Class Security
Securing communications means providing:
- Certificate(s) which represent the server identity
- The certificate of the CA signing all server certificates
- Optionally, a list of certificates of trusted servers
Different strategies can be used:
- Use the server's deployment ID. This is the default behavior and is suitable when the server is set up in a private network. In other words, this strategy is not appropriate for public-facing services, for which a public CA certificate and SSL key pair are generally needed.
- Provide an existing CA certificate and SSL key pair. This strategy is more complex to configure but should generally be used when implementing public-facing services or when the network security policy mandates the use of externally acquired and approved SSL assets.
Nested Class Summary
- static class Security.KeyStoreModel: Represents keystore data which will be used to secure the server instance to set up.
- static class Security.PasswordProvider: Represents a strategy to retrieve an existing password.
- static class Security.TrustStoreModel: Represents a truststore to trust remote server certificates.
Method Summary
- static Security.TrustStoreModel blindTrust(): Returns a Security.TrustStoreModel which will blindly trust all certificates.
- static Security.PasswordProvider clearTextPassword(String password): Specifies that the password is the provided clear text String.
- static Security.KeyStoreModel fileBasedKeyStore(String keyStoreType, String keyStorePath, Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider): Specifies keystore data to use to secure the server instance to set up.
- static Security.KeyStoreModel fileBasedKeyStore(String keyStoreType, Path keyStorePath, Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider): Specifies keystore data to use to secure the server instance to set up.
- static Security.PasswordProvider fileBasedPassword(Path passwordFilePath): Specifies that the password is located in the provided file path.
- static Security.TrustStoreModel fileBasedTrustStore(String trustStoreType, Path trustStorePath, Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider): Returns a file-based Security.TrustStoreModel.
- static Security.TrustStoreModel jvmTrustStore(): Returns a Security.TrustStoreModel which will use the JVM truststore.
- static Security.KeyStoreModel pkcs11KeyStore(Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider): Specifies keystore data to use to secure the server instance to set up.
- static Security.TrustStoreModel pkcs11TrustStore(Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider): Returns a PKCS#11-based Security.TrustStoreModel.
- static Security.PasswordProvider unprotected(): Specifies that the setup component is not protected by a password.
Method Details
unprotected
public static Security.PasswordProvider unprotected()
Specifies that the setup component is not protected by a password. This provider can only be used for Security.KeyStoreModel or Security.ExistingTrustStoreModel.
- Returns: A Security.PasswordProvider to use when creating a setup component
clearTextPassword
public static Security.PasswordProvider clearTextPassword(String password) throws com.forgerock.opendj.cli.ArgumentException
Specifies that the password is the provided clear text String. The password will be stored in a dedicated file located in the instance.
- Parameters: password - The clear text password
- Returns: A Security.PasswordProvider to use when creating a setup component
- Throws: com.forgerock.opendj.cli.ArgumentException - If the provided password is empty
fileBasedPassword
public static Security.PasswordProvider fileBasedPassword(Path passwordFilePath) throws com.forgerock.opendj.cli.ArgumentException
Specifies that the password is located in the provided file path. The server configuration will refer to the provided file path.
- Parameters: passwordFilePath - Path of the password file
- Returns: A Security.PasswordProvider to use when creating a setup component
- Throws: com.forgerock.opendj.cli.ArgumentException - If the provided file does not exist or cannot be read
fileBasedKeyStore
public static Security.KeyStoreModel fileBasedKeyStore(String keyStoreType, String keyStorePath, Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:
    Security.fileBasedKeyStore("PKCS12", "/path/to/keystore", Security.clearTextPassword("somesecretphrase"), securityProvider)
            .addCertificateAliases("example-com", "foo-com");
The unprotected() provider is not allowed to be used with this method.
- Parameters:
  - keyStoreType - The keystore type (see KeyManagers.JKS, KeyManagers.JCEKS, KeyManagers.PKCS12, etc.)
  - keyStorePath - The keystore path
  - passwordProvider - The strategy to use to provide the keystore password
  - securityProvider - The keystore file provider to use when loading the keystore. May be null to use the default.
- Returns: The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(Security.KeyStoreModel, Security.TrustStoreModel)
- Throws: IllegalArgumentException - If the unprotected() password provider is used with this method
fileBasedKeyStore
public static Security.KeyStoreModel fileBasedKeyStore(String keyStoreType, Path keyStorePath, Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:
    Security.fileBasedKeyStore("PKCS12", Paths.get("/path/to/keystore"), Security.clearTextPassword("somesecretphrase"), securityProvider)
            .addCertificateAliases("example-com", "foo-com");
The unprotected() provider is not allowed to be used with this method.
- Parameters:
  - keyStoreType - The keystore type (see KeyManagers.JKS, KeyManagers.JCEKS, KeyManagers.PKCS12, etc.)
  - keyStorePath - The keystore path
  - passwordProvider - The strategy to use to provide the keystore password
  - securityProvider - The keystore file provider to use when loading the keystore. May be null to use the default.
- Returns: The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(Security.KeyStoreModel, Security.TrustStoreModel)
- Throws: IllegalArgumentException - If the unprotected() password provider is used with this method
pkcs11KeyStore
public static Security.KeyStoreModel pkcs11KeyStore(Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider)
Specifies keystore data to use to secure the server instance to set up. If the keystore contains multiple aliases, the aliases which should be used by the server must be listed as follows:
    Security.pkcs11KeyStore(Security.clearTextPassword("somesecretphrase"), null)
            .addCertificateAliases("example-com", "foo-com");
- Parameters:
  - passwordProvider - The strategy to use to provide the keystore password
  - securityProvider - The keystore file provider to use when loading the keystore. May be null to use the default.
- Returns: The created Security.KeyStoreModel object to use in Setup.useExistingCertificatesForTls(Security.KeyStoreModel, Security.TrustStoreModel)
fileBasedTrustStore
public static Security.TrustStoreModel fileBasedTrustStore(String trustStoreType, Path trustStorePath, Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a file-based Security.TrustStoreModel.
- Parameters:
  - trustStoreType - The type of the truststore (JKS, JCEKS, PKCS12, etc.)
  - trustStorePath - The truststore file path
  - passwordProvider - The strategy to use to provide the truststore password
  - securityProvider - The keystore file provider to use when loading the truststore. May be null to use the default provider.
- Returns: A Security.TrustStoreModel which represents a truststore file.
- Throws: com.forgerock.opendj.cli.ArgumentException - If the file-based truststore cannot be loaded
pkcs11TrustStore
public static Security.TrustStoreModel pkcs11TrustStore(Security.PasswordProvider passwordProvider, KeyManagers.SecurityProvider securityProvider) throws com.forgerock.opendj.cli.ArgumentException
Returns a PKCS#11-based Security.TrustStoreModel.
- Parameters:
  - passwordProvider - The strategy to use to provide the truststore password
  - securityProvider - The keystore file provider to use when loading the truststore. May be null to use the default provider.
- Returns: A Security.TrustStoreModel which represents a PKCS#11 truststore.
- Throws: com.forgerock.opendj.cli.ArgumentException - If the PKCS#11 truststore cannot be loaded
jvmTrustStore
public static Security.TrustStoreModel jvmTrustStore()
Returns a Security.TrustStoreModel which will use the JVM truststore.
- Returns: A Security.TrustStoreModel which will use the JVM truststore
blindTrust
public static Security.TrustStoreModel blindTrust()
Returns a Security.TrustStoreModel which will blindly trust all certificates, i.e. remote server certificates are not validated against any trust anchor.
- Returns: A Security.TrustStoreModel which will blindly trust all certificates
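The following is an added example, not code from the OpenDJ Javadoc or the project itself, showing the "provide an existing CA certificate and SSL key pair" strategy from the class description wired together end to end: a file-based keystore for the server identity (fileBasedKeyStore with a file-based password), a CA truststore for remote servers (fileBasedTrustStore, or the JVM truststore), and the resulting models handed to Setup.useExistingCertificatesForTls. It assumes the package names in the import statements, that a Setup instance is obtained elsewhere and passed in, and the file paths and alias are constructed sample values; blindTrust() is shown only as the opt-in choice for throwaway test instances, since it disables validation of remote server certificates.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

import com.forgerock.opendj.cli.ArgumentException;
// Assumed package locations for the classes documented on this page.
import org.forgerock.opendj.security.KeyManagers;
import org.forgerock.opendj.setup.model.Security;
import org.forgerock.opendj.setup.model.Setup;

/** Added example: configures TLS for a setup with operator-provided certificates. */
public final class ExistingCertificatesTlsExample {

    /** How remote server certificates (e.g. replication peers) are validated. */
    public enum TrustMode { CA_TRUSTSTORE_FILE, JVM_TRUSTSTORE, BLIND_TEST_ONLY }

    /** Directory holding the operator-provided TLS assets (constructed sample path). */
    private static final Path TLS_DIR = Paths.get("/opt/opendj/tls");

    /**
     * Builds the keystore and truststore models and registers them with the setup.
     *
     * @param setup the setup being configured (assumed to be created by the caller)
     * @param mode  which trust anchors to use for remote server certificates
     * @throws ArgumentException if a password file cannot be read or the truststore cannot be loaded
     */
    public static void configureTls(Setup setup, TrustMode mode) throws ArgumentException {
        // Keystore password read from a file that the server configuration will reference.
        // fileBasedPassword throws ArgumentException if the file is missing or unreadable,
        // so a misconfigured deployment fails here rather than at first TLS handshake.
        Security.PasswordProvider keyStorePassword =
                Security.fileBasedPassword(TLS_DIR.resolve("keystore.pin"));

        // Server identity: a PKCS#12 keystore holding the CA-issued server certificate.
        // null selects the default security provider. Note that unprotected() is rejected
        // by fileBasedKeyStore with an IllegalArgumentException, so a password is required.
        Security.KeyStoreModel keyStore = Security.fileBasedKeyStore(
                KeyManagers.PKCS12,
                TLS_DIR.resolve("server-keystore.p12"),
                keyStorePassword,
                null);
        // Only serve the listed alias when the keystore contains several entries.
        keyStore.addCertificateAliases("ldap.example.com");

        Security.TrustStoreModel trustStore;
        switch (mode) {
            case CA_TRUSTSTORE_FILE:
                // Dedicated truststore containing only the organization's CA certificate:
                // the narrowest trust anchor set, preferred for production.
                trustStore = Security.fileBasedTrustStore(
                        KeyManagers.PKCS12,
                        TLS_DIR.resolve("ca-truststore.p12"),
                        Security.fileBasedPassword(TLS_DIR.resolve("truststore.pin")),
                        null);
                break;
            case JVM_TRUSTSTORE:
                // Trust whatever the JVM already trusts (public CAs plus anything an
                // administrator imported into the JVM truststore).
                trustStore = Security.jvmTrustStore();
                break;
            case BLIND_TEST_ONLY:
            default:
                // No validation of remote certificates at all: acceptable only for
                // disposable test instances, never where peers must be authenticated.
                trustStore = Security.blindTrust();
                break;
        }

        setup.useExistingCertificatesForTls(keyStore, trustStore);
    }

    private ExistingCertificatesTlsExample() {
        // utility class
    }
}
```

A caller that has built its Setup object invokes configureTls(setup, TrustMode.CA_TRUSTSTORE_FILE) before running the setup; the password files referenced by fileBasedPassword must exist and be readable at that point, and the keystore and truststore types passed to the two factory methods must match the on-disk formats.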