org.apache.cassandra.security

Class FileBasedSslContextFactory

java.lang.Object

org.apache.cassandra.security.AbstractSslContextFactory

org.apache.cassandra.security.FileBasedSslContextFactory

All Implemented Interfaces:

ISslContextFactory

Direct Known Subclasses:

DefaultSslContextFactory, PEMBasedSslContextFactory

public abstract class FileBasedSslContextFactory
extends AbstractSslContextFactory

Abstract implementation for ISslContextFactory using file based, standard keystore format with the ability to hot-reload the files upon file changes (detected by the last modified timestamp).

CAUTION: While this is a useful abstraction, please be careful if you need to modify this class given possible custom implementations out there!

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	FileBasedSslContextFactory.HotReloadableFile Helper class for hot reloading SSL Contexts

Nested classes/interfaces inherited from interface org.apache.cassandra.security.ISslContextFactory

ISslContextFactory.SocketType

Field Summary

Fields

Modifier and Type	Field and Description
protected boolean	checkedExpiry
protected java.util.List<FileBasedSslContextFactory.HotReloadableFile>	hotReloadableFiles List of files that trigger hot reloading of SSL certificates
protected java.lang.String	keystore
protected java.lang.String	keystore_password
protected java.lang.String	truststore
protected java.lang.String	truststore_password

Fields inherited from class org.apache.cassandra.security.AbstractSslContextFactory

accepted_protocols, algorithm, cipher_suites, enabled, openSslIsAvailable, optional, parameters, protocol, require_client_auth, require_endpoint_verification, store_type, TLS_PROTOCOL_SUBSTITUTION

Constructor Summary

Constructors

Constructor and Description
FileBasedSslContextFactory()
FileBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)

Method Summary

Modifier and Type	Method and Description
protected javax.net.ssl.KeyManagerFactory	buildKeyManagerFactory() Builds required KeyManagerFactory from the file based keystore.
protected javax.net.ssl.TrustManagerFactory	buildTrustManagerFactory() Builds TrustManagerFactory from the file based truststore.
protected boolean	checkExpiredCerts(java.security.KeyStore ks)
boolean	hasKeystore() Returns if this factory uses private keystore.
void	initHotReloading() Initializes hot reloading of the security keys/certs.
boolean	shouldReload() Returns if any changes require the reloading of the SSL context returned by this factory.
protected void	validatePassword(java.lang.String password) Validates the given keystore password.

Methods inherited from class org.apache.cassandra.security.AbstractSslContextFactory

createJSSESslContext, createNettySslContext, deriveIfOpenSslAvailable, getAcceptedProtocols, getBoolean, getBoolean, getCipherSuites, getSslProvider, getString, getString, getStringList

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

checkedExpiry

protected volatile boolean checkedExpiry

hotReloadableFiles

protected volatile java.util.List<FileBasedSslContextFactory.HotReloadableFile> hotReloadableFiles

List of files that trigger hot reloading of SSL certificates

keystore

protected java.lang.String keystore

keystore_password

protected java.lang.String keystore_password

truststore

protected java.lang.String truststore

truststore_password

protected java.lang.String truststore_password

Constructor Detail

FileBasedSslContextFactory

public FileBasedSslContextFactory()

FileBasedSslContextFactory

public FileBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)

Method Detail

shouldReload

public boolean shouldReload()

Description copied from interface: ISslContextFactory

Returns if any changes require the reloading of the SSL context returned by this factory. This will be called by Cassandra's periodic polling for any potential changes that will reload the SSL context. However only newer connections established after the reload will use the reloaded SSL context.

Returns:

true if SSL Context needs to be reload; false otherwise

hasKeystore

public boolean hasKeystore()

Description copied from interface: ISslContextFactory

Returns if this factory uses private keystore.

Returns:

true by default unless the implementation overrides this

initHotReloading

public void initHotReloading()

Description copied from interface: ISslContextFactory

Initializes hot reloading of the security keys/certs. The implementation must guarantee this to be thread safe.

validatePassword

protected void validatePassword(java.lang.String password)

Validates the given keystore password.

Parameters:

password - value

Throws:

java.lang.IllegalArgumentException - if the password is null

buildKeyManagerFactory

protected javax.net.ssl.KeyManagerFactory buildKeyManagerFactory()
                                                          throws javax.net.ssl.SSLException

Builds required KeyManagerFactory from the file based keystore. It also checks for the PrivateKey's certificate's expiry and logs warning for each expired PrivateKey's certitificate.

Specified by:

buildKeyManagerFactory in class AbstractSslContextFactory

Returns:

KeyManagerFactory built from the file based keystore.

Throws:

javax.net.ssl.SSLException - if any issues encountered during the build process

buildTrustManagerFactory

protected javax.net.ssl.TrustManagerFactory buildTrustManagerFactory()
                                                              throws javax.net.ssl.SSLException

Builds TrustManagerFactory from the file based truststore.

Specified by:

buildTrustManagerFactory in class AbstractSslContextFactory

Returns:

TrustManagerFactory from the file based truststore

Throws:

javax.net.ssl.SSLException - if any issues encountered during the build process

checkExpiredCerts

protected boolean checkExpiredCerts(java.security.KeyStore ks)
                             throws java.security.KeyStoreException

Throws:

java.security.KeyStoreException