private SSLContext createSSLContext(LDAPConnectionHandlerCfg config) throws DirectoryException {
try {
DN keyMgrDN = config.getKeyManagerProviderDN();
KeyManagerProvider<?> keyManagerProvider = DirectoryServer.getKeyManagerProvider(keyMgrDN);
if (keyManagerProvider == null) {
logger.error(ERR_NULL_KEY_PROVIDER_MANAGER, keyMgrDN, friendlyName);
disableAndWarnIfUseSSL(config);
keyManagerProvider = new NullKeyManagerProvider();
// The SSL connection is unusable without a key manager provider
} else if (!keyManagerProvider.containsAtLeastOneKey()) {
logger.error(ERR_INVALID_KEYSTORE, friendlyName);
disableAndWarnIfUseSSL(config);
}
final SortedSet<String> aliases = new TreeSet<>(config.getSSLCertNickname());
final KeyManager[] keyManagers;
if (aliases.isEmpty()) {
keyManagers = keyManagerProvider.getKeyManagers();
} else {
final Iterator<String> it = aliases.iterator();
while (it.hasNext()) {
if (!keyManagerProvider.containsKeyWithAlias(it.next())) {
logger.error(ERR_KEYSTORE_DOES_NOT_CONTAIN_ALIAS, aliases, friendlyName);
it.remove();
}
}
if (aliases.isEmpty()) {
disableAndWarnIfUseSSL(config);
}
keyManagers =
SelectableCertificateKeyManager.wrap(
keyManagerProvider.getKeyManagers(), aliases, friendlyName);
}
DN trustMgrDN = config.getTrustManagerProviderDN();
TrustManagerProvider<?> trustManagerProvider =
DirectoryServer.getTrustManagerProvider(trustMgrDN);
if (trustManagerProvider == null) {
trustManagerProvider = new NullTrustManagerProvider();
}
SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
sslContext.init(keyManagers, trustManagerProvider.getTrustManagers(), null);
return sslContext;
} catch (Exception e) {
logger.traceException(e);
ResultCode resCode = DirectoryServer.getServerErrorResultCode();
LocalizableMessage message =
ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e));
throw new DirectoryException(resCode, message, e);
}
}
private SSLContext createSSLContext(HTTPConnectionHandlerCfg config) throws Exception {
if (!config.isUseSSL()) {
return null;
}
DN keyMgrDN = config.getKeyManagerProviderDN();
KeyManagerProvider<?> keyManagerProvider = DirectoryServer.getKeyManagerProvider(keyMgrDN);
if (keyManagerProvider == null) {
logger.error(ERR_NULL_KEY_PROVIDER_MANAGER, keyMgrDN, friendlyName);
logger.warn(INFO_DISABLE_CONNECTION, friendlyName);
keyManagerProvider = new NullKeyManagerProvider();
enabled = false;
} else if (!keyManagerProvider.containsAtLeastOneKey()) {
logger.error(ERR_INVALID_KEYSTORE, friendlyName);
logger.warn(INFO_DISABLE_CONNECTION, friendlyName);
enabled = false;
}
final SortedSet<String> aliases = new TreeSet<>(config.getSSLCertNickname());
final KeyManager[] keyManagers;
if (aliases.isEmpty()) {
keyManagers = keyManagerProvider.getKeyManagers();
} else {
final Iterator<String> it = aliases.iterator();
while (it.hasNext()) {
if (!keyManagerProvider.containsKeyWithAlias(it.next())) {
logger.error(ERR_KEYSTORE_DOES_NOT_CONTAIN_ALIAS, aliases, friendlyName);
it.remove();
}
}
if (aliases.isEmpty()) {
logger.warn(INFO_DISABLE_CONNECTION, friendlyName);
enabled = false;
}
keyManagers =
SelectableCertificateKeyManager.wrap(keyManagerProvider.getKeyManagers(), aliases);
}
DN trustMgrDN = config.getTrustManagerProviderDN();
TrustManagerProvider<?> trustManagerProvider =
DirectoryServer.getTrustManagerProvider(trustMgrDN);
if (trustManagerProvider == null) {
trustManagerProvider = new NullTrustManagerProvider();
}
SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
sslContext.init(keyManagers, trustManagerProvider.getTrustManagers(), null);
return sslContext;
}
/**
* Starts a secure RMI connector, with a client that doesn't have to present a certificate, on the
* local MBean server. This method assumes that the common registry was successfully started.
*
* <p>If the connector is already started, this method simply returns without doing anything.
*
* @throws Exception if an error occurs
*/
private void startConnectorNoClientCertificate() throws Exception {
try {
//
// Environment map
HashMap<String, Object> env = new HashMap<String, Object>();
// ---------------------
// init an ssl context
// ---------------------
DirectoryRMIClientSocketFactory rmiClientSockeyFactory = null;
DirectoryRMIServerSocketFactory rmiServerSockeyFactory = null;
if (jmxConnectionHandler.isUseSSL()) {
if (debugEnabled()) {
TRACER.debugVerbose("SSL connection");
}
// ---------------------
// SERVER SIDE
// ---------------------
//
// Get a Server socket factory
KeyManager[] keyManagers;
KeyManagerProvider provider =
DirectoryServer.getKeyManagerProvider(jmxConnectionHandler.getKeyManagerProviderDN());
if (provider == null) {
keyManagers = new NullKeyManagerProvider().getKeyManagers();
} else {
String nickname = jmxConnectionHandler.getSSLServerCertNickname();
if (nickname == null) {
keyManagers = provider.getKeyManagers();
} else {
keyManagers = SelectableCertificateKeyManager.wrap(provider.getKeyManagers(), nickname);
}
}
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(keyManagers, null, null);
SSLSocketFactory ssf = ctx.getSocketFactory();
//
// set the Server socket factory in the JMX map
rmiServerSockeyFactory = new DirectoryRMIServerSocketFactory(ssf, false);
env.put("jmx.remote.rmi.server.socket.factory", rmiServerSockeyFactory);
// ---------------------
// CLIENT SIDE : Rmi stores the client stub in the
// registry
// ---------------------
// Set the Client socket factory in the JMX map
rmiClientSockeyFactory = new DirectoryRMIClientSocketFactory(false);
env.put("jmx.remote.rmi.client.socket.factory", rmiClientSockeyFactory);
} else {
if (debugEnabled()) {
TRACER.debugVerbose("UNSECURE CONNECTION");
}
}
//
// specify the rmi JMX authenticator to be used
if (debugEnabled()) {
TRACER.debugVerbose("Add RmiAuthenticator into JMX map");
}
rmiAuthenticator = new RmiAuthenticator(jmxConnectionHandler);
env.put(JMXConnectorServer.AUTHENTICATOR, rmiAuthenticator);
//
// Create the JMX Service URL
String uri = "org.opends.server.protocols.jmx.client-unknown";
String serviceUrl =
"service:jmx:rmi:///jndi/rmi://"
+ registryClientAddress
+ ":"
+ jmxConnectionHandler.getListenPort()
+ "/"
+ uri;
JMXServiceURL url = new JMXServiceURL(serviceUrl);
//
// Create and start the connector
if (debugEnabled()) {
TRACER.debugVerbose("Create and start the JMX RMI connector");
}
OpendsRMIJRMPServerImpl opendsRmiConnectorServer =
new OpendsRMIJRMPServerImpl(
jmxConnectionHandler.getRmiPort(),
rmiClientSockeyFactory,
rmiServerSockeyFactory,
env);
jmxRmiConnectorNoClientCertificate =
new RMIConnectorServer(url, env, opendsRmiConnectorServer, mbs);
jmxRmiConnectorNoClientCertificate.start();
//
// Register the connector into the RMI registry
// TODO Should we do that?
ObjectName name = new ObjectName(jmxRmiConnectorNoClientCertificateName);
mbs.registerMBean(jmxRmiConnectorNoClientCertificate, name);
rmiVersion = opendsRmiConnectorServer.getVersion();
if (debugEnabled()) {
TRACER.debugVerbose("JMX RMI connector Started");
}
} catch (Exception e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
throw e;
}
}