Class ServerTlsOptionsHeaplet

java.lang.Object
  org.forgerock.openig.heap.GenericHeaplet
    org.forgerock.openig.security.ServerTlsOptionsHeaplet

All Implemented Interfaces:
  Heaplet

public class ServerTlsOptionsHeaplet extends GenericHeaplet
Creates and initializes server-side TLS options in a heap environment.

  {
    "type": "ServerTlsOptions",
    "config": {
      ... parameters inherited from TlsOptionsHeaplet ...
      "clientAuth": String                                  [OPTIONAL]
      "sni": {                                              [OPTIONAL]
        "serverNames": Map of server names to secret Ids    [REQUIRED]
        "defaultSecretId": String                           [REQUIRED]
        "secretsProvider": SecretsProvider                  [REQUIRED]
      }
    }
  }
The clientAuth value states which client authentication the server expects and so determines the authentication negotiation between the client and server. Possible values are NONE (the default), REQUIRED and REQUEST. If it is set to REQUIRED or REQUEST, a trustManager must also be configured.

Either a keyManager or an SNI block must be present to provide server authentication. If both are set, the keyManager is ignored.
When SNI is enabled, if the server name provided during TLS handshake does not match any of the keys in the sni/serverNames map, then the sni/defaultSecretId will be used to retrieve the key/certificate pair from the sni/secretsProvider.
When SNI is enabled, the secret ID that selects the key/certificate chain is chosen by the following algorithm:
- Look for an exact match in the sni/serverNames map and get its associated secret ID
- Otherwise look for a "wildcard match" in the sni/serverNames map and get its associated secret ID
- Otherwise, use the sni/defaultSecretId
A "wildcard match" is an entry starting with '*.' and matches only the direct subdomains of the server name that follows it. Example: '*.test.com' matches 'my.test.com' but not 'my.sub.test.com'.
SNI configuration example:

  {
    "type": "ServerTlsOptions",
    "config": {
      "sni": {
        "serverNames": {
          "app1.example.com": "my.app1.secretId",
          "app2.example.com": "my.app2.secretId",
          "*.app3.test.com": "my.wildcard.app3.test.secretId",
          "*.test.com": "my.wildcard.test.secretId"
        },
        "defaultSecretId": "default.sni.secretId",
        "secretsProvider": {
          "type": "SecretsProvider",
          "config": {
            "stores": [secretStore1, secretStore2, secretStore3]
          }
        }
      }
    }
  }
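The following Python is an added example, not Identity Gateway code: it mirrors the two sets of rules documented above (the clientAuth/trustManager and keyManager/SNI constraints, and the exact-then-wildcard-then-default secret ID selection) so that the edge case in the wildcard rule can be checked against the serverNames map from the example. The config key names "keyManager" and "trustManager" for the inherited options, and the treatment of a handshake with no server name as "no match", are assumptions of this example.

```python
"""Added example: SNI secret-ID selection and config validation following
the rules documented for ServerTlsOptions. Illustrative only, not the
Identity Gateway implementation."""

from typing import Optional

# Constructed config: the serverNames/defaultSecretId from the SNI example
# above (secretsProvider is omitted; it is not needed for name resolution).
SNI_CONFIG = {
    "serverNames": {
        "app1.example.com": "my.app1.secretId",
        "app2.example.com": "my.app2.secretId",
        "*.app3.test.com": "my.wildcard.app3.test.secretId",
        "*.test.com": "my.wildcard.test.secretId",
    },
    "defaultSecretId": "default.sni.secretId",
}


def wildcard_pattern_for(server_name: str) -> Optional[str]:
    """Return the only '*.' entry that could match server_name.

    A wildcard entry matches direct subdomains only ('*.test.com' matches
    'my.test.com' but not 'my.sub.test.com'), so the sole candidate is '*'
    followed by everything after the first label.
    """
    label, sep, parent = server_name.partition(".")
    if not sep or not label or not parent:
        return None  # single-label name: no parent domain to wildcard
    return "*." + parent


def select_secret_id(sni: dict, server_name: Optional[str]) -> str:
    """Documented order: exact match, then wildcard match, then default."""
    names = sni["serverNames"]
    if server_name:  # assumption: a missing server name counts as no match
        if server_name in names:            # 1. exact match
            return names[server_name]
        pattern = wildcard_pattern_for(server_name)
        if pattern is not None and pattern in names:  # 2. wildcard match
            return names[pattern]
    return sni["defaultSecretId"]           # 3. fallback


def validate_server_tls_options(config: dict) -> list:
    """Return the configuration errors implied by the documented rules.

    Assumed key names for the inherited options: keyManager, trustManager.
    """
    errors = []
    client_auth = config.get("clientAuth", "NONE")
    if client_auth not in ("NONE", "REQUIRED", "REQUEST"):
        errors.append(f"unknown clientAuth value: {client_auth}")
    elif client_auth != "NONE" and "trustManager" not in config:
        errors.append(f"clientAuth {client_auth} requires a trustManager")
    if "keyManager" not in config and "sni" not in config:
        errors.append("either keyManager or sni must be configured")
    sni = config.get("sni")
    if sni is not None:
        for key in ("serverNames", "defaultSecretId", "secretsProvider"):
            if key not in sni:
                errors.append(f"sni/{key} is required")
    return errors


if __name__ == "__main__":
    for name in ("app1.example.com", "my.app3.test.com", "my.test.com",
                 "my.sub.test.com", None):
        print(name, "->", select_secret_id(SNI_CONFIG, name))
    # REQUIRED without a trustManager, and an sni block missing its
    # secretsProvider, are both reported.
    print(validate_server_tls_options({"clientAuth": "REQUIRED",
                                       "sni": SNI_CONFIG}))
```

The two-level name 'my.sub.test.com' is the case worth keeping in mind when writing the serverNames map: it falls through to defaultSecretId unless an explicit '*.sub.test.com' or exact entry exists, so the default secret's certificate is what such clients will be shown.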
See TlsOptionsHeaplet for a summary of the inherited configuration options.

See Also:
  TlsOptionsHeaplet, ServerTlsOptions.ClientAuthentication
Constructor Summary

  ServerTlsOptionsHeaplet()

Method Summary

  Object create()
      Called to request the heaplet create an object.

  protected TlsOptions tlsOptions(String algorithm, KeyManager[] keyManagers, TrustManager[] trustManagers, List<String> ciphers, List<String> protocols, boolean enableAlpn)
      Factory method creating appropriate TlsOptions.

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
  create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getSecretService, getSecretsProvider, getType, initialBindings, meterRegistryHolder, start
Method Detail

tlsOptions

  protected final TlsOptions tlsOptions(String algorithm, KeyManager[] keyManagers, TrustManager[] trustManagers, List<String> ciphers, List<String> protocols, boolean enableAlpn) throws HeapException

  Factory method creating appropriate TlsOptions.

  Parameters:
    algorithm - the SSL context algorithm name
    keyManagers - the array of KeyManagers to use
    trustManagers - the array of TrustManagers to use
    ciphers - the array of cipher suites to be enabled
    protocols - the array of protocols to be enabled
    enableAlpn - indicates whether ALPN (Application Layer Protocol Negotiation, a TLS extension) is enabled
  Returns:
    new TlsOptions subtype
  Throws:
    HeapException - should there be a configuration error

create

  public Object create() throws HeapException

  Description copied from class: GenericHeaplet
  Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.

  Specified by:
    create in class GenericHeaplet
  Returns:
    The created object.
  Throws:
    HeapException - if an exception occurred during creation of the heap object or any of its dependencies.