Package org.keycloak.jgroups.certificates

Class DatabaseJGroupsCertificateProvider

java.lang.Object

org.keycloak.jgroups.certificates.DatabaseJGroupsCertificateProvider

All Implemented Interfaces:

Provider, JGroupsCertificateProvider

public class DatabaseJGroupsCertificateProvider
extends Object
implements JGroupsCertificateProvider

A JGroupsCertificateProvider implementation that stores the certificates in the database.

The generated certificate is self-signed, and the database is used to share the certificate amongst the Keycloak instances in the cluster. This implementation supports rotation and reloading of the certificate. The rotation can happen at any time, or by a periodic task, or by sysadmin request.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CERTIFICATE_ID

Fields inherited from interface org.keycloak.spi.infinispan.JGroupsCertificateProvider

DISABLED

Method Summary

Modifier and Type	Method	Description
static DatabaseJGroupsCertificateProvider	create(KeycloakSessionFactory factory, Duration rotationPeriod)
JGroupsCertificate	getCurrentCertificate()
Duration	getRotationPeriod()
boolean	isEnabled()
KeyManager	keyManager()	Returns a managed KeyManager.
Duration	nextRotation()	Returns when the next certificate rotation is required.
void	reloadCertificate()	Reloads the most recent certificate and apply it to the KeyManager and TrustManager.
void	rotateCertificate()	A new certificate must be generated.
void	setRotationPeriod(Duration rotationPeriod)
boolean	supportRotateAndReload()
TrustManager	trustManager()	Returns a managed TrustManager.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.spi.infinispan.JGroupsCertificateProvider

close

Field Details

CERTIFICATE_ID

public static final String CERTIFICATE_ID

See Also:

• Constant Field Values

Method Details

create

public static DatabaseJGroupsCertificateProvider create(KeycloakSessionFactory factory,
 Duration rotationPeriod)

rotateCertificate

public void rotateCertificate()

Description copied from interface: JGroupsCertificateProvider

A new certificate must be generated.

The generated certificate should not be used immediately, but only after JGroupsCertificateProvider.reloadCertificate() is invoked.

This method must be implemented when JGroupsCertificateProvider.supportRotateAndReload() returns true.

Specified by:

rotateCertificate in interface JGroupsCertificateProvider

reloadCertificate

public void reloadCertificate()

Description copied from interface: JGroupsCertificateProvider

Reloads the most recent certificate and apply it to the KeyManager and TrustManager.

This method must be implemented when JGroupsCertificateProvider.supportRotateAndReload() returns true.

Specified by:

reloadCertificate in interface JGroupsCertificateProvider

nextRotation

public Duration nextRotation()

Description copied from interface: JGroupsCertificateProvider

Returns when the next certificate rotation is required.

It is used to automatically rotate certificates periodically.

This method must be implemented when JGroupsCertificateProvider.supportRotateAndReload() returns true.

Specified by:

nextRotation in interface JGroupsCertificateProvider

Returns:

The time until the next rotation.

supportRotateAndReload

public boolean supportRotateAndReload()

Specified by:

supportRotateAndReload in interface JGroupsCertificateProvider

Returns:

true if rotation and reload requests is possible.

keyManager

public KeyManager keyManager()

Description copied from interface: JGroupsCertificateProvider

Returns a managed KeyManager.

If JGroupsCertificateProvider.supportRotateAndReload() returns true, the instance returned must be updated with the new certificate when JGroupsCertificateProvider.reloadCertificate(). This method is invoked only once at boot time.

This method must be implemented when JGroupsCertificateProvider.isEnabled() returns true.

Specified by:

keyManager in interface JGroupsCertificateProvider

Returns:

The KeyManager to use by the SSLContext.

trustManager

public TrustManager trustManager()

Description copied from interface: JGroupsCertificateProvider

Returns a managed TrustManager.

If JGroupsCertificateProvider.supportRotateAndReload() returns true, the instance returned must be updated with the new certificate when JGroupsCertificateProvider.reloadCertificate(). This method is invoked only once at boot time.

This method must be implemented when JGroupsCertificateProvider.isEnabled() returns true.

Specified by:

trustManager in interface JGroupsCertificateProvider

Returns:

The TrustManager to use by the SSLContext.

isEnabled

public boolean isEnabled()

Specified by:

isEnabled in interface JGroupsCertificateProvider

Returns:

true if TLS is enabled for JGroups communication.

setRotationPeriod

public void setRotationPeriod(Duration rotationPeriod)

getRotationPeriod

public Duration getRotationPeriod()

getCurrentCertificate

public JGroupsCertificate getCurrentCertificate()