org.forgerock.opendj.security

Class SslOptions

java.lang.Object

org.forgerock.opendj.security.SslOptions

public final class SslOptions
extends Object

Encapsulates options for configuring SSL based security as well as providing methods for building SSLEngines.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	SslOptions.ClientAuthPolicy Represents the client authentication policy option.

Field Summary

Fields

Modifier and Type	Field and Description
static String	SSL_HOST_NAME_VALIDATION_DISABLED_PROPERTY The name of the property which, when true, will disable SSL host name validation.
static KeyManager[]	USE_EMPTY_KEY_MANAGER Use an empty KeyManager while initializing an SSLContext.
static TrustManager[]	USE_JVM_TRUST_MANAGER Use the JVM trust manager.

Method Summary

Modifier and Type	Method and Description
SslOptions.ClientAuthPolicy	clientAuthPolicy() Returns the client authentication policy.
SslOptions	clientAuthPolicy(SslOptions.ClientAuthPolicy clientAuthPolicy) Sets the client auth policy.
static SslOptions	copyOfSslOptions(SslOptions sslOptions) Creates a copy of the provided SslOptions.
String[]	enabledCipherSuites() Returns the names of the cipher suites which are currently enabled for secure connections with the Directory Server.
SslOptions	enabledCipherSuites(Collection<String> cipherSuites) Adds the cipher suites enabled for secure connections with the Directory Server.
SslOptions	enabledCipherSuites(String... cipherSuites) Adds the cipher suites enabled for secure connections with the Directory Server.
String[]	enabledProtocols() Returns the names of the protocol versions which are currently enabled for secure connections with the Directory Server.
SslOptions	enabledProtocols(Collection<String> protocols) Adds the protocol versions enabled for secure connections with the Directory Server.
SslOptions	enabledProtocols(String... protocols) Adds the protocol versions enabled for secure connections with the Directory Server.
static boolean	isSslHostNameValidationEnabled() Returns whether server host name validation against the SSL certificate's subject must be performed.
static SSLEngine	newClientSslEngine(SslOptions sslOptions) Creates a new SSLEngine configured to be used by a client application.
static SSLEngine	newServerSslEngine(SslOptions sslOptions) Creates a new SSLEngine configured to be used by a server application.
static SslOptions	newSslOptions(KeyManager[] keyManagers, TrustManager[] trustManagers) Creates a new SslOptions for the provided key managers and trust managers.
static SslOptions	newSslOptions(KeyManager keyManager, TrustManager trustManager) Creates a new SslOptions for the provided key manager and trust manager.
SSLContext	sslContext() Returns the SSLContext that should be used when installing the SSL layer.
static List<String>	supportedCipherSuites() Returns a List of TLS cipher suites names reported as supported by the running JVM.
static List<String>	supportedProtocols() Returns a List of TLS protocol names reported as supported by the running JVM.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

USE_EMPTY_KEY_MANAGER

public static final KeyManager[] USE_EMPTY_KEY_MANAGER

Use an empty KeyManager while initializing an SSLContext.

This parameter should be used as the first one of SSLContext.init(KeyManager[], TrustManager[], java.security.SecureRandom). An empty KeyManager implementation never returns any certificates/keys.

See Also:

OPENDJ-4281, The Java Secure Socket Extension Reference Guide

USE_JVM_TRUST_MANAGER

public static final TrustManager[] USE_JVM_TRUST_MANAGER

Use the JVM trust manager.

SSL_HOST_NAME_VALIDATION_DISABLED_PROPERTY

public static final String SSL_HOST_NAME_VALIDATION_DISABLED_PROPERTY

The name of the property which, when true, will disable SSL host name validation. Host name validation is enabled by default.

See Also:

Constant Field Values

Method Detail

isSslHostNameValidationEnabled

public static boolean isSslHostNameValidationEnabled()

Returns whether server host name validation against the SSL certificate's subject must be performed.

Returns:

true If the host name must be validated, false otherwise.

newClientSslEngine

public static SSLEngine newClientSslEngine(SslOptions sslOptions)

Creates a new SSLEngine configured to be used by a client application.

Parameters:

sslOptions - SslOptions to use to configure the SSLEngine.

Returns:

A new SSLEngine which has been configured with the settings contained in this SslOptions

newServerSslEngine

public static SSLEngine newServerSslEngine(SslOptions sslOptions)

Creates a new SSLEngine configured to be used by a server application.

Parameters:

sslOptions - SslOptions to use to configure the SSLEngine.

Returns:

A new SSLEngine which has been configured with the settings contained in this SslOptions

supportedCipherSuites

public static List<String> supportedCipherSuites()

Returns a List of TLS cipher suites names reported as supported by the running JVM.

Returns:

a List of TLS cipher suites names reported as supported by the running JVM

supportedProtocols

public static List<String> supportedProtocols()

Returns a List of TLS protocol names reported as supported by the running JVM.

Returns:

a List of TLS protocol names reported as supported by the running JVM

newSslOptions

public static SslOptions newSslOptions(KeyManager keyManager,
                                       TrustManager trustManager)
                                throws KeyManagementException

Creates a new SslOptions for the provided key manager and trust manager.

Parameters:

keyManager - The key manager, which may be null indicating that no certificates will be used.

trustManager - The trust manager, which may be null indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Returns:

A new SslOptions instance.

Throws:

KeyManagementException - If the key manager or trust manager could not be used for some reason.

newSslOptions

public static SslOptions newSslOptions(KeyManager[] keyManagers,
                                       TrustManager[] trustManagers)
                                throws KeyManagementException

Creates a new SslOptions for the provided key managers and trust managers.

Parameters:

keyManagers - The key managers, which may be null indicating that no certificates will be used.

trustManagers - The trust managers, which may be null indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Returns:

A new SslOptions instance.

Throws:

KeyManagementException - If the key managers or trust managers could not be used for some reason.

copyOfSslOptions

public static SslOptions copyOfSslOptions(SslOptions sslOptions)

Creates a copy of the provided SslOptions.

Parameters:

sslOptions - The SslOptions

Returns:

A new SslOptions instance.

clientAuthPolicy

public SslOptions.ClientAuthPolicy clientAuthPolicy()

Returns the client authentication policy. This option is only useful in server mode.

Returns:

The SslOptions.ClientAuthPolicy option.

enabledProtocols

public String[] enabledProtocols()

Returns the names of the protocol versions which are currently enabled for secure connections with the Directory Server.

Returns:

an array of protocols or null if the default protocols are to be used.

enabledCipherSuites

public String[] enabledCipherSuites()

Returns the names of the cipher suites which are currently enabled for secure connections with the Directory Server.

Returns:

an array of cipher-suite or null if the default cipher-suites are to be used.

sslContext

public SSLContext sslContext()

Returns the SSLContext that should be used when installing the SSL layer.

Returns:

The SSLContext that should be used when installing the SSL layer.

clientAuthPolicy

public SslOptions clientAuthPolicy(SslOptions.ClientAuthPolicy clientAuthPolicy)

Sets the client auth policy. This option is only useful in server mode.

Parameters:

clientAuthPolicy - The client auth policy.

Returns:

this SslOptions.

See Also:

SslOptions.ClientAuthPolicy

enabledCipherSuites

public SslOptions enabledCipherSuites(Collection<String> cipherSuites)

Adds the cipher suites enabled for secure connections with the Directory Server. The suites must be supported by the SSLContext specified during construction. Following a successful call to this method, only the suites listed in the protocols parameter are enabled for use.

Parameters:

cipherSuites - Names of all the cipher-suites to enable or null to use the default ones.

Returns:

This SslOptions.

enabledCipherSuites

public SslOptions enabledCipherSuites(String... cipherSuites)

Adds the cipher suites enabled for secure connections with the Directory Server. The suites must be supported by the SSLContext specified during construction. Following a successful call to this method, only the suites listed in the protocols parameter are enabled for use.

Parameters:

cipherSuites - Names of all the cipher-suites to enable or null to use the default ones.

Returns:

This SslOptions.

enabledProtocols

public SslOptions enabledProtocols(Collection<String> protocols)

Adds the protocol versions enabled for secure connections with the Directory Server. The protocols must be supported by the SSLContext specified during construction.

Parameters:

protocols - Names of all the protocols to enable or null to use the default ones.

Returns:

This SslOptions.

enabledProtocols

public SslOptions enabledProtocols(String... protocols)

Adds the protocol versions enabled for secure connections with the Directory Server. The protocols must be supported by the SSLContext specified during construction.

Parameters:

protocols - Names of all the protocols to enable or null to use the default ones.

Returns:

This SslOptions.