X509Util (Apache HBase - Common 3.0.0-beta-1 API)

java.lang.Object
- org.apache.hadoop.hbase.io.crypto.tls.X509Util

```
@InterfaceAudience.Private
public final class X509Util
extends Object
```
Utility code for X509 handling Default cipher suites: Performance testing done by Facebook engineers shows that on Intel x86_64 machines, Java9 performs better with GCM and Java8 performs better with CBC, so these seem like reasonable defaults.
This file has been copied from the Apache ZooKeeper project.

See Also:

Base revision

Nested Class Summary

Nested Classes
Modifier and Type Class and Description

static class X509Util.ClientAuth
Enum specifying the client auth requirement of server-side TLS sockets created by this X509Util.

Nested Classes
Modifier and Type	Class and Description
`static class`	`X509Util.ClientAuth` Enum specifying the client auth requirement of server-side TLS sockets created by this X509Util.

Field Summary

Fields
Modifier and Type	Field and Description
`static int`	`DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS`
`static int`	`DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE`
`static String`	`DEFAULT_PROTOCOL`
`static String`	`HBASE_CLIENT_NETTY_TLS_ENABLED`
`static String`	`HBASE_CLIENT_NETTY_TLS_HANDSHAKETIMEOUT`
`static String`	`HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME`
`static String`	`HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE`
`static String`	`HBASE_SERVER_NETTY_TLS_ENABLED`
`static String`	`HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT`
`static String`	`HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME`
`static String`	`HBASE_SERVER_NETTY_TLS_WRAP_SIZE` Set the SSL wrapSize for netty.
`static String`	`TLS_CERT_RELOAD`
`static String`	`TLS_CIPHER_SUITES`
`static String`	`TLS_CONFIG_CLR`
`static String`	`TLS_CONFIG_KEYSTORE_LOCATION`
`static String`	`TLS_CONFIG_KEYSTORE_PASSWORD`
`static String`	`TLS_CONFIG_KEYSTORE_TYPE`
`static String`	`TLS_CONFIG_OCSP`
`static String`	`TLS_CONFIG_PROTOCOL`
`static String`	`TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED`
`static String`	`TLS_CONFIG_TRUSTSTORE_LOCATION`
`static String`	`TLS_CONFIG_TRUSTSTORE_PASSWORD`
`static String`	`TLS_CONFIG_TRUSTSTORE_TYPE`
`static String`	`TLS_ENABLED_PROTOCOLS`
`static String`	`TLS_USE_OPENSSL`

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext`	`createSslContextForClient(org.apache.hadoop.conf.Configuration config)`
`static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext`	`createSslContextForServer(org.apache.hadoop.conf.Configuration config)`
`static void`	`enableCertFileReloading(org.apache.hadoop.conf.Configuration config, AtomicReference<FileChangeWatcher> keystoreWatcher, AtomicReference<FileChangeWatcher> trustStoreWatcher, Runnable resetContext)` Enable certificate file reloading by creating FileWatchers for keystore and truststore.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- TLS_CONFIG_PROTOCOL
```
public static final String TLS_CONFIG_PROTOCOL
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_KEYSTORE_LOCATION
```
public static final String TLS_CONFIG_KEYSTORE_LOCATION
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_KEYSTORE_TYPE
```
public static final String TLS_CONFIG_KEYSTORE_TYPE
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_KEYSTORE_PASSWORD
```
public static final String TLS_CONFIG_KEYSTORE_PASSWORD
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_TRUSTSTORE_LOCATION
```
public static final String TLS_CONFIG_TRUSTSTORE_LOCATION
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_TRUSTSTORE_TYPE
```
public static final String TLS_CONFIG_TRUSTSTORE_TYPE
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_TRUSTSTORE_PASSWORD
```
public static final String TLS_CONFIG_TRUSTSTORE_PASSWORD
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_CLR
```
public static final String TLS_CONFIG_CLR
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_OCSP
```
public static final String TLS_CONFIG_OCSP
```
  See Also:
  
  Constant Field Values
- TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED
```
public static final String TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED
```
  See Also:
  
  Constant Field Values
- TLS_ENABLED_PROTOCOLS
```
public static final String TLS_ENABLED_PROTOCOLS
```
  See Also:
  
  Constant Field Values
- TLS_CIPHER_SUITES
```
public static final String TLS_CIPHER_SUITES
```
  See Also:
  
  Constant Field Values
- TLS_CERT_RELOAD
```
public static final String TLS_CERT_RELOAD
```
  See Also:
  
  Constant Field Values
- TLS_USE_OPENSSL
```
public static final String TLS_USE_OPENSSL
```
  See Also:
  
  Constant Field Values
- DEFAULT_PROTOCOL
```
public static final String DEFAULT_PROTOCOL
```
  See Also:
  
  Constant Field Values
- HBASE_SERVER_NETTY_TLS_ENABLED
```
public static final String HBASE_SERVER_NETTY_TLS_ENABLED
```
  See Also:
  
  Constant Field Values
- HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE
```
public static final String HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE
```
  See Also:
  
  Constant Field Values
- HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME
```
public static final String HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME
```
  See Also:
  
  Constant Field Values
- HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT
```
public static final String HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT
```
  See Also:
  
  Constant Field Values
- HBASE_SERVER_NETTY_TLS_WRAP_SIZE
```
public static final String HBASE_SERVER_NETTY_TLS_WRAP_SIZE
```
  Set the SSL wrapSize for netty. This is only a maximum wrap size. Buffers smaller than this will not be consolidated, but buffers larger than this will be split into multiple wrap buffers. The netty default of 16k is not great for hbase which tends to return larger payloads than that, meaning most responses end up getting chunked up. This leads to more memory contention in netty's PoolArena. See https://github.com/netty/netty/pull/13551
  
  See Also:
  
  Constant Field Values
- DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE
```
public static final int DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE
```
  See Also:
  
  Constant Field Values
- HBASE_CLIENT_NETTY_TLS_ENABLED
```
public static final String HBASE_CLIENT_NETTY_TLS_ENABLED
```
  See Also:
  
  Constant Field Values
- HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME
```
public static final String HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME
```
  See Also:
  
  Constant Field Values
- HBASE_CLIENT_NETTY_TLS_HANDSHAKETIMEOUT
```
public static final String HBASE_CLIENT_NETTY_TLS_HANDSHAKETIMEOUT
```
  See Also:
  
  Constant Field Values
- DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
```
public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
```
  See Also:
  
  Constant Field Values

Method Detail

createSslContextForClient

public static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext createSslContextForClient(org.apache.hadoop.conf.Configuration config)
                                                                                             throws X509Exception,
                                                                                                    IOException

Throws:: X509Exception; IOException

createSslContextForServer

public static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext createSslContextForServer(org.apache.hadoop.conf.Configuration config)
                                                                                             throws X509Exception,
                                                                                                    IOException

Throws:: X509Exception; IOException

enableCertFileReloading

public static void enableCertFileReloading(org.apache.hadoop.conf.Configuration config,
                                           AtomicReference<FileChangeWatcher> keystoreWatcher,
                                           AtomicReference<FileChangeWatcher> trustStoreWatcher,
                                           Runnable resetContext)
                                    throws IOException

Enable certificate file reloading by creating FileWatchers for keystore and truststore. AtomicReferences will be set with the new instances. resetContext - if not null - will be called when the file has been modified.

Parameters:: keystoreWatcher - Reference to keystoreFileWatcher.; trustStoreWatcher - Reference to truststoreFileWatcher.; resetContext - Callback for file changes.
Throws:: IOException

Class X509Util

Nested Class Summary

Field Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

TLS_CONFIG_PROTOCOL

TLS_CONFIG_KEYSTORE_LOCATION

TLS_CONFIG_KEYSTORE_TYPE

TLS_CONFIG_KEYSTORE_PASSWORD

TLS_CONFIG_TRUSTSTORE_LOCATION

TLS_CONFIG_TRUSTSTORE_TYPE

TLS_CONFIG_TRUSTSTORE_PASSWORD

TLS_CONFIG_CLR

TLS_CONFIG_OCSP

TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED

TLS_ENABLED_PROTOCOLS

TLS_CIPHER_SUITES

TLS_CERT_RELOAD

TLS_USE_OPENSSL

DEFAULT_PROTOCOL

HBASE_SERVER_NETTY_TLS_ENABLED

HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE

HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME

HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT

HBASE_SERVER_NETTY_TLS_WRAP_SIZE

DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE

HBASE_CLIENT_NETTY_TLS_ENABLED

HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME

HBASE_CLIENT_NETTY_TLS_HANDSHAKETIMEOUT

DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS

Method Detail

createSslContextForClient

createSslContextForServer

enableCertFileReloading