Class SecurityConfig

java.lang.Object
com.couchbase.client.core.env.SecurityConfig

public class SecurityConfig
extends Object
The SecurityConfig lets you enable transport encryption (TLS) between the client and the servers.
  • Method Details

    • builder

      public static SecurityConfig.Builder builder()
      Creates a builder to customize the SecurityConfig configuration.
      Returns:
      the builder to customize.
    • create

      public static SecurityConfig create()
      Creates a SecurityConfig with the default configuration.
      Returns:
      the default security config.
    • enableTls

      public static SecurityConfig.Builder enableTls(boolean tlsEnabled)
      Enables TLS for all client/server communication (disabled by default).
      Parameters:
      tlsEnabled - true if enabled, false otherwise.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • enableHostnameVerification

      public static SecurityConfig.Builder enableHostnameVerification(boolean hostnameVerificationEnabled)
      Enables or disables hostname verification (enabled by default).

      Note that with hostname verification disabled, the TLS connection does not verify that the hostname/IP is actually part of the certificate and, as a result, does not detect certain kinds of attacks. Only disable it if you understand the impact and risks!

      Parameters:
      hostnameVerificationEnabled - set to true if it should be enabled, false for disabled.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • enableNativeTls

      public static SecurityConfig.Builder enableNativeTls(boolean nativeTlsEnabled)
      Enables/disables native TLS (enabled by default).
      Parameters:
      nativeTlsEnabled - true if it should be enabled, false otherwise.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • trustCertificates

      public static SecurityConfig.Builder trustCertificates(List<X509Certificate> certificates)
      Loads the given list of X.509 certificates into the trust store.
      Parameters:
      certificates - the list of certificates to load.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • trustCertificate

      public static SecurityConfig.Builder trustCertificate(Path certificatePath)
      Loads an X.509 trust certificate from the given path and uses it.
      Parameters:
      certificatePath - the path to load the certificate from.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • trustStore

      public static SecurityConfig.Builder trustStore(KeyStore trustStore)
      Initializes the TrustManagerFactory with the given trust store.
      Parameters:
      trustStore - the loaded trust store to use.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • trustStore

      public static SecurityConfig.Builder trustStore(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType)
      Loads a trust store from a file path and password and initializes the TrustManagerFactory.
      Parameters:
      trustStorePath - the path to the truststore.
      trustStorePassword - the password (can be null if not password protected).
      trustStoreType - the type of the trust store. If empty, KeyStore.getDefaultType() is used.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • trustManagerFactory

      public static SecurityConfig.Builder trustManagerFactory(TrustManagerFactory trustManagerFactory)
      Lets you provide a trust manager factory directly for maximum flexibility.

      Although this offers the most flexibility, most users will find the other overloads more convenient, such as passing in a trust store directly with trustStore(KeyStore) or by file path with trustStore(Path, String, Optional).

      Parameters:
      trustManagerFactory - the trust manager factory to use.
      Returns:
      this SecurityConfig.Builder for chaining purposes.
    • tlsEnabled

      public boolean tlsEnabled()
      True if TLS is enabled, false otherwise.
      Returns:
      true if TLS/transport encryption is enabled, false otherwise.
    • hostnameVerificationEnabled

      public boolean hostnameVerificationEnabled()
      True if TLS hostname verification is enabled, false otherwise.
    • trustCertificates

      public List<X509Certificate> trustCertificates()
      The list of trust certificates that should be used, if present.
      Returns:
      the list of certificates.
    • trustManagerFactory

      public TrustManagerFactory trustManagerFactory()
      The currently configured trust manager factory, if present.
      Returns:
      the trust manager factory.
    • nativeTlsEnabled

      public boolean nativeTlsEnabled()
      Returns whether native TLS is enabled.
      Returns:
      true if enabled, false otherwise.
    • decodeCertificates

      public static List<X509Certificate> decodeCertificates(List<String> certificates)
      Helper method to decode string-encoded certificates into their X.509 format.
      Parameters:
      certificates - the string-encoded certificates.
      Returns:
      the decoded certificates in X.509 format.
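
The trust options above (enableTls, trustStore(KeyStore), trustManagerFactory), combined in an added example that is not part of the original Javadoc or the SDK's own code: it trusts a single cluster CA instead of the JDK default CAs and leaves hostname verification at its enabled default. The file path and the "cluster-ca" alias are hypothetical, and the example assumes the builder's build() method, which this page does not list.

```java
import com.couchbase.client.core.env.SecurityConfig;

import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TlsConfigExample {

  // Builds a TrustManagerFactory that trusts only the CA certificate in the given PEM file.
  static TrustManagerFactory pinnedTrust(Path caPem) throws Exception {
    X509Certificate ca;
    try (InputStream in = Files.newInputStream(caPem)) {
      ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
    ca.checkValidity(); // fail fast on an expired or not-yet-valid CA

    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    store.load(null, null); // empty in-memory store, so no JDK default CAs are trusted
    store.setCertificateEntry("cluster-ca", ca); // hypothetical alias

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(store);
    return tmf;
  }

  public static void main(String[] args) throws Exception {
    // Hypothetical path; point it at your cluster's CA certificate.
    Path caPem = Paths.get("/etc/couchbase/cluster-ca.pem");

    SecurityConfig config = SecurityConfig
      .enableTls(true) // TLS is disabled by default
      .trustManagerFactory(pinnedTrust(caPem))
      .build(); // assumed builder method, not listed on this page

    // Refuse to continue with a weakened configuration.
    if (!config.tlsEnabled() || !config.hostnameVerificationEnabled()) {
      throw new IllegalStateException("TLS with hostname verification is required");
    }
  }
}
```

The final check is useful wherever the builder is assembled from external settings, since enableHostnameVerification(false) would otherwise pass silently.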