Interface ISslContextFactory

  • All Known Implementing Classes:
    AbstractSslContextFactory, DefaultSslContextFactory, DisableSslContextFactory, FileBasedSslContextFactory, PEMBasedSslContextFactory

    public interface ISslContextFactory
The purpose of this interface is to provide a pluggable mechanism for creating custom JSSE and Netty SSLContext objects. Use the Cassandra configuration key ssl_context_factory under client_encryption_options/server_encryption_options and provide a custom class name implementing this interface, with parameters, to plug in your own way of loading the SSLContext.

Implementations of this interface must have a constructor with an argument of type Map<String,Object> so that custom parameters needed by the implementation can be passed from the yaml configuration. Common SSL configurations like protocol, algorithm, cipher_suites, accepted_protocols, require_client_auth, require_endpoint_verification, enabled and optional will also be passed in that map by Cassandra.

Since, in addition to Netty, Cassandra also uses the JSSE SSLContext internally for certain use cases, this interface has methods for both.

Below is an example of how to configure a custom implementation with parameters:

     ssl_context_factory:
           class_name: org.apache.cassandra.security.YourSslContextFactoryImpl
           parameters:
             key1: "value1"
             key2: "value2"
             key3: "value3"
     
    • Nested Class Summary

      Nested Classes
      Modifier and Type   Interface                        Description
      static class        ISslContextFactory.SocketType    Indicates if the process holds the inbound/listening (Server) end of the socket or the outbound side (Client).
    • Method Detail

      • createJSSESslContext

        javax.net.ssl.SSLContext createJSSESslContext​(boolean verifyPeerCertificate)
                                               throws javax.net.ssl.SSLException
        Creates a JSSE SSLContext.
        Parameters:
        verifyPeerCertificate - true if SSL peer's certificate needs to be verified; false otherwise
        Returns:
        JSSE's SSLContext
        Throws:
        javax.net.ssl.SSLException - in case the SSL context creation fails for some reason
      • createNettySslContext

        io.netty.handler.ssl.SslContext createNettySslContext​(boolean verifyPeerCertificate,
                                                              ISslContextFactory.SocketType socketType,
                                                              io.netty.handler.ssl.CipherSuiteFilter cipherFilter)
                                                       throws javax.net.ssl.SSLException
        Creates Netty's SslContext object.
        Parameters:
        verifyPeerCertificate - true if SSL peer's certificate needs to be verified; false otherwise
        socketType - ISslContextFactory.SocketType for Netty's Inbound or Outbound channels
        cipherFilter - to allow Netty's cipher suite filtering, e.g. SslContextBuilder.ciphers(Iterable, CipherSuiteFilter)
        Returns:
        Netty's SslContext
        Throws:
        javax.net.ssl.SSLException - in case the SSL context creation fails for some reason
      • initHotReloading

        void initHotReloading()
                       throws javax.net.ssl.SSLException
        Initializes hot reloading of the security keys/certs. The implementation must guarantee this to be thread safe.
        Throws:
        javax.net.ssl.SSLException
      • shouldReload

        boolean shouldReload()
        Returns whether any changes require reloading the SSL context returned by this factory. This is called by Cassandra's periodic polling for potential changes that would reload the SSL context. However, only new connections established after the reload will use the reloaded SSL context; existing connections keep the context they were created with.
        Returns:
        true if the SSL context needs to be reloaded; false otherwise
      • hasKeystore

        default boolean hasKeystore()
        Returns whether this factory uses a private keystore.
        Returns:
        true by default unless the implementation overrides this
      • hasOutboundKeystore

        default boolean hasOutboundKeystore()
        Returns whether this factory uses an outbound keystore.
        Returns:
        true by default unless the implementation overrides this
      • getAcceptedProtocols

        java.util.List<java.lang.String> getAcceptedProtocols()
        Returns the prepared list of accepted protocols.
        Returns:
        array of protocol names suitable for passing to Netty's SslContextBuilder.protocols, or null if the default
      • getCipherSuites

        java.util.List<java.lang.String> getCipherSuites()
        Returns the list of cipher suites supported by the implementation.
        Returns:
        List of supported cipher suites
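The following is an added example of a complete implementation of this interface, covering both the constructor/yaml contract described at the top of the page and the method contracts above. It is not Cassandra's own code nor one of the listed implementing classes. It assumes: the parameter keys keystore, keystore_password, truststore and truststore_password (chosen for this example), PKCS12 files on disk, the SocketType constants SERVER and CLIENT, and that Cassandra merges the common keys (accepted_protocols, cipher_suites, require_client_auth) into the same parameters map, as the text states. Hot reloading is modelled on the keystore file's modification time.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import java.util.concurrent.atomic.AtomicLong;
import javax.net.ssl.*;
import io.netty.handler.ssl.*;
import org.apache.cassandra.security.ISslContextFactory;

// Hypothetical factory (added example, not Cassandra code): loads PKCS12 keystore/truststore
// files named in ssl_context_factory.parameters and reloads when the keystore file changes.
public final class ExampleSslContextFactory implements ISslContextFactory {
    private final Path keystorePath, truststorePath;
    private final char[] keystorePassword, truststorePassword;
    private final List<String> acceptedProtocols, cipherSuites;
    private final boolean requireClientAuth;
    // Keystore mtime seen at the last (re)load; one atomic keeps shouldReload() thread safe.
    private final AtomicLong seenKeystoreMtime = new AtomicLong(-1L);

    @SuppressWarnings("unchecked")
    public ExampleSslContextFactory(Map<String, Object> parameters) {
        // The keys keystore/keystore_password/truststore/truststore_password are this example's
        // own choice; Cassandra passes through whatever the yaml lists under "parameters".
        keystorePath = Paths.get(required(parameters, "keystore"));
        keystorePassword = required(parameters, "keystore_password").toCharArray();
        truststorePath = Paths.get(required(parameters, "truststore"));
        truststorePassword = required(parameters, "truststore_password").toCharArray();
        // Common keys (accepted_protocols, cipher_suites, require_client_auth, ...) are added to
        // the same map by Cassandra from client/server_encryption_options.
        Object protocols = parameters.get("accepted_protocols");
        acceptedProtocols = protocols instanceof List ? (List<String>) protocols : Arrays.asList("TLSv1.3", "TLSv1.2");
        Object ciphers = parameters.get("cipher_suites");
        cipherSuites = ciphers instanceof List ? (List<String>) ciphers : null;
        requireClientAuth = Boolean.parseBoolean(String.valueOf(parameters.get("require_client_auth")));
    }

    @Override public SSLContext createJSSESslContext(boolean verifyPeerCertificate) throws SSLException {
        try {
            // Caveat: null trust managers make JSSE fall back to the JDK default trust store;
            // they do not switch peer verification off.
            TrustManagerFactory tmf = verifyPeerCertificate ? buildTrustManagerFactory() : null;
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(buildKeyManagerFactory().getKeyManagers(), tmf == null ? null : tmf.getTrustManagers(), null);
            return ctx;
        } catch (GeneralSecurityException | IOException e) {
            throw new SSLException("failed to create JSSE SSLContext", e);
        }
    }

    @Override public SslContext createNettySslContext(boolean verifyPeerCertificate, SocketType socketType,
                                                      CipherSuiteFilter cipherFilter) throws SSLException {
        SslContextBuilder builder;
        try {
            KeyManagerFactory kmf = buildKeyManagerFactory();
            builder = socketType == SocketType.SERVER ? SslContextBuilder.forServer(kmf)
                                                       : SslContextBuilder.forClient().keyManager(kmf);
            if (verifyPeerCertificate) builder.trustManager(buildTrustManagerFactory());
        } catch (GeneralSecurityException | IOException e) {
            throw new SSLException("failed to load key material", e);
        }
        if (socketType == SocketType.SERVER && requireClientAuth) builder.clientAuth(ClientAuth.REQUIRE);
        builder.protocols(acceptedProtocols.toArray(new String[0]));
        if (cipherSuites != null) builder.ciphers(cipherSuites, cipherFilter);
        return builder.build();
    }

    @Override public void initHotReloading() throws SSLException { seenKeystoreMtime.set(mtime(keystorePath)); }

    @Override public boolean shouldReload() {
        // Report a change once even when pollers race; only connections opened after the
        // resulting reload use the new key material, existing ones keep the old context.
        long seen = seenKeystoreMtime.get(), now = mtime(keystorePath);
        return now != seen && seenKeystoreMtime.compareAndSet(seen, now);
    }

    @Override public List<String> getAcceptedProtocols() { return acceptedProtocols; }
    @Override public List<String> getCipherSuites() { return cipherSuites; }
    // hasKeystore()/hasOutboundKeystore() keep their default of true: this factory holds a keystore.

    private KeyManagerFactory buildKeyManagerFactory() throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadPkcs12(keystorePath, keystorePassword), keystorePassword);
        return kmf;
    }
    private TrustManagerFactory buildTrustManagerFactory() throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(truststorePath, truststorePassword));
        return tmf;
    }
    private static KeyStore loadPkcs12(Path path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    private static long mtime(Path path) {
        try { return Files.getLastModifiedTime(path).toMillis(); } catch (IOException e) { return -1L; }
    }
    private static String required(Map<String, Object> parameters, String key) {
        Object value = parameters.get(key);
        if (value == null) throw new IllegalArgumentException("ssl_context_factory parameter '" + key + "' is required");
        return value.toString();
    }
}
```

To wire it in, set ssl_context_factory.class_name to this class's fully qualified name and list the four file/password keys under parameters, as in the yaml snippet at the top of the page. Two points worth checking in any factory of this shape: a false verifyPeerCertificate does not disable verification in either stack, it only drops the configured truststore in favour of the JDK default one, so a peer presenting a certificate from an unexpected CA is still rejected; and because shouldReload is only consulted by Cassandra's periodic poll, rotating the keystore file is reflected in new connections after the next poll, never in connections that are already established.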