public interface ISslContextFactory

Pluggable SSLContext creation for Cassandra. Configure ssl_context_factory as part of client_encryption_options/server_encryption_options in cassandra.yaml and provide the name of a custom class implementing this interface, together with the parameters it needs, to plug in your own way of loading the SSLContext.

An implementation of this interface must have a constructor taking a single argument of type Map<String,Object>, so that custom parameters needed by the implementation can be passed from the yaml configuration. The common SSL settings (protocol, algorithm, cipher_suites, accepted_protocols, require_client_auth, require_endpoint_verification, enabled, optional) are also put into that map by Cassandra.

Because Cassandra uses a JSSE SSLContext for certain use-cases in addition to Netty's SslContext, this interface has methods for both.

Below is an example of how to configure a custom implementation with parameters:

    ssl_context_factory:
        class_name: org.apache.cassandra.security.YourSslContextFactoryImpl
        parameters:
            key1: "value1"
            key2: "value2"
            key3: "value3"
Nested Class Summary

Modifier and Type | Interface and Description
---|---
static class | ISslContextFactory.SocketType: Indicates if the process holds the inbound/listening (Server) end of the socket or the outbound side (Client).

Method Summary

Modifier and Type | Method and Description
---|---
javax.net.ssl.SSLContext | createJSSESslContext(boolean verifyPeerCertificate): Creates a JSSE SSLContext.
io.netty.handler.ssl.SslContext | createNettySslContext(boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType, io.netty.handler.ssl.CipherSuiteFilter cipherFilter): Creates Netty's SslContext object.
java.util.List<java.lang.String> | getAcceptedProtocols(): Returns the prepared list of accepted protocols.
java.util.List<java.lang.String> | getCipherSuites(): Returns the list of cipher suites supported by the implementation.
default boolean | hasKeystore(): Returns whether this factory uses a private keystore.
void | initHotReloading(): Initializes hot reloading of the security keys/certs.
boolean | shouldReload(): Returns whether any changes require reloading the SSL context returned by this factory.
Method Detail

createJSSESslContext

    javax.net.ssl.SSLContext createJSSESslContext(boolean verifyPeerCertificate) throws javax.net.ssl.SSLException

Creates a JSSE SSLContext.

Parameters:
    verifyPeerCertificate - true if the SSL peer's certificate needs to be verified; false otherwise
Returns:
    SSLContext
Throws:
    javax.net.ssl.SSLException - in case the SSLContext creation fails for some reason

createNettySslContext

    io.netty.handler.ssl.SslContext createNettySslContext(boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType, io.netty.handler.ssl.CipherSuiteFilter cipherFilter) throws javax.net.ssl.SSLException

Creates Netty's SslContext object.

Parameters:
    verifyPeerCertificate - true if the SSL peer's certificate needs to be verified; false otherwise
    socketType - ISslContextFactory.SocketType for Netty's Inbound or Outbound channels
    cipherFilter - to allow Netty's cipher suite filtering, e.g. SslContextBuilder.ciphers(Iterable, CipherSuiteFilter)
Returns:
    SslContext
Throws:
    javax.net.ssl.SSLException - in case the SslContext creation fails for some reason

initHotReloading

    void initHotReloading() throws javax.net.ssl.SSLException

Initializes hot reloading of the security keys/certs.

Throws:
    javax.net.ssl.SSLException

shouldReload

    boolean shouldReload()

Returns whether any changes require reloading the SSL context returned by this factory.

Returns:
    true if the SSL context needs to be reloaded; false otherwise

hasKeystore

    default boolean hasKeystore()

Returns whether this factory uses a private keystore.

Returns:
    true by default unless the implementation overrides this

getAcceptedProtocols

    java.util.List<java.lang.String> getAcceptedProtocols()

Returns the prepared list of accepted protocols.

getCipherSuites

    java.util.List<java.lang.String> getCipherSuites()

Returns the list of cipher suites supported by the implementation.
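The following is an added example implementation of this interface, written for this page and not part of Cassandra's own code, tying together the Map<String,Object> constructor contract from the configuration section and the method contracts detailed above. The parameter keys keystore_path, keystore_password, truststore_path and truststore_password are assumed names chosen for the example; cipher_suites, accepted_protocols and require_client_auth are read from the common keys Cassandra adds to the map. The SocketType constant name SERVER is taken from the nested-class description above.

```java
package org.apache.cassandra.security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.CipherSuiteFilter;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

// Example factory backed by PKCS#12 files (not Cassandra's own code). keystore_path, keystore_password,
// truststore_path and truststore_password are this example's assumed parameter names.
public class FileBackedSslContextFactory implements ISslContextFactory {
    private final Path keystorePath, truststorePath;
    private final char[] keystorePassword, truststorePassword;
    private final List<String> cipherSuites, acceptedProtocols;
    private final boolean requireClientAuth;
    private volatile long loadedKeystoreMtime = -1; // mtime of the keystore the last context was built from

    // Cassandra instantiates the factory through this Map<String,Object> constructor.
    public FileBackedSslContextFactory(Map<String, Object> parameters) {
        keystorePath = Paths.get(required(parameters, "keystore_path"));
        keystorePassword = required(parameters, "keystore_password").toCharArray();
        truststorePath = Paths.get(required(parameters, "truststore_path"));
        truststorePassword = required(parameters, "truststore_password").toCharArray();
        cipherSuites = stringList(parameters.get("cipher_suites"));
        acceptedProtocols = stringList(parameters.get("accepted_protocols"));
        requireClientAuth = Boolean.parseBoolean(String.valueOf(parameters.get("require_client_auth")));
    }

    @Override
    public SSLContext createJSSESslContext(boolean verifyPeerCertificate) throws SSLException {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            // null trust managers select the JVM default trust store; never install an all-trusting manager here
            ctx.init(keyManagers().getKeyManagers(), verifyPeerCertificate ? trustManagers().getTrustManagers() : null, null);
            return ctx;
        } catch (Exception e) { throw new SSLException("Failed to build JSSE SSLContext from " + keystorePath, e); }
    }

    @Override
    public SslContext createNettySslContext(boolean verifyPeerCertificate, SocketType socketType,
                                            CipherSuiteFilter cipherFilter) throws SSLException {
        try {
            boolean server = socketType == SocketType.SERVER;
            SslContextBuilder builder = server ? SslContextBuilder.forServer(keyManagers())
                                               : SslContextBuilder.forClient().keyManager(keyManagers());
            if (verifyPeerCertificate) builder.trustManager(trustManagers()); // else Netty's default trust store
            if (!cipherSuites.isEmpty()) builder.ciphers(cipherSuites, cipherFilter); // filter drops unsupported suites
            if (!acceptedProtocols.isEmpty()) builder.protocols(acceptedProtocols.toArray(new String[0]));
            if (server && requireClientAuth) builder.clientAuth(ClientAuth.REQUIRE); // mutual TLS on the inbound side
            return builder.build();
        } catch (Exception e) { throw new SSLException("Failed to build Netty SslContext from " + keystorePath, e); }
    }

    @Override public List<String> getAcceptedProtocols() { return acceptedProtocols; }
    @Override public List<String> getCipherSuites() { return cipherSuites; }
    // Hot reloading: Cassandra polls shouldReload() and, when it returns true, asks for a fresh context;
    // keyManagers() records the mtime of the file it actually loaded.
    @Override public void initHotReloading() throws SSLException { loadedKeystoreMtime = mtime(keystorePath); }
    @Override public boolean shouldReload() { return mtime(keystorePath) != loadedKeystoreMtime; }

    private KeyManagerFactory keyManagers() throws Exception {
        long mtime = mtime(keystorePath); // read before loading so a rotation during the load is not missed
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystorePath)) { ks.load(in, keystorePassword); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keystorePassword);
        loadedKeystoreMtime = mtime;
        return kmf;
    }

    private TrustManagerFactory trustManagers() throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststorePath)) { ts.load(in, truststorePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf;
    }

    private static long mtime(Path p) {
        try { return Files.getLastModifiedTime(p).toMillis(); } catch (IOException e) { return -1; }
    }

    private static String required(Map<String, Object> params, String key) {
        return Objects.requireNonNull(params.get(key), () -> "ssl_context_factory parameter '" + key + "' is required").toString();
    }

    @SuppressWarnings("unchecked")
    private static List<String> stringList(Object v) {
        return v instanceof List ? (List<String>) v : Collections.<String>emptyList();
    }
}
```

To wire it in, set class_name: org.apache.cassandra.security.FileBackedSslContextFactory under ssl_context_factory and supply keystore_path, keystore_password, truststore_path and truststore_password under parameters. Two points worth keeping in mind when adapting this: verifyPeerCertificate=false is handled by leaving the trust store at the JVM/Netty default rather than by installing an all-trusting TrustManager, which would silently disable peer authentication; and require_endpoint_verification (hostname checking) is not something an SSLContext can enforce by itself, so it is deliberately not handled in this factory.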
Copyright © 2009-2022 The Apache Software Foundation