The Java client library for Spanner works with Spanner Omni in the same way it works with Spanner. This document shows you how to establish secure connections to Spanner Omni by configuring the Java client library. You establish these connections by setting client options when you create a database administrative client or a database client.
The Java client library supports plain text, TLS, and mTLS connections.
For more information, see Get started with Spanner in Java in the Spanner documentation.
Before you begin
To get started with Spanner Omni in Java, use the Java client library version 6.115.0 or later.
If you use Maven without the Bill of Materials (BOM), add the following to the pom.xml file dependencies:
<dependency>
  <groupId>com.google.cloud</groupId>
  <artifactId>google-cloud-spanner</artifactId>
  <version>6.115.0</version>
</dependency>
Configure the SpannerOptions object
When you configure the SpannerOptions object to create a DatabaseClient or DatabaseAdminClient, specify the Spanner Omni endpoint using setExperimentalHost().
Use plain-text communication
To establish a plain-text connection, which provides neither encryption nor endpoint authentication, specify the Spanner Omni
endpoint and use the usePlainText() method:
SpannerOptions options =
    SpannerOptions.newBuilder()
        .setExperimentalHost("http://ENDPOINT") // Replace with your Spanner Omni endpoint
        .usePlainText()
        .build();
Spanner spanner = options.getService();
Use a TLS setup
When you configure the SpannerOptions object for a TLS connection, you don't
need to set any additional credentials properties. You must add the CA
certificate to the Java truststore.
To add the CA certificate to the Java truststore, use the following command:
sudo keytool -import -trustcacerts -file /.spanner/certs/ca.crt -alias spanner-ca -keystore $JAVA_HOME/lib/security/cacerts
Alternatively, you can pass a custom CA certificate store directly when you run the application:
java -Djavax.net.ssl.trustStore=PATH_TO_CUSTOM_CACERTS -Djavax.net.ssl.trustStorePassword=changeit app
To maintain compatibility, build your custom truststore on top of the Java truststore by making a copy:
cp $JAVA_HOME/lib/security/cacerts /PATH_TO_CUSTOM_CACERTS
Use an mTLS setup
To use an mTLS connection, convert the key generated by Spanner Omni to a format compliant with Java using the following command:
openssl pkcs8 -topk8 -in ~/.spanner/certs/client.key -out ~/.spanner/certs/java-client.key -nocrypt
The following example shows how to configure the SpannerOptions object to use
a client certificate:
SpannerOptions options =
    SpannerOptions.newBuilder()
        .setExperimentalHost("https://ENDPOINT") // Replace with your Spanner Omni endpoint
        .useClientCert("PATH_TO_CLIENT_CERT", "PATH_TO_CLIENT_CERT_KEY")
        .build();
Spanner spanner = options.getService();
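Before passing the converted key to useClientCert(), you can confirm that the file is in the unencrypted PKCS#8 form that the openssl command above produces and, because -nocrypt leaves the key unprotected on disk, that only its owner can read it. The following shell script is an added example, not part of the Spanner Omni documentation; the function names (pem_key_format, key_is_private, check_client_key, make_sample) and the sample key files are constructed for illustration.

```shell
# Added example: preflight checks for the key file passed to useClientCert().

# Print the PEM key format, judged by the first BEGIN line of the file.
pem_key_format() {
  header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
  case "$header" in
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;           # -topk8 -nocrypt output
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;       # traditional OpenSSL RSA
    '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;         # traditional OpenSSL EC
    '')                                      echo not-pem ;;         # missing file or no PEM block
    *)                                       echo unknown ;;
  esac
}

# Succeed only if group and other have no permission bits on the file.
key_is_private() {
  perms=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
  [ "$perms" = "------" ]
}

# Combine both checks; print a verdict and return non-zero on failure.
check_client_key() {
  fmt=$(pem_key_format "$1")
  [ "$fmt" = pkcs8 ] || { echo "FAIL: $1 is $fmt, expected unencrypted PKCS#8"; return 1; }
  key_is_private "$1" || { echo "FAIL: $1 is readable by group or other"; return 1; }
  echo "OK: $1"
}

# Constructed sample: a PEM skeleton with a placeholder body, not a real key.
make_sample() {  # usage: make_sample FILE LABEL MODE
  printf '%s\n' "-----BEGIN $2-----" "Q09OU1RSVUNURUQ=" "-----END $2-----" > "$1"
  chmod "$3" "$1"
}

# With a path argument, check that file; otherwise run on constructed samples.
if [ -n "${1:-}" ]; then
  check_client_key "$1"
else
  d=$(mktemp -d)
  make_sample "$d/converted.key" 'PRIVATE KEY' 600
  make_sample "$d/traditional.key" 'RSA PRIVATE KEY' 600
  check_client_key "$d/converted.key"
  check_client_key "$d/traditional.key" || true
  rm -rf "$d"
fi
```

The header check only identifies the PEM container; it does not validate the key material or confirm that the key matches the client certificate.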
Create the database
Next, create the database. Specify the project as default where
necessary in the library code. For example, specify default when you create a
DatabaseId:
DatabaseId dbId = DatabaseId.of("default", "default", DATABASE_ID);
DatabaseClient client = spanner.getDatabaseClient(dbId);