Class PEMBasedSslContextFactory

  • All Implemented Interfaces:
    ISslContextFactory

    public final class PEMBasedSslContextFactory
    extends FileBasedSslContextFactory
SslContextFactory for PEM-encoded (RFC 7468) PKCS#8 private keys and X509 certificates/public keys. It parses the key material according to RFC 7468, builds the PKCS#8 private key and the X509 certificate(s) for the public key, and from them constructs the keystore and truststore managers used to create the SSL context. Internally it builds a Java KeyStore of type PKCS#12 to back both the keystore and the truststore managers.

    This factory also supports 'hot reloading' of the key material, the same way as defined by FileBasedSslContextFactory, if it is file based. This factory ignores the existing 'store_type' configuration used for other file based store types like JKS.

    You can configure this factory with either inline PEM data or with files holding the required PEM data, as shown below.

    Configuration: PEM keys/certs defined inline (mind the spaces in the YAML!)

         client/server_encryption_options:
          ssl_context_factory:
             class_name: org.apache.cassandra.security.PEMBasedSslContextFactory
             parameters:
                 private_key: |
                  -----BEGIN ENCRYPTED PRIVATE KEY----- OR -----BEGIN PRIVATE KEY-----
                  <your base64 encoded private key>
                  -----END ENCRYPTED PRIVATE KEY----- OR -----END PRIVATE KEY-----
                  -----BEGIN CERTIFICATE-----
                  <your base64 encoded certificate chain>
                  -----END CERTIFICATE-----
                 private_key_password: "<your password if the private key is encrypted with a password>"
                 trusted_certificates: |
                   -----BEGIN CERTIFICATE-----
                   <your base64 encoded certificate>
                   -----END CERTIFICATE-----

    Configuration: PEM keys/certs defined in files

         client/server_encryption_options:
          ssl_context_factory:
             class_name: org.apache.cassandra.security.PEMBasedSslContextFactory
          keystore: <file path to the keystore file in the PEM format with the private key and the certificate chain>
          keystore_password: "<your password if the private key is encrypted with a password>"
          truststore: <file path to the truststore file in the PEM format>
     
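    As an added pre-deployment lint (example code written for this page, not part of Cassandra or of this class), the following parses the RFC 7468 blocks of the inline private_key and trusted_certificates parameters described above and enforces the rules the configuration implies: one PKCS#8 key (PRIVATE KEY or ENCRYPTED PRIVATE KEY) followed by its certificate chain, a password whenever the key is encrypted, and only CERTIFICATE blocks in the truststore. The exactly-one-key rule, the function names and the sample PEM bodies are assumptions; the sample bodies are constructed placeholders, not key material.

```python
import base64
import re

# RFC 7468 block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)

def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for each block; reject label mismatch or bad base64."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, end = m.group("label"), m.group("end")
        if label != end:
            raise ValueError(f"BEGIN {label} is closed by END {end}")
        body = "".join(m.group("body").split())  # drop the 64-column line folding
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"{label}: body is not valid base64") from exc
        blocks.append((label, der))
    return blocks

def check_pem_parameters(private_key, private_key_password=None, trusted_certificates=""):
    """Lint the inline `parameters` block. Rules (assumed from the config above): one
    PKCS#8 key (PRIVATE KEY or ENCRYPTED PRIVATE KEY) followed by its certificate chain,
    a password whenever the key is encrypted, only CERTIFICATE blocks in the truststore."""
    key_blocks = parse_pem_blocks(private_key)
    keys = [lab for lab, _ in key_blocks if lab in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")]
    chain = [lab for lab, _ in key_blocks if lab == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not chain:
        raise ValueError("private_key must carry the certificate chain after the key")
    encrypted = keys[0] == "ENCRYPTED PRIVATE KEY"
    if encrypted and not private_key_password:
        raise ValueError("ENCRYPTED PRIVATE KEY requires private_key_password")
    trust = parse_pem_blocks(trusted_certificates)
    other = [lab for lab, _ in trust if lab != "CERTIFICATE"]
    if other:
        raise ValueError(f"trusted_certificates must hold only CERTIFICATE blocks, found {other}")
    return {"encrypted": encrypted, "chain_len": len(chain), "trusted": len(trust)}

# Constructed sample: base64 of placeholder bytes, not real key or certificate material.
_FAKE = base64.b64encode(b"constructed placeholder, not DER").decode()
SAMPLE_PRIVATE_KEY = (f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_FAKE}\n-----END ENCRYPTED PRIVATE KEY-----\n"
                      f"-----BEGIN CERTIFICATE-----\n{_FAKE}\n-----END CERTIFICATE-----\n")
SAMPLE_TRUST = f"-----BEGIN CERTIFICATE-----\n{_FAKE}\n-----END CERTIFICATE-----\n"
```

Run `check_pem_parameters(SAMPLE_PRIVATE_KEY, "<password>", SAMPLE_TRUST)` to see the summary; omitting the password with an encrypted key raises ValueError before anything is loaded.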
    • Field Detail

      • DEFAULT_TARGET_STORETYPE

        public static final java.lang.String DEFAULT_TARGET_STORETYPE
        See Also:
        Constant Field Values
    • Constructor Detail

      • PEMBasedSslContextFactory

        public PEMBasedSslContextFactory()
      • PEMBasedSslContextFactory

        public PEMBasedSslContextFactory(java.util.Map<java.lang.String,java.lang.Object> parameters)
    • Method Detail

      • hasKeystore

        public boolean hasKeystore()
        Decides if this factory has a keystore defined, i.e. key material specified either in files or inline in the configuration.
        Specified by:
        hasKeystore in interface ISslContextFactory
        Overrides:
        hasKeystore in class FileBasedSslContextFactory
        Returns:
        true if there is a keystore defined; false otherwise
      • buildKeyManagerFactory

        protected javax.net.ssl.KeyManagerFactory buildKeyManagerFactory()
                                                                  throws javax.net.ssl.SSLException
        Builds the required KeyManagerFactory from the PEM based keystore. It also checks the expiry of each PrivateKey's certificate and logs a warning for every expired one.
        Overrides:
        buildKeyManagerFactory in class FileBasedSslContextFactory
        Returns:
        KeyManagerFactory built from the PEM based keystore.
        Throws:
        javax.net.ssl.SSLException - if any issues are encountered during the build process
        See Also:
        FileBasedSslContextFactory.validatePassword(boolean, String)
      • buildOutboundKeyManagerFactory

        protected javax.net.ssl.KeyManagerFactory buildOutboundKeyManagerFactory()
                                                                          throws javax.net.ssl.SSLException
        Description copied from class: AbstractSslContextFactory
        Create a KeyManagerFactory for outbound connections. It provides a separate keystore for internode mTLS outbound connections.
        Overrides:
        buildOutboundKeyManagerFactory in class FileBasedSslContextFactory
        Returns:
        KeyManagerFactory
        Throws:
        javax.net.ssl.SSLException
      • buildTrustManagerFactory

        protected javax.net.ssl.TrustManagerFactory buildTrustManagerFactory()
                                                                      throws javax.net.ssl.SSLException
        Builds the TrustManagerFactory from the PEM based truststore.
        Overrides:
        buildTrustManagerFactory in class FileBasedSslContextFactory
        Returns:
        TrustManagerFactory from the PEM based truststore
        Throws:
        javax.net.ssl.SSLException - if any issues are encountered during the build process