Package org.forgerock.opendj.setup.model
Class Security
java.lang.Object
org.forgerock.opendj.setup.model.Security
Utility class to create secure peer to peer communications settings in a newly set up OpenDJ instance.
Securing communications means providing:
- Certificate(s) which represent server identity
- The certificate of the CA signing all servers certificates
- Optionally a list of certificates of trusted servers
Different strategies can be used:
- Use the server's
deployment ID. This is the default behavior and is suitable when the server is setup in a private network. In other words this strategy is not appropriate for public facing services for which a public CA certificate and SSL key-pair is generally needed - Provide existing
CA cert and SSL key-pair. This strategy is more complex to configure but should generally be used when implementing public facing services or when the network security policy mandates the use of externally acquired and approved SSL assets.
- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classAbstract class which represents an existing keystore to use to setup a server instance.static classRepresents keystore data which will be used to secure the server instance to setup.static classRepresents a strategy to retrieve an existing password.static classRepresents a truststore to trust remote server certificates. -
Method Summary
Modifier and TypeMethodDescriptionstatic Security.TrustStoreModelReturns aSecurity.TrustStoreModelwhich will blindly trust all certificates.static Security.PasswordProviderclearTextPassword(String password) Specifies that the password is the provided clear textString.static Security.PasswordProviderfileBasedPassword(String passwordFilePath) Specifies that the password is located in the file path represented in the providedString.static Security.PasswordProviderfileBasedPassword(Path passwordFilePath) Specifies that the password is located in the provided filePath.static Security.ExistingKeyStorejceksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.ExistingKeyStorejceksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.TrustStoreModeljceksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) Returns a JCEKS file basedSecurity.TrustStoreModel.static Security.TrustStoreModeljceksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) Returns a JCEKS file basedSecurity.TrustStoreModel.static Security.ExistingKeyStorejksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.ExistingKeyStorejksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.TrustStoreModeljksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) Returns a JKS file basedSecurity.TrustStoreModel.static Security.TrustStoreModeljksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) Returns a JKS file basedSecurity.TrustStoreModel.static Security.TrustStoreModelReturns aSecurity.TrustStoreModelwhich will use the JVM truststore.static Security.ExistingKeyStorepkcs11KeyStore(Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.ExistingKeyStorepkcs12KeyStore(String keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.ExistingKeyStorepkcs12KeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.static Security.TrustStoreModelpkcs12TrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) Returns a PKCS#12 file basedSecurity.TrustStoreModel.static Security.TrustStoreModelpkcs12TrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) Returns a PKCS#12 file basedSecurity.TrustStoreModel.static Security.PasswordProviderSpecifies that the setup component is not protected by a password.
-
Method Details
-
unprotected
Specifies that the setup component is not protected by a password.This provider can only be used for
Security.KeyStoreModelorSecurity.ExistingTrustStoreModel.- Returns:
- A
Security.PasswordProviderto use when creating a setup component
-
clearTextPassword
public static Security.PasswordProvider clearTextPassword(String password) throws com.forgerock.opendj.cli.ArgumentException Specifies that the password is the provided clear textString.The password will be stored in a dedicated file located in the instance
- Parameters:
password- The clear text password- Returns:
- A
Security.PasswordProviderto use when creating a setup component - Throws:
com.forgerock.opendj.cli.ArgumentException- If the provided password is empty
-
fileBasedPassword
public static Security.PasswordProvider fileBasedPassword(String passwordFilePath) throws com.forgerock.opendj.cli.ArgumentException Specifies that the password is located in the file path represented in the providedString.The server configuration will refers to the provided file path
- Parameters:
passwordFilePath- Path of the password- Returns:
- A
Security.PasswordProviderto use when creating a setup component - Throws:
com.forgerock.opendj.cli.ArgumentException- If the provided file does not exists or cannot be read
-
fileBasedPassword
public static Security.PasswordProvider fileBasedPassword(Path passwordFilePath) throws com.forgerock.opendj.cli.ArgumentException Specifies that the password is located in the provided filePath.The server configuration will refers to the provided file path
- Parameters:
passwordFilePath- Path of the password- Returns:
- A
Security.PasswordProviderto use when creating a setup component - Throws:
com.forgerock.opendj.cli.ArgumentException- If the provided file does not exists or cannot be read
-
jksKeyStore
public static Security.ExistingKeyStore jksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
The
unprotected()provider is not allowed to be used with this method.- Parameters:
keyStorePath- The keystore pathpasswordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel) - Throws:
IllegalArgumentException- If theunprotected()password provider is used with this method
-
jksKeyStore
public static Security.ExistingKeyStore jksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
The
unprotected()provider is not allowed to be used with this method.- Parameters:
keyStorePath- The keystore pathpasswordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel) - Throws:
IllegalArgumentException- If theunprotected()password provider is used with this method
-
jceksKeyStore
public static Security.ExistingKeyStore jceksKeyStore(String keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jceksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
The
unprotected()provider is not allowed to be used with this method.- Parameters:
keyStorePath- The keystore pathpasswordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel) - Throws:
IllegalArgumentException- If theunprotected()password provider is used with this method
-
jceksKeyStore
public static Security.ExistingKeyStore jceksKeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.jceksKeyStore("/path/to/keystore", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
The
unprotected()provider is not allowed to be used with this method.- Parameters:
keyStorePath- The keystore pathpasswordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel) - Throws:
IllegalArgumentException- If theunprotected()password provider is used with this method
-
pkcs12KeyStore
public static Security.ExistingKeyStore pkcs12KeyStore(String keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.pkcs12KeyStore("/path/to/opendj", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
The
unprotected()provider is not allowed to be used with this method.- Parameters:
keyStorePath- The keystore pathpasswordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel) - Throws:
IllegalArgumentException- If theunprotected()password provider is used with this method
-
pkcs12KeyStore
public static Security.ExistingKeyStore pkcs12KeyStore(Path keyStorePath, Security.PasswordProvider passwordProvider) Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.pkcs12KeyStore("/path/to/opendj", Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
The
unprotected()provider is not allowed to be used with this method.- Parameters:
keyStorePath- The keystore pathpasswordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel) - Throws:
IllegalArgumentException- If theunprotected()password provider is used with this method
-
pkcs11KeyStore
Specifies keystore data to use to secure the server instance to setup.If the keystore contains multiple aliases, aliases which should be used by the server must be listed as follow: Security.pkcs11KeyStore(Security.clearTextStorePassword("somesecretphrase")) .addCertificateAliases("example-com", "foo-com");
- Parameters:
passwordProvider- The strategy to use to provide the keystore password- Returns:
- The created
Security.KeyStoreModelobject to use inSetup.useExistingCertificatesForTls(org.forgerock.opendj.setup.model.Security.KeyStoreModel, org.forgerock.opendj.setup.model.Security.TrustStoreModel)
-
jksTrustStore
public static Security.TrustStoreModel jksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException Returns a JKS file basedSecurity.TrustStoreModel.- Parameters:
trustStorePath- JKS truststore file pathpasswordProvider- The strategy to use to provide the truststore password- Returns:
- A
Security.TrustStoreModelwhich represents a JKS file. - Throws:
com.forgerock.opendj.cli.ArgumentException- If the file based JKS truststore cannot be loaded- See Also:
-
jksTrustStore
public static Security.TrustStoreModel jksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException Returns a JKS file basedSecurity.TrustStoreModel.- Parameters:
trustStorePath- JKS truststore file pathpasswordProvider- The strategy to use to provide the truststore password- Returns:
- A
Security.TrustStoreModelwhich represents a JKS file. - Throws:
com.forgerock.opendj.cli.ArgumentException- If the file based JKS truststore cannot be loaded- See Also:
-
jceksTrustStore
public static Security.TrustStoreModel jceksTrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException Returns a JCEKS file basedSecurity.TrustStoreModel.- Parameters:
trustStorePath- JCEKS truststore file pathpasswordProvider- The strategy to use to provide the truststore password- Returns:
- A
Security.TrustStoreModelwhich represents a JCEKS file. - Throws:
com.forgerock.opendj.cli.ArgumentException- If the file based JCEKS truststore cannot be loaded- See Also:
-
jceksTrustStore
public static Security.TrustStoreModel jceksTrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException Returns a JCEKS file basedSecurity.TrustStoreModel.- Parameters:
trustStorePath- JCEKS truststore file pathpasswordProvider- The strategy to use to provide the truststore password- Returns:
- A
Security.TrustStoreModelwhich represents a JCEKS file. - Throws:
com.forgerock.opendj.cli.ArgumentException- If the file based JCEKS truststore cannot be loaded- See Also:
-
pkcs12TrustStore
public static Security.TrustStoreModel pkcs12TrustStore(String trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException Returns a PKCS#12 file basedSecurity.TrustStoreModel.- Parameters:
trustStorePath- PKCS#12 truststore file pathpasswordProvider- The strategy to use to provide the truststore password- Returns:
- A
Security.TrustStoreModelwhich represents a PKCS#12. - Throws:
com.forgerock.opendj.cli.ArgumentException- If the file based PKCS#12 truststore cannot be loaded- See Also:
-
pkcs12TrustStore
public static Security.TrustStoreModel pkcs12TrustStore(Path trustStorePath, Security.PasswordProvider passwordProvider) throws com.forgerock.opendj.cli.ArgumentException Returns a PKCS#12 file basedSecurity.TrustStoreModel.- Parameters:
trustStorePath- PKCS#12 truststore file pathpasswordProvider- The strategy to use to provide the truststore password- Returns:
- A
Security.TrustStoreModelwhich represents a PKCS#12 file. - Throws:
com.forgerock.opendj.cli.ArgumentException- If the file based PKCS#12 truststore cannot be loaded- See Also:
-
jvmTrustStore
Returns aSecurity.TrustStoreModelwhich will use the JVM truststore.- Returns:
- a
Security.TrustStoreModelwhich will use the JVM truststore.
-
blindTrust
Returns aSecurity.TrustStoreModelwhich will blindly trust all certificates.- Returns:
- a
Security.TrustStoreModelwhich will blindly trust all certificates.
-