth, require_endpoint_verification, enabled, optionalwill also be passed to that map by Cassanddra.Since on top of Netty, Cassandra is internally using JSSE SSLContext also for certain use-cases- this interface has methods for both.
Below is an example of how to configure a custom implementation with parameters
ssl_context_factory: class_name: org.apache.cassandra.security.YourSslContextFactoryImpl parameters: key1: "value1" key2: "value2" key3: "value3"
-
-
Nested Class Summary
Nested Classes Modifier and Type Interface Description static classISslContextFactory.SocketTypeIndicates if the process holds the inbound/listening (Server) end of the socket or the outbound side (Client).
-
Method Summary
All Methods Instance Methods Abstract Methods Default Methods Modifier and Type Method Description javax.net.ssl.SSLContextcreateJSSESslContext(boolean verifyPeerCertificate)Creates JSSE SSLContext.io.netty.handler.ssl.SslContextcreateNettySslContext(boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType, io.netty.handler.ssl.CipherSuiteFilter cipherFilter)Creates Netty's SslContext object.java.util.List<java.lang.String>getAcceptedProtocols()Returns the prepared list of accepted protocols.java.util.List<java.lang.String>getCipherSuites()Returns the list of cipher suites supported by the implementation.default booleanhasKeystore()Returns if this factory uses private keystore.voidinitHotReloading()Initializes hot reloading of the security keys/certs.booleanshouldReload()Returns if any changes require the reloading of the SSL context returned by this factory.
-
-
-
Method Detail
-
createJSSESslContext
javax.net.ssl.SSLContext createJSSESslContext(boolean verifyPeerCertificate) throws javax.net.ssl.SSLExceptionCreates JSSE SSLContext.- Parameters:
verifyPeerCertificate-trueif SSL peer's certificate needs to be verified;falseotherwise- Returns:
- JSSE's
SSLContext - Throws:
javax.net.ssl.SSLException- in case the Ssl Context creation fails for some reason
-
createNettySslContext
io.netty.handler.ssl.SslContext createNettySslContext(boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType, io.netty.handler.ssl.CipherSuiteFilter cipherFilter) throws javax.net.ssl.SSLExceptionCreates Netty's SslContext object.- Parameters:
verifyPeerCertificate-trueif SSL peer's certificate needs to be verified;falseotherwisesocketType-ISslContextFactory.SocketTypefor Netty's Inbound or Outbound channelscipherFilter- to allow Netty's cipher suite filtering, e.g.SslContextBuilder.ciphers(Iterable, CipherSuiteFilter)- Returns:
- Netty's
SslContext - Throws:
javax.net.ssl.SSLException- in case the Ssl Context creation fails for some reason
-
initHotReloading
void initHotReloading() throws javax.net.ssl.SSLExceptionInitializes hot reloading of the security keys/certs. The implementation must guarantee this to be thread safe.- Throws:
javax.net.ssl.SSLException
-
shouldReload
boolean shouldReload()
Returns if any changes require the reloading of the SSL context returned by this factory. This will be called by Cassandra's periodic polling for any potential changes that will reload the SSL context. However only newer connections established after the reload will use the reloaded SSL context.- Returns:
trueif SSL Context needs to be reload;falseotherwise
-
hasKeystore
default boolean hasKeystore()
Returns if this factory uses private keystore.- Returns:
trueby default unless the implementation overrides this
-
getAcceptedProtocols
java.util.List<java.lang.String> getAcceptedProtocols()
Returns the prepared list of accepted protocols.- Returns:
- array of protocol names suitable for passing to Netty's SslContextBuilder.protocols, or null if the default
-
getCipherSuites
java.util.List<java.lang.String> getCipherSuites()
Returns the list of cipher suites supported by the implementation.- Returns:
- List of supported cipher suites
-
-