public class SecurityConfig extends Object

The SecurityConfig allows enabling transport encryption between the client and the servers.

| Modifier and Type | Class and Description |
|---|---|
| static class | SecurityConfig.Builder: This builder allows customizing the default security configuration. |
| static class | SecurityConfig.Defaults |
| static class | SecurityConfig.InternalMethods |
| Modifier and Type | Method and Description |
|---|---|
| static SecurityConfig.Builder | builder(): Deprecated. Instead of creating a new builder, please use CoreEnvironment.Builder.securityConfig(Consumer) and configure the builder passed to the consumer. Note: CoreEnvironment is a base class; you'll probably call that method via a subclass named ClusterEnvironment. |
| static List<X509Certificate> | capellaCaCertificates(): Returns the Certificate Authority (CA) certificates required for connecting to Couchbase Capella. |
| List<String> | ciphers(): Returns the custom list of ciphers. |
| static SecurityConfig.Builder | ciphers(List<String> ciphers): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| static SecurityConfig | create(): Deprecated. Instead, please use CoreEnvironment.Builder.securityConfig(Consumer) and configure the builder passed to the consumer. Note: CoreEnvironment is a base class; you'll probably call that method via a subclass named ClusterEnvironment. |
| static List<X509Certificate> | decodeCertificates(List<String> certificates): Helper method to decode string-encoded certificates into their X.509 format. |
| static List<X509Certificate> | defaultCaCertificates(): Returns the Certificate Authority (CA) certificates that are trusted if no other certificate (or other trust source) is specified in the security config. |
| static List<String> | defaultCiphers(boolean nativeTlsEnabled): Lists the default ciphers used for this platform. |
| static SecurityConfig.Builder | enableHostnameVerification(boolean hostnameVerificationEnabled): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| static SecurityConfig.Builder | enableNativeTls(boolean nativeTlsEnabled): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| static SecurityConfig.Builder | enableTls(boolean tlsEnabled): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| boolean | hostnameVerificationEnabled(): True if TLS hostname verification is enabled, false otherwise. |
| static List<X509Certificate> | jvmCaCertificates(): Returns the Certificate Authority (CA) certificates trusted by the JVM's default trust manager. |
| boolean | nativeTlsEnabled(): Returns whether native TLS is enabled. |
| boolean | tlsEnabled(): True if TLS is enabled, false otherwise. |
| static SecurityConfig.Builder | trustCertificate(Path certificatePath): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| List<X509Certificate> | trustCertificates(): The list of trust certificates that should be used, if present. |
| static SecurityConfig.Builder | trustCertificates(List<X509Certificate> certificates): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| TrustManagerFactory | trustManagerFactory(): The currently configured trust manager factory, if present. |
| static SecurityConfig.Builder | trustManagerFactory(TrustManagerFactory trustManagerFactory): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| static SecurityConfig.Builder | trustStore(KeyStore trustStore): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
| static SecurityConfig.Builder | trustStore(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType): Deprecated. This method creates a new builder. Please see the deprecation notice on builder(). |
@Deprecated public static SecurityConfig.Builder builder()

Deprecated. Instead of creating a new builder, please use CoreEnvironment.Builder.securityConfig(Consumer) and configure the builder passed to the consumer. Note: CoreEnvironment is a base class; you'll probably call that method via a subclass named ClusterEnvironment.

Creates a builder to customize the SecurityConfig configuration.

@Deprecated public static SecurityConfig create()

Deprecated. Instead, please use CoreEnvironment.Builder.securityConfig(Consumer) and configure the builder passed to the consumer. Note: CoreEnvironment is a base class; you'll probably call that method via a subclass named ClusterEnvironment.

Creates a SecurityConfig with the default configuration.

@Deprecated public static SecurityConfig.Builder enableTls(boolean tlsEnabled)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Parameters: tlsEnabled - true if enabled, false otherwise.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder enableHostnameVerification(boolean hostnameVerificationEnabled)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Note that disabling hostname verification will cause the TLS connection to not verify that the hostname/IP is actually part of the certificate and, as a result, not detect certain kinds of attacks. Only disable it if you understand the impact and risks!

Parameters: hostnameVerificationEnabled - set to true if it should be enabled, false for disabled.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder enableNativeTls(boolean nativeTlsEnabled)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Parameters: nativeTlsEnabled - true if it should be enabled, false otherwise.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder trustCertificates(List<X509Certificate> certificates)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Parameters: certificates - the list of certificates to load.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder trustCertificate(Path certificatePath)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Parameters: certificatePath - the path to load the certificates from.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder trustStore(KeyStore trustStore)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Initializes the TrustManagerFactory with the given trust store.

Parameters: trustStore - the loaded trust store to use.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder trustStore(Path trustStorePath, String trustStorePassword, Optional<String> trustStoreType)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Loads the trust store from the given path and password and initializes the TrustManagerFactory.

Parameters:
trustStorePath - the path to the truststore.
trustStorePassword - the password (can be null if not password protected).
trustStoreType - the type of the trust store. If empty, the KeyStore.getDefaultType() will be used.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder trustManagerFactory(TrustManagerFactory trustManagerFactory)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Sets the trust manager factory to use directly. While providing the most flexibility, most users will find the other overloads more convenient, like passing in a trustStore(KeyStore) directly or via file path with trustStore(Path, String, Optional).

Parameters: trustManagerFactory - the trust manager factory to use.
Returns: the SecurityConfig.Builder for chaining purposes.

@Deprecated public static SecurityConfig.Builder ciphers(List<String> ciphers)

Deprecated. This method creates a new builder. Please see the deprecation notice on builder().

Note that this method is considered advanced API; please only customize the cipher list if you know what you are doing (for example, if you want to shrink the cipher list down to a very specific subset for security or compliance reasons).

If no custom ciphers are configured, the default set will be used.

Parameters: ciphers - the custom list of ciphers to use.
Returns: the SecurityConfig.Builder for chaining purposes.

public boolean tlsEnabled()

True if TLS is enabled, false otherwise.

public boolean hostnameVerificationEnabled()

True if TLS hostname verification is enabled, false otherwise.

public List<X509Certificate> trustCertificates()

The list of trust certificates that should be used, if present.

public TrustManagerFactory trustManagerFactory()

The currently configured trust manager factory, if present.

public boolean nativeTlsEnabled()

Returns whether native TLS is enabled.

public List<String> ciphers()

Returns the custom list of ciphers.
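As an added example, not code from the Couchbase SDK or its documentation, the following shows the non-deprecated path that the deprecation notices above point to: configuring the SecurityConfig through the builder passed to ClusterEnvironment.Builder.securityConfig(Consumer), then reading the effective settings back through the getters (tlsEnabled(), hostnameVerificationEnabled(), trustCertificates()) before connecting. The certificate path, connection string, user name and environment variable are placeholders, and the securityConfig() accessor on the environment is assumed to be inherited from CoreEnvironment.

```java
import com.couchbase.client.core.env.SecurityConfig;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;
import com.couchbase.client.java.env.ClusterEnvironment;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.Objects;

/**
 * Added example (not part of the SecurityConfig Javadoc): builds a
 * ClusterEnvironment whose SecurityConfig is customized through
 * securityConfig(Consumer) instead of the deprecated static factories,
 * and refuses to connect if the result is weaker than intended.
 */
public class TlsEnvironmentExample {

    /** Assumed location of the cluster CA certificate in PEM form. */
    static final Path CA_CERT = Paths.get("/etc/couchbase/ca.pem");

    static ClusterEnvironment buildEnvironment() {
        return ClusterEnvironment.builder()
            .securityConfig(security -> security
                // Transport encryption is off by default; turn it on.
                .enableTls(true)
                // Keep hostname verification on (the default): the server's
                // certificate must actually match the host being contacted.
                .enableHostnameVerification(true)
                // Trust only this CA. Supplying a certificate replaces the
                // default trust set (Capella CA plus JVM CAs).
                .trustCertificate(CA_CERT))
            .build();
    }

    /** Fails fast if the effective configuration is not what was intended. */
    static void assertHardened(SecurityConfig config) {
        if (!config.tlsEnabled()) {
            throw new IllegalStateException("TLS must be enabled");
        }
        if (!config.hostnameVerificationEnabled()) {
            throw new IllegalStateException("hostname verification must stay enabled");
        }
        if (config.trustCertificates() == null || config.trustCertificates().isEmpty()) {
            throw new IllegalStateException("a trust anchor must be configured");
        }
    }

    public static void main(String[] args) {
        ClusterEnvironment env = buildEnvironment();
        // securityConfig() accessor assumed to be inherited from CoreEnvironment.
        assertHardened(env.securityConfig());

        String password = Objects.requireNonNull(
            System.getenv("CB_PASSWORD"), "CB_PASSWORD is not set");
        Cluster cluster = Cluster.connect(
            "couchbases://db.example.internal",          // constructed connection string
            ClusterOptions.clusterOptions("app-user", password).environment(env));
        try {
            cluster.waitUntilReady(Duration.ofSeconds(10));
        } finally {
            cluster.disconnect();
            env.shutdown();
        }
    }
}
```

The check in assertHardened is cheap insurance against a later edit that flips enableHostnameVerification(false) somewhere else in the code base, which is exactly the condition the enableHostnameVerification notice above warns about; the connection string's couchbases:// scheme also requests TLS, so the two settings agree rather than conflict.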
public static List<X509Certificate> decodeCertificates(List<String> certificates)

Helper method to decode string-encoded certificates into their X.509 format.

Parameters: certificates - the string-encoded certificates.

public static List<String> defaultCiphers(boolean nativeTlsEnabled)

Lists the default ciphers used for this platform.

Note that the list of ciphers can differ depending on whether native TLS is enabled or not, so the parameter should reflect the actual security configuration used. Native TLS is enabled by default on the configuration, so if it is not overridden it should be set to true here as well.

Parameters: nativeTlsEnabled - if native TLS is enabled on the security configuration (defaults to yes there).

@Stability.Volatile public static List<X509Certificate> defaultCaCertificates()

Returns the Certificate Authority (CA) certificates that are trusted if no other certificate (or other trust source) is specified in the security config. Includes the CA certificate(s) required for connecting to hosted Couchbase Capella clusters, plus CA certificates trusted by the JVM's default trust manager.
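An added example, not part of the SDK or its documentation, exercising the static helpers described above: it reports how large the default trust set is (the Capella CA plus the JVM's CAs, as defaultCaCertificates() describes) and uses decodeCertificates(List<String>) to turn a PEM file into X509Certificate objects, dropping any certificate outside its validity window before it would be handed to trustCertificates(...). The PEM file path is an assumption, and the file is assumed to hold one PEM-encoded certificate.

```java
import com.couchbase.client.core.env.SecurityConfig;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the SecurityConfig Javadoc): audits the CA set
 * the client would trust and prepares a narrower, validated trust list
 * from a private CA file.
 */
public class TrustAnchorAudit {

    /** Assumed path of a PEM file holding one private CA certificate. */
    static final Path PRIVATE_CA_PEM = Paths.get("/etc/couchbase/private-ca.pem");

    /** Decodes the PEM-encoded certificate in a file via the SDK's own helper. */
    static List<X509Certificate> loadPem(Path pemFile) throws IOException {
        String pem = new String(Files.readAllBytes(pemFile), StandardCharsets.UTF_8);
        return SecurityConfig.decodeCertificates(Collections.singletonList(pem));
    }

    /** Keeps only certificates inside their validity window; reports the rest. */
    static List<X509Certificate> validOnly(List<X509Certificate> cas) {
        List<X509Certificate> usable = new ArrayList<>();
        for (X509Certificate ca : cas) {
            try {
                ca.checkValidity();   // throws if expired or not yet valid
                usable.add(ca);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                System.err.println("dropping CA outside validity window: "
                    + ca.getSubjectX500Principal() + " (" + e.getMessage() + ")");
            }
        }
        return usable;
    }

    public static void main(String[] args) throws IOException {
        // What the client trusts when nothing is configured: Capella CA + JVM CAs.
        List<X509Certificate> defaults = SecurityConfig.defaultCaCertificates();
        System.out.printf("default trust set: %d CAs (%d Capella, %d JVM)%n",
            defaults.size(),
            SecurityConfig.capellaCaCertificates().size(),
            SecurityConfig.jvmCaCertificates().size());

        // A self-hosted cluster usually needs only its own CA; build that list.
        List<X509Certificate> custom = validOnly(loadPem(PRIVATE_CA_PEM));
        for (X509Certificate ca : custom) {
            System.out.println("trusting " + ca.getSubjectX500Principal()
                + " until " + ca.getNotAfter());
        }
        // 'custom' is what you would pass to
        // securityConfig(sc -> sc.enableTls(true).trustCertificates(custom)).
    }
}
```

Printing the default set's size is worth doing once per JVM image: it makes visible how many CAs the client implicitly trusts when no trust source is configured, which is the baseline that a narrower trustCertificates(...) list replaces.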
@Stability.Volatile public static List<X509Certificate> capellaCaCertificates()

Returns the Certificate Authority (CA) certificates required for connecting to Couchbase Capella.

@Stability.Volatile public static List<X509Certificate> jvmCaCertificates()

Returns the Certificate Authority (CA) certificates trusted by the JVM's default trust manager. This is a subset of defaultCaCertificates(); it does not include the Couchbase Capella CA certificate.

Copyright © 2024 Couchbase, Inc. All rights reserved.