Package org.keycloak.infinispan.module.certificates

Class CertificateReloadManager

java.lang.Object

org.keycloak.infinispan.module.certificates.CertificateReloadManager

All Implemented Interfaces:

org.infinispan.commons.api.Lifecycle

public class CertificateReloadManager
extends Object
implements org.infinispan.commons.api.Lifecycle

Class to handle JGroups certificate reloading for encryption (mTLS).

This class is attached to Infinispan lifecycle, and it starts/stops together with the EmbeddedCacheManager.

It provides two public methods, rotateCertificate() to force a certificate rotation without waiting for the configured period, and reloadCertificate() to force a certificate reloading from storage and schedule the next rotation.

When the timer expires, only the cluster coordinator generates a new certificate. It notifies the other cluster members that a new certificate is available in storage. Both the key and trust stores keep a hold of the old and the new certificates.

Last, but not least, it listens to topology changes and, if the coordinator crashes, the new re-elected coordinator will continue to perform its duties to rotate the certificate.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CERTIFICATE_ID

Constructor Summary

Constructors

Constructor	Description
CertificateReloadManager(KeycloakSessionFactory sessionFactory, JGroupsCertificateHolder certificateHolder, int rotationDays)

Method Summary

Modifier and Type	Method	Description
JGroupsCertificate	currentCertificate()
static String	generateSelfSignedCertificate(long validForSeconds)
long	getRotationSeconds()
boolean	hasRotationTask()
boolean	isCoordinator()
void	onViewChanged(org.infinispan.notifications.cachemanagerlistener.event.ViewChangedEvent event)
void	reloadCertificate()	Reloads the certificate from storage.
void	rotateCertificate()	Creates and reload a new certificate.
void	setRotationSeconds(long seconds)
void	start()
void	stop()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

CERTIFICATE_ID

public static final String CERTIFICATE_ID

See Also:

• Constant Field Values

Constructor Details

CertificateReloadManager

public CertificateReloadManager(KeycloakSessionFactory sessionFactory,
 JGroupsCertificateHolder certificateHolder,
 int rotationDays)

Method Details

start

public void start()

Specified by:

start in interface org.infinispan.commons.api.Lifecycle

stop

public void stop()

Specified by:

stop in interface org.infinispan.commons.api.Lifecycle

rotateCertificate

public void rotateCertificate()

Creates and reload a new certificate.

reloadCertificate

public void reloadCertificate()

Reloads the certificate from storage.

onViewChanged

public void onViewChanged(org.infinispan.notifications.cachemanagerlistener.event.ViewChangedEvent event)

currentCertificate

public JGroupsCertificate currentCertificate()

setRotationSeconds

public void setRotationSeconds(long seconds)

getRotationSeconds

public long getRotationSeconds()

isCoordinator

public boolean isCoordinator()

hasRotationTask

public boolean hasRotationTask()

generateSelfSignedCertificate

public static String generateSelfSignedCertificate(long validForSeconds)