Package org.apache.cassandra.security
Class PEMBasedSslContextFactory
- java.lang.Object
-
- org.apache.cassandra.security.AbstractSslContextFactory
-
- org.apache.cassandra.security.FileBasedSslContextFactory
-
- org.apache.cassandra.security.PEMBasedSslContextFactory
-
- All Implemented Interfaces:
ISslContextFactory
public final class PEMBasedSslContextFactory extends FileBasedSslContextFactory
SslContextFactory for the PEM standard encoded PKCS#8 private keys and X509 certificates/public-keys. It parses the key material based on the standard defined in the RFC 7468. It creates PKCS# 8 based private key and X509 certificate(s) for the public key to build the required keystore and the truststore managers that are used for the SSL context creation. Internally it builds JavaKeyStorewith PKCS# 12 store type to be used for keystore and the truststore managers.This factory also supports 'hot reloading' of the key material, the same way as defined by
FileBasedSslContextFactory, if it is file based. This factory ignores the existing 'store_type' configuration used for other file based store types like JKS.You can configure this factory with either inline PEM data or with the files having the required PEM data as shown below, Configuration: PEM keys/certs defined inline (mind the spaces in the YAML!)
client/server_encryption_options: ssl_context_factory: class_name: org.apache.cassandra.security.PEMBasedSslContextFactory parameters: private_key: | -----BEGIN ENCRYPTED PRIVATE KEY----- OR -----BEGIN PRIVATE KEY-----Configuration: PEM keys/certs defined in files-----END ENCRYPTED PRIVATE KEY----- OR -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- private_key_password: " " trusted_certificates: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- client/server_encryption_options: ssl_context_factory: class_name: org.apache.cassandra.security.PEMBasedSslContextFactory keystore:keystore_password: " " truststore:
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classPEMBasedSslContextFactory.ConfigKey-
Nested classes/interfaces inherited from class org.apache.cassandra.security.FileBasedSslContextFactory
FileBasedSslContextFactory.HotReloadableFile
-
Nested classes/interfaces inherited from interface org.apache.cassandra.security.ISslContextFactory
ISslContextFactory.SocketType
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.StringDEFAULT_TARGET_STORETYPE-
Fields inherited from class org.apache.cassandra.security.FileBasedSslContextFactory
checkedExpiry, hotReloadableFiles, keystore, keystore_password, truststore, truststore_password
-
Fields inherited from class org.apache.cassandra.security.AbstractSslContextFactory
accepted_protocols, algorithm, cipher_suites, enabled, openSslIsAvailable, optional, parameters, protocol, require_client_auth, require_endpoint_verification, store_type, TLS_PROTOCOL_SUBSTITUTION
-
-
Constructor Summary
Constructors Constructor Description PEMBasedSslContextFactory()PEMBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected javax.net.ssl.KeyManagerFactorybuildKeyManagerFactory()Builds required KeyManagerFactory from the PEM based keystore.protected javax.net.ssl.TrustManagerFactorybuildTrustManagerFactory()Builds TrustManagerFactory from the PEM based truststore.booleanhasKeystore()Decides if this factory has a keystore defined - key material specified in files or inline to the configuration.voidinitHotReloading()This enables 'hot' reloading of the key/trust stores based on the last updated timestamps if they are file based.-
Methods inherited from class org.apache.cassandra.security.FileBasedSslContextFactory
checkExpiredCerts, shouldReload, validatePassword
-
Methods inherited from class org.apache.cassandra.security.AbstractSslContextFactory
createJSSESslContext, createNettySslContext, deriveIfOpenSslAvailable, getAcceptedProtocols, getBoolean, getBoolean, getCipherSuites, getSslProvider, getString, getString, getStringList
-
-
-
-
Field Detail
-
DEFAULT_TARGET_STORETYPE
public static final java.lang.String DEFAULT_TARGET_STORETYPE
- See Also:
- Constant Field Values
-
-
Method Detail
-
hasKeystore
public boolean hasKeystore()
Decides if this factory has a keystore defined - key material specified in files or inline to the configuration.- Specified by:
hasKeystorein interfaceISslContextFactory- Overrides:
hasKeystorein classFileBasedSslContextFactory- Returns:
trueif there is a keystore defined;falseotherwise
-
initHotReloading
public void initHotReloading()
This enables 'hot' reloading of the key/trust stores based on the last updated timestamps if they are file based.- Specified by:
initHotReloadingin interfaceISslContextFactory- Overrides:
initHotReloadingin classFileBasedSslContextFactory
-
buildKeyManagerFactory
protected javax.net.ssl.KeyManagerFactory buildKeyManagerFactory() throws javax.net.ssl.SSLExceptionBuilds required KeyManagerFactory from the PEM based keystore. It also checks for the PrivateKey's certificate's expiry and logswarningfor each expired PrivateKey's certitificate.- Overrides:
buildKeyManagerFactoryin classFileBasedSslContextFactory- Returns:
- KeyManagerFactory built from the PEM based keystore.
- Throws:
javax.net.ssl.SSLException- if any issues encountered during the build process
-
buildTrustManagerFactory
protected javax.net.ssl.TrustManagerFactory buildTrustManagerFactory() throws javax.net.ssl.SSLExceptionBuilds TrustManagerFactory from the PEM based truststore.- Overrides:
buildTrustManagerFactoryin classFileBasedSslContextFactory- Returns:
- TrustManagerFactory from the PEM based truststore
- Throws:
javax.net.ssl.SSLException- if any issues encountered during the build process
-
-