public final class PEMBasedSslContextFactory extends FileBasedSslContextFactory

The PEM key material is loaded into a KeyStore with the PKCS#12 store type, which is then used for the keystore and the truststore managers. This factory also supports 'hot reloading' of the key material, the same way as defined by FileBasedSslContextFactory, if it is file based. This factory ignores the existing 'store_type' configuration used for other file based store types like JKS.
You can configure this factory either with inline PEM data or with files holding the required PEM data, as shown below.

Configuration: PEM keys/certs defined inline (mind the spaces in the YAML!)

    client/server_encryption_options:
      ssl_context_factory:
        class_name: org.apache.cassandra.security.PEMBasedSslContextFactory
        parameters:
          private_key: |
            -----BEGIN ENCRYPTED PRIVATE KEY----- OR -----BEGIN PRIVATE KEY-----
            <base64-encoded private key>
            -----END ENCRYPTED PRIVATE KEY----- OR -----END PRIVATE KEY-----
            -----BEGIN CERTIFICATE-----
            <base64-encoded certificate chain>
            -----END CERTIFICATE-----
          private_key_password: "<password, if the private key is encrypted>"
          trusted_certificates: |
            -----BEGIN CERTIFICATE-----
            <base64-encoded certificate>
            -----END CERTIFICATE-----

Configuration: PEM keys/certs defined in files

    client/server_encryption_options:
      ssl_context_factory:
        class_name: org.apache.cassandra.security.PEMBasedSslContextFactory
      keystore: <path to the PEM file holding the private key and certificate chain>
      keystore_password: "<password, if the private key is encrypted>"
      truststore: <path to the PEM file holding the trusted certificates>
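The two configuration forms above are easy to get subtly wrong: a YAML indentation slip truncates the block scalar, an encrypted key ships without its password, or a private key ends up in the truststore value. The following lint, an added example and not part of Cassandra or of this class, checks inline or file-based PEM material against the structure the configuration above describes (a PRIVATE KEY or ENCRYPTED PRIVATE KEY block followed by a CERTIFICATE chain; certificates only on the trust side). The function and constant names and the sample PEM bodies are constructed here; the bodies are base64 placeholders, not real key material, and the checks are structural only (no DER or certificate-expiry parsing).

```python
import base64
import binascii
import re

# Private-key headers shown in the PEMBasedSslContextFactory configuration above.
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABEL = "CERTIFICATE"

# One PEM block: BEGIN/END labels must match; the body is captured for decoding.
_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def parse_pem(text):
    """Split PEM text into (label, der_bytes) tuples.

    Raises ValueError for a BEGIN without a matching END, an empty body, or a
    body that is not valid base64, which is what a YAML indentation mistake
    (a line that fell outside the block scalar) typically produces.
    """
    blocks = []
    for m in _BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop line breaks and stray spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64") from exc
        if not der:
            raise ValueError(f"{label} block is empty")
        blocks.append((label, der))
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("unbalanced or mismatched BEGIN/END markers")
    return blocks


def lint_pem_material(private_key, private_key_password=None, trusted_certificates=None):
    """Return a list of findings; an empty list means the material is consistent.

    Mirrors the inline form: `private_key` holds the key followed by its chain,
    `trusted_certificates` holds certificates only.
    """
    findings = []
    blocks = parse_pem(private_key)
    key_labels = [lbl for lbl, _ in blocks if lbl.endswith("KEY")]
    cert_count = sum(1 for lbl, _ in blocks if lbl == CERT_LABEL)

    unsupported = sorted(set(key_labels) - KEY_LABELS)
    if unsupported:
        findings.append(f"private_key header(s) {unsupported} are not the PRIVATE KEY / "
                        "ENCRYPTED PRIVATE KEY headers from the configuration example")
    if len(key_labels) != 1:
        findings.append(f"private_key should contain exactly one key block, found {len(key_labels)}")
    if cert_count == 0:
        findings.append("private_key has no CERTIFICATE block; the certificate chain must follow the key")

    encrypted = "ENCRYPTED PRIVATE KEY" in key_labels
    has_password = bool(private_key_password and private_key_password.strip())
    if encrypted and not has_password:
        findings.append("key is encrypted but private_key_password is empty")
    if not encrypted and has_password:
        findings.append("private_key_password is set but the key block is not encrypted")

    if trusted_certificates is not None:
        trust_blocks = parse_pem(trusted_certificates)
        if not any(lbl == CERT_LABEL for lbl, _ in trust_blocks):
            findings.append("trusted_certificates has no CERTIFICATE block")
        if any(lbl.endswith("KEY") for lbl, _ in trust_blocks):
            findings.append("trusted_certificates contains a private key; a truststore must hold certificates only")
    return findings


def lint_pem_files(keystore_path, keystore_password=None, truststore_path=None):
    """File-based form: run the same checks over the referenced PEM files."""
    with open(keystore_path) as fh:
        key_material = fh.read()
    trust_material = None
    if truststore_path is not None:
        with open(truststore_path) as fh:
            trust_material = fh.read()
    return lint_pem_material(key_material, keystore_password, trust_material)


def _pem(label, payload):
    """Wrap constructed bytes as a PEM block. Placeholder content, NOT real key material."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"


# Constructed sample values, shaped like what the YAML parser hands to the factory.
SAMPLE_PRIVATE_KEY = (
    _pem("ENCRYPTED PRIVATE KEY", b"constructed placeholder, not a PKCS#8 key")
    + _pem("CERTIFICATE", b"constructed placeholder, not an X.509 certificate")
)
SAMPLE_TRUSTED_CERTIFICATES = _pem("CERTIFICATE", b"constructed placeholder CA certificate")

if __name__ == "__main__":
    # The configuration above shows `private_key_password: " "`; a blank password
    # with an encrypted key is exactly the mismatch this flags.
    for finding in lint_pem_material(SAMPLE_PRIVATE_KEY, " ", SAMPLE_TRUSTED_CERTIFICATES):
        print("WARN:", finding)
```

Run it against the parsed `parameters` map of the inline form, or point `lint_pem_files` at the `keystore` and `truststore` paths of the file-based form, before restarting a node: a truncated block scalar surfaces as a `ValueError` naming the block, and the remaining findings are the consistency problems that would otherwise only show up as an SSLException at startup.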
Modifier and Type | Class and Description |
---|---|
static class | PEMBasedSslContextFactory.ConfigKey |

Nested classes/interfaces inherited from FileBasedSslContextFactory: FileBasedSslContextFactory.HotReloadableFile
Nested classes/interfaces inherited from ISslContextFactory: ISslContextFactory.SocketType
Modifier and Type | Field and Description |
---|---|
static java.lang.String | DEFAULT_TARGET_STORETYPE |

Fields inherited from class FileBasedSslContextFactory: checkedExpiry, hotReloadableFiles, keystore, keystore_password, truststore, truststore_password
Further inherited fields: accepted_protocols, algorithm, cipher_suites, enabled, openSslIsAvailable, optional, parameters, protocol, require_client_auth, require_endpoint_verification, store_type, TLS_PROTOCOL_SUBSTITUTION
Constructor and Description |
---|
PEMBasedSslContextFactory() |
PEMBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters) |
Modifier and Type | Method and Description |
---|---|
protected javax.net.ssl.KeyManagerFactory | buildKeyManagerFactory() Builds the required KeyManagerFactory from the PEM based keystore. |
protected javax.net.ssl.TrustManagerFactory | buildTrustManagerFactory() Builds the TrustManagerFactory from the PEM based truststore. |
boolean | hasKeystore() Decides if this factory has a keystore defined: key material specified in files or inline in the configuration. |
void | initHotReloading() Enables 'hot' reloading of the key/trust stores based on their last updated timestamps, if they are file based. |

Methods inherited from class FileBasedSslContextFactory: checkExpiredCerts, shouldReload, validatePassword
Further inherited methods: createJSSESslContext, createNettySslContext, deriveIfOpenSslAvailable, getAcceptedProtocols, getBoolean, getBoolean, getCipherSuites, getSslProvider, getString, getString, getStringList
public static final java.lang.String DEFAULT_TARGET_STORETYPE

public PEMBasedSslContextFactory()

public PEMBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)

public boolean hasKeystore()
Decides if this factory has a keystore defined: key material specified in files or inline in the configuration.
Specified by: hasKeystore in interface ISslContextFactory
Overrides: hasKeystore in class FileBasedSslContextFactory
Returns: true if there is a keystore defined; false otherwise

public void initHotReloading()
Enables 'hot' reloading of the key/trust stores based on their last updated timestamps, if they are file based.
Specified by: initHotReloading in interface ISslContextFactory
Overrides: initHotReloading in class FileBasedSslContextFactory

protected javax.net.ssl.KeyManagerFactory buildKeyManagerFactory() throws javax.net.ssl.SSLException
Builds the required KeyManagerFactory from the PEM based keystore. Logs a warning for each expired PrivateKey's certificate.
Overrides: buildKeyManagerFactory in class FileBasedSslContextFactory
Throws: javax.net.ssl.SSLException - if any issues are encountered during the build process

protected javax.net.ssl.TrustManagerFactory buildTrustManagerFactory() throws javax.net.ssl.SSLException
Builds the TrustManagerFactory from the PEM based truststore.
Overrides: buildTrustManagerFactory in class FileBasedSslContextFactory
Throws: javax.net.ssl.SSLException - if any issues are encountered during the build process

Copyright © 2009- The Apache Software Foundation