Class ConfluentFipsValidator

java.lang.Object
  io.confluent.kafka.security.fips.ConfluentFipsValidator

- All Implemented Interfaces:
  org.apache.kafka.common.security.fips.FipsValidator

public class ConfluentFipsValidator
extends Object
implements org.apache.kafka.common.security.fips.FipsValidator

This class centralizes FIPS validation for cipher suites, SSL/TLS versions and Kafka broker protocols. One of its primary uses is to validate FIPS requirements.

Important: when using the default constructor (for ServiceLoader), you must call configure(FipsSecurityConfig.FipsMode) before calling any validation methods. Otherwise, an IllegalStateException will be thrown.
Field Summary

- Fields inherited from interface org.apache.kafka.common.security.fips.FipsValidator:
  LDAP_PROVIDER_URL_CONFIG

Constructor Summary

- Constructors:
  ConfluentFipsValidator()

Method Summary

- final void configure(org.apache.kafka.common.security.fips.FipsSecurityConfig.FipsMode fipsMode)
- boolean fipsEnabled()
- void validateFipsBrokerProtocol(Map<String, org.apache.kafka.common.security.auth.SecurityProtocol> securityProtocolMap)
  Validate broker protocol, make sure broker uses either SSL or SASL_SSL protocol.
- void validateFipsLdapProtocol(String providerUrls)
  Validate LDAP protocol, make sure only LDAPS protocol is used in all provider URLs.
- void validateFipsTls(Map<String, ?> configs)
  Validate FIPS requirements on cipher suites and TLS protocol versions.
- void validateFipsTlsCipherSuite(Collection<String> cipherSuites)
  Validate whether cipher suites are FIPS compliant.
- void validateFipsTlsCipherSuite(Map<String, ?> configs)
  Validate whether cipher suites are FIPS compliant.
- void validateFipsTlsVersion(Collection<String> tlsVersions)
  Validate whether TLS versions are FIPS compliant.
- void validateFipsTlsVersion(Map<String, ?> configs)
  Validate whether TLS versions are FIPS compliant.
- void validateRestProtocol(String restProtocolOrUrl)
  Validate REST server protocol, make sure Connect uses the https protocol.

- Methods inherited from class java.lang.Object:
  equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Methods inherited from interface org.apache.kafka.common.security.fips.FipsValidator:
  validateFipsLdapProtocol
Constructor Details

ConfluentFipsValidator
public ConfluentFipsValidator()

Method Details

configure
public final void configure(org.apache.kafka.common.security.fips.FipsSecurityConfig.FipsMode fipsMode)
- Specified by:
  configure in interface org.apache.kafka.common.security.fips.FipsValidator

fipsEnabled
public boolean fipsEnabled()
- Specified by:
  fipsEnabled in interface org.apache.kafka.common.security.fips.FipsValidator

validateFipsTls
public void validateFipsTls(Map<String, ?> configs)
Validate FIPS requirements on cipher suites and TLS protocol versions.
- Specified by:
  validateFipsTls in interface org.apache.kafka.common.security.fips.FipsValidator
- Parameters:
  configs - the configuration containing cipher suites and TLS protocols.
- Throws:
  InvalidFipsTlsCipherSuiteException - if cipher suites are not FIPS compliant.
  InvalidFipsTlsVersionException - if TLS protocols are not FIPS compliant.
  IllegalStateException - if configure() has not been called.

validateFipsBrokerProtocol
public void validateFipsBrokerProtocol(Map<String, org.apache.kafka.common.security.auth.SecurityProtocol> securityProtocolMap)
Validate broker protocol, make sure broker uses either SSL or SASL_SSL protocol.
- Specified by:
  validateFipsBrokerProtocol in interface org.apache.kafka.common.security.fips.FipsValidator
- Parameters:
  securityProtocolMap - the map from listener name to security protocol.
- Throws:
  InvalidFipsBrokerProtocolException - if broker protocols are not FIPS compliant.
  IllegalStateException - if configure() has not been called.

validateRestProtocol
public void validateRestProtocol(String restProtocolOrUrl)
Validate REST server protocol, make sure Connect uses the https protocol. Accepts either a protocol string (e.g., "https") or a URL (e.g., "https://localhost:8080").
- Specified by:
  validateRestProtocol in interface org.apache.kafka.common.security.fips.FipsValidator
- Parameters:
  restProtocolOrUrl - protocol or URL used by the REST servers of listeners.
- Throws:
  InvalidFipsRestProtocolException - if the REST server protocol is not FIPS compliant.
  IllegalStateException - if configure() has not been called.

validateFipsTlsCipherSuite
public void validateFipsTlsCipherSuite(Map<String, ?> configs)
Validate whether cipher suites are FIPS compliant.
- Parameters:
  configs - the configuration containing cipher suites.
- Throws:
  InvalidFipsTlsCipherSuiteException - if cipher suites are not FIPS compliant.

validateFipsTlsVersion
public void validateFipsTlsVersion(Map<String, ?> configs)
Validate whether TLS versions are FIPS compliant.
- Parameters:
  configs - the configuration containing TLS versions.
- Throws:
  InvalidFipsTlsVersionException - if a TLS protocol is not FIPS compliant.

validateFipsTlsCipherSuite
public void validateFipsTlsCipherSuite(Collection<String> cipherSuites)
Validate whether cipher suites are FIPS compliant.
- Parameters:
  cipherSuites - a collection of cipher suites.
- Throws:
  InvalidFipsTlsCipherSuiteException - if cipher suites are not FIPS compliant.
  IllegalStateException - if configure() has not been called.

validateFipsTlsVersion
public void validateFipsTlsVersion(Collection<String> tlsVersions)
Validate whether TLS versions are FIPS compliant.
- Parameters:
  tlsVersions - a collection of TLS protocol versions.
- Throws:
  InvalidFipsTlsVersionException - if a TLS protocol is not FIPS compliant.
  IllegalStateException - if configure() has not been called.

validateFipsLdapProtocol
public void validateFipsLdapProtocol(String providerUrls)
Validate LDAP protocol, make sure only the LDAPS protocol is used in all provider URLs. The providerUrls can contain multiple space-separated URLs.
- Specified by:
  validateFipsLdapProtocol in interface org.apache.kafka.common.security.fips.FipsValidator
- Parameters:
  providerUrls - LDAP provider URLs from the ldap.java.naming.provider.url config.
- Throws:
  InvalidFipsLdapProtocolException - if any LDAP URL uses the insecure ldap:// protocol.
  IllegalStateException - if configure() has not been called.
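As an added usage example (not Confluent's code) of the configure-before-validate requirement and the validations listed above, run as one startup check. It assumes the validator reads the standard ssl.cipher.suites and ssl.enabled.protocols keys, that the InvalidFips*Exception types are unchecked, and the FipsMode constant name is a placeholder because the page does not list the enum values.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

import io.confluent.kafka.security.fips.ConfluentFipsValidator;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.fips.FipsSecurityConfig;

public final class FipsStartupCheck {

    // Runs every check the Javadoc documents. configure() goes first: with the
    // ServiceLoader constructor the validator is unconfigured, and any validate*
    // call made before configure() throws IllegalStateException.
    static void validateStartupConfig(FipsSecurityConfig.FipsMode mode,
                                      Map<String, ?> sslConfigs,
                                      Map<String, SecurityProtocol> listeners,
                                      Collection<String> restListenerUrls,
                                      String ldapProviderUrls) {
        ConfluentFipsValidator validator = new ConfluentFipsValidator();
        validator.configure(mode);                          // must precede any validate* call
        validator.validateFipsTls(sslConfigs);              // cipher suites and TLS versions
        validator.validateFipsBrokerProtocol(listeners);    // every listener SSL or SASL_SSL
        for (String url : restListenerUrls) {
            validator.validateRestProtocol(url);            // accepts "https" or a full URL
        }
        if (ldapProviderUrls != null) {
            validator.validateFipsLdapProtocol(ldapProviderUrls); // space-separated, all ldaps://
        }
    }

    public static void main(String[] args) {
        // Constructed sample input. FIPS_MODE_NAME is a placeholder for the
        // FipsSecurityConfig.FipsMode constant your build defines.
        final String FIPS_MODE_NAME = "<FIPS_MODE_CONSTANT>";
        FipsSecurityConfig.FipsMode mode = FipsSecurityConfig.FipsMode.valueOf(FIPS_MODE_NAME);
        Map<String, Object> ssl = Map.of(                   // assumed keys read by validateFipsTls
            SslConfigs.SSL_CIPHER_SUITES_CONFIG, List.of("TLS_AES_256_GCM_SHA384"),
            SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, List.of("TLSv1.3"));
        Map<String, SecurityProtocol> listeners = Map.of(
            "INTERNAL", SecurityProtocol.SASL_SSL, "EXTERNAL", SecurityProtocol.SSL);
        try {
            validateStartupConfig(mode, ssl, listeners,
                List.of("https://connect.example.internal:8083"),
                "ldaps://ldap1.example.internal ldaps://ldap2.example.internal");
            System.out.println("FIPS validation passed");
        } catch (IllegalStateException e) {
            System.err.println("validator used before configure(): " + e.getMessage());
        } catch (RuntimeException e) {                      // InvalidFips*Exception, assumed unchecked
            System.err.println("FIPS validation failed: " + e);
        }
    }
}
```

Fail the process start on either catch branch in production; a validator that was never configured is as much a deployment defect as a non-compliant cipher suite.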