Package org.apache.cassandra.security

Class FileBasedSslContextFactory

java.lang.Object

org.apache.cassandra.security.AbstractSslContextFactory

org.apache.cassandra.security.FileBasedSslContextFactory

All Implemented Interfaces:

ISslContextFactory

Direct Known Subclasses:

DefaultSslContextFactory, PEMBasedSslContextFactory

public abstract class FileBasedSslContextFactory
extends AbstractSslContextFactory

Abstract implementation for ISslContextFactory using file based, standard keystore format with the ability to hot-reload the files upon file changes (detected by the last modified timestamp).

CAUTION: While this is a useful abstraction, please be careful if you need to modify this class given possible custom implementations out there!

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	FileBasedSslContextFactory.FileBasedStoreContext
protected static class	FileBasedSslContextFactory.HotReloadableFile	Helper class for hot reloading SSL Contexts

Nested classes/interfaces inherited from interface org.apache.cassandra.security.ISslContextFactory

ISslContextFactory.SocketType

Field Summary

Fields

Modifier and Type	Field	Description
protected java.util.List<FileBasedSslContextFactory.HotReloadableFile>	hotReloadableFiles	List of files that trigger hot reloading of SSL certificates
protected FileBasedSslContextFactory.FileBasedStoreContext	keystoreContext
protected FileBasedSslContextFactory.FileBasedStoreContext	outboundKeystoreContext
protected FileBasedSslContextFactory.FileBasedStoreContext	trustStoreContext

Fields inherited from class org.apache.cassandra.security.AbstractSslContextFactory

accepted_protocols, algorithm, cipher_suites, enabled, openSslIsAvailable, optional, parameters, protocol, require_client_auth, require_endpoint_verification, store_type, TLS_PROTOCOL_SUBSTITUTION

Constructor Summary

Constructors

Constructor	Description
FileBasedSslContextFactory()
FileBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)

Method Summary

Modifier and Type	Method	Description
protected javax.net.ssl.KeyManagerFactory	buildKeyManagerFactory()	Builds required KeyManagerFactory from the file based keystore.
protected javax.net.ssl.KeyManagerFactory	buildOutboundKeyManagerFactory()	Create a KeyManagerFactory for outbound connections.
protected javax.net.ssl.TrustManagerFactory	buildTrustManagerFactory()	Builds TrustManagerFactory from the file based truststore.
protected boolean	checkExpiredCerts(java.security.KeyStore ks)
boolean	hasKeystore()	Returns if this factory uses private keystore.
boolean	hasOutboundKeystore()	Returns if this factory uses outbound keystore.
void	initHotReloading()	Initializes hot reloading of the security keys/certs.
boolean	shouldReload()	Returns if any changes require the reloading of the SSL context returned by this factory.
protected void	validatePassword(boolean isOutboundKeystore, java.lang.String password)	Validates the given keystore password.

Methods inherited from class org.apache.cassandra.security.AbstractSslContextFactory

createJSSESslContext, createNettySslContext, deriveIfOpenSslAvailable, getAcceptedProtocols, getBoolean, getBoolean, getCipherSuites, getSslProvider, getString, getString, getStringList

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

keystoreContext

protected FileBasedSslContextFactory.FileBasedStoreContext keystoreContext

outboundKeystoreContext

protected FileBasedSslContextFactory.FileBasedStoreContext outboundKeystoreContext

trustStoreContext

protected FileBasedSslContextFactory.FileBasedStoreContext trustStoreContext

hotReloadableFiles

protected volatile java.util.List<FileBasedSslContextFactory.HotReloadableFile> hotReloadableFiles

List of files that trigger hot reloading of SSL certificates

Constructor Detail

FileBasedSslContextFactory

public FileBasedSslContextFactory()

FileBasedSslContextFactory

public FileBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)

Method Detail

shouldReload

public boolean shouldReload()

Description copied from interface: ISslContextFactory

Returns if any changes require the reloading of the SSL context returned by this factory. This will be called by Cassandra's periodic polling for any potential changes that will reload the SSL context. However only newer connections established after the reload will use the reloaded SSL context.

Returns:

true if SSL Context needs to be reload; false otherwise

hasKeystore

public boolean hasKeystore()

Description copied from interface: ISslContextFactory

Returns if this factory uses private keystore.

Returns:

true by default unless the implementation overrides this

hasOutboundKeystore

public boolean hasOutboundKeystore()

Description copied from interface: ISslContextFactory

Returns if this factory uses outbound keystore.

Returns:

true by default unless the implementation overrides this

initHotReloading

public void initHotReloading()

Description copied from interface: ISslContextFactory

Initializes hot reloading of the security keys/certs. The implementation must guarantee this to be thread safe.

validatePassword

protected void validatePassword(boolean isOutboundKeystore,
                                java.lang.String password)

Validates the given keystore password.

Parameters:

isOutboundKeystore - true for the outbound_keystore_password;false otherwise

password - value

Throws:

java.lang.IllegalArgumentException - if the password is null

buildKeyManagerFactory

protected javax.net.ssl.KeyManagerFactory buildKeyManagerFactory()
                                                          throws javax.net.ssl.SSLException

Builds required KeyManagerFactory from the file based keystore. It also checks for the PrivateKey's certificate's expiry and logs warning for each expired PrivateKey's certitificate.

Specified by:

buildKeyManagerFactory in class AbstractSslContextFactory

Returns:

KeyManagerFactory built from the file based keystore.

Throws:

javax.net.ssl.SSLException - if any issues encountered during the build process

java.lang.IllegalArgumentException - if the validation for the keystore_password fails

See Also:

validatePassword(boolean, String)

buildOutboundKeyManagerFactory

protected javax.net.ssl.KeyManagerFactory buildOutboundKeyManagerFactory()
                                                                  throws javax.net.ssl.SSLException

Description copied from class: AbstractSslContextFactory

Create a KeyManagerFactory for outbound connections. It provides a seperate keystore for internode mTLS outbound connections.

Specified by:

buildOutboundKeyManagerFactory in class AbstractSslContextFactory

Returns:

KeyManagerFactory

Throws:

javax.net.ssl.SSLException

buildTrustManagerFactory

protected javax.net.ssl.TrustManagerFactory buildTrustManagerFactory()
                                                              throws javax.net.ssl.SSLException

Builds TrustManagerFactory from the file based truststore.

Specified by:

buildTrustManagerFactory in class AbstractSslContextFactory

Returns:

TrustManagerFactory from the file based truststore

Throws:

javax.net.ssl.SSLException - if any issues encountered during the build process

checkExpiredCerts

protected boolean checkExpiredCerts(java.security.KeyStore ks)
                             throws java.security.KeyStoreException

Throws:

java.security.KeyStoreException