Class ServerTlsOptionsHeaplet

java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.security.ServerTlsOptionsHeaplet
All Implemented Interfaces:
Heaplet

public class ServerTlsOptionsHeaplet extends GenericHeaplet
Creates and initializes server-side TLS options in a heap environment.
  {
    "type": "ServerTlsOptions",
    "config": {
      ... parameters inherited from TlsOptionsHeaplet ...
      "clientAuth"                 : String                            [OPTIONAL]
      "sni"                        : {                                 [OPTIONAL]
        "serverNames"              : Map of server names to secret Ids [REQUIRED]
        "defaultSecretId"          : String                            [REQUIRED]
        "secretsProvider"          : SecretsProvider                   [REQUIRED]
      }
    }
  }

The clientAuth option states the client authentication the server expects and so determines how client authentication is negotiated between the client and server. Possible values are NONE (the default), REQUIRED and REQUEST. If it is set to REQUIRED or REQUEST, a trustManager must also be configured.

Either a keyManager or an sni block must be present to provide server authentication. If both are set, the keyManager is ignored.

When SNI is enabled and the server name provided during the TLS handshake does not match any key in the sni/serverNames map, the sni/defaultSecretId is used to retrieve the key/certificate pair from the sni/secretsProvider.

When SNI is enabled, the secret ID that selects the key/certificate chain is chosen as follows:

  1. Look for an exact match in the sni/serverNames map and get its associated secret ID
  2. Otherwise look for a "wildcard match" in the sni/serverNames map and get its associated secret ID
  3. Otherwise, use the sni/defaultSecretId

A "wildcard match" matches the direct subdomains of a server name whose map key starts with '*.'. Example: '*.test.com' matches 'my.test.com' but not 'my.sub.test.com'.
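The three-step selection above, written out as a small stand-alone resolver. This is an added example and not OpenIG's own implementation: the class name SniSecretIdResolver, the method resolve and the sample serverNames map are constructed for illustration, and case-insensitive comparison of server names is an assumption the page does not state. The wildcard step derives the single candidate key "*." plus everything after the first label, so "*.test.com" is consulted for "my.test.com" but not for "my.sub.test.com", which yields the candidate "*.sub.test.com" instead.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Added example (not OpenIG code): resolves an SNI server name to a secret ID
 * using the exact-match, wildcard-match, default order described above.
 */
public final class SniSecretIdResolver {

    private final Map<String, String> serverNames = new LinkedHashMap<>();
    private final String defaultSecretId;

    public SniSecretIdResolver(Map<String, String> serverNames, String defaultSecretId) {
        // Assumption: host names are compared case-insensitively, so normalise the keys once.
        for (Map.Entry<String, String> e : serverNames.entrySet()) {
            this.serverNames.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        }
        this.defaultSecretId = defaultSecretId;
    }

    /**
     * 1. exact match in serverNames; 2. wildcard match on the direct parent domain;
     * 3. otherwise the default secret ID.
     */
    public String resolve(String serverName) {
        if (serverName == null || serverName.isEmpty()) {
            // Client sent no SNI extension: nothing to match, use the default.
            return defaultSecretId;
        }
        String name = serverName.toLowerCase(Locale.ROOT);

        // Step 1: exact match.
        String exact = serverNames.get(name);
        if (exact != null) {
            return exact;
        }

        // Step 2: wildcard match. Only the direct parent is a candidate, so
        // "my.sub.test.com" looks up "*.sub.test.com", never "*.test.com".
        int firstDot = name.indexOf('.');
        if (firstDot > 0 && firstDot < name.length() - 1) {
            String wildcardKey = "*" + name.substring(firstDot);
            String viaWildcard = serverNames.get(wildcardKey);
            if (viaWildcard != null) {
                return viaWildcard;
            }
        }

        // Step 3: fall back to the default secret ID.
        return defaultSecretId;
    }

    public static void main(String[] args) {
        // Constructed sample map, mirroring the page's SNI configuration example.
        Map<String, String> names = new LinkedHashMap<>();
        names.put("app1.example.com", "my.app1.secretId");
        names.put("app2.example.com", "my.app2.secretId");
        names.put("*.app3.test.com", "my.wildcard.app3.test.secretId");
        names.put("*.test.com", "my.wildcard.test.secretId");

        SniSecretIdResolver resolver = new SniSecretIdResolver(names, "default.sni.secretId");

        String[] probes = {
            "app1.example.com",      // exact match
            "APP2.example.com",      // exact match after case normalisation (assumption)
            "my.test.com",           // wildcard match on *.test.com
            "my.app3.test.com",      // wildcard match on *.app3.test.com
            "my.sub.test.com",       // no match: *.test.com does not cover two levels
            "test.com",              // no match: a wildcard does not cover the apex itself
            null                     // no SNI sent
        };
        for (String probe : probes) {
            System.out.println(probe + " -> " + resolver.resolve(probe));
        }
    }
}
```

Running the class prints one line per probe showing which secret ID each server name selects; the last three probes all resolve to the default, which is the behaviour a defender should verify when deciding whether a multi-level hostname needs its own serverNames entry rather than relying on a parent wildcard.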

SNI configuration example:

 {
   "type": "ServerTlsOptions",
   "config": {
     "sni": {
       "serverNames": {
         "app1.example.com": "my.app1.secretId",
         "app2.example.com": "my.app2.secretId",
         "*.app3.test.com": "my.wildcard.app3.test.secretId",
         "*.test.com": "my.wildcard.test.secretId"
       },
       "defaultSecretId": "default.sni.secretId",
       "secretsProvider": {
         "type": "SecretsProvider",
         "config": {
           "stores": [secretStore1, secretStore2, secretStore3]
         }
       }
     }
   }
 }

See TlsOptionsHeaplet for a summary of the inherited configuration options.

  • Constructor Details

    • ServerTlsOptionsHeaplet

      public ServerTlsOptionsHeaplet()
  • Method Details

    • tlsOptions

      protected final TlsOptions tlsOptions(String algorithm, KeyManager[] keyManagers, TrustManager[] trustManagers, List<String> ciphers, List<String> protocols, boolean enableAlpn) throws HeapException
      Factory method creating appropriate TlsOptions.
      Parameters:
      algorithm - the SSL context algorithm name
      keyManagers - the array of KeyManagers to use
      trustManagers - the array of TrustManagers to use
      ciphers - the list of cipher suites to be enabled
      protocols - the list of protocols to be enabled
      enableAlpn - whether ALPN (Application Layer Protocol Negotiation, a TLS extension) is enabled
      Returns:
      new TlsOptions subtype
      Throws:
      HeapException - should there be a configuration error
    • create

      public Object create() throws HeapException
      Description copied from class: GenericHeaplet
      Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
      Specified by:
      create in class GenericHeaplet
      Returns:
      The created object.
      Throws:
      HeapException - if an exception occurred during creation of the heap object or any of its dependencies.