Class SecurityConfig.Builder
- Enclosing class: SecurityConfig

Constructor Summary
- Builder()

Method Summary
Modifier and type: build() returns SecurityConfig; every other method returns SecurityConfig.Builder for chaining.
- build(): Builds the SecurityConfig out of this builder.
- ciphers(ciphers): Allows customizing the list of ciphers that is negotiated with the cluster.
- enableCertificateVerification(boolean certificateVerificationEnabled): Pass false to bypass all TLS certificate verification checks.
- enableHostnameVerification(boolean hostnameVerificationEnabled): Allows enabling or disabling hostname verification (enabled by default).
- enableNativeTls(boolean nativeTlsEnabled): Enables/disables native TLS (enabled by default).
- enableTls(boolean tlsEnabled): Enables TLS for all client/server communication (disabled by default).
- trustCertificate(Path certificatePath): Loads X.509 certificates from the file at the given path into the trust store.
- trustCertificates(List<X509Certificate> certificates): Loads the given list of X.509 certificates into the trust store.
- trustManagerFactory(TrustManagerFactory trustManagerFactory): Allows providing a trust manager factory directly for maximum flexibility.
- trustStore(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType): Loads a trust store from a file path and password and initializes the TrustManagerFactory.
- trustStore(KeyStore trustStore): Initializes the TrustManagerFactory with the given trust store.
Constructor Details

Builder
public Builder()
Method Details

build
public SecurityConfig build()
Builds the SecurityConfig out of this builder.
- Returns: the built security config.
enableTls
public SecurityConfig.Builder enableTls(boolean tlsEnabled)
Enables TLS for all client/server communication (disabled by default).
- Parameters: tlsEnabled - true if enabled, false otherwise.
- Returns: this SecurityConfig.Builder for chaining purposes.
enableHostnameVerification
public SecurityConfig.Builder enableHostnameVerification(boolean hostnameVerificationEnabled)
Allows enabling or disabling hostname verification (enabled by default).
Note that disabling hostname verification will cause the TLS connection not to verify that the hostname/IP is actually part of the certificate, and as a result not detect certain kinds of attacks. Only disable if you understand the impact and risks!
- Parameters: hostnameVerificationEnabled - set to true if it should be enabled, false for disabled.
- Returns: this SecurityConfig.Builder for chaining purposes.
enableCertificateVerification
@Volatile public SecurityConfig.Builder enableCertificateVerification(boolean certificateVerificationEnabled)
Pass false to bypass all TLS certificate verification checks. This is equivalent to calling trustManagerFactory(TrustManagerFactory) with an argument of InsecureTrustManagerFactory.INSTANCE.
Certificate verification is enabled by default.
Certificate verification must never be disabled in a production environment, and should be disabled in development only if there is no better solution. The better solution is almost always to specify the CA certificate(s) to trust, by calling trustCertificate(Path) or some variant.
See also enableHostnameVerification(boolean), which can selectively disable just hostname verification.
- Parameters: certificateVerificationEnabled - Pass false to set the trust manager factory to InsecureTrustManagerFactory.INSTANCE, and bypass all TLS certificate verification checks.
- Returns: this SecurityConfig.Builder for chaining purposes.
enableNativeTls
public SecurityConfig.Builder enableNativeTls(boolean nativeTlsEnabled)
Enables/disables native TLS (enabled by default).
- Parameters: nativeTlsEnabled - true if it should be enabled, false otherwise.
- Returns: this SecurityConfig.Builder for chaining purposes.
trustCertificates
public SecurityConfig.Builder trustCertificates(List<X509Certificate> certificates)
Loads the given list of X.509 certificates into the trust store.
- Parameters: certificates - the list of certificates to load.
- Returns: this SecurityConfig.Builder for chaining purposes.
trustCertificate
public SecurityConfig.Builder trustCertificate(Path certificatePath)
Loads X.509 certificates from the file at the given path into the trust store.
TIP: If you have multiple certificate files in PEM format (for example, "cert1.pem" and "cert2.pem"), and you want to create a single PEM file containing all the certificates, concatenate the PEM files using this shell command:
    $ cat cert1.pem cert2.pem > both-certs.pem
Then, when configuring the SDK, call this method with the path to `both-certs.pem` as the argument.
- Parameters: certificatePath - the file to load the certificates from.
- Returns: this SecurityConfig.Builder for chaining purposes.
trustManagerFactory
public SecurityConfig.Builder trustManagerFactory(TrustManagerFactory trustManagerFactory)
Allows providing a trust manager factory directly for maximum flexibility.
While this provides the most flexibility, most users will find the other overloads more convenient, such as passing in a trust store directly via trustStore(KeyStore) or from a file path via trustStore(Path, String, Optional).
- Parameters: trustManagerFactory - the trust manager factory to use.
- Returns: this SecurityConfig.Builder for chaining purposes.
trustStore
public SecurityConfig.Builder trustStore(KeyStore trustStore)
Initializes the TrustManagerFactory with the given trust store.
- Parameters: trustStore - the loaded trust store to use.
- Returns: this SecurityConfig.Builder for chaining purposes.
trustStore
public SecurityConfig.Builder trustStore(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType)
Loads a trust store from a file path and password and initializes the TrustManagerFactory.
- Parameters:
  trustStorePath - the path to the truststore.
  trustStorePassword - the password (can be null if not password protected).
  trustStoreType - the type of the trust store. If empty, KeyStore.getDefaultType() will be used.
- Returns: this SecurityConfig.Builder for chaining purposes.
ciphers
Allows customizing the list of ciphers that is negotiated with the cluster.
Note that this method is considered advanced API; please only customize the cipher list if you know what you are doing (for example, if you want to shrink the cipher list down to a very specific subset for security or compliance reasons).
If no custom ciphers are configured, the default set will be used.
If you wish to add additional ciphers instead of providing an exclusive list, you can use the static SecurityConfig.defaultCiphers(boolean) method to load the default list first, add your own ciphers and then pass it into this method.
- Parameters: ciphers - the custom list of ciphers to use.
- Returns: this SecurityConfig.Builder for chaining purposes.
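As an added example (not part of this reference page or the SDK's own code), the builder assembled the way the enableCertificateVerification and ciphers notes recommend: TLS turned on, the cluster CA pinned through trustCertificate(Path), hostname verification left enabled, and the cipher list narrowed from SecurityConfig.defaultCiphers(boolean) instead of replaced wholesale, with the development-only escape hatch shown beside it for contrast. Assumed, because the page does not state them: the package name com.couchbase.client.core.env, that defaultCiphers returns a List<String> and ciphers accepts one, and the CA bundle path.

```java
import com.couchbase.client.core.env.SecurityConfig; // package name is an assumption
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class HardenedSecurityConfigExample {

    // Recommended shape: verify the server certificate against a CA bundle
    // (e.g. both-certs.pem from the trustCertificate TIP), keep hostname
    // verification on, and restrict ciphers to a subset of the SDK defaults.
    static SecurityConfig hardened(Path caBundle, boolean nativeTls) {
        // Assumption: defaultCiphers(boolean) returns List<String> of suite names.
        List<String> allowed = new ArrayList<>();
        for (String suite : SecurityConfig.defaultCiphers(nativeTls)) {
            // Illustrative policy: keep only AEAD suites (GCM or ChaCha20-Poly1305).
            if (suite.contains("GCM") || suite.contains("CHACHA20")) {
                allowed.add(suite);
            }
        }
        if (allowed.isEmpty()) {
            // Never hand the builder an empty list; surface the policy mismatch instead.
            throw new IllegalStateException("no default cipher matches the AEAD policy");
        }
        return new SecurityConfig.Builder()
            .enableTls(true)                  // disabled by default; must be turned on
            .enableNativeTls(nativeTls)
            .enableHostnameVerification(true) // already the default; stated on purpose
            .trustCertificate(caBundle)       // pin the cluster CA instead of disabling checks
            .ciphers(allowed)                 // assumed to accept List<String>
            .build();
    }

    // The escape hatch the docs warn about: equivalent to
    // trustManagerFactory(InsecureTrustManagerFactory.INSTANCE), so every
    // certificate is accepted. Development only, never production.
    static SecurityConfig developmentOnly() {
        return new SecurityConfig.Builder()
            .enableTls(true)
            .enableCertificateVerification(false)
            .build();
    }

    public static void main(String[] args) {
        Path ca = Paths.get(args.length > 0 ? args[0] : "both-certs.pem"); // path assumed
        hardened(ca, true); // trustCertificate loads the PEM file when called
        System.out.println("hardened SecurityConfig built; CA bundle: " + ca);
    }
}
```

Pass the resulting SecurityConfig to the environment builder the SDK provides; the two factory methods make the safe and unsafe trust settings easy to tell apart in code review.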