Package org.forgerock.opendj.setup.model

Class Security

java.lang.Object

org.forgerock.opendj.setup.model.Security

public final class Security
extends Object

Utility class to create secure peer to peer communications settings in a newly set up OpenDJ instance.

Securing communications means providing:

• Certificate(s) which represent server identity
• The certificate of the CA signing all servers certificates
• Optionally a list of certificates of trusted servers

Different strategies can be used:

• Use the server's deployment ID. This is the default behavior and is suitable when the server is setup in a private network. In other words this strategy is not appropriate for public facing services for which a public CA certificate and SSL key-pair is generally needed
• Provide existing CA cert and SSL key-pair. This strategy is more complex to configure but should generally be used when implementing public facing services or when the network security policy mandates the use of externally acquired and approved SSL assets.

See Also:

OPENDJ-5866

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	Security.ExistingKeyStore	Abstract class which represents an existing keystore to use to setup a server instance.
static class	Security.KeyStoreModel	Represents keystore data which will be used to secure the server instance to setup.
static class	Security.PasswordProvider	Represents a strategy to retrieve an existing password.
static class	Security.TrustStoreModel	Represents a truststore to trust remote server certificates.

Method Summary

Modifier and Type	Method	Description
static Security.TrustStoreModel	blindTrust()	Returns a Security.TrustStoreModel which will blindly trust all certificates.
static Security.PasswordProvider	clearTextPassword(String password)	Specifies that the password is the provided clear text String.
static Security.PasswordProvider	fileBasedPassword(String passwordFilePath)	Specifies that the password is located in the file path represented in the provided String.
static Security.PasswordProvider	fileBasedPassword(Path passwordFilePath)	Specifies that the password is located in the provided file Path.
static Security.ExistingKeyStore	jceksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.ExistingKeyStore	jceksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.TrustStoreModel	jceksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider)	Returns a JCEKS file based Security.TrustStoreModel.
static Security.TrustStoreModel	jceksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider)	Returns a JCEKS file based Security.TrustStoreModel.
static Security.ExistingKeyStore	jksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.ExistingKeyStore	jksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.TrustStoreModel	jksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider)	Returns a JKS file based Security.TrustStoreModel.
static Security.TrustStoreModel	jksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider)	Returns a JKS file based Security.TrustStoreModel.
static Security.TrustStoreModel	jvmTrustStore()	Returns a Security.TrustStoreModel which will use the JVM truststore.
static Security.ExistingKeyStore	pkcs11KeyStore(Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.ExistingKeyStore	pkcs12KeyStore(String keyStorePath, Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.ExistingKeyStore	pkcs12KeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider)	Specifies keystore data to use to secure the server instance to setup.
static Security.TrustStoreModel	pkcs12TrustStore(String trustStorePath, Security.PasswordProvider passwordProvider)	Returns a PKCS#12 file based Security.TrustStoreModel.
static Security.TrustStoreModel	pkcs12TrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider)	Returns a PKCS#12 file based Security.TrustStoreModel.
static Security.PasswordProvider	unprotected()	Specifies that the setup component is not protected by a password.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

unprotected

public static Security.PasswordProvider unprotected()

Specifies that the setup component is not protected by a password.

This provider can only be used for Security.KeyStoreModel or Security.ExistingTrustStoreModel.

Returns:

A Security.PasswordProvider to use when creating a setup component

clearTextPassword

public static Security.PasswordProvider clearTextPassword(String password)
                                                   throws com.forgerock.opendj.cli.ArgumentException

Specifies that the password is the provided clear text String.

The password will be stored in a dedicated file located in the instance

Parameters:

password - The clear text password

Returns:

A Security.PasswordProvider to use when creating a setup component

Throws:

com.forgerock.opendj.cli.ArgumentException - If the provided password is empty

fileBasedPassword

public static Security.PasswordProvider fileBasedPassword(String passwordFilePath)
                                                   throws com.forgerock.opendj.cli.ArgumentException

Specifies that the password is located in the file path represented in the provided String.

The server configuration will refers to the provided file path

Parameters:

passwordFilePath - Path of the password

Returns:

A Security.PasswordProvider to use when creating a setup component

Throws:

com.forgerock.opendj.cli.ArgumentException - If the provided file does not exists or cannot be read

fileBasedPassword

public static Security.PasswordProvider fileBasedPassword(Path passwordFilePath)
                                                   throws com.forgerock.opendj.cli.ArgumentException

Specifies that the password is located in the provided file Path.

The server configuration will refers to the provided file path

Parameters:

passwordFilePath - Path of the password

Returns:

A Security.PasswordProvider to use when creating a setup component

Throws:

com.forgerock.opendj.cli.ArgumentException - If the provided file does not exists or cannot be read

jksKeyStore

public static Security.ExistingKeyStore jksKeyStore(String keyStorePath,
                                                    Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.

Parameters:

keyStorePath - The keystore path

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

Throws:

IllegalArgumentException - If the unprotected() password provider is used with this method

jksKeyStore

public static Security.ExistingKeyStore jksKeyStore(Path keyStorePath,
                                                    Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.

Parameters:

keyStorePath - The keystore path

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

Throws:

IllegalArgumentException - If the unprotected() password provider is used with this method

jceksKeyStore

public static Security.ExistingKeyStore jceksKeyStore(String keyStorePath,
                                                      Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jceksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.

Parameters:

keyStorePath - The keystore path

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

Throws:

IllegalArgumentException - If the unprotected() password provider is used with this method

jceksKeyStore

public static Security.ExistingKeyStore jceksKeyStore(Path keyStorePath,
                                                      Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jceksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.

Parameters:

keyStorePath - The keystore path

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

Throws:

IllegalArgumentException - If the unprotected() password provider is used with this method

pkcs12KeyStore

public static Security.ExistingKeyStore pkcs12KeyStore(String keyStorePath,
                                                       Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.pkcs12KeyStore("/path/to/opendj", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.

Parameters:

keyStorePath - The keystore path

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

Throws:

IllegalArgumentException - If the unprotected() password provider is used with this method

pkcs12KeyStore

public static Security.ExistingKeyStore pkcs12KeyStore(Path keyStorePath,
                                                       Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.pkcs12KeyStore("/path/to/opendj", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

The unprotected() provider is not allowed to be used with this method.

Parameters:

keyStorePath - The keystore path

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

Throws:

IllegalArgumentException - If the unprotected() password provider is used with this method

pkcs11KeyStore

public static Security.ExistingKeyStore pkcs11KeyStore(Security.PasswordProvider passwordProvider)

Specifies keystore data to use to secure the server instance to setup.

If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.pkcs11KeyStore(Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");

Parameters:

passwordProvider - The strategy to use to provide the keystore password

Returns:

The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)

jksTrustStore

public static Security.TrustStoreModel jksTrustStore(String trustStorePath,
                                                     Security.PasswordProvider passwordProvider)
                                              throws com.forgerock.opendj.cli.ArgumentException

Returns a JKS file based Security.TrustStoreModel.

Parameters:

trustStorePath - JKS truststore file path

passwordProvider - The strategy to use to provide the truststore password

Returns:

A Security.TrustStoreModel which represents a JKS file.

Throws:

com.forgerock.opendj.cli.ArgumentException - If the file based JKS truststore cannot be loaded

See Also:

Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)

jksTrustStore

public static Security.TrustStoreModel jksTrustStore(Path trustStorePath,
                                                     Security.PasswordProvider passwordProvider)
                                              throws com.forgerock.opendj.cli.ArgumentException

Returns a JKS file based Security.TrustStoreModel.

Parameters:

trustStorePath - JKS truststore file path

passwordProvider - The strategy to use to provide the truststore password

Returns:

A Security.TrustStoreModel which represents a JKS file.

Throws:

com.forgerock.opendj.cli.ArgumentException - If the file based JKS truststore cannot be loaded

See Also:

Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)

jceksTrustStore

public static Security.TrustStoreModel jceksTrustStore(String trustStorePath,
                                                       Security.PasswordProvider passwordProvider)
                                                throws com.forgerock.opendj.cli.ArgumentException

Returns a JCEKS file based Security.TrustStoreModel.

Parameters:

trustStorePath - JCEKS truststore file path

passwordProvider - The strategy to use to provide the truststore password

Returns:

A Security.TrustStoreModel which represents a JCEKS file.

Throws:

com.forgerock.opendj.cli.ArgumentException - If the file based JCEKS truststore cannot be loaded

See Also:

Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)

jceksTrustStore

public static Security.TrustStoreModel jceksTrustStore(Path trustStorePath,
                                                       Security.PasswordProvider passwordProvider)
                                                throws com.forgerock.opendj.cli.ArgumentException

Returns a JCEKS file based Security.TrustStoreModel.

Parameters:

trustStorePath - JCEKS truststore file path

passwordProvider - The strategy to use to provide the truststore password

Returns:

A Security.TrustStoreModel which represents a JCEKS file.

Throws:

com.forgerock.opendj.cli.ArgumentException - If the file based JCEKS truststore cannot be loaded

See Also:

Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)

pkcs12TrustStore

public static Security.TrustStoreModel pkcs12TrustStore(String trustStorePath,
                                                        Security.PasswordProvider passwordProvider)
                                                 throws com.forgerock.opendj.cli.ArgumentException

Returns a PKCS#12 file based Security.TrustStoreModel.

Parameters:

trustStorePath - PKCS#12 truststore file path

passwordProvider - The strategy to use to provide the truststore password

Returns:

A Security.TrustStoreModel which represents a PKCS#12.

Throws:

com.forgerock.opendj.cli.ArgumentException - If the file based PKCS#12 truststore cannot be loaded

See Also:

Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)

pkcs12TrustStore

public static Security.TrustStoreModel pkcs12TrustStore(Path trustStorePath,
                                                        Security.PasswordProvider passwordProvider)
                                                 throws com.forgerock.opendj.cli.ArgumentException

Returns a PKCS#12 file based Security.TrustStoreModel.

Parameters:

trustStorePath - PKCS#12 truststore file path

passwordProvider - The strategy to use to provide the truststore password

Returns:

A Security.TrustStoreModel which represents a PKCS#12 file.

Throws:

com.forgerock.opendj.cli.ArgumentException - If the file based PKCS#12 truststore cannot be loaded

See Also:

Setup.useExistingCertificatesForTls(KeyStoreModel, TrustStoreModel)

jvmTrustStore

public static Security.TrustStoreModel jvmTrustStore()

Returns a Security.TrustStoreModel which will use the JVM truststore.

Returns:

a Security.TrustStoreModel which will use the JVM truststore.

blindTrust

public static Security.TrustStoreModel blindTrust()

Returns a Security.TrustStoreModel which will blindly trust all certificates.

Returns:

a Security.TrustStoreModel which will blindly trust all certificates.