case class TlsServerConfig(certChainFile: ExistingFile, privateKeyFile: ExistingFile, trustCollectionFile: Option[ExistingFile] = None, secretsUrl: Option[String] = None, clientAuth: ServerAuthRequirementConfig = ServerAuthRequirementConfig.Optional, minimumServerProtocolVersion: Option[String] = Some( TlsServerConfig.defaultMinimumServerProtocol ), ciphers: Option[Seq[String]] = TlsServerConfig.defaultCiphers, enableCertRevocationChecking: Boolean = false) extends BaseTlsArguments with Product with Serializable
A wrapper for TLS related server parameters supporting mutual authentication.
Certificates and keys must be provided in the PEM format. It is recommended to create them with OpenSSL. Other formats (such as GPG) may also work, but have not been tested.
- certChainFile
a file containing the certificate chain from the server certificate to the root CA. The certificate chain is used to authenticate the server. The order of certificates in the chain matters, i.e., it must start with the server certificate and end with the root certificate.
- privateKeyFile
a file containing the server's private key. The key must not use a password.
- trustCollectionFile
a file containing certificates of all nodes the server trusts. Used for client authentication. It depends on the enclosing configuration whether client authentication is mandatory, optional or unsupported. If client authentication is enabled and this parameter is absent, the certificates in the JVM trust store will be used instead.
- secretsUrl
URL of a secrets service that provides the parameters needed to decrypt the private key. Required when the private key is encrypted (indicated by the '.enc' filename suffix).
- clientAuth
indicates whether the server requires, requests, or does not request authentication from clients. Normally the ledger API server requires client auth under TLS, but this requirement can be loosened using this setting. See https://github.com/digital-asset/daml/commit/edd73384c427d9afe63bae9d03baa2a26f7b7f54
- minimumServerProtocolVersion
minimum supported TLS protocol version. Set to None (or null in the config file) to fall back to the JVM settings.
- ciphers
supported cipher suites. Set to None (or null in the config file) to fall back to the JVM settings.
- enableCertRevocationChecking
whether to enable certificate revocation checking, per https://tersesystems.com/blog/2014/03/22/fixing-certificate-revocation/. TODO(#4881): implement cert-revocation at the participant and domain admin endpoints. Ledger API server reference PR: https://github.com/digital-asset/daml/pull/7965
- TlsServerConfig
- Serializable
- Product
- Equals
- BaseTlsArguments
- AnyRef
- Any
Instance Constructors
- new TlsServerConfig(certChainFile: ExistingFile, privateKeyFile: ExistingFile, trustCollectionFile: Option[ExistingFile] = None, secretsUrl: Option[String] = None, clientAuth: ServerAuthRequirementConfig = ServerAuthRequirementConfig.Optional, minimumServerProtocolVersion: Option[String] = Some(
TlsServerConfig.defaultMinimumServerProtocol
), ciphers: Option[Seq[String]] = TlsServerConfig.defaultCiphers, enableCertRevocationChecking: Boolean = false)
- certChainFile
a file containing the certificate chain from the server certificate to the root CA. The certificate chain is used to authenticate the server. The order of certificates in the chain matters, i.e., it must start with the server certificate and end with the root certificate.
- privateKeyFile
a file containing the server's private key. The key must not use a password.
- trustCollectionFile
a file containing certificates of all nodes the server trusts. Used for client authentication. It depends on the enclosing configuration whether client authentication is mandatory, optional or unsupported. If client authentication is enabled and this parameter is absent, the certificates in the JVM trust store will be used instead.
- secretsUrl
URL of a secrets service that provides the parameters needed to decrypt the private key. Required when the private key is encrypted (indicated by the '.enc' filename suffix).
- clientAuth
indicates whether the server requires, requests, or does not request authentication from clients. Normally the ledger API server requires client auth under TLS, but this requirement can be loosened using this setting. See https://github.com/digital-asset/daml/commit/edd73384c427d9afe63bae9d03baa2a26f7b7f54
- minimumServerProtocolVersion
minimum supported TLS protocol version. Set to None (or null in the config file) to fall back to the JVM settings.
- ciphers
supported cipher suites. Set to None (or null in the config file) to fall back to the JVM settings.
- enableCertRevocationChecking
whether to enable certificate revocation checking, per https://tersesystems.com/blog/2014/03/22/fixing-certificate-revocation/. TODO(#4881): implement cert-revocation at the participant and domain admin endpoints. Ledger API server reference PR: https://github.com/digital-asset/daml/pull/7965
Value Members
- final def !=(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def ##: Int
- Definition Classes
- AnyRef → Any
- final def ==(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def asInstanceOf[T0]: T0
- Definition Classes
- Any
- val certChainFile: ExistingFile
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- val ciphers: Option[Seq[String]]
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- val clientAuth: ServerAuthRequirementConfig
- lazy val clientConfig: TlsClientConfig
- def clone(): AnyRef
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.CloneNotSupportedException]) @native() @HotSpotIntrinsicCandidate()
- val enableCertRevocationChecking: Boolean
- final def eq(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- final def getClass(): Class[_ <: AnyRef]
- Definition Classes
- AnyRef → Any
- Annotations
- @native() @HotSpotIntrinsicCandidate()
- final def isInstanceOf[T0]: Boolean
- Definition Classes
- Any
- val minimumServerProtocolVersion: Option[String]
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- final def ne(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- final def notify(): Unit
- Definition Classes
- AnyRef
- Annotations
- @native() @HotSpotIntrinsicCandidate()
- final def notifyAll(): Unit
- Definition Classes
- AnyRef
- Annotations
- @native() @HotSpotIntrinsicCandidate()
- val privateKeyFile: ExistingFile
- Definition Classes
- TlsServerConfig → BaseTlsArguments
- def productElementNames: Iterator[String]
- Definition Classes
- Product
- def protocols: Option[Seq[String]]
- Definition Classes
- BaseTlsArguments
- val secretsUrl: Option[String]
- final def synchronized[T0](arg0: => T0): T0
- Definition Classes
- AnyRef
- val trustCollectionFile: Option[ExistingFile]
- final def wait(arg0: Long, arg1: Int): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])
- final def wait(arg0: Long): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException]) @native()
- final def wait(): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])