Class SecurityConfig
SecurityConfig
allows to enable transport encryption between the client and the servers.-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
This builder allows to customize the default security configuration.static class
static class
-
Method Summary
Modifier and TypeMethodDescriptionstatic SecurityConfig.Builder
builder()
Deprecated.static List
<X509Certificate> Returns the Certificate Authority (CA) certificates required for connecting to Couchbase Capella.ciphers()
Returns the custom list of ciphers.static SecurityConfig.Builder
Deprecated.This method creates a new builder.static SecurityConfig
create()
Deprecated.Instead, please useCoreEnvironment.Builder.securityConfig(Consumer)
and configure the builder passed to the consumer.static List
<X509Certificate> decodeCertificates
(List<String> certificates) Helper method to decode string-encoded certificates into their x.509 format.static List
<X509Certificate> Returns the Certificate Authority (CA) certificates that are trusted if no other certificate (or other trust source) is specified in the security config.defaultCiphers
(boolean nativeTlsEnabled) Lists the default ciphers used for this platform.static SecurityConfig.Builder
enableHostnameVerification
(boolean hostnameVerificationEnabled) Deprecated.This method creates a new builder.static SecurityConfig.Builder
enableNativeTls
(boolean nativeTlsEnabled) Deprecated.This method creates a new builder.static SecurityConfig.Builder
enableTls
(boolean tlsEnabled) Deprecated.This method creates a new builder.boolean
True if TLS hostname verification is enabled, false otherwise.static List
<X509Certificate> Returns the Certificate Authority (CA) certificates trusted by the JVM's default trust manager.boolean
Returns whether native TLS is enabled.boolean
True if TLS is enabled, false otherwise.static SecurityConfig.Builder
trustCertificate
(Path certificatePath) Deprecated.This method creates a new builder.The list of trust certificates that should be used, if present.static SecurityConfig.Builder
trustCertificates
(List<X509Certificate> certificates) Deprecated.This method creates a new builder.The currently configured trust manager factory, if present.static SecurityConfig.Builder
trustManagerFactory
(TrustManagerFactory trustManagerFactory) Deprecated.This method creates a new builder.static SecurityConfig.Builder
trustStore
(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType) Deprecated.This method creates a new builder.static SecurityConfig.Builder
trustStore
(KeyStore trustStore) Deprecated.This method creates a new builder.
-
Method Details
-
builder
Deprecated.Instead of creating a new builder, please useCoreEnvironment.Builder.securityConfig(Consumer)
and configure the builder passed to the consumer. Note: CoreEnvironment is a base class; you'll probably call that method via a subclass namedClusterEnvironment
.Creates a builder to customize theSecurityConfig
configuration.- Returns:
- the builder to customize.
-
create
Deprecated.Instead, please useCoreEnvironment.Builder.securityConfig(Consumer)
and configure the builder passed to the consumer. Note: CoreEnvironment is a base class; you'll probably call that method via a subclass namedClusterEnvironment
.Creates aSecurityConfig
with the default configuration.- Returns:
- the default security config.
-
enableTls
Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Enables TLS for all client/server communication (disabled by default).- Parameters:
tlsEnabled
- true if enabled, false otherwise.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
enableHostnameVerification
@Deprecated public static SecurityConfig.Builder enableHostnameVerification(boolean hostnameVerificationEnabled) Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Allows enabling or disabling hostname verification (enabled by default).Note that disabling hostname verification will cause the TLS connection to not verify that the hostname/ip is actually part of the certificate and as a result not detect certain kinds of attacks. Only disable if you understand the impact and risks!
- Parameters:
hostnameVerificationEnabled
- set to true if it should be enabled, false for disabled.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
enableNativeTls
Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Enables/disables native TLS (enabled by default).- Parameters:
nativeTlsEnabled
- true if it should be enabled, false otherwise.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
trustCertificates
@Deprecated public static SecurityConfig.Builder trustCertificates(List<X509Certificate> certificates) Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Loads the given list of X.509 certificates into the trust store.- Parameters:
certificates
- the list of certificates to load.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
trustCertificate
Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Loads X.509 certificates from the specified file into the trust store.- Parameters:
certificatePath
- the path to load the certificates from.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
trustStore
Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Initializes theTrustManagerFactory
with the given trust store.- Parameters:
trustStore
- the loaded trust store to use.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
trustStore
@Deprecated public static SecurityConfig.Builder trustStore(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType) Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Loads a trust store from a file path and password and initializes theTrustManagerFactory
.- Parameters:
trustStorePath
- the path to the truststore.trustStorePassword
- the password (can be null if not password protected).trustStoreType
- the type of the trust store. If empty, theKeyStore.getDefaultType()
will be used.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
trustManagerFactory
@Deprecated public static SecurityConfig.Builder trustManagerFactory(TrustManagerFactory trustManagerFactory) Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Allows to provide a trust manager factory directly for maximum flexibility.While providing the most flexibility, most users will find the other overloads more convenient, like passing in a
trustStore(KeyStore)
directly or via filepathtrustStore(Path, String, Optional)
.- Parameters:
trustManagerFactory
- the trust manager factory to use.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
ciphers
Deprecated.This method creates a new builder. Please see the deprecation notice onbuilder()
.Allows to customize the list of ciphers that is negotiated with the cluster.Note that this method is considered advanced API, please only customize the cipher list if you know what you are doing (for example if you want to shrink the cipher list down to a very specific subset for security or compliance reasons).
If no custom ciphers are configured, the default set will be used.
- Parameters:
ciphers
- the custom list of ciphers to use.- Returns:
- this
SecurityConfig.Builder
for chaining purposes.
-
tlsEnabled
public boolean tlsEnabled()True if TLS is enabled, false otherwise.- Returns:
- a boolean if tls/transport encryption is enabled.
-
hostnameVerificationEnabled
public boolean hostnameVerificationEnabled()True if TLS hostname verification is enabled, false otherwise. -
trustCertificates
The list of trust certificates that should be used, if present.- Returns:
- the list of certificates.
-
trustManagerFactory
The currently configured trust manager factory, if present.- Returns:
- the trust manager factory.
-
nativeTlsEnabled
public boolean nativeTlsEnabled()Returns whether native TLS is enabled.- Returns:
- true if enabled, false otherwise.
-
ciphers
Returns the custom list of ciphers.- Returns:
- the custom list of ciphers.
-
decodeCertificates
Helper method to decode string-encoded certificates into their x.509 format.- Parameters:
certificates
- the string-encoded certificates.- Returns:
- the decoded certs in x.509 format.
-
defaultCiphers
Lists the default ciphers used for this platform.Note that the list of ciphers can differ whether native TLS is enabled or not, so the parameter should reflect the actual security configuration used. Native TLS is enabled by default on the configuration, so if it is not overridden it should be set to true here as well.
- Parameters:
nativeTlsEnabled
- if native TLS is enabled on the security configuration (defaults to yes there).- Returns:
- the list of default ciphers.
-
defaultCaCertificates
Returns the Certificate Authority (CA) certificates that are trusted if no other certificate (or other trust source) is specified in the security config.Includes the CA certificate(s) required for connecting to hosted Couchbase Capella clusters, plus CA certificates trusted by the JVM's default trust manager.
-
capellaCaCertificates
Returns the Certificate Authority (CA) certificates required for connecting to Couchbase Capella. -
jvmCaCertificates
Returns the Certificate Authority (CA) certificates trusted by the JVM's default trust manager. This is a subset of the certificates returned bydefaultCaCertificates()
; it does not include the Couchbase Capella CA certificate.
-
CoreEnvironment.Builder.securityConfig(Consumer)
and configure the builder passed to the consumer.