Class ConfluentKeyProvider

All Implemented Interfaces:
Serializable, Cloneable, Map<Object,Object>

public class ConfluentKeyProvider extends Provider
A Java Security Provider that registers the ConfluentKeyManagerFactory.

This provider enables the JVM to use Confluent's custom key management for outbound mTLS connections, where the broker acts as a TLS client and needs to select which client certificate to present.

Certificate Selection Priority:

  1. SPIRE certificate - if SPIRE is enabled and the server accepts the SPIRE CA
  2. Let's Encrypt server certificate as client certificate - if useServerCertForClientAuth is enabled
  3. Default client certificate - from the configured keystore

Usage:

Security.addProvider(new ConfluentKeyProvider(configs));
KeyManagerFactory kmf = KeyManagerFactory.getInstance(ConfluentKeyProvider.ALGORITHM);
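
The certificate selection priority listed above, sketched as a JSSE key manager. This is an added example, not Confluent's code: the class name, the alias names ("spire", "server", "client"), the constructor parameters and the choice to treat an empty issuer list as "SPIRE CA not accepted" are all assumptions.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

// Added illustration; class, field and alias names are hypothetical.
public class PriorityClientKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager keys;          // delegate holding all three key entries
    private final X500Principal spireCa;        // subject DN of the SPIRE CA
    private final boolean spireEnabled;
    private final boolean useServerCertForClientAuth;

    public PriorityClientKeyManager(X509KeyManager keys, X500Principal spireCa,
                                    boolean spireEnabled, boolean useServerCertForClientAuth) {
        this.keys = keys;
        this.spireCa = spireCa;
        this.spireEnabled = spireEnabled;
        this.useServerCertForClientAuth = useServerCertForClientAuth;
    }

    // issuers = CA names the server sent in its TLS CertificateRequest.
    // Assumption: a null or empty list does not count as accepting the SPIRE CA.
    String select(Principal[] issuers) {
        boolean serverAcceptsSpire =
                issuers != null && Arrays.asList(issuers).contains(spireCa);
        if (spireEnabled && serverAcceptsSpire) return "spire";   // priority 1
        if (useServerCertForClientAuth) return "server";          // priority 2
        return "client";                                          // priority 3
    }

    // Socket-based and SSLEngine-based handshakes both go through select().
    @Override public String chooseClientAlias(String[] t, Principal[] issuers, Socket s) { return select(issuers); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] issuers, SSLEngine e) { return select(issuers); }

    // Everything else is passed through to the delegate unchanged.
    @Override public String[] getClientAliases(String t, Principal[] i) { return keys.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return keys.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return keys.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return keys.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return keys.getPrivateKey(alias); }
}
```

Overriding chooseEngineClientAlias matters for SSLEngine-based clients: the default in X509ExtendedKeyManager returns null, which means no client certificate is presented.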
  • Field Details

    • PROVIDER_NAME

      public static final String PROVIDER_NAME
      The provider name.
    • KEY_PROVIDER_CONFIG

      public static final String KEY_PROVIDER_CONFIG
      The property key for accessing the configuration from the provider.
  • Constructor Details

    • ConfluentKeyProvider

      public ConfluentKeyProvider(Map<String,?> configs)
      Creates a ConfluentKeyProvider with the given configuration.
      Parameters:
      configs - the configuration map containing SSL/TLS settings
  • Method Details

    • updateConfigs

      public void updateConfigs(Map<String,?> configs)
      Updates the provider's configuration for dynamic reconfiguration support. This allows SSL components to pick up new config values without requiring a broker restart.
      Parameters:
      configs - the new configuration map