java.lang.Object
- org.forgerock.openig.heap.GenericHeaplet
- - org.forgerock.openig.security.ServerTlsOptionsHeaplet

All Implemented Interfaces:

Heaplet
```
public class ServerTlsOptionsHeaplet
extends GenericHeaplet
```
Creates and initializes server-side TLS options in a heap environment.
```
 
  {
    "type": "ServerTlsOptions",
    "config": {
      ... parameters inherited from TlsOptionsHeaplet ...
      "clientAuth"                 : String                            [OPTIONAL]
      "sni"                        : {                                 [OPTIONAL]
        "serverNames"              : Map of server names to secret Ids [REQUIRED]
        "defaultSecretId"          : String                            [REQUIRED]
        "secretsProvider"          : SecretsProvider                   [REQUIRED]
      }
    }
   }
  
 
```
The clientAuth represents the expected client authentication to be provided and determines the authentication negotiation between the client and server. Possible values are NONE (the default), REQUIRED and REQUEST. If this is configured to use REQUIRED or REQUEST then a trustManager must also be configured.
Either a keyManager or a SNI block must be present to provide server authentication. if both are set, the keyManager will be ignored.
When SNI is enabled, if the server name provided during TLS handshake does not match any of the keys in the sni/serverNames map, then the sni/defaultSecretId will be used to retrieve the key/certificate pair from the sni/secretsProvider.
When SNI is enabled, secret ID mapped to the key/certificate chain selection follows this algorithm :
1. Look for an exact match in the sni/serverNames map and get its associated secret ID
2. Otherwise look for a "wildcard match" in the sni/serverNames map and get its associated secret ID
3. Otherwise, use the sni/defaultSecretId
A "wildcard match" allows to match the direct subdomains of a server name starting with '*.'. Example : '*.test.com' will match 'my.test.com' but not 'my.sub.test.com'.
SNI Configuration example :
```
 
 {
   "type": "ServerTlsOptions",
   "config": {
     "sni": {
       "serverNames": {
         "app1.example.com": "my.app1.secretId",
         "app2.example.com": "my.app2.secretId",
         "*.app3.test.com": "my.wildcard.app3.test.secretId",
         "*.test.com": "my.wildcard.test.secretId"
       },
       "defaultSecretId" : "default.sni.secretId"
       "secretsProvider": {
         "type": "SecretsProvider",
         "config": {
           "stores": [secretStore1, secretStore2, secretStore3]
         }
       }
     }
   }
 }
 
 
```
See TlsOptionsHeaplet for a summary of the inherited configuration options.
See Also:

TlsOptionsHeaplet, ServerTlsOptions.ClientAuthentication

Field Summary
- Fields inherited from class org.forgerock.openig.heap.GenericHeaplet
  config, heap, name, object, qualified

Constructor Summary

Constructors
Constructor Description

ServerTlsOptionsHeaplet()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`Object`	`create()`	Called to request the heaplet create an object.
`protected TlsOptions`	`tlsOptions(String algorithm, KeyManager[] keyManagers, TrustManager[] trustManagers, List<String> ciphers, List<String> protocols, boolean enableAlpn)`	Factory method creating appropriate `TlsOptions`.

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getSecretService, getSecretsProvider, getType, initialBindings, meterRegistryHolder, start

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - ServerTlsOptionsHeaplet
```
public ServerTlsOptionsHeaplet()
```
- Method Detail
  - tlsOptions
```
protected final TlsOptions tlsOptions(String algorithm,
                                      KeyManager[] keyManagers,
                                      TrustManager[] trustManagers,
                                      List<String> ciphers,
                                      List<String> protocols,
                                      boolean enableAlpn)
                               throws HeapException
```
    Factory method creating appropriate TlsOptions.
    
    Parameters:
    
    algorithm - the SSL context algorithm name
    
    keyManagers - the array of KeyManagers to use
    
    trustManagers - the array of TrustManagers to use
    
    ciphers - the array of cipher suites to be enabled
    
    protocols - the array of protocols to be enabled
    
    enableAlpn - indicate if ALPN (Application Layer Protocol Negotiation, a TLS extension) enabled
    
    Returns:
    
    new TlsOptions subtype
    
    Throws:
    
    HeapException - should there be a configuration error
  - create
```
public Object create()
              throws HeapException
```
    Description copied from class: GenericHeaplet
    
    Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
    
    Specified by:
    
    create in class GenericHeaplet
    
    Returns:
    
    The created object.
    
    Throws:
    
    HeapException - if an exception occurred during creation of the heap object or any of its dependencies.

Class ServerTlsOptionsHeaplet

Field Summary

Fields inherited from class org.forgerock.openig.heap.GenericHeaplet

Constructor Summary

Method Summary

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet

Methods inherited from class java.lang.Object

Constructor Detail

ServerTlsOptionsHeaplet

Method Detail

tlsOptions

create