Class ConfluentKeyManager

java.lang.Object
  javax.net.ssl.X509ExtendedKeyManager
    io.confluent.kafka.server.plugins.ssl.ConfluentKeyManager

All Implemented Interfaces:
  KeyManager, X509KeyManager
Custom key manager that selects client certificates for mTLS authentication.
This key manager supports multiple certificate selection strategies for outbound connections where the broker acts as a TLS client (e.g., Cluster Linking, inter-broker communication):
Certificate Selection Priority:
- SPIRE Certificate: If SPIRE is enabled and the server accepts the SPIRE CA (detected via the certificate_authorities list in the server's CertificateRequest), use the SPIRE X509-SVID for service-to-service authentication.
- Server Certificate as Client Certificate: If useServerCertForClientAuth is enabled, use the broker's Let's Encrypt server certificate for client authentication. This is useful when dedicated client certificates are unavailable.
- Default Client Certificate: Fall back to the standard client certificate from the configured keystore.
Configuration:
- confluent.spire.clientside.validation.enabled - Enable SPIRE certificate selection for client-side (outbound) connections
- confluent.mtls.use.server.cert.for.client.auth.clientside.enabled - Enable using the server certificate for client authentication (supports dynamic configuration update)
Constructor Summary

Constructor: ConfluentKeyManager(Map<String, ?> configs, X509ExtendedKeyManager defaultKeyManager)
Description: Creates a ConfluentKeyManager with the default key manager.
Method Summary

Modifier and Type / Method / Description
String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket)
  Selects the client certificate alias for socket-based connections.
String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine)
  Selects the client certificate alias for SSLEngine-based connections.
String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
X509Certificate[] getCertificateChain(String alias)
String[] getClientAliases(String keyType, Principal[] issuers)
PrivateKey getPrivateKey(String alias)
String[] getServerAliases(String keyType, Principal[] issuers)
Constructor Details

ConfluentKeyManager(Map<String, ?> configs, X509ExtendedKeyManager defaultKeyManager)
Creates a ConfluentKeyManager with the default key manager. The SPIRE key manager is initialized internally if SPIRE is enabled.
Parameters:
  configs - configuration map containing SSL/TLS and SPIRE settings
  defaultKeyManager - the default key manager (typically for Let's Encrypt server certificates)
Method Details

chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine)
Selects the client certificate alias for SSLEngine-based connections. This method implements the certificate selection priority:
- SPIRE certificate if SPIRE is enabled and the server accepts the SPIRE CA
- Server certificate if useServerCertForClientAuth is enabled and available
- Default client certificate as fallback
The issuers parameter contains the acceptable CAs from the server's TLS CertificateRequest message. This is used to detect whether the server accepts the SPIRE CA.
Overrides:
  chooseEngineClientAlias in class X509ExtendedKeyManager
Parameters:
  keyTypes - the key algorithm type names (e.g., "RSA", "EC")
  issuers - acceptable CA subject names from the server's CertificateRequest
  engine - the SSLEngine for this connection
Returns:
  the alias for the selected client certificate, or null if none is available. A null return means no client certificate is presented; whether the server then completes the handshake depends on its client-authentication policy.
chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket)
Selects the client certificate alias for socket-based connections. Applies the same certificate selection priority as chooseEngineClientAlias(String[], Principal[], SSLEngine):
- SPIRE certificate if SPIRE is enabled and the server accepts the SPIRE CA
- Server certificate if useServerCertForClientAuth is enabled and available
- Default client certificate as fallback
Parameters:
  keyTypes - the key algorithm type names (e.g., "RSA", "EC")
  issuers - acceptable CA subject names from the server's CertificateRequest
  socket - the socket for this connection
Returns:
  the alias for the selected client certificate, or null if none is available. A null return means no client certificate is presented; whether the server then completes the handshake depends on its client-authentication policy.
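The selection priority described above for chooseEngineClientAlias and chooseClientAlias, as an added example that is not Confluent's code: a hypothetical PriorityClientKeyManager that wraps a SPIRE key manager and the default keystore key manager, checks the server's CertificateRequest CA list for the SPIRE CA, honours a runtime-toggled useServerCertForClientAuth flag, and routes getCertificateChain/getPrivateKey back to whichever delegate owns the chosen alias. The constructor arguments (SPIRE key manager, SPIRE CA DN, default key manager, AtomicBoolean flag), the alias-prefix scheme, the `fixed` test double and the DNs in main are all assumptions made for this demo.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical wrapper (not Confluent's code): applies the SPIRE > server-cert > client-cert priority. */
public final class PriorityClientKeyManager extends X509ExtendedKeyManager {
    private static final String SPIRE = "spire:", DEFAULT = "default:";   // alias namespaces
    private final X509ExtendedKeyManager spire;      // null when SPIRE is disabled
    private final X500Principal spireCa;             // subject DN of the SPIRE CA (assumed known)
    private final X509ExtendedKeyManager defaults;   // keystore holding the server (+ maybe client) cert
    private final AtomicBoolean useServerCertForClientAuth; // flipped at runtime by dynamic config

    public PriorityClientKeyManager(X509ExtendedKeyManager spire, X500Principal spireCa,
                                    X509ExtendedKeyManager defaults, AtomicBoolean useServerCert) {
        this.spire = spire; this.spireCa = spireCa; this.defaults = defaults;
        this.useServerCertForClientAuth = useServerCert;
    }

    /** True only if the CertificateRequest's certificate_authorities explicitly names the SPIRE CA. */
    boolean serverAcceptsSpireCa(Principal[] issuers) {
        if (issuers == null) return false;   // no CA list at all: fail closed, do not offer the SVID
        for (Principal p : issuers) {
            X500Principal x = p instanceof X500Principal ? (X500Principal) p : new X500Principal(p.getName());
            if (x.equals(spireCa)) return true;   // X500Principal.equals compares canonical DNs
        }
        return false;
    }

    @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return select(kt, iss, e, null); }
    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return select(kt, iss, null, s); }

    private String select(String[] keyTypes, Principal[] issuers, SSLEngine engine, Socket socket) {
        String a;
        // 1. SPIRE X509-SVID, but only when the server has told us it trusts the SPIRE CA
        if (spire != null && serverAcceptsSpireCa(issuers)) {
            a = engine != null ? spire.chooseEngineClientAlias(keyTypes, issuers, engine)
                               : spire.chooseClientAlias(keyTypes, issuers, socket);
            if (a != null) return SPIRE + a;
        }
        // 2. The broker's own server certificate offered as a client certificate; the server's CA list is
        //    deliberately ignored here (example's choice), since the option exists for when no client cert fits
        if (useServerCertForClientAuth.get()) {
            for (String kt : keyTypes) {
                a = engine != null ? defaults.chooseEngineServerAlias(kt, null, engine)
                                   : defaults.chooseServerAlias(kt, null, socket);
                if (a != null) return DEFAULT + a;
            }
        }
        // 3. Ordinary client certificate from the keystore; null means no certificate is sent at all
        a = engine != null ? defaults.chooseEngineClientAlias(keyTypes, issuers, engine)
                           : defaults.chooseClientAlias(keyTypes, issuers, socket);
        return a == null ? null : DEFAULT + a;
    }

    // The prefix routes getCertificateChain/getPrivateKey back to the key manager that owns the alias,
    // so an alias that exists in both keystores cannot be resolved against the wrong one.
    private X509ExtendedKeyManager owner(String alias) { return alias.startsWith(SPIRE) ? spire : defaults; }
    private static String strip(String alias) { return alias.substring(alias.indexOf(':') + 1); }
    private static String pfx(String a) { return a == null ? null : DEFAULT + a; }
    private static String[] pfxAll(String[] a) { return a == null ? null : Arrays.stream(a).map(PriorityClientKeyManager::pfx).toArray(String[]::new); }

    @Override public X509Certificate[] getCertificateChain(String alias) { return owner(alias).getCertificateChain(strip(alias)); }
    @Override public PrivateKey getPrivateKey(String alias) { return owner(alias).getPrivateKey(strip(alias)); }
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return pfx(defaults.chooseServerAlias(kt, iss, s)); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return pfx(defaults.chooseEngineServerAlias(kt, iss, e)); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return pfxAll(defaults.getClientAliases(kt, iss)); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return pfxAll(defaults.getServerAliases(kt, iss)); }

    /** Test double constructed for this demo: always offers the given client and server aliases, no real keys. */
    static X509ExtendedKeyManager fixed(String client, String server) {
        return new X509ExtendedKeyManager() {
            @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return client; }
            @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return client; }
            @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return server; }
            @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return server; }
            @Override public String[] getClientAliases(String kt, Principal[] iss) { return client == null ? null : new String[] {client}; }
            @Override public String[] getServerAliases(String kt, Principal[] iss) { return server == null ? null : new String[] {server}; }
            @Override public X509Certificate[] getCertificateChain(String a) { return null; }
            @Override public PrivateKey getPrivateKey(String a) { return null; }
        };
    }

    public static void main(String[] args) throws Exception {
        X500Principal spireCa = new X500Principal("CN=SPIRE CA,O=example");   // constructed DN
        AtomicBoolean useServerCert = new AtomicBoolean(false);
        PriorityClientKeyManager km = new PriorityClientKeyManager(
                fixed("svid", null), spireCa, fixed(null, "broker-le"), useServerCert);
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        Principal[] trustsSpire = {spireCa};
        Principal[] trustsOther = {new X500Principal("CN=Corp Root,O=example")};
        System.out.println(km.chooseEngineClientAlias(new String[] {"EC"}, trustsSpire, engine));
        System.out.println(km.chooseEngineClientAlias(new String[] {"EC"}, trustsOther, engine));
        useServerCert.set(true);   // dynamic config update takes effect on the next handshake
        System.out.println(km.chooseEngineClientAlias(new String[] {"EC"}, trustsOther, engine));
    }
}
```

In main, the first handshake offers the SPIRE alias because the constructed CertificateRequest names the SPIRE CA; the second offers nothing, since the server names a different CA, the flag is off and the default keystore has no client certificate; after the flag is flipped the third falls through to the server certificate alias. Two caveats for anyone building on this pattern: in TLS 1.3 the certificate_authorities extension is optional, so a server that trusts the SPIRE CA but omits the list will never trigger step 1 and the manager silently falls through; and prefixing aliases is what keeps getPrivateKey from handing out the wrong key when both keystores happen to use the same alias string.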
chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
Overrides:
  chooseEngineServerAlias in class X509ExtendedKeyManager

chooseServerAlias(String keyType, Principal[] issuers, Socket socket)

getClientAliases(String keyType, Principal[] issuers)

getServerAliases(String keyType, Principal[] issuers)

getCertificateChain(String alias)

getPrivateKey(String alias)