Class DeploymentId

java.lang.Object
org.forgerock.opendj.security.DeploymentId

public final class DeploymentId extends Object
A deployment ID, together with its password, facilitates the generation of the cryptographic keys required to protect a deployment, such as a root CA key-pair for SSL/TLS and a master key-pair for protecting symmetric keys used for data encryption.
The typical workflow to secure a deployment using a deployment ID and password is follows:
  1. Generate a new deployment ID with generateDeploymentId(char[]) and store the key as returned by toString() in a secure place.
  2. For each deployment application:
  3. Repeat when the deployment root CA is about to expire.
  • Field Details

    • DEFAULT_CA_CERT_VALIDITY

      public static final Duration DEFAULT_CA_CERT_VALIDITY
      The default root CA certificate validity duration.
    • DEFAULT_SSL_CERT_VALIDITY

      public static final Duration DEFAULT_SSL_CERT_VALIDITY
      The default SSL certificate validity duration.
    • DEFAULT_CA_ALIAS

      public static final String DEFAULT_CA_ALIAS
      The default alias for a deployment-id-generated CA certificate.
      See Also:
    • DEFAULT_SSL_KEY_PAIR_ALIAS

      public static final String DEFAULT_SSL_KEY_PAIR_ALIAS
      The default alias for a deployment-id-generated SSL key-pair.
      See Also:
    • DEFAULT_MASTER_KEY_PAIR_ALIAS

      public static final String DEFAULT_MASTER_KEY_PAIR_ALIAS
      The default alias for the master key pair.
      See Also:
    • MIN_DEPLOYMENT_ID_VALIDITY

      public static final Duration MIN_DEPLOYMENT_ID_VALIDITY
      The minimum deployment ID validity duration.
    • MAX_DEPLOYMENT_ID_VALIDITY

      public static final Duration MAX_DEPLOYMENT_ID_VALIDITY
      The maximum deployment ID validity duration, approximately 90 years.
  • Method Details

    • generateDeploymentId

      public static DeploymentId generateDeploymentId(char[] password)
      Generates a new deployment ID whose root CA certificate will be valid from now for ten years.
      Parameters:
      password - An arbitrary password that will be used to protect this deployment ID.
      Returns:
      A new deployment ID.
    • generateDeploymentId

      public static DeploymentId generateDeploymentId(char[] password, Instant notBefore, Duration validity)
      Generates a new deployment ID whose root CA certificate will be valid from notBefore for the provided duration rounded down to days. validity must be in range [MIN_DEPLOYMENT_ID_VALIDITY, MAX_DEPLOYMENT_ID_VALIDITY] inclusive.
      Parameters:
      password - An arbitrary password that will be used to protect this deployment ID.
      notBefore - The date from which the root CA certificate associated with this deployment ID will be valid.
      validity - The duration for which the root CA certificate associated with this deployment ID will be valid.
      Returns:
      A new deployment ID.
      Throws:
      IllegalArgumentException - If validity is outside the range of acceptable values.
    • valueOf

      public static DeploymentId valueOf(String deploymentId, char[] password, Consumer<LocalizableMessage> warningHandler) throws DecodeException, NoSuchProviderException
      Parses the provided deployment ID and creates the associated root CA key-pair.
      Parameters:
      deploymentId - The deployment ID to be parsed.
      password - The deployment ID password.
      warningHandler - The handler for the message about version mismatch
      Returns:
      The deployment ID.
      Throws:
      DecodeException - If the combination of deployment ID and password is invalid.
      NoSuchProviderException - If the key-pair generator implementation associated with the deployment ID is not available on this JRE. This can happen when the deployment ID is generated on one JRE implementation and parsed on another.
    • toString

      public String toString()
      Returns the string representation of this deployment ID, it can be reused to re-create the same deployment ID instance with valueOf(String, char[], Consumer). The string representation only contains URL safe characters. The key returned by this method is a sensitive piece of information because, when used in combination with the deployment ID password, it allows to recreate at will the deployment root CA key-pair, therefore care must be taken when storing this key.
      Overrides:
      toString in class Object
      Returns:
      The string representation of this deployment ID.
    • getRootCaCertificate

      public X509Certificate getRootCaCertificate()
      Returns the self-signed CA certificate associated with this deployment ID. It can be used as the trusted CA certificate within a deployment.
      Returns:
      This deployment ID root CA certificate.
    • generateSslKeyPair

      public Pair<PrivateKey,X509Certificate> generateSslKeyPair(Dn subjectDn, Collection<String> dnsNames) throws LocalizedIllegalArgumentException
      Generates an SSL private key and an SSL certificate signed by the root CA certificate associated with this deployment ID. The SSL certificate will be valid for one year from the generation date. The DNS names will appear in the certificate subject alternative names extension. The SSL key-pair can be used by a client or a server application hence is suitable for implementing mutual TLS.
      Parameters:
      subjectDn - The SSL certificate subject DN.
      dnsNames - The DNS names, must not be empty.
      Returns:
      The generated SSL key-pair.
      Throws:
      LocalizedIllegalArgumentException - If at least one of the provided DNS names is not valid.
    • generateSslKeyPair

      public Pair<PrivateKey,X509Certificate> generateSslKeyPair(Dn subjectDn, Collection<String> dnsNames, Instant notBefore, Duration validity) throws LocalizedIllegalArgumentException
      Generates an SSL private key and an SSL certificate signed by the root CA certificate associated with this deployment ID. The SSL certificate will be valid from notBefore for the provided duration rounded down to seconds. The provided DNS names will appear in the certificate subject alternative names extension. The SSL key-pair can be used by a client or a server application hence is suitable for implementing mutual TLS.
      Parameters:
      subjectDn - The SSL certificate subject DN.
      dnsNames - The DNS names, must not be empty.
      notBefore - The date from which the SSL certificate will be valid.
      validity - The duration for which the SSL certificate will be valid.
      Returns:
      The generated SSL key-pair.
      Throws:
      LocalizedIllegalArgumentException - If at least one of the provided DNS names is not valid.
    • generateSslKeyPairForWritableReplica

      public Pair<PrivateKey,X509Certificate> generateSslKeyPairForWritableReplica(Dn subjectDn, Collection<String> dnsNames, Instant notBefore, Duration validity) throws LocalizedIllegalArgumentException
      Generates an SSL private key and an SSL certificate, same as generateSslKeyPair(Dn, Collection, Instant, Duration), but the ExtendedKeyUsage extension has an additional ForgeRock defined usage for recognizing replicas allowed to send updates.
      Parameters:
      subjectDn - The SSL certificate subject DN.
      dnsNames - The DNS names, must not be empty.
      notBefore - The date from which the SSL certificate will be valid.
      validity - The duration for which the SSL certificate will be valid.
      Returns:
      The generated SSL key-pair.
      Throws:
      LocalizedIllegalArgumentException - If at least one of the provided DNS names is not valid.
    • getMasterKeyPair

      public Pair<PrivateKey,X509Certificate> getMasterKeyPair()
      Returns the master public/private key-pair associated with this deployment ID. The master key-pair will be the same on all instances in the deployment. It will ONLY be used for encrypting secrets such as symmetric keys stored in the crypto manager. Specifically, this key-pair WILL NOT be used for securing TLS connections.

      NOTE: The KeyStore API requires that the public key be encoded as an X509 certificate. The certificate details do not matter since it is not used for signing or validation. We're only interested in the public key.

      Returns:
      The generated master key-pair.
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object