Пример #1
0
  protected static void setupTls() {
    // Note that the settings below are conditional, so you can
    // override then with "java -Djavax...=Y... ConnectorServerAgent..."
    // It's definitely not safe to use -D to set passwords, though,
    // but it's useful for prototyping.

    String keyStore = spaceWideRegistry.getTlosSWConfigInfo().getJmxParams().getKeyStore();
    String trustStore = spaceWideRegistry.getTlosSWConfigInfo().getJmxParams().getTrustStore();
    String password = spaceWideRegistry.getTlosSWConfigInfo().getJmxParams().getPassword();

    if (System.getProperty("javax.net.ssl.trustStore") == null)
      System.setProperty("javax.net.ssl.trustStore", keyStore);
    if (System.getProperty("javax.net.ssl.keyStorePassword") == null)
      System.setProperty("javax.net.ssl.keyStorePassword", password);
    if (System.getProperty("javax.net.ssl.keyStore") == null)
      System.setProperty("javax.net.ssl.keyStore", trustStore);

    /*
     * The method above is the simplest (IMO therefore the best) method if
     * your application doesn't use certs for any other purpose. You should
     * use the instance-based TLS configuration method if your app uses
     * certs for any other purpose (i.e., it could fetch web pages over
     * https, or be a TLS Soap client, etc., or it could run multiple TLS
     * JMXConnectorServers).
     *
     * The instance-based method allocates a SSLSocketFactory based on the
     * SSLContext instance which you instantiate and configure, so you can
     * configure multiple SSLSocketFactories with different SSLContext
     * instances. This all applies to any standard JSSE TLS application, but
     * for JMX, you associate the allocated SSLSocketFactory to the
     * Connector with:
     *
     * env.put("jmx.remote.tls.socket.factory", yourFactory);
     */

    env.put("jmx.remote.profiles", "TLS");
    // env.put("jmx.remote.tls.enabled.protocols", "TLSv1");
    // env.put("jmx.remote.tls.enabled.cipher.suites",
    // "SSL_RSA_WITH_NULL_MD5");
    // Most users will probably want to use the default TLS
    // protocols and suites.
    env.put("jmx.remote.tls.need.client.authentication", Boolean.toString(isRequireClientAuth()));
    // Comment out the line above if you don't want to require
    // clients to have their own certs.

    // if ((new File("access.properties")).isFile())
    // env.put("jmx.remote.x.access.file", "access.properties");
    // IF file "access.properties" is present in $PWD (from where server
    // is started), it must have keys of permitted client cert subjects,
    // and values of "readwrite" or "readonly".
    // N.b. You MUST ESCAPE all spaces, colons, and equal signes in the
    // subject with backslashes!
    // Example record:
    // CN\=proto\ client\ 1,OU\=RND,O\=Fake\ Corp.,C\=US readwrite
  }
Пример #2
0
public class JMXTLSServer {

  private static MBeanServer mbeanServer;
  private static JMXConnectorServer jConnectorServer;
  private static Map<String, String> env = new HashMap<String, String>();

  private static SpaceWideRegistry spaceWideRegistry = SpaceWideRegistry.getInstance();

  private static Logger logger = SpaceWideRegistry.getGlobalLogger();

  /**
   * This function is designed for descrete testing procedures. DO NOT USE for server functionality.
   *
   * @author Serkan Taş 12.09.2012
   * @param spaceWideRegistry
   */
  public static void initialize(SpaceWideRegistry spaceWideRegistry) {
    JMXTLSServer.spaceWideRegistry = spaceWideRegistry;
    // initialize();
  }

  public static void initialize(String MBeanArray[], String MBeanTypeArray[]) {

    try {
      setupTls();

      logger.info("");
      logger.info("############# MBean Server ##################");

      logger.info("Create the MBean server...");
      mbeanServer = MBeanServerFactory.createMBeanServer();

      logger.info("Created !");

      for (int i = 0; i < MBeanArray.length; i++) {
        ObjectName mbeanName = new ObjectName("MBeans:type=" + MBeanTypeArray[i]);
        logger.info(MBeanArray[i] + " MBean is created ...");
        mbeanServer.createMBean(
            JMXServer.class.getPackage().getName() + ".beans." + MBeanArray[i],
            mbeanName,
            null,
            null);
      }

      logger.info(ResourceMapper.SECTION_DIVISON_KARE);
      logger.info("");
      logger.info("######### JMXMP-TLS Connector Server ############");
      logger.info("");

      // Create a JMXMP-TLS connector server
      //
      logger.info("Create a JMXMP-TLS connector server... > ");

      // hardcoded ip : localhost port : 5555
      int port =
          TlosSpaceWide.getSpaceWideRegistry()
              .getTlosSWConfigInfo()
              .getJmxParams()
              .getJmxTlsPort()
              .getPortNumber();
      if (port <= 0) {
        port = 5555;
      }

      logger.info("Using port number : " + port);

      String ipAddress =
          TlosSpaceWide.getSpaceWideRegistry().getServerConfig().getServerParams().getIpAddress();
      if (ipAddress == null || ipAddress.equals("")) {
        ipAddress = null;
      }

      logger.info("Using ip address : " + ipAddress);

      JMXServiceURL url = new JMXServiceURL("jmxmp", ipAddress, port);
      jConnectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbeanServer);

      logger.info("Created !");

      // Start the JMXMP-TLS connector server
      //
      logger.info("Start the JMXMP-TLS connector server... > ");
      jConnectorServer.start();

      logger.info("Started !");
      logger.info("Waiting for incoming connections...");
      logger.info("#############################################");
      logger.info("");

      String jmxUserName =
          "" + new Random(new Long(Calendar.getInstance().getTimeInMillis())).nextLong();
      Thread.sleep(10);
      String jmxPassWord =
          "" + new Random(new Long(Calendar.getInstance().getTimeInMillis())).nextLong();

      JmxUser jmxUser = new JmxUser();
      jmxUser.setJmxClientAuthanticationId(jmxUserName);
      jmxUser.setJmxClientAuthanticationKey(jmxPassWord);

      TlosSpaceWide.getSpaceWideRegistry().setJmxUser(jmxUser);

    } catch (MalformedURLException mue) {
      logger.error("### MalformedURLException ###");
      mue.printStackTrace();
      try {
        jConnectorServer.stop();
      } catch (IOException e) {
        e.printStackTrace();
      }
    } catch (SecurityException e) {
      // System.out.println(" ### SecurityException ### ");
      logger.error("### SecurityException ###");
      e.printStackTrace();
      System.exit(-1);
    } catch (BindException e) {
      // System.out.println(" ### BindException ### ");
      logger.error("### BindException ###");
      e.printStackTrace();
      System.exit(-1);
    } catch (Exception e) {
      // System.out.println(" ### Unclassified Error ### ");
      logger.error("### Unclassified Error ###");
      e.printStackTrace();
      System.exit(-1);
    }
  }

  public static void disconnect() {
    try {

      logger.info("Closing jmx server...");

      String[] connIdList = jConnectorServer.getConnectionIds();

      logger.info("Current active JMXMP-TLS client count : " + connIdList.length);
      logger.info("Waiting for the connections to be closed...");

      int counter = 0;

      while (true) {
        if (jConnectorServer.getConnectionIds().length == 0 || counter++ == 20) {
          break;
        }
        try {
          Thread.sleep(1000);
          System.out.print(".");
        } catch (InterruptedException e) {
          e.printStackTrace();
        }
      }

      if (counter == 20) {
        logger.info("Client(s) are not disconnected, terminated by server !");
      } else {
        logger.info("Client(s) disconnected !");
      }

      jConnectorServer.stop();

      logger.info("Closed !");
      logger.info("Releasing MBean Server...");

      MBeanServerFactory.releaseMBeanServer(mbeanServer);

      logger.info("Released !");

    } catch (IOException e) {
      e.printStackTrace();
    }
  }

  public static boolean authorizeAgent(JmxAgentUser jmxAgentUser) {

    SWAgent clientSideSwAgent = XmlUtils.convertToSwAgent(jmxAgentUser.getSwAgentXML());

    SWAgent serverSideSwAgent =
        TlosSpaceWide.getSpaceWideRegistry()
            .getAgentManagerReference()
            .getSwAgentsCache()
            .get(jmxAgentUser.getAgentId() + "");

    if (serverSideSwAgent == null
        || !clientSideSwAgent.getJmxUser().equals(serverSideSwAgent.getJmxUser())
        || !clientSideSwAgent.getJmxPassword().equals(serverSideSwAgent.getJmxPassword())) {
      return false;
    }
    return true;
  }

  public static boolean authorizeWeb(JmxUser jmxUser) {

    if (jmxUser == null) {
      logger.error("jmxUser is null !");
      return false;
    }

    String clientAuthanticationId =
        TlosSpaceWide.getSpaceWideRegistry().getJmxUser().getJmxClientAuthanticationId();
    String jmxClientAuthanticationKey =
        TlosSpaceWide.getSpaceWideRegistry().getJmxUser().getJmxClientAuthanticationKey();

    if (!clientAuthanticationId.equals(jmxUser.getJmxClientAuthanticationId())
        || !jmxClientAuthanticationKey.equals(jmxUser.getJmxClientAuthanticationKey())) {
      // return false;
    }
    return true;
  }

  protected static void setupTls() {
    // Note that the settings below are conditional, so you can
    // override then with "java -Djavax...=Y... ConnectorServerAgent..."
    // It's definitely not safe to use -D to set passwords, though,
    // but it's useful for prototyping.

    String keyStore = spaceWideRegistry.getTlosSWConfigInfo().getJmxParams().getKeyStore();
    String trustStore = spaceWideRegistry.getTlosSWConfigInfo().getJmxParams().getTrustStore();
    String password = spaceWideRegistry.getTlosSWConfigInfo().getJmxParams().getPassword();

    if (System.getProperty("javax.net.ssl.trustStore") == null)
      System.setProperty("javax.net.ssl.trustStore", keyStore);
    if (System.getProperty("javax.net.ssl.keyStorePassword") == null)
      System.setProperty("javax.net.ssl.keyStorePassword", password);
    if (System.getProperty("javax.net.ssl.keyStore") == null)
      System.setProperty("javax.net.ssl.keyStore", trustStore);

    /*
     * The method above is the simplest (IMO therefore the best) method if
     * your application doesn't use certs for any other purpose. You should
     * use the instance-based TLS configuration method if your app uses
     * certs for any other purpose (i.e., it could fetch web pages over
     * https, or be a TLS Soap client, etc., or it could run multiple TLS
     * JMXConnectorServers).
     *
     * The instance-based method allocates a SSLSocketFactory based on the
     * SSLContext instance which you instantiate and configure, so you can
     * configure multiple SSLSocketFactories with different SSLContext
     * instances. This all applies to any standard JSSE TLS application, but
     * for JMX, you associate the allocated SSLSocketFactory to the
     * Connector with:
     *
     * env.put("jmx.remote.tls.socket.factory", yourFactory);
     */

    env.put("jmx.remote.profiles", "TLS");
    // env.put("jmx.remote.tls.enabled.protocols", "TLSv1");
    // env.put("jmx.remote.tls.enabled.cipher.suites",
    // "SSL_RSA_WITH_NULL_MD5");
    // Most users will probably want to use the default TLS
    // protocols and suites.
    env.put("jmx.remote.tls.need.client.authentication", Boolean.toString(isRequireClientAuth()));
    // Comment out the line above if you don't want to require
    // clients to have their own certs.

    // if ((new File("access.properties")).isFile())
    // env.put("jmx.remote.x.access.file", "access.properties");
    // IF file "access.properties" is present in $PWD (from where server
    // is started), it must have keys of permitted client cert subjects,
    // and values of "readwrite" or "readonly".
    // N.b. You MUST ESCAPE all spaces, colons, and equal signes in the
    // subject with backslashes!
    // Example record:
    // CN\=proto\ client\ 1,OU\=RND,O\=Fake\ Corp.,C\=US readwrite
  }

  /**
   * Only used if running with TLS mode.
   *
   * <p>If you want to run TLS mode without Client certs, just override this class and override this
   * method to return false.
   *
   * @returns true (unless this method is overridden).
   */
  protected static boolean isRequireClientAuth() {
    return true;
  }
}