Class ServerTlsOptionsHeaplet

  • All Implemented Interfaces:
    Heaplet

    public class ServerTlsOptionsHeaplet
    extends GenericHeaplet
    Creates and initializes server-side TLS options in a heap environment.
      {
        "type": "ServerTlsOptions",
        "config": {
          ... parameters inherited from TlsOptionsHeaplet ...
          "clientAuth"                 : String                            [OPTIONAL]
          "sni"                        : {                                 [OPTIONAL]
            "serverNames"              : Map of server names to secret Ids [REQUIRED]
            "defaultSecretId"          : String                            [REQUIRED]
            "secretsProvider"          : SecretsProvider                   [REQUIRED]
          }
        }
      }

    The clientAuth value specifies the client authentication the server expects and determines how authentication is negotiated between the client and the server. Possible values are NONE (the default), REQUIRED and REQUEST. If REQUIRED or REQUEST is configured, a trustManager must also be configured, since the server needs a trust store to validate the client certificate.

    Either a keyManager or an SNI block must be present to provide server authentication. If both are set, the keyManager is ignored.

    When SNI is enabled, if the server name provided during TLS handshake does not match any of the keys in the sni/serverNames map, then the sni/defaultSecretId will be used to retrieve the key/certificate pair from the sni/secretsProvider.

    When SNI is enabled, the secret ID used to select the key/certificate chain is chosen with the following algorithm:

    1. Look for an exact match in the sni/serverNames map and get its associated secret ID
    2. Otherwise look for a "wildcard match" in the sni/serverNames map and get its associated secret ID
    3. Otherwise, use the sni/defaultSecretId

    A "wildcard match" is a key starting with '*.' that matches the direct subdomains of the remaining server name, and only those (a single label, not deeper subdomains). Example: '*.test.com' matches 'my.test.com' but not 'my.sub.test.com'.

    SNI Configuration example :

     {
       "type": "ServerTlsOptions",
       "config": {
         "sni": {
           "serverNames": {
             "app1.example.com": "my.app1.secretId",
             "app2.example.com": "my.app2.secretId",
             "*.app3.test.com": "my.wildcard.app3.test.secretId",
             "*.test.com": "my.wildcard.test.secretId"
           },
           "defaultSecretId": "default.sni.secretId",
           "secretsProvider": {
             "type": "SecretsProvider",
             "config": {
               "stores": [secretStore1, secretStore2, secretStore3]
             }
           }
         }
       }
     }
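    The three-step selection (exact match, then wildcard match, then default) applied to the serverNames map above, written out as a small stand-alone Java class. This is an added illustration, not the heaplet's own code: the class name SniSecretSelector, its constructor and the case-insensitive comparison of host names are assumptions made here, and it only returns the secret ID, leaving retrieval from the SecretsProvider out.

    ```java
    import java.util.LinkedHashMap;
    import java.util.Locale;
    import java.util.Map;

    /**
     * Illustrative SNI secret-ID selection (hypothetical class, not part of the heaplet).
     * Mirrors the documented order: exact match, wildcard match, default secret ID.
     */
    public final class SniSecretSelector {

        private final Map<String, String> serverNames;
        private final String defaultSecretId;

        public SniSecretSelector(Map<String, String> serverNames, String defaultSecretId) {
            // Assumption: host names are compared case-insensitively, as DNS names are.
            this.serverNames = new LinkedHashMap<>();
            serverNames.forEach((name, id) -> this.serverNames.put(name.toLowerCase(Locale.ROOT), id));
            this.defaultSecretId = defaultSecretId;
        }

        /** Returns the secret ID to use for the SNI server name sent by the client. */
        public String selectSecretId(String serverName) {
            if (serverName == null || serverName.isEmpty()) {
                // Client sent no SNI extension: only the default can apply.
                return defaultSecretId;
            }
            String name = serverName.toLowerCase(Locale.ROOT);

            // 1. Exact match in the serverNames map.
            String exact = serverNames.get(name);
            if (exact != null) {
                return exact;
            }
            // 2. Wildcard match: a '*.' key covering the direct parent of the name.
            for (Map.Entry<String, String> entry : serverNames.entrySet()) {
                if (wildcardMatches(entry.getKey(), name)) {
                    return entry.getValue();
                }
            }
            // 3. Fall back to the default secret ID.
            return defaultSecretId;
        }

        /** '*.test.com' matches 'my.test.com' (one extra label) but not 'my.sub.test.com'. */
        static boolean wildcardMatches(String pattern, String name) {
            if (!pattern.startsWith("*.")) {
                return false;
            }
            String suffix = pattern.substring(1);            // "*.test.com" -> ".test.com"
            if (!name.endsWith(suffix)) {
                return false;
            }
            String head = name.substring(0, name.length() - suffix.length()); // "my"
            return !head.isEmpty() && head.indexOf('.') < 0;  // exactly one label
        }

        public static void main(String[] args) {
            // Constructed from the configuration example on this page.
            Map<String, String> names = new LinkedHashMap<>();
            names.put("app1.example.com", "my.app1.secretId");
            names.put("app2.example.com", "my.app2.secretId");
            names.put("*.app3.test.com", "my.wildcard.app3.test.secretId");
            names.put("*.test.com", "my.wildcard.test.secretId");
            SniSecretSelector selector = new SniSecretSelector(names, "default.sni.secretId");

            String[] probes = {
                "app1.example.com",      // exact -> my.app1.secretId
                "my.test.com",           // wildcard -> my.wildcard.test.secretId
                "x.app3.test.com",       // more specific wildcard -> my.wildcard.app3.test.secretId
                "my.sub.test.com",       // two labels below test.com -> default
                "unknown.example.org",   // no match -> default
                null                     // no SNI sent -> default
            };
            for (String probe : probes) {
                System.out.println(probe + " -> " + selector.selectSecretId(probe));
            }
        }
    }
    ```

    Note that 'x.app3.test.com' is covered only by '*.app3.test.com': '*.test.com' does not apply because 'x.app3' contains a dot, so there is no ambiguity between the two wildcard entries. Whatever certificate sits behind defaultSecretId is what every client presenting an unrecognised or absent server name will see, so it should be the one you intend to serve publicly.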

    See TlsOptionsHeaplet for a summary of the inherited configuration options.

    See Also:
    TlsOptionsHeaplet, ServerTlsOptions.ClientAuthentication
    • Constructor Detail

      • ServerTlsOptionsHeaplet

        public ServerTlsOptionsHeaplet()
    • Method Detail

      • tlsOptions

        protected final TlsOptions tlsOptions(String algorithm,
                                              KeyManager[] keyManagers,
                                              TrustManager[] trustManagers,
                                              List<String> ciphers,
                                              List<String> protocols,
                                              boolean enableAlpn)
                                       throws HeapException
        Factory method creating appropriate TlsOptions.
        Parameters:
        algorithm - the SSL context algorithm name
        keyManagers - the array of KeyManagers to use
        trustManagers - the array of TrustManagers to use
        ciphers - the list of cipher suites to be enabled
        protocols - the list of protocols to be enabled
        enableAlpn - whether ALPN (Application Layer Protocol Negotiation, a TLS extension) is enabled
        Returns:
        new TlsOptions subtype
        Throws:
        HeapException - should there be a configuration error