Class ConfluentKeyManager

java.lang.Object
javax.net.ssl.X509ExtendedKeyManager
io.confluent.kafka.server.plugins.ssl.ConfluentKeyManager
All Implemented Interfaces:
KeyManager, X509KeyManager

public class ConfluentKeyManager extends X509ExtendedKeyManager
Custom key manager that selects client certificates for mTLS authentication.

This key manager supports multiple certificate selection strategies for outbound connections where the broker acts as a TLS client (e.g., Cluster Linking, inter-broker communication):

Certificate Selection Priority:

  1. SPIRE Certificate: If SPIRE is enabled and the server accepts SPIRE CA (detected via certificate_authorities in CertificateRequest), use the SPIRE X509-SVID for service-to-service authentication.
  2. Server Certificate as Client Certificate: If useServerCertForClientAuth is enabled, use the broker's Let's Encrypt server certificate for client authentication. This is useful when dedicated client certificates are unavailable.
  3. Default Client Certificate: Fall back to the standard client certificate from the configured keystore.

Configuration:

  • confluent.spire.clientside.validation.enabled - Enable SPIRE certificate selection for client-side (outbound) connections
  • confluent.mtls.use.server.cert.for.client.auth.clientside.enabled - Enable using server certificate for client authentication (supports dynamic configuration update)
  • Constructor Details

    • ConfluentKeyManager

      public ConfluentKeyManager(Map<String,?> configs, X509ExtendedKeyManager defaultKeyManager)
      Creates a ConfluentKeyManager with the default key manager. SPIRE key manager is initialized internally if SPIRE is enabled.
      Parameters:
      configs - configuration map containing SSL/TLS and SPIRE settings
      defaultKeyManager - the default key manager (typically for Let's Encrypt server certificates)
  • Method Details

    • chooseEngineClientAlias

      public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine)
      Selects the client certificate alias for SSLEngine-based connections.

      This method implements the certificate selection priority:

      1. SPIRE certificate if SPIRE is enabled and server accepts SPIRE CA
      2. Server certificate if useServerCertForClientAuth is enabled and available
      3. Default client certificate as fallback

      The issuers parameter carries the acceptable CA subject names from the server's TLS CertificateRequest message (the certificate_authorities list) and is used to detect whether the server accepts the SPIRE CA. If the server lists no acceptable CAs, so that issuers is null or empty, SPIRE acceptance cannot be detected and selection proceeds to the next strategy.

      Overrides:
      chooseEngineClientAlias in class X509ExtendedKeyManager
      Parameters:
      keyTypes - the key algorithm type names (e.g., "RSA", "EC")
      issuers - acceptable CA subject names from server's CertificateRequest
      engine - the SSLEngine for this connection
      Returns:
      the alias for the selected client certificate, or null if no suitable certificate is available (the client then offers no certificate and the server decides whether the handshake continues)
    • chooseClientAlias

      public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket)
      Selects the client certificate alias for socket-based connections.

      Applies the same certificate selection priority as chooseEngineClientAlias(String[], Principal[], SSLEngine):

      1. SPIRE certificate if SPIRE is enabled and server accepts SPIRE CA
      2. Server certificate if useServerCertForClientAuth is enabled and available
      3. Default client certificate as fallback
      Parameters:
      keyTypes - the key algorithm type names (e.g., "RSA", "EC")
      issuers - acceptable CA subject names from server's CertificateRequest
      socket - the socket for this connection
      Returns:
      the alias for the selected client certificate, or null if no suitable certificate is available (the client then offers no certificate and the server decides whether the handshake continues)
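      As an added example (this is not code from ConfluentKeyManager or the project), the following standalone X509ExtendedKeyManager applies the same three-step priority to both the socket and the SSLEngine path, routes the later getCertificateChain/getPrivateKey calls back to the store that produced the alias, and shows why an empty issuers list falls through rather than selecting the SVID. The class name, constructor, the "svid-" alias prefix and all helper names are assumptions; the example also assumes the SPIRE-issued key material is available as a second X509ExtendedKeyManager.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.function.Function;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative client-certificate selector modelled on the priority described above.
 * Not the project's code: class name, constructor shape, "svid-" prefix and helper names are assumed.
 */
public final class PrioritizedClientKeyManager extends X509ExtendedKeyManager {
    /** Assumed prefix marking an alias as belonging to the workload-identity (SVID) store. */
    private static final String SVID_PREFIX = "svid-";

    private final X509ExtendedKeyManager defaultKm;  // keystore-backed client and server certificates
    private final X509ExtendedKeyManager svidKm;     // SVID store, null when disabled
    private final X500Principal svidCa;              // issuer the SVID chain is rooted in
    private final String serverAlias;                // alias of the server certificate in defaultKm
    private volatile boolean useServerCertForClientAuth;  // volatile: flipped by dynamic config updates

    public PrioritizedClientKeyManager(X509ExtendedKeyManager defaultKm, String serverAlias,
            X509ExtendedKeyManager svidKm, X500Principal svidCa, boolean useServerCertForClientAuth) {
        this.defaultKm = defaultKm;
        this.serverAlias = serverAlias;
        this.svidKm = svidKm;
        this.svidCa = svidCa;
        this.useServerCertForClientAuth = useServerCertForClientAuth;
    }

    /** Mirrors a dynamic update of the use-server-cert-for-client-auth setting. */
    public void setUseServerCertForClientAuth(boolean enabled) {
        useServerCertForClientAuth = enabled;
    }

    /** True only if the server's CertificateRequest named the SVID CA as acceptable. A null or empty
     *  list (a TLS 1.3 server may omit certificate_authorities) proves nothing, so the SVID is not
     *  offered and selection falls through to the next strategy. */
    static boolean serverAcceptsCa(Principal[] issuers, X500Principal ca) {
        if (issuers == null || ca == null) return false;
        for (Principal issuer : issuers) {
            if (issuer instanceof X500Principal && ca.equals(issuer)) return true;
        }
        return false;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return select(keyTypes, issuers, km -> km.chooseClientAlias(keyTypes, issuers, socket));
    }
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return select(keyTypes, issuers, km -> km.chooseEngineClientAlias(keyTypes, issuers, engine));
    }

    /** The three-step priority; {@code pick} asks a delegate for its own choice of alias. */
    private String select(String[] keyTypes, Principal[] issuers,
                          Function<X509ExtendedKeyManager, String> pick) {
        if (svidKm != null && serverAcceptsCa(issuers, svidCa)) {        // 1. workload identity
            String alias = pick.apply(svidKm);
            if (alias != null) return SVID_PREFIX + alias;  // prefix routes the later key/chain lookups
        }
        if (useServerCertForClientAuth && serverAlias != null            // 2. server cert as client cert
                && keyTypeMatches(keyTypes, defaultKm.getPrivateKey(serverAlias))) {
            return serverAlias;
        }
        return pick.apply(defaultKm);                                     // 3. keystore client cert
    }
    /** Simplified: matches the key algorithm ("RSA", "EC") against the types the server asked for. */
    private static boolean keyTypeMatches(String[] keyTypes, PrivateKey key) {
        return key != null && (keyTypes == null || Arrays.asList(keyTypes).contains(key.getAlgorithm()));
    }

    // JSSE calls these with the alias returned above, so the prefix decides which store answers.
    private boolean isSvid(String alias) { return svidKm != null && alias != null && alias.startsWith(SVID_PREFIX); }
    private static String strip(String alias) { return alias.substring(SVID_PREFIX.length()); }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return isSvid(alias) ? svidKm.getCertificateChain(strip(alias)) : defaultKm.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return isSvid(alias) ? svidKm.getPrivateKey(strip(alias)) : defaultKm.getPrivateKey(alias);
    }

    // Server-side selection is untouched: the broker's own server certificate stays in the keystore.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return defaultKm.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return defaultKm.chooseEngineServerAlias(keyType, issuers, engine);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return defaultKm.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return defaultKm.getServerAliases(keyType, issuers);
    }
}
```

      To use it, obtain the keystore-backed delegate from KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()) after init(keyStore, password), pass the resulting X509ExtendedKeyManager as defaultKm, and install the wrapper with SSLContext.init(new KeyManager[]{ km }, trustManagers, null). Two points matter for correctness: the alias a choose method returns is the only handle JSSE hands back to getCertificateChain and getPrivateKey, so a selector that draws from more than one store must make its aliases self-describing (here the prefix), and the SVID is offered only on a positive match of the CA distinguished name in issuers, so a server that omits certificate_authorities never receives it.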
    • chooseEngineServerAlias

      public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
      Overrides:
      chooseEngineServerAlias in class X509ExtendedKeyManager
    • chooseServerAlias

      public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
      Specified by:
      chooseServerAlias in interface X509KeyManager
    • getClientAliases

      public String[] getClientAliases(String keyType, Principal[] issuers)
      Specified by:
      getClientAliases in interface X509KeyManager
    • getServerAliases

      public String[] getServerAliases(String keyType, Principal[] issuers)
      Specified by:
      getServerAliases in interface X509KeyManager
    • getCertificateChain

      public X509Certificate[] getCertificateChain(String alias)
      Returns the certificate chain for an alias previously returned by one of the choose methods.
      Specified by:
      getCertificateChain in interface X509KeyManager
    • getPrivateKey

      public PrivateKey getPrivateKey(String alias)
      Returns the private key for an alias previously returned by one of the choose methods.
      Specified by:
      getPrivateKey in interface X509KeyManager