Class Security
- java.lang.Object
- org.forgerock.opendj.setup.model.Security

public final class Security extends Object

Utility class to create secure peer-to-peer communications settings in a newly set up OpenDJ instance. Securing communications means providing:
- Certificate(s) which represent the server identity
- The certificate of the CA signing all servers' certificates
- Optionally, a list of certificates of trusted servers

Different strategies can be used:
- Use the server's deployment ID. This is the default behavior and is suitable when the server is set up in a private network. In other words, this strategy is not appropriate for public-facing services, for which a public CA certificate and SSL key-pair are generally needed.
- Provide an existing CA cert and SSL key-pair. This strategy is more complex to configure but should generally be used when implementing public-facing services or when the network security policy mandates the use of externally acquired and approved SSL assets.

See Also:
- OPENDJ-5866
Nested Class Summary
Nested Classes
- static class Security.ExistingKeyStore
  Abstract class which represents an existing keystore to use to set up a server instance.
- static class Security.KeyStoreModel
  Represents keystore data which will be used to secure the server instance to set up.
- static class Security.PasswordProvider
  Represents a strategy to retrieve an existing password.
- static class Security.TrustStoreModel
  Represents a truststore to trust remote server certificates.
-
Method Summary
All Methods, Static Methods, Concrete Methods
- static Security.TrustStoreModel blindTrust()
  Returns a Security.TrustStoreModel which will blindly trust all certificates.
- static Security.PasswordProvider clearTextPassword(String password)
  Specifies that the password is the provided clear text String.
- static Security.PasswordProvider fileBasedPassword(String passwordFilePath)
  Specifies that the password is located in the file path represented by the provided String.
- static Security.PasswordProvider fileBasedPassword(Path passwordFilePath)
  Specifies that the password is located in the provided file Path.
- static Security.ExistingKeyStore jceksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.ExistingKeyStore jceksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.TrustStoreModel jceksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider)
  Returns a JCEKS file-based Security.TrustStoreModel.
- static Security.TrustStoreModel jceksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider)
  Returns a JCEKS file-based Security.TrustStoreModel.
- static Security.ExistingKeyStore jksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.ExistingKeyStore jksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.TrustStoreModel jksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider)
  Returns a JKS file-based Security.TrustStoreModel.
- static Security.TrustStoreModel jksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider)
  Returns a JKS file-based Security.TrustStoreModel.
- static Security.TrustStoreModel jvmTrustStore()
  Returns a Security.TrustStoreModel which will use the JVM truststore.
- static Security.ExistingKeyStore pkcs11KeyStore(Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.ExistingKeyStore pkcs12KeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.ExistingKeyStore pkcs12KeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)
  Specifies keystore data to use to secure the server instance to set up.
- static Security.TrustStoreModel pkcs12TrustStore(String trustStorePath, Security.PasswordProvider passwordProvider)
  Returns a PKCS#12 file-based Security.TrustStoreModel.
- static Security.TrustStoreModel pkcs12TrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider)
  Returns a PKCS#12 file-based Security.TrustStoreModel.
- static Security.PasswordProvider unprotected()
  Specifies that the setup component is not protected by a password.
Method Detail
-
unprotected
public static Security.PasswordProvider unprotected()
Specifies that the setup component is not protected by a password. This provider can only be used for Security.KeyStoreModel or Security.ExistingTrustStoreModel.
- Returns:
  A Security.PasswordProvider to use when creating a setup component
-
clearTextPassword
public static Security.PasswordProvider clearTextPassword(String password) throws com.forgerock.opendj.cli.ArgumentException
Specifies that the password is the provided clear text String. The password will be stored in a dedicated file located in the instance.
- Parameters:
  password - The clear text password
- Returns:
  A Security.PasswordProvider to use when creating a setup component
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the provided password is empty
-
fileBasedPassword
public static Security.PasswordProvider fileBasedPassword(String passwordFilePath) throws com.forgerock.opendj.cli.ArgumentException
Specifies that the password is located in the file path represented by the provided String. The server configuration will refer to the provided file path.
- Parameters:
  passwordFilePath - Path of the password file
- Returns:
  A Security.PasswordProvider to use when creating a setup component
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the provided file does not exist or cannot be read
-
fileBasedPassword
public static Security.PasswordProvider fileBasedPassword(Path passwordFilePath) throws com.forgerock.opendj.cli.ArgumentException
Specifies that the password is located in the provided file Path. The server configuration will refer to the provided file path.
- Parameters:
  passwordFilePath - Path of the password file
- Returns:
  A Security.PasswordProvider to use when creating a setup component
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the provided file does not exist or cannot be read
-
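Because the server configuration keeps a reference to the password file (rather than the secret itself), the file's permissions are the only thing standing between the keystore password and other local accounts. The following added example, which is not part of the OpenDJ Javadoc or code base, checks the file before handing it to fileBasedPassword(Path): it must exist, be a regular file rather than a symlink, and on POSIX file systems must not be group- or world-accessible. It assumes only the Security and ArgumentException types documented on this page; the class name PasswordFileCheck and the placeholder path are the example's own.

```java
// Added example (not OpenDJ code). Assumes org.forgerock.opendj.setup.model.Security
// and com.forgerock.opendj.cli.ArgumentException as documented on this page.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

import com.forgerock.opendj.cli.ArgumentException;
import org.forgerock.opendj.setup.model.Security;

public final class PasswordFileCheck {

    /** Permission bits that expose the secret to other local accounts. */
    private static final Set<PosixFilePermission> SHARED = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * Returns a file-based password provider for the given path, after checking that the
     * file is a regular file (symlinks are rejected) and that no group/other permission
     * bit is set. Non-POSIX file systems (e.g. Windows) skip the permission check.
     */
    public static Security.PasswordProvider providerFor(Path passwordFile)
            throws IOException, ArgumentException {
        if (!Files.isRegularFile(passwordFile, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("password file is missing or is not a regular file: " + passwordFile);
        }
        if (Files.getFileStore(passwordFile).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(passwordFile, LinkOption.NOFOLLOW_LINKS);
            for (PosixFilePermission p : SHARED) {
                if (perms.contains(p)) {
                    throw new IOException("password file " + passwordFile
                            + " is accessible to other accounts (" + p + "); restrict it to the owner (mode 0600)");
                }
            }
        }
        // fileBasedPassword itself throws ArgumentException if the file cannot be read.
        return Security.fileBasedPassword(passwordFile);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder location; pass the real password file as the first argument.
        Path pw = Paths.get(args.length > 0 ? args[0] : "/path/to/keystore.pin");
        Security.PasswordProvider provider = providerFor(pw);
        System.out.println("password provider ready for " + pw + ": " + provider);
    }
}
```

The check runs once, at setup time; the server process itself still needs read access to the file at start-up, so the file owner should be the account the instance runs as.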
jksKeyStore
public static Security.ExistingKeyStore jksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.jksKeyStore("/path/to/keystore", Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.
- Parameters:
  keyStorePath - The keystore path
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
- Throws:
  IllegalArgumentException - If the unprotected() password provider is used with this method
-
jksKeyStore
public static Security.ExistingKeyStore jksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.jksKeyStore("/path/to/keystore", Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.
- Parameters:
  keyStorePath - The keystore path
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
- Throws:
  IllegalArgumentException - If the unprotected() password provider is used with this method
-
jceksKeyStore
public static Security.ExistingKeyStore jceksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.jceksKeyStore("/path/to/keystore", Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.
- Parameters:
  keyStorePath - The keystore path
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
- Throws:
  IllegalArgumentException - If the unprotected() password provider is used with this method
-
jceksKeyStore
public static Security.ExistingKeyStore jceksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.jceksKeyStore("/path/to/keystore", Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.
- Parameters:
  keyStorePath - The keystore path
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
- Throws:
  IllegalArgumentException - If the unprotected() password provider is used with this method
-
pkcs12KeyStore
public static Security.ExistingKeyStore pkcs12KeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.pkcs12KeyStore("/path/to/opendj", Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.
- Parameters:
  keyStorePath - The keystore path
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
- Throws:
  IllegalArgumentException - If the unprotected() password provider is used with this method
-
pkcs12KeyStore
public static Security.ExistingKeyStore pkcs12KeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.pkcs12KeyStore("/path/to/opendj", Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.
- Parameters:
  keyStorePath - The keystore path
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
- Throws:
  IllegalArgumentException - If the unprotected() password provider is used with this method
-
pkcs11KeyStore
public static Security.ExistingKeyStore pkcs11KeyStore(Security.PasswordProvider passwordProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:

    Security.pkcs11KeyStore(Security.clearTextPassword("somesecretphrase"))
            .addCertificateAliases("example-com", "foo-com");

- Parameters:
  passwordProvider - The strategy to use to provide the keystore password
- Returns:
  The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
-
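The keystore methods above take the alias list on trust: an alias that does not hold a private key, or whose certificate has expired, is only discovered when the server fails to serve TLS. The following added example, which is not OpenDJ code, opens the keystore with the standard java.security.KeyStore API first, keeps only aliases that hold a private-key entry with a currently valid X.509 certificate, and then builds the Security.ExistingKeyStore from that list. It assumes the pkcs12KeyStore, clearTextPassword and addCertificateAliases methods documented on this page, and that addCertificateAliases accepts a String varargs list as the snippets above suggest; the class name KeyStoreAliasCheck and the placeholder path and password are the example's own.

```java
// Added example (not OpenDJ code). Assumes the Security API documented on this page.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.forgerock.opendj.setup.model.Security;

public final class KeyStoreAliasCheck {

    /**
     * Returns the aliases of the keystore that hold a private key whose X.509 certificate
     * is valid right now. Trusted-certificate entries (no private key) and expired or
     * not-yet-valid certificates are reported and skipped.
     *
     * @param type "JKS", "JCEKS" or "PKCS12", matching the Security.*KeyStore method used
     */
    public static List<String> usableKeyAliases(Path keyStorePath, String type, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        List<String> usable = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("skip " + alias + ": trusted-certificate entry, no private key");
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                try {
                    ((X509Certificate) cert).checkValidity();
                } catch (CertificateException e) {
                    System.out.println("skip " + alias + ": " + e.getMessage());
                    continue;
                }
            }
            usable.add(alias);
        }
        return usable;
    }

    /** Builds the setup model from the aliases that passed the check. */
    public static Security.ExistingKeyStore pkcs12Model(Path keyStorePath, String password)
            throws Exception {
        List<String> aliases = usableKeyAliases(keyStorePath, "PKCS12", password.toCharArray());
        if (aliases.isEmpty()) {
            throw new IllegalStateException("no usable private-key alias in " + keyStorePath);
        }
        Security.ExistingKeyStore model =
                Security.pkcs12KeyStore(keyStorePath, Security.clearTextPassword(password));
        model.addCertificateAliases(aliases.toArray(new String[0]));
        return model;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; replace with the real keystore and its password.
        Security.ExistingKeyStore model =
                pkcs12Model(Paths.get("/path/to/keystore.p12"), "somesecretphrase");
        System.out.println("keystore model ready: " + model);
    }
}
```

clearTextPassword is used here only because the snippets on this page use it; since it writes the password to a file inside the instance, fileBasedPassword pointing at an already-protected file is the better choice for a managed deployment.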
jksTrustStore
public static Security.TrustStoreModel jksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a JKS file-based Security.TrustStoreModel.
- Parameters:
  trustStorePath - JKS truststore file path
  passwordProvider - The strategy to use to provide the truststore password
- Returns:
  A Security.TrustStoreModel which represents a JKS file.
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the file-based JKS truststore cannot be loaded
- See Also:
  Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)
-
jksTrustStore
public static Security.TrustStoreModel jksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a JKS file-based Security.TrustStoreModel.
- Parameters:
  trustStorePath - JKS truststore file path
  passwordProvider - The strategy to use to provide the truststore password
- Returns:
  A Security.TrustStoreModel which represents a JKS file.
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the file-based JKS truststore cannot be loaded
- See Also:
  Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)
-
jceksTrustStore
public static Security.TrustStoreModel jceksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a JCEKS file-based Security.TrustStoreModel.
- Parameters:
  trustStorePath - JCEKS truststore file path
  passwordProvider - The strategy to use to provide the truststore password
- Returns:
  A Security.TrustStoreModel which represents a JCEKS file.
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the file-based JCEKS truststore cannot be loaded
- See Also:
  Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)
-
jceksTrustStore
public static Security.TrustStoreModel jceksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a JCEKS file-based Security.TrustStoreModel.
- Parameters:
  trustStorePath - JCEKS truststore file path
  passwordProvider - The strategy to use to provide the truststore password
- Returns:
  A Security.TrustStoreModel which represents a JCEKS file.
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the file-based JCEKS truststore cannot be loaded
- See Also:
  Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)
-
pkcs12TrustStore
public static Security.TrustStoreModel pkcs12TrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a PKCS#12 file-based Security.TrustStoreModel.
- Parameters:
  trustStorePath - PKCS#12 truststore file path
  passwordProvider - The strategy to use to provide the truststore password
- Returns:
  A Security.TrustStoreModel which represents a PKCS#12 file.
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the file-based PKCS#12 truststore cannot be loaded
- See Also:
  Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)
-
pkcs12TrustStore
public static Security.TrustStoreModel pkcs12TrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a PKCS#12 file-based Security.TrustStoreModel.
- Parameters:
  trustStorePath - PKCS#12 truststore file path
  passwordProvider - The strategy to use to provide the truststore password
- Returns:
  A Security.TrustStoreModel which represents a PKCS#12 file.
- Throws:
  com.forgerock.opendj.cli.ArgumentException - If the file-based PKCS#12 truststore cannot be loaded
- See Also:
  Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)
-
jvmTrustStore
public static Security.TrustStoreModel jvmTrustStore()
Returns a Security.TrustStoreModel which will use the JVM truststore.
- Returns:
  A Security.TrustStoreModel which will use the JVM truststore.
-
blindTrust
public static Security.TrustStoreModel blindTrust()
Returns a Security.TrustStoreModel which will blindly trust all certificates.
- Returns:
  A Security.TrustStoreModel which will blindly trust all certificates.
-
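The class description presents the "existing CA cert and SSL key-pair" strategy as the one for public-facing services, and the truststore methods above range from a file holding the CA certificate down to blindTrust(), which accepts any peer certificate and therefore gives replication and LDAPS peers no protection against impersonation. The following added example, which is not OpenDJ code, wires the pieces on this page together: a keystore model from a file-based password, a truststore model chosen by environment, and the call to Setup.useExistingCertificatesForTls that the method documentation links to. It assumes a Setup class in org.forgerock.opendj.setup.model exposing that method, that an instance of it is obtained from setup code not shown on this page, and that Security.ExistingKeyStore is accepted where the documentation says "Security.KeyStoreModel"; the Environment enum, class name TlsSetupPlan and method names are the example's own.

```java
// Added example (not OpenDJ code). Assumes org.forgerock.opendj.setup.model.Setup with the
// useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel) method referenced on this page;
// the Setup instance itself comes from setup code outside this example.
import java.nio.file.Path;

import com.forgerock.opendj.cli.ArgumentException;
import org.forgerock.opendj.setup.model.Security;
import org.forgerock.opendj.setup.model.Setup;

public final class TlsSetupPlan {

    /** Where the instance runs; decides which truststore strategies are acceptable. */
    public enum Environment { PRODUCTION, TEST }

    /**
     * Chooses the truststore for the new instance. A PKCS#12 file holding the CA
     * certificate is always preferred; jvmTrustStore() is accepted when the CA is
     * already in the JVM cacerts; blindTrust() disables peer verification entirely
     * and is only returned for throwaway TEST instances with no CA at hand.
     */
    public static Security.TrustStoreModel trustStoreFor(Environment env, Path caTrustStore,
                                                         Path trustStorePin, boolean caInJvmTrustStore)
            throws ArgumentException {
        if (caTrustStore != null) {
            return Security.pkcs12TrustStore(caTrustStore, Security.fileBasedPassword(trustStorePin));
        }
        if (caInJvmTrustStore) {
            return Security.jvmTrustStore();
        }
        if (env == Environment.TEST) {
            return Security.blindTrust();
        }
        throw new IllegalArgumentException(
                "PRODUCTION requires a CA truststore; blindTrust() accepts any peer certificate");
    }

    /**
     * Applies the "existing CA cert and SSL key-pair" strategy: the server's own
     * key-pair comes from a PKCS#12 keystore protected by a password file, and peers
     * are verified against the truststore chosen above.
     */
    public static void configureTls(Setup setup, Environment env,
                                    Path keyStore, Path keyStorePin, String serverAlias,
                                    Path caTrustStore, Path trustStorePin, boolean caInJvmTrustStore)
            throws ArgumentException {
        // unprotected() is rejected by the keystore methods, so a real provider is required.
        Security.ExistingKeyStore keyStoreModel =
                Security.pkcs12KeyStore(keyStore, Security.fileBasedPassword(keyStorePin));
        // Only the listed alias is served, even if the keystore holds other entries.
        keyStoreModel.addCertificateAliases(serverAlias);

        Security.TrustStoreModel trustStoreModel =
                trustStoreFor(env, caTrustStore, trustStorePin, caInJvmTrustStore);
        setup.useExistingCertificatesForTls(keyStoreModel, trustStoreModel);
    }
}
```

Keeping the environment decision in one method makes the use of blindTrust() greppable and reviewable, which matters because the resulting instance otherwise looks identical to a correctly configured one until a peer presents a certificate that should have been rejected.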
-