Management API Reference for trust-manager

A trust manager definition for creating the TrustManager[] as used to create an SSLContext.

Provided Capabilities (1)

Name	Dynamic	Other provider points
org.wildfly.security.trust-manager	true	/subsystem=security/elytron-trust-manager=*

Attributes (11)

algorithm - The name of the algorithm to use to create the underlying TrustManagerFactory.

Type	STRING
Is the attribute nillable?	true
Does the attribute allow expression?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The name of the algorithm to use to create the underlying TrustManagerFactory.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }`

alias-filter - A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2

Type	STRING
Is the attribute nillable?	true
Does the attribute allow expression?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

certificate-revocation-list - Enables certificate revocation list checks to a trust manager.

Type	OBJECT
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "OBJECT" }, "description" : "Enables certificate revocation list checks to a trust manager.", "expressions-allowed" : false, "required" : false, "nillable" : true, "alternatives" : ["certificate-revocation-lists"], "stability" : "default", "value-type" : { "path" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The path to the configuration to use to initialise the provider.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "relative-to" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The base path of the certificate revocation list file.", "expressions-allowed" : false, "required" : false, "nillable" : true, "requires" : ["path"], "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "maximum-cert-path" : { "type" : { "TYPE_MODEL_VALUE" : "INT" }, "description" : "The maximum number of non-self-issued intermediate certificates that may exist in a certification path.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min" : 1, "max" : 2147483647, "stability" : "default", "deprecated" : { "since" : "8.0.0", "reason" : "Use 'maximum-cert-path' in trust manager proper." } } }, "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

certificate-revocation-lists - Enables certificate revocation list checks to a trust manager using multiple certificate revocation lists.

Type	LIST
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "LIST" }, "description" : "Enables certificate revocation list checks to a trust manager using multiple certificate revocation lists.", "expressions-allowed" : false, "required" : false, "nillable" : true, "alternatives" : ["certificate-revocation-list"], "min-length" : 0, "max-length" : 2147483647, "stability" : "default", "value-type" : { "path" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The path to the certificate revocation list.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "relative-to" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The base path of the certificate revocation list file.", "expressions-allowed" : false, "required" : false, "nillable" : true, "requires" : ["path"], "min-length" : 1, "max-length" : 2147483647, "stability" : "default" } }, "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

key-store - Reference to the KeyStore to use to initialise the underlying TrustManagerFactory.

Type	STRING
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "Reference to the KeyStore to use to initialise the underlying TrustManagerFactory.", "expressions-allowed" : false, "required" : true, "nillable" : false, "capability-reference" : "org.wildfly.security.key-store", "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services" }`

maximum-cert-path - The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect.

Type	INT
Is the attribute nillable?	true
Does the attribute allow expression?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Min	1
Max	2147483647
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "INT" }, "description" : "The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min" : 1, "max" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

ocsp - Enables online certificate status protocol checks to a trust manager.

Type	OBJECT
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "OBJECT" }, "description" : "Enables online certificate status protocol checks to a trust manager.", "expressions-allowed" : false, "required" : false, "nillable" : true, "stability" : "default", "value-type" : { "responder" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The URL of OCSP responder to use. Keep undefined to use responder from the certificate.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "prefer-crls" : { "type" : { "TYPE_MODEL_VALUE" : "BOOLEAN" }, "description" : "Whether a certificate-revocation-list should be preferred over OCSP.", "expressions-allowed" : false, "required" : false, "nillable" : true, "default" : false, "stability" : "default" }, "responder-certificate" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate in validation.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "responder-keystore" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined.", "expressions-allowed" : true, "required" : false, "nillable" : true, "requires" : ["responder-certificate"], "min-length" : 1, "max-length" : 2147483647, "stability" : "default" } }, "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

only-leaf-cert - Whether only leaf certificate should be checked for revocation status.

Type	BOOLEAN
Default Value	false
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "BOOLEAN" }, "description" : "Whether only leaf certificate should be checked for revocation status.", "expressions-allowed" : false, "required" : false, "nillable" : true, "default" : false, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }`

provider-name - The name of the provider to use to create the underlying TrustManagerFactory.

Type	STRING
Is the attribute nillable?	true
Does the attribute allow expression?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The name of the provider to use to create the underlying TrustManagerFactory.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }`

providers - Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory.

Type	STRING
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory.", "expressions-allowed" : false, "required" : false, "nillable" : true, "capability-reference" : "org.wildfly.security.providers", "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services" }`

soft-fail - Whether a certificate with unknown OCSP response should be accepted.

Type	BOOLEAN
Default Value	false
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "BOOLEAN" }, "description" : "Whether a certificate with unknown OCSP response should be accepted.", "expressions-allowed" : false, "required" : false, "nillable" : true, "default" : false, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }`

Operations (4)

add - Add the new trust manager definition.

Request Parameter	Type	Required	Expressions Allowed	Default value	Description
algorithm	STRING	false	true		The name of the algorithm to use to create the underlying TrustManagerFactory.
alias-filter	STRING	false	true		A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2
certificate-revocation-list	OBJECT	false	false		Enables certificate revocation list checks to a trust manager.
certificate-revocation-lists	LIST	false	false		Enables certificate revocation list checks to a trust manager using multiple certificate revocation lists.
key-store	STRING	true	false		Reference to the KeyStore to use to initialise the underlying TrustManagerFactory.
maximum-cert-path	INT	false	true		The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect.
ocsp	OBJECT	false	false		Enables online certificate status protocol checks to a trust manager.
only-leaf-cert	BOOLEAN	false	false	false	Whether only leaf certificate should be checked for revocation status.
provider-name	STRING	false	true		The name of the provider to use to create the underlying TrustManagerFactory.
providers	STRING	false	false		Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory.
soft-fail	BOOLEAN	false	false	false	Whether a certificate with unknown OCSP response should be accepted.

Raw DMR model


{
    "operation-name" : "add",
    "description" : "Add the new trust manager definition.",
    "request-properties" : {
        "algorithm" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "STRING"
            },
            "description" : "The name of the algorithm to use to create the underlying TrustManagerFactory.",
            "expressions-allowed" : true,
            "required" : false,
            "nillable" : true,
            "min-length" : 1,
            "max-length" : 2147483647,
            "stability" : "default"
        },
        "alias-filter" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "STRING"
            },
            "description" : "A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2",
            "expressions-allowed" : true,
            "required" : false,
            "nillable" : true,
            "min-length" : 1,
            "max-length" : 2147483647,
            "stability" : "default"
        },
        "certificate-revocation-list" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "OBJECT"
            },
            "description" : "Enables certificate revocation list checks to a trust manager.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "alternatives" : ["certificate-revocation-lists"],
            "stability" : "default",
            "value-type" : {
                "path" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The path to the configuration to use to initialise the provider.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "relative-to" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The base path of the certificate revocation list file.",
                    "expressions-allowed" : false,
                    "required" : false,
                    "nillable" : true,
                    "requires" : ["path"],
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "maximum-cert-path" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "INT"
                    },
                    "description" : "The maximum number of non-self-issued intermediate certificates that may exist in a certification path.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min" : 1,
                    "max" : 2147483647,
                    "stability" : "default",
                    "deprecated" : {
                        "since" : "8.0.0",
                        "reason" : "Use 'maximum-cert-path' in trust manager proper."
                    }
                }
            }
        },
        "certificate-revocation-lists" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "LIST"
            },
            "description" : "Enables certificate revocation list checks to a trust manager using multiple certificate revocation lists.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "alternatives" : ["certificate-revocation-list"],
            "min-length" : 0,
            "max-length" : 2147483647,
            "stability" : "default",
            "value-type" : {
                "path" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The path to the certificate revocation list.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "relative-to" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The base path of the certificate revocation list file.",
                    "expressions-allowed" : false,
                    "required" : false,
                    "nillable" : true,
                    "requires" : ["path"],
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                }
            }
        },
        "key-store" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "STRING"
            },
            "description" : "Reference to the KeyStore to use to initialise the underlying TrustManagerFactory.",
            "expressions-allowed" : false,
            "required" : true,
            "nillable" : false,
            "capability-reference" : "org.wildfly.security.key-store",
            "min-length" : 1,
            "max-length" : 2147483647,
            "stability" : "default"
        },
        "maximum-cert-path" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "INT"
            },
            "description" : "The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect.",
            "expressions-allowed" : true,
            "required" : false,
            "nillable" : true,
            "min" : 1,
            "max" : 2147483647,
            "stability" : "default"
        },
        "ocsp" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "OBJECT"
            },
            "description" : "Enables online certificate status protocol checks to a trust manager.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "stability" : "default",
            "value-type" : {
                "responder" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The URL of OCSP responder to use. Keep undefined to use responder from the certificate.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "prefer-crls" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "BOOLEAN"
                    },
                    "description" : "Whether a certificate-revocation-list should be preferred over OCSP.",
                    "expressions-allowed" : false,
                    "required" : false,
                    "nillable" : true,
                    "default" : false,
                    "stability" : "default"
                },
                "responder-certificate" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate in validation.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "responder-keystore" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "requires" : ["responder-certificate"],
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                }
            }
        },
        "only-leaf-cert" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "BOOLEAN"
            },
            "description" : "Whether only leaf certificate should be checked for revocation status.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "default" : false,
            "stability" : "default"
        },
        "provider-name" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "STRING"
            },
            "description" : "The name of the provider to use to create the underlying TrustManagerFactory.",
            "expressions-allowed" : true,
            "required" : false,
            "nillable" : true,
            "min-length" : 1,
            "max-length" : 2147483647,
            "stability" : "default"
        },
        "providers" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "STRING"
            },
            "description" : "Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "capability-reference" : "org.wildfly.security.providers",
            "min-length" : 1,
            "max-length" : 2147483647,
            "stability" : "default"
        },
        "soft-fail" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "BOOLEAN"
            },
            "description" : "Whether a certificate with unknown OCSP response should be accepted.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "default" : false,
            "stability" : "default"
        }
    },
    "reply-properties" : {},
    "stability" : "default",
    "read-only" : false,
    "restart-required" : "resource-services",
    "runtime-only" : false
}

init - Reinitialize trust manager.

Raw DMR model


{
    "operation-name" : "init",
    "description" : "Reinitialize trust manager.",
    "request-properties" : {},
    "reply-properties" : {},
    "stability" : "default",
    "read-only" : false,
    "runtime-only" : true
}

reload-certificate-revocation-list - Notify the trust manager in order to reload the certificate revocation list, if defined.

Raw DMR model


{
    "operation-name" : "reload-certificate-revocation-list",
    "description" : "Notify the trust manager in order to reload the certificate revocation list, if defined.",
    "request-properties" : {},
    "reply-properties" : {},
    "stability" : "default",
    "read-only" : false,
    "runtime-only" : true
}

remove - Remove the trust manager definition.

Raw DMR model


{
    "operation-name" : "remove",
    "description" : "Remove the trust manager definition.",
    "request-properties" : {},
    "reply-properties" : {},
    "stability" : "default",
    "read-only" : false,
    "restart-required" : "resource-services",
    "runtime-only" : false
}

Galleon Features

Galleon features are to be used when creating Galleon feature-packs.

subsystem.elytron.trust-manager

        
<feature spec="subsystem.elytron.trust-manager">
  <param name="trust-manager" value="{resource name}"/>
  <param name="algorithm" value="{value}"/>
  <param name="alias-filter" value="{value}"/>
  <param name="certificate-revocation-list" value="{value}"/>
  <param name="certificate-revocation-lists" value="{value}"/>
  <param name="key-store" value="{value}"/>
  <param name="maximum-cert-path" value="{value}"/>
  <param name="ocsp" value="{value}"/>
  <param name="only-leaf-cert" value="{value}"/>
  <param name="provider-name" value="{value}"/>
  <param name="providers" value="{value}"/>
  <param name="soft-fail" value="{value}"/>
<feature/>