Class SecurityConfig

  • public class SecurityConfig
    extends Object
    The SecurityConfig allows to enable transport encryption between the client and the servers.
    • Method Detail

      • create

        public static SecurityConfig create()
        Creates a SecurityConfig with the default configuration.
        the default security config.
      • enableTls

        public static SecurityConfig.Builder enableTls​(boolean tlsEnabled)
        Enables TLS for all client/server communication (disabled by default).
        tlsEnabled - true if enabled, false otherwise.
        this SecurityConfig.Builder for chaining purposes.
      • enableHostnameVerification

        public static SecurityConfig.Builder enableHostnameVerification​(boolean hostnameVerificationEnabled)
        Allows enabling or disabling hostname verification (enabled by default).

        Note that disabling hostname verification will cause the TLS connection to not verify that the hostname/ip is actually part of the certificate and as a result not detect certain kinds of attacks. Only disable if you understand the impact and risks!

        hostnameVerificationEnabled - set to true if it should be enabled, false for disabled.
        this SecurityConfig.Builder for chaining purposes.
      • enableNativeTls

        public static SecurityConfig.Builder enableNativeTls​(boolean nativeTlsEnabled)
        Enables/disables native TLS (enabled by default).
        nativeTlsEnabled - true if it should be enabled, false otherwise.
        this SecurityConfig.Builder for chaining purposes.
      • trustCertificate

        public static SecurityConfig.Builder trustCertificate​(Path certificatePath)
        Loads X.509 certificates from the specified file into the trust store.
        certificatePath - the path to load the certificates from.
        this SecurityConfig.Builder for chaining purposes.
      • ciphers

        public static SecurityConfig.Builder ciphers​(List<String> ciphers)
        Allows to customize the list of ciphers that is negotiated with the cluster.

        Note that this method is considered advanced API, please only customize the cipher list if you know what you are doing (for example if you want to shrink the cipher list down to a very specific subset for security or compliance reasons).

        If no custom ciphers are configured, the default set will be used.

        ciphers - the custom list of ciphers to use.
        this SecurityConfig.Builder for chaining purposes.
      • tlsEnabled

        public boolean tlsEnabled()
        True if TLS is enabled, false otherwise.
        a boolean if tls/transport encryption is enabled.
      • hostnameVerificationEnabled

        public boolean hostnameVerificationEnabled()
        True if TLS hostname verification is enabled, false otherwise.
      • trustCertificates

        public List<X509Certificate> trustCertificates()
        The list of trust certificates that should be used, if present.
        the list of certificates.
      • trustManagerFactory

        public TrustManagerFactory trustManagerFactory()
        The currently configured trust manager factory, if present.
        the trust manager factory.
      • nativeTlsEnabled

        public boolean nativeTlsEnabled()
        Returns whether native TLS is enabled.
        true if enabled, false otherwise.
      • ciphers

        public List<String> ciphers()
        Returns the custom list of ciphers.
        the custom list of ciphers.
      • decodeCertificates

        public static List<X509Certificate> decodeCertificates​(List<String> certificates)
        Helper method to decode string-encoded certificates into their x.509 format.
        certificates - the string-encoded certificates.
        the decoded certs in x.509 format.
      • defaultCiphers

        public static List<String> defaultCiphers​(boolean nativeTlsEnabled)
        Lists the default ciphers used for this platform.

        Note that the list of ciphers can differ whether native TLS is enabled or not, so the parameter should reflect the actual security configuration used. Native TLS is enabled by default on the configuration, so if it is not overridden it should be set to true here as well.

        nativeTlsEnabled - if native TLS is enabled on the security configuration (defaults to yes there).
        the list of default ciphers.
      • defaultCaCertificates

        public static List<X509Certificate> defaultCaCertificates()
        Returns the Certificate Authority (CA) certificates that are trusted if no other certificates (or other trust source) are specified in the security config.

        Includes the CA certificate(s) required for connecting to hosted Couchbase Capella clusters.