final case class TlsServerConfig(certChainFile: PemFileOrString, privateKeyFile: PemFile, trustCollectionFile: Option[PemFileOrString] = None, clientAuth: ServerAuthRequirementConfig = ServerAuthRequirementConfig.Optional, minimumServerProtocolVersion: Option[String] = Some(TlsServerConfig.defaultMinimumServerProtocol), ciphers: Option[Seq[String]] = TlsServerConfig.defaultCiphers, enableCertRevocationChecking: Boolean = false) extends BaseTlsArguments with UniformCantonConfigValidation with Product with Serializable
A wrapper for TLS related server parameters supporting mutual authentication.
Certificates and keys must be provided in the PEM format. It is recommended to create them with OpenSSL. Other formats (such as GPG) may also work, but have not been tested.
- certChainFile
a file containing the certificate chain from the server certificate up to the root CA. The chain is used to authenticate the server to its clients. The order of certificates in the chain matters: it must start with the server certificate and end with the root certificate.
- privateKeyFile
a file containing the server's private key. The key must not use a password.
- trustCollectionFile
a file containing certificates of all nodes the server trusts. Used for client authentication. It depends on the enclosing configuration whether client authentication is mandatory, optional or unsupported. If client authentication is enabled and this parameter is absent, the certificates in the JVM trust store will be used instead.
- clientAuth
indicates whether the server requires, requests, or does not request authentication from clients. Normally the ledger API server requires client authentication under TLS, but this setting allows that requirement to be loosened. See https://github.com/digital-asset/daml/commit/edd73384c427d9afe63bae9d03baa2a26f7b7f54
- minimumServerProtocolVersion
the minimum supported TLS protocol version. Set to None (or null in the config file) to fall back to the JVM settings.
- ciphers
the supported ciphers. Set to None (or null in the config file) to fall back to the JVM settings.
- enableCertRevocationChecking
whether to enable certificate revocation checking, following https://tersesystems.com/blog/2014/03/22/fixing-certificate-revocation/. TODO(#4881): implement cert-revocation at the participant and synchronizer admin endpoints. Ledger API server reference PR: https://github.com/digital-asset/daml/pull/7965
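An added configuration example (not from this page or the Canton project) that maps the parameters above onto a participant's ledger API TLS block, with the permissive defaults shown commented beside a hardened variant. The kebab-case key names follow Canton's config convention for these fields, the `client-auth.admin-client` sub-block is assumed to be how a `Require` setting names the certificate Canton's own admin client presents, and all file paths are placeholders.

```hocon
canton.participants.participant1.ledger-api.tls {
  // Server identity: the chain must be ordered server cert -> intermediates -> root CA.
  cert-chain-file = "./tls/ledger-api.crt"   // placeholder path
  // Private key in PEM; password-protected keys are not supported.
  private-key-file = "./tls/ledger-api.pem"  // placeholder path

  // Permissive variant (the case-class defaults): clientAuth = Optional and no
  // trust collection, so the JVM trust store decides which client certs are accepted
  // and a client may connect without presenting one at all.
  // client-auth = { type = optional }

  // Hardened variant: only certificates chaining to this CA are trusted for clients.
  trust-collection-file = "./tls/root-ca.crt"  // placeholder path
  client-auth = {
    type = require
    // assumed sub-block: the certificate Canton's admin tooling presents to this server
    admin-client = {
      cert-chain-file = "./tls/admin-client.crt"  // placeholder path
      private-key-file = "./tls/admin-client.pem" // placeholder path
    }
  }
  // Pin the floor explicitly instead of inheriting whatever the JVM allows.
  minimum-server-protocol-version = "TLSv1.3"
  // Leave ciphers unset to use TlsServerConfig.defaultCiphers, or restrict further:
  // ciphers = [ "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256" ]
  // Revocation checking is only wired up for the ledger API server per the TODO above.
  enable-cert-revocation-checking = true
}
```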
Linear Supertypes
- TlsServerConfig
- Serializable
- Product
- Equals
- UniformCantonConfigValidation
- CustomCantonConfigValidation
- CantonConfigValidation
- BaseTlsArguments
- AnyRef
- Any
Instance Constructors
- new TlsServerConfig(certChainFile: PemFileOrString, privateKeyFile: PemFile, trustCollectionFile: Option[PemFileOrString] = None, clientAuth: ServerAuthRequirementConfig = ServerAuthRequirementConfig.Optional, minimumServerProtocolVersion: Option[String] = Some(TlsServerConfig.defaultMinimumServerProtocol), ciphers: Option[Seq[String]] = TlsServerConfig.defaultCiphers, enableCertRevocationChecking: Boolean = false)
Value Members
- final def !=(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def ##: Int
- Definition Classes
- AnyRef → Any
- final def ==(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def asInstanceOf[T0]: T0
- Definition Classes
- Any
- val certChainFile: PemFileOrString
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- val ciphers: Option[Seq[String]]
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- val clientAuth: ServerAuthRequirementConfig
- lazy val clientConfig: TlsClientConfig
- def clone(): AnyRef
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.CloneNotSupportedException]) @IntrinsicCandidate() @native()
- final def doValidate(edition: CantonEdition): Seq[CantonConfigValidationError]
Returns all validation errors that are specific to this Canton configuration class. Successful validation should return an empty sequence.
Validation errors of subconfigurations should not be reported by this method, but via the type class derivation.
- Attributes
- protected
- Definition Classes
- UniformCantonConfigValidation → CustomCantonConfigValidation
- val enableCertRevocationChecking: Boolean
- final def eq(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- final def getClass(): Class[_ <: AnyRef]
- Definition Classes
- AnyRef → Any
- Annotations
- @IntrinsicCandidate() @native()
- final def isInstanceOf[T0]: Boolean
- Definition Classes
- Any
- val minimumServerProtocolVersion: Option[String]
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- final def ne(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- final def notify(): Unit
- Definition Classes
- AnyRef
- Annotations
- @IntrinsicCandidate() @native()
- final def notifyAll(): Unit
- Definition Classes
- AnyRef
- Annotations
- @IntrinsicCandidate() @native()
- val privateKeyFile: PemFile
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- def productElementNames: Iterator[String]
- Definition Classes
- Product
- def protocols: Option[Seq[String]]
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- def setJvmTlsProperties(): Unit
This is a side-effecting method. It modifies JVM TLS properties according to the TLS configuration.
- final def synchronized[T0](arg0: => T0): T0
- Definition Classes
- AnyRef
- val trustCollectionFile: Option[PemFileOrString]
- final def validate[T >: TlsServerConfig.this.type](edition: CantonEdition)(implicit validator: CantonConfigValidator[T]): Either[NonEmpty[Seq[CantonConfigValidationError]], Unit]
- Definition Classes
- CantonConfigValidation
- final def wait(arg0: Long, arg1: Int): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])
- final def wait(arg0: Long): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException]) @native()
- final def wait(): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])