
jvergara
20.40.2008 0e9445463dbd065a765589a30dde204f4504bbd2
Fix for issue 3504 (setup --userJavaKeystore doesn't support JCEKS keystore).

Add the option to use JCEKS store type in setup. The code is analogous to the one used for JKS.
10 files modified
373 ■■■■■ changed files
opends/src/messages/messages/quicksetup.properties 10 ●●●●● patch | view | raw | blame | history
opends/src/messages/messages/tools.properties 9 ●●●●● patch | view | raw | blame | history
opends/src/quicksetup/org/opends/quicksetup/SecurityOptions.java 29 ●●●●● patch | view | raw | blame | history
opends/src/quicksetup/org/opends/quicksetup/installer/Installer.java 39 ●●●●● patch | view | raw | blame | history
opends/src/quicksetup/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java 46 ●●●●● patch | view | raw | blame | history
opends/src/quicksetup/org/opends/quicksetup/ui/QuickSetupStepPanel.java 4 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/tools/ConfigureDS.java 113 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/tools/InstallDS.java 92 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/tools/InstallDSArgumentParser.java 11 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/util/CertificateManager.java 20 ●●●● patch | view | raw | blame | history
opends/src/messages/messages/quicksetup.properties
@@ -276,6 +276,10 @@
INFO_ERROR_ACCESSING_JKS_KEYSTORE=Could not access the JKS key store.  Check \
 that the contents of the file correspond to a valid JKS key store, that you \
 have access rights to it and that the provided PIN is valid.
INFO_ERROR_ACCESSING_JCEKS_KEYSTORE=Could not access the JCEKS key store.  \
 Check that the running Java installation supports JCEKS, that the contents of \
 the file correspond to a valid JCEKS key store, that you have access rights \
 to it and that the provided PIN is valid.
INFO_ERROR_ACCESSING_PKCS11_KEYSTORE=Could not access the PKCS#11 key store. \
 Check that is installed and that the provided PIN is valid.
INFO_ERROR_ACCESSING_PKCS12_KEYSTORE=Could not access the PKCS#12 key store. \
@@ -602,6 +606,12 @@
 certificate.
INFO_JKS_KEYSTORE_DOES_NOT_EXIST=No certificates for the Java Key Store could \
 be found.  Check that the provided path is valid.
INFO_JCEKS_CERTIFICATE=Use existing JCEKS File
INFO_JCEKS_CERTIFICATE_LABEL=JCEKS File
INFO_JCEKS_CERTIFICATE_TOOLTIP=Select this option if you have a JCEKS \
 certificate.
INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST=No certificates for the Java Key Store could \
 be found.  Check that the provided path is valid.
INFO_KEYSTORE_PATH_DOES_NOT_EXIST=The provided key store path does not exist.
INFO_KEYSTORE_PATH_LABEL=Key Store Path:
INFO_KEYSTORE_PATH_NOT_A_FILE=The provided key store path is not a file.
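Review bot: `INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST` still reads "No certificates for the Java Key Store could be found", copied from the JKS message directly above it, so a user whose JCEKS path has no certificates is told about the wrong store type. `INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST=No certificates for the JCEKS Key Store could \` would match the wording of the other JCEKS messages in this hunk. The `INFO_ERROR_ACCESSING_JCEKS_KEYSTORE` text added in the first hunk is specific to JCEKS and reads correctly.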
opends/src/messages/messages/tools.properties
@@ -2369,3 +2369,12 @@
 to read the file '%s' containing the list of ignored attributes: %s
INFO_LDIFDIFF_CANNOT_PARSE_STRING_AS_DN_1616=The string '%s' from file '%s' could \
 not be parsed as a dn
INFO_INSTALLDS_DESCRIPTION_USE_JCEKS_1617=Path of a JCEKS containing a \
 certificate to be used as the server certificate
INFO_INSTALLDS_CERT_OPTION_JCEKS_1618=Use an existing certificate located on a \
 JCEKS key store
INFO_INSTALLDS_PROMPT_JCEKS_PATH_1619=JCEKS Key Store path:
SEVERE_ERR_CONFIG_KEYMANAGER_CANNOT_CREATE_JCEKS_PROVIDER_1620=Error creating \
 JCEKS Key Provider configuration:  %s
SEVERE_ERR_CONFIG_KEYMANAGER_CANNOT_CREATE_JCEKS_TRUST_MANAGER_1621=Error \
 creating JCEKS Trust Manager configuration:  %s
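Review bot: `INFO_INSTALLDS_DESCRIPTION_USE_JCEKS_1617` reads "Path of a JCEKS containing a certificate", which drops the noun; `Path of a JCEKS key store containing a certificate to be used as the server certificate` matches how the sibling --use*KeyStore options are described. The two new SEVERE_ERR messages are only useful if the code raises them, and from the ConfigureDS section of this commit only the _CREATE_JCEKS_PROVIDER one appears to be referenced.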
opends/src/quicksetup/org/opends/quicksetup/SecurityOptions.java
@@ -55,6 +55,10 @@
     */
    JKS,
    /**
     * Use an existing JCEKS keystore.
     */
    JCEKS,
    /**
     * Use an existing PKCS#11 keystore.
     */
    PKCS11,
@@ -130,6 +134,31 @@
  }
  /**
   * Creates a new instance of a SecurityOptions using a JCE Key Store.
   * @param keystorePath the path of the key store.
   * @param keystorePwd the password of the key store.
   * @param enableSSL whether SSL is enabled or not.
   * @param enableStartTLS whether Start TLS is enabled or not.
   * @param sslPort the value of the LDAPS port.
   * @param aliasToUse the alias of the certificate in the keystore to be used.
   * @return a new instance of a SecurityOptions using a JCE Key Store.
   */
  public static SecurityOptions createJCEKSCertificateOptions(
      String keystorePath,
      String keystorePwd, boolean enableSSL, boolean enableStartTLS,
      int sslPort, String aliasToUse)
  {
    SecurityOptions ops = new SecurityOptions();
    ops.setCertificateType(CertificateType.JCEKS);
    ops.setKeyStorePath(keystorePath);
    ops.setKeyStorePassword(keystorePwd);
    updateCertificateOptions(ops, enableSSL, enableStartTLS, sslPort,
        aliasToUse);
    return ops;
  }
  /**
   * Creates a new instance of a SecurityOptions using a PKCS#11 Key Store.
   * @param keystorePwd the password of the key store.
   * @param enableSSL whether SSL is enabled or not.
opends/src/quicksetup/org/opends/quicksetup/installer/Installer.java
@@ -863,6 +863,16 @@
      argList.add("-a");
      argList.add(sec.getAliasToUse());
      break;
    case JCEKS:
      argList.add("-k");
      argList.add("cn=JCEKS,cn=Key Manager Providers,cn=config");
      argList.add("-t");
      argList.add("cn=JCEKS,cn=Trust Manager Providers,cn=config");
      argList.add("-m");
      argList.add(sec.getKeystorePath());
      argList.add("-a");
      argList.add(sec.getAliasToUse());
      break;
    case PKCS12:
      argList.add("-k");
      argList.add("cn=PKCS12,cn=Key Manager Providers,cn=config");
@@ -947,7 +957,7 @@
      {
        cmd.append(s);
      }
      nextPassword = s.equals("-w");
      nextPassword = "-w".equals(s);
    }
    LOG.log(Level.INFO, "configure DS cmd: "+cmd);
    final InstallerHelper helper = new InstallerHelper();
@@ -966,6 +976,9 @@
                ReturnCode.CONFIGURATION_ERROR,
                INFO_ERROR_CONFIGURING.get(), null);
          }
        } catch (ApplicationException aex)
        {
          ae = aex;
        } catch (Throwable t)
        {
          ae = new ApplicationException(
@@ -1044,6 +1057,24 @@
        f = new File(getTemporaryCertificatePath());
        f.delete();
        break;
      case JCEKS:
        certManager = new CertificateManager(
            sec.getKeystorePath(),
            CertificateManager.KEY_STORE_TYPE_JCEKS,
            sec.getKeystorePassword());
        exportCertificate(certManager, sec.getAliasToUse(),
            getTemporaryCertificatePath());
        trustManager = new CertificateManager(
            getTrustManagerPath(),
            CertificateManager.KEY_STORE_TYPE_JCEKS,
            sec.getKeystorePassword());
        trustManager.addCertificate(sec.getAliasToUse(),
            new File(getTemporaryCertificatePath()));
        createFile(getKeystorePinPath(), sec.getKeystorePassword());
        f = new File(getTemporaryCertificatePath());
        f.delete();
        break;
      case PKCS12:
        certManager = new CertificateManager(
            sec.getKeystorePath(),
@@ -1088,6 +1119,7 @@
    }
    catch (Throwable t)
    {
      LOG.log(Level.SEVERE, "Error configuring certificate: "+t, t);
      throw new ApplicationException(
          ReturnCode.CONFIGURATION_ERROR,
          getThrowableMsg(INFO_ERROR_CONFIGURING_CERTIFICATE.get(),
@@ -4709,6 +4741,10 @@
          }
        }
      }
      if (thread.getException() != null)
      {
        throw thread.getException();
      }
      if (canceled)
      {
        checkAbort();
@@ -4716,6 +4752,7 @@
    }
    catch (ApplicationException e)
    {
      LOG.log(Level.SEVERE, "Error: "+e, e);
      throw e;
    }
    catch (Throwable t)
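Review bot: The new `case JCEKS:` block in the certificate-configuration switch (hunk at @@ -1044) appears to be a line-for-line copy of the JKS branch with only `CertificateManager.KEY_STORE_TYPE_JCEKS` substituted, and the same duplication happens for the ConfigureDS argument list at @@ -863. A `case JKS: case JCEKS:` fall-through with a local `String storeType` chosen from `sec.getCertificateType()`, or a private helper such as `configureFileBasedKeystore(sec, storeType)`, would keep the file-backed branches from drifting apart, which is how the crossed JKS/PKCS12 messages corrected in InstallDS in this same commit arose. The PIN written by `createFile(getKeystorePinPath(), sec.getKeystorePassword())` follows the JKS path exactly, so no new secret handling is introduced here. The enclosing method starts and ends outside the hunk.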
opends/src/quicksetup/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java
@@ -82,6 +82,7 @@
  private JLabel lKeystoreType;
  private JRadioButton rbPKCS11;
  private JRadioButton rbJKS;
  private JRadioButton rbJCEKS;
  private JRadioButton rbPKCS12;
  private JLabel lKeystorePath;
  private JTextField tfKeystorePath;
@@ -210,6 +211,13 @@
            String.valueOf(tfKeystorePwd.getPassword()), enableSSL,
            enableStartTLS, sslPort, selectedAlias);
      }
      else if (rbJCEKS.isSelected())
      {
        ops = SecurityOptions.createJCEKSCertificateOptions(
            tfKeystorePath.getText(),
            String.valueOf(tfKeystorePwd.getPassword()), enableSSL,
            enableStartTLS, sslPort, selectedAlias);
      }
      else if (rbPKCS11.isSelected())
      {
        ops = SecurityOptions.createPKCS11CertificateOptions(
@@ -381,6 +389,11 @@
        INFO_JKS_CERTIFICATE_TOOLTIP.get(),
        UIFactory.TextStyle.SECONDARY_FIELD_VALID);
    rbJKS.addActionListener(l);
    rbJCEKS = UIFactory.makeJRadioButton(
        INFO_JCEKS_CERTIFICATE_LABEL.get(),
        INFO_JCEKS_CERTIFICATE_TOOLTIP.get(),
        UIFactory.TextStyle.SECONDARY_FIELD_VALID);
    rbJCEKS.addActionListener(l);
    rbPKCS11 = UIFactory.makeJRadioButton(
        INFO_PKCS11_CERTIFICATE_LABEL.get(),
        INFO_PKCS11_CERTIFICATE_TOOLTIP.get(),
@@ -393,6 +406,7 @@
    rbPKCS12.addActionListener(l);
    ButtonGroup group2 = new ButtonGroup();
    group2.add(rbJKS);
    group2.add(rbJCEKS);
    group2.add(rbPKCS11);
    group2.add(rbPKCS12);
    lKeystoreType.setLabelFor(rbJKS);
@@ -538,6 +552,10 @@
    gbc.gridwidth = GridBagConstraints.RELATIVE;
    aux2Panel.add(Box.createHorizontalGlue(), gbc);
    gbc.gridwidth = GridBagConstraints.REMAINDER;
    aux2Panel.add(rbJCEKS, gbc);
    gbc.gridwidth = GridBagConstraints.RELATIVE;
    aux2Panel.add(Box.createHorizontalGlue(), gbc);
    gbc.gridwidth = GridBagConstraints.REMAINDER;
    aux2Panel.add(rbPKCS12, gbc);
    gbc.gridwidth = GridBagConstraints.RELATIVE;
    aux2Panel.add(Box.createHorizontalGlue(), gbc);
@@ -776,6 +794,13 @@
      tfKeystorePwd.setText(securityOptions.getKeystorePassword());
      break;
    case JCEKS:
      rbUseExistingCertificate.setSelected(true);
      rbJCEKS.setSelected(true);
      tfKeystorePath.setText(securityOptions.getKeystorePath());
      tfKeystorePwd.setText(securityOptions.getKeystorePassword());
      break;
    case PKCS11:
      rbUseExistingCertificate.setSelected(true);
      rbPKCS11.setSelected(true);
@@ -814,7 +839,8 @@
    }
    if (useSSL && rbUseExistingCertificate.isSelected() &&
        !rbJKS.isSelected() && !rbPKCS11.isSelected() && !rbPKCS12.isSelected())
        !rbJKS.isSelected() && !rbJCEKS.isSelected() &&
        !rbPKCS11.isSelected() && !rbPKCS12.isSelected())
    {
      rbJKS.setSelected(true);
    }
@@ -826,6 +852,7 @@
    lKeystoreType.setEnabled(
        rbUseExistingCertificate.isSelected() && useSSL);
    rbJKS.setEnabled(rbUseExistingCertificate.isSelected() && useSSL);
    rbJCEKS.setEnabled(rbUseExistingCertificate.isSelected() && useSSL);
    rbPKCS11.setEnabled(rbUseExistingCertificate.isSelected() && useSSL);
    rbPKCS12.setEnabled(rbUseExistingCertificate.isSelected() && useSSL);
@@ -927,7 +954,7 @@
        (cbEnableSSL.isSelected() || cbEnableStartTLS.isSelected()))
    {
      String path = tfKeystorePath.getText();
      if (rbJKS.isSelected() || rbPKCS12.isSelected())
      if (rbJKS.isSelected() || rbJCEKS.isSelected() || rbPKCS12.isSelected())
      {
        /* Check the path */
        if ((path == null) || (path.length() == 0))
@@ -970,6 +997,13 @@
                CertificateManager.KEY_STORE_TYPE_JKS,
                pwd);
          }
          else if (rbJCEKS.isSelected())
          {
            certManager = new CertificateManager(
                path,
                CertificateManager.KEY_STORE_TYPE_JCEKS,
                pwd);
          }
          else if (rbPKCS12.isSelected())
          {
            certManager = new CertificateManager(
@@ -1002,6 +1036,10 @@
              {
                errorMsgs.add(INFO_JKS_KEYSTORE_DOES_NOT_EXIST.get());
              }
              else if (rbJCEKS.isSelected())
              {
                errorMsgs.add(INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST.get());
              }
              else
              {
                errorMsgs.add(INFO_PKCS12_KEYSTORE_DOES_NOT_EXIST.get());
@@ -1029,6 +1067,10 @@
            {
              errorMsgs.add(INFO_ERROR_ACCESSING_JKS_KEYSTORE.get());
            }
            else if (rbJCEKS.isSelected())
            {
              errorMsgs.add(INFO_ERROR_ACCESSING_JCEKS_KEYSTORE.get());
            }
            else
            {
              errorMsgs.add(INFO_ERROR_ACCESSING_PKCS12_KEYSTORE.get());
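Review bot: Each new `rbJCEKS` branch mirrors the `rbJKS` one, so the dialog now carries four parallel radio-button chains (factory selection at @@ -210, the path check at @@ -927, the CertificateManager construction at @@ -970, and the two error-message chains at @@ -1002 and @@ -1029) that must all be updated in step when a store type is added. Computing the selected type once, e.g. a private `SecurityOptions.CertificateType selectedKeystoreType()` that returns JKS, JCEKS, PKCS12 or PKCS11, and switching on it would collapse these chains and make the trailing `else` fallbacks to PKCS12 explicit rather than implied by elimination. The `useSSL` guard at @@ -814 and the enabling code at @@ -826 were extended consistently. The enclosing methods start and end outside the hunks.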
opends/src/quicksetup/org/opends/quicksetup/ui/QuickSetupStepPanel.java
@@ -500,6 +500,10 @@
        certMsg = INFO_JKS_CERTIFICATE.get();
        break;
      case JCEKS:
        certMsg = INFO_JCEKS_CERTIFICATE.get();
        break;
      case PKCS11:
        certMsg = INFO_PKCS11_CERTIFICATE.get();
        break;
opends/src/server/org/opends/server/tools/ConfigureDS.java
@@ -35,6 +35,7 @@
import java.util.LinkedList;
import java.util.Set;
import java.io.File;
import java.io.StringReader;
import javax.crypto.Cipher;
@@ -56,7 +57,10 @@
import org.opends.server.types.DirectoryException;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryEnvironmentConfig;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LDIFImportConfig;
import org.opends.server.util.LDIFReader;
import org.opends.server.util.SetupUtils;
import org.opends.server.util.args.ArgumentException;
import org.opends.server.util.args.ArgumentParser;
@@ -549,9 +553,12 @@
      if (keyManagerProviderDN.isPresent())
      {
        DN dn = null;
        DN JCEKSProviderDN = null;
        try
        {
          dn = DN.decode(keyManagerProviderDN.getValue());
          JCEKSProviderDN =
            DN.decode("cn=JCEKS,cn=Key Manager Providers,cn=config");
        }
        catch (DirectoryException de)
        {
@@ -563,16 +570,54 @@
          return 1;
        }
        try
        if (dn.equals(JCEKSProviderDN))
        {
          configHandler.getConfigEntry(dn);
          // Create the JCEKSProvider entry
          try
          {
            String ldif = "dn: cn=JCEKS,cn=Key Manager Providers,cn=config\n"+
            "objectClass: top\n"+
            "objectClass: ds-cfg-key-manager-provider\n"+
            "objectClass: ds-cfg-file-based-key-manager-provider\n"+
            "cn: JCEKS\n"+
            "ds-cfg-java-class: org.opends.server.extensions."+
                 "FileBasedKeyManagerProvider\n"+
            "ds-cfg-enabled: true\n"+
            "ds-cfg-key-store-type: JCEKS\n"+
            "ds-cfg-key-store-file: config/keystore.jceks\n"+
            "ds-cfg-key-store-pin-file: config/keystore.pin";
            LDIFImportConfig ldifImportConfig =
              new LDIFImportConfig(new StringReader(ldif));
            LDIFReader reader = new LDIFReader(ldifImportConfig);
            Entry providerConfigEntry;
            while ((providerConfigEntry = reader.readEntry()) != null)
            {
              configHandler.addEntry(providerConfigEntry, null);
            }
          }
          catch (Exception e)
          {
            Message message =
              ERR_CONFIG_KEYMANAGER_CANNOT_CREATE_JCEKS_PROVIDER.get(
                String.valueOf(e));
            System.err.println(wrapText(message, MAX_LINE_WIDTH));
            return 1;
          }
        }
        catch (Exception e)
        else
        {
          Message message = ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE.get(
              String.valueOf(e));
          System.err.println(wrapText(message, MAX_LINE_WIDTH));
          return 1;
          try
          {
            configHandler.getConfigEntry(dn);
          }
          catch (Exception e)
          {
            Message message = ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE.get(
                String.valueOf(e));
            System.err.println(wrapText(message, MAX_LINE_WIDTH));
            return 1;
          }
        }
      }
@@ -580,9 +625,12 @@
      if (trustManagerProviderDN.isPresent())
      {
        DN dn = null;
        DN JCEKSTrustManagerDN = null;
        try
        {
          dn = DN.decode(trustManagerProviderDN.getValue());
          JCEKSTrustManagerDN =
            DN.decode("cn=JCEKS,cn=Trust Manager Providers,cn=config");
        }
        catch (DirectoryException de)
        {
@@ -592,16 +640,51 @@
          return 1;
        }
        try
        if (dn.equals(JCEKSTrustManagerDN))
        {
          configHandler.getConfigEntry(dn);
        }
        catch (Exception e)
        {
          Message message = ERR_CONFIG_TRUSTMANAGER_CANNOT_GET_BASE.get(
          try
          {
            String ldif = "dn: cn=JCEKS,cn=Trust Manager Providers,cn=config\n"+
            "objectClass: top\n"+
            "objectClass: ds-cfg-trust-manager-provider\n"+
            "objectClass: ds-cfg-file-based-trust-manager-provider\n"+
            "cn: JKS\n"+
            "ds-cfg-java-class: org.opends.server.extensions."+
            "FileBasedTrustManagerProvider\n"+
            "ds-cfg-enabled: false\n"+
            "ds-cfg-trust-store-type: JCEKS\n"+
            "ds-cfg-trust-store-file: config/truststore\n";
            LDIFImportConfig ldifImportConfig =
              new LDIFImportConfig(new StringReader(ldif));
            LDIFReader reader = new LDIFReader(ldifImportConfig);
            Entry trustManagerConfigEntry;
            while ((trustManagerConfigEntry = reader.readEntry()) != null)
            {
              configHandler.addEntry(trustManagerConfigEntry, null);
            }
          }
          catch (Exception e)
          {
            Message message = ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE.get(
                String.valueOf(e));
          System.err.println(wrapText(message, MAX_LINE_WIDTH));
          return 1;
            System.err.println(wrapText(message, MAX_LINE_WIDTH));
            return 1;
          }
        }
        else
        {
          try
          {
            configHandler.getConfigEntry(dn);
          }
          catch (Exception e)
          {
            Message message = ERR_CONFIG_TRUSTMANAGER_CANNOT_GET_BASE.get(
                String.valueOf(e));
            System.err.println(wrapText(message, MAX_LINE_WIDTH));
            return 1;
          }
        }
      }
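Review bot: The trust-manager entry built in the hunk at @@ -592 has `"cn: JKS\n"` while its DN is `cn=JCEKS,cn=Trust Manager Providers,cn=config`, so the naming attribute does not match the RDN; it should be `"cn: JCEKS\n"`, as the key-manager entry at @@ -563 does. In the same hunk the catch reports `ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE`, although tools.properties in this commit adds `ERR_CONFIG_KEYMANAGER_CANNOT_CREATE_JCEKS_TRUST_MANAGER` for exactly this failure, so an error creating the trust-manager entry is reported as a key-manager lookup problem while the key-manager branch uses its own _CREATE_JCEKS_PROVIDER message correctly. Both entries are assembled from literals only, so there is no injection surface, but the `LDIFReader` is never closed in either branch and the `cn=JCEKS,...` DN strings are now repeated across ConfigureDS and Installer, where one shared constant would keep them from diverging. If setup is re-run against a configuration that already holds the entry, `addEntry` presumably fails rather than being a no-op; confirm whether a `getConfigEntry(dn)` check before adding is wanted. The enclosing method starts and ends outside these hunks.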
opends/src/server/org/opends/server/tools/InstallDS.java
@@ -874,14 +874,34 @@
      String path = argParser.useJavaKeyStoreArg.getValue();
      checkCertificateInKeystore(SecurityOptions.CertificateType.JKS, path, pwd,
          certNickname, errorMessages, keystoreAliases);
      if ((certNickname == null) && !keystoreAliases.isEmpty())
      {
        certNickname = keystoreAliases.getFirst();
      }
      securityOptions = SecurityOptions.createJKSCertificateOptions(
          path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
    }
    else if (argParser.useJCEKSArg.isPresent())
    {
      String path = argParser.useJCEKSArg.getValue();
      checkCertificateInKeystore(SecurityOptions.CertificateType.JCEKS, path,
          pwd, certNickname, errorMessages, keystoreAliases);
      if ((certNickname == null) && !keystoreAliases.isEmpty())
      {
        certNickname = keystoreAliases.getFirst();
      }
      securityOptions = SecurityOptions.createJCEKSCertificateOptions(
          path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
    }
    else if (argParser.usePkcs12Arg.isPresent())
    {
      String path = argParser.usePkcs12Arg.getValue();
      checkCertificateInKeystore(SecurityOptions.CertificateType.PKCS12, path,
          pwd, certNickname, errorMessages, keystoreAliases);
      if ((certNickname == null) && !keystoreAliases.isEmpty())
      {
        certNickname = keystoreAliases.getFirst();
      }
      securityOptions = SecurityOptions.createPKCS12CertificateOptions(
          path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
    }
@@ -889,6 +909,10 @@
    {
      checkCertificateInKeystore(SecurityOptions.CertificateType.PKCS11, null,
          pwd, certNickname, errorMessages, keystoreAliases);
      if ((certNickname == null) && !keystoreAliases.isEmpty())
      {
        certNickname = keystoreAliases.getFirst();
      }
      securityOptions = SecurityOptions.createPKCS11CertificateOptions(
          pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
    }
@@ -1599,6 +1623,12 @@
        createSecurityOptionsPrompting(SecurityOptions.CertificateType.JKS,
            enableSSL, enableStartTLS, ldapsPort);
    }
    else if (argParser.useJCEKSArg.isPresent())
    {
      securityOptions =
        createSecurityOptionsPrompting(SecurityOptions.CertificateType.JCEKS,
            enableSSL, enableStartTLS, ldapsPort);
    }
    else if (argParser.usePkcs12Arg.isPresent())
    {
      securityOptions =
@@ -1623,12 +1653,14 @@
      {
        final int SELF_SIGNED = 1;
        final int JKS = 2;
        final int PKCS12 = 3;
        final int PKCS11 = 4;
        int[] indexes = {SELF_SIGNED, JKS, PKCS12, PKCS11};
        final int JCEKS = 3;
        final int PKCS12 = 4;
        final int PKCS11 = 5;
        int[] indexes = {SELF_SIGNED, JKS, JCEKS, PKCS12, PKCS11};
        Message[] msgs = {
            INFO_INSTALLDS_CERT_OPTION_SELF_SIGNED.get(),
            INFO_INSTALLDS_CERT_OPTION_JKS.get(),
            INFO_INSTALLDS_CERT_OPTION_JCEKS.get(),
            INFO_INSTALLDS_CERT_OPTION_PKCS12.get(),
            INFO_INSTALLDS_CERT_OPTION_PKCS11.get()
        };
@@ -1655,6 +1687,10 @@
            builder.setDefault(Message.raw(String.valueOf(JKS)),
                MenuResult.success(JKS));
            break;
          case JCEKS:
            builder.setDefault(Message.raw(String.valueOf(JCEKS)),
                MenuResult.success(JCEKS));
            break;
          case PKCS11:
            builder.setDefault(Message.raw(String.valueOf(PKCS11)),
                MenuResult.success(PKCS11));
@@ -1700,6 +1736,13 @@
            createSecurityOptionsPrompting(SecurityOptions.CertificateType.JKS,
                enableSSL, enableStartTLS, ldapsPort);
        }
        else if (certType == JCEKS)
        {
          securityOptions =
            createSecurityOptionsPrompting(
                SecurityOptions.CertificateType.JCEKS,
                enableSSL, enableStartTLS, ldapsPort);
        }
        else if (certType == PKCS12)
        {
          securityOptions =
@@ -1847,6 +1890,13 @@
              pwd);
          break;
          case JCEKS:
            certManager = new CertificateManager(
                path,
                CertificateManager.KEY_STORE_TYPE_JCEKS,
                pwd);
            break;
          case PKCS12:
          certManager = new CertificateManager(
              path,
@@ -1871,15 +1921,17 @@
          switch (type)
          {
          case JKS:
            errorMessages.add(INFO_PKCS11_KEYSTORE_DOES_NOT_EXIST.get());
            break;
          case PKCS12:
            errorMessages.add(INFO_JKS_KEYSTORE_DOES_NOT_EXIST.get());
            break;
          case PKCS11:
          case JCEKS:
            errorMessages.add(INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST.get());
            break;
          case PKCS12:
            errorMessages.add(INFO_PKCS12_KEYSTORE_DOES_NOT_EXIST.get());
            break;
          case PKCS11:
            errorMessages.add(INFO_PKCS11_KEYSTORE_DOES_NOT_EXIST.get());
            break;
          default:
            throw new IllegalArgumentException("Invalid type: "+type);
          }
@@ -1922,7 +1974,9 @@
        case JKS:
          errorMessages.add(INFO_ERROR_ACCESSING_JKS_KEYSTORE.get());
          break;
        case JCEKS:
          errorMessages.add(INFO_ERROR_ACCESSING_JCEKS_KEYSTORE.get());
          break;
        case PKCS12:
          errorMessages.add(INFO_ERROR_ACCESSING_PKCS12_KEYSTORE.get());
          break;
@@ -1978,6 +2032,15 @@
        defaultPathValue = lastResetKeyStorePath;
      }
      break;
    case JCEKS:
      path = argParser.useJCEKSArg.getValue();
      pathPrompt = INFO_INSTALLDS_PROMPT_JCEKS_PATH.get();
      defaultPathValue = argParser.useJCEKSArg.getValue();
      if (defaultPathValue == null)
      {
        defaultPathValue = lastResetKeyStorePath;
      }
      break;
    case PKCS11:
      path = null;
      defaultPathValue = null;
@@ -2086,6 +2149,10 @@
        securityOptions = SecurityOptions.createJKSCertificateOptions(
        path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
        break;
      case JCEKS:
        securityOptions = SecurityOptions.createJCEKSCertificateOptions(
        path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
        break;
      case PKCS12:
        securityOptions = SecurityOptions.createPKCS12CertificateOptions(
            path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
@@ -2116,9 +2183,11 @@
      if (msg.getDescriptor().equals(INFO_KEYSTORE_PATH_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_KEYSTORE_PATH_NOT_A_FILE) ||
          msg.getDescriptor().equals(INFO_JKS_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_PKCS12_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_PKCS11_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_JKS_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_JCEKS_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_PKCS12_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_PKCS11_KEYSTORE))
      {
@@ -2142,9 +2211,11 @@
    for (Message msg : msgs)
    {
      if (msg.getDescriptor().equals(INFO_JKS_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_JCEKS_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_PKCS12_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_PKCS11_KEYSTORE_DOES_NOT_EXIST) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_JKS_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_JCEKS_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_PKCS12_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_ACCESSING_PKCS11_KEYSTORE) ||
          msg.getDescriptor().equals(INFO_ERROR_NO_KEYSTORE_PASSWORD) ||
@@ -2480,7 +2551,8 @@
      lastResetEnableStartTLS = sec.getEnableStartTLS();
      lastResetCertType = sec.getCertificateType();
      if (lastResetCertType == SecurityOptions.CertificateType.JKS ||
          lastResetCertType == SecurityOptions.CertificateType.PKCS11)
          lastResetCertType == SecurityOptions.CertificateType.JCEKS ||
          lastResetCertType == SecurityOptions.CertificateType.PKCS12)
      {
        lastResetKeyStorePath = sec.getKeystorePath();
      }
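Review bot: In the hunk at @@ -1978 the new `case JCEKS:` calls `argParser.useJCEKSArg.getValue()` twice, once for `path` and again for `defaultPathValue`; `defaultPathValue = path;` states the intent directly (the JKS case above is cut off, so I cannot tell whether it has the same redundancy). The file-backed branches at @@ -874 and @@ -1599 differ only in the argument object and the factory called, so a small helper taking the `CertificateType` and the argument would spare the next store type six more copies. The local `final int JCEKS = 3` at @@ -1623 shares its name with the enum constant used as the `case JCEKS:` label at @@ -1655, which compiles but reads ambiguously; a `MENU_JCEKS` style name for the menu index would remove the double meaning. The enclosing methods start and end outside these hunks.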
opends/src/server/org/opends/server/tools/InstallDSArgumentParser.java
@@ -90,6 +90,7 @@
  StringArgument    directoryManagerDNArg;
  StringArgument    directoryManagerPwdStringArg;
  StringArgument    useJavaKeyStoreArg;
  StringArgument    useJCEKSArg;
  StringArgument    usePkcs12Arg;
  StringArgument    keyStorePasswordArg;
  StringArgument    certNicknameArg;
@@ -347,6 +348,12 @@
        INFO_INSTALLDS_DESCRIPTION_USE_JAVAKEYSTORE.get());
    addArgument(useJavaKeyStoreArg);
    useJCEKSArg = new StringArgument("useJCEKS".toLowerCase(),
        null, "useJCEKS", false, false,
        true, INFO_KEYSTOREPATH_PLACEHOLDER.get(), null, "useJCEKS",
        INFO_INSTALLDS_DESCRIPTION_USE_JCEKS.get());
    addArgument(useJCEKSArg);
    usePkcs12Arg = new StringArgument("usePkcs12keyStore".toLowerCase(),
        null, "usePkcs12keyStore", false, false,
        true, INFO_KEYSTOREPATH_PLACEHOLDER.get(), null, "usePkcs12keyStore",
@@ -652,6 +659,10 @@
    {
      certificateType++;
    }
    if (useJCEKSArg.isPresent())
    {
      certificateType++;
    }
    if (usePkcs11Arg.isPresent())
    {
      certificateType++;
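Review bot: The new long option is `useJCEKS`, while its siblings in the hunk at @@ -347 are `useJavaKeyStore` and `usePkcs12keyStore`; command-line option names are a public interface that is awkward to rename after release, so consider `useJCEKSKeyStore` (or record why the shorter form is deliberate) before this ships. The mutual-exclusion counter at @@ -652 was extended for the new argument, which keeps `--useJCEKS` from being combined with another store option. `"useJCEKS".toLowerCase()` follows the existing calls, though `toLowerCase(Locale.ROOT)` would make all of them independent of the default locale.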
opends/src/server/org/opends/server/util/CertificateManager.java
@@ -46,8 +46,8 @@
/**
 * This class provides an interface for generating self-signed certificates and
 * certificate signing requests, and for importing, exporting, and deleting
 * certificates from a key store.  It supports JKS, PKCS11, and PKCS12 key store
 * types.
 * certificates from a key store.  It supports JKS, JCEKS PKCS11, and PKCS12 key
 * store types.
 * <BR><BR>
 * Note that for some operations, particularly those that require updating the
 * contents of a key store (including generating certificates and/or certificate
@@ -83,7 +83,10 @@
   */
  public static final String KEY_STORE_TYPE_JKS = "JKS";
  /**
   * The key store type value that should be used for the "JCEKS" key store.
   */
  public static final String KEY_STORE_TYPE_JCEKS = "JCEKS";
  /**
   * The key store type value that should be used for the "PKCS11" key store.
@@ -186,6 +189,7 @@
   *                       performed.
   * @param  keyStoreType  The key store type to use.  It should be one of
   *                       {@code KEY_STORE_TYPE_JKS},
   *                       {@code KEY_STORE_TYPE_JCEKS},
   *                       {@code KEY_STORE_TYPE_PKCS11}, or
   *                       {@code KEY_STORE_TYPE_PKCS12}.
   * @param  keyStorePIN   The PIN required to access the key store.  It must
@@ -231,6 +235,7 @@
      }
    }
    else if (keyStoreType.equals(KEY_STORE_TYPE_JKS) ||
        keyStoreType.equals(KEY_STORE_TYPE_JCEKS) ||
             keyStoreType.equals(KEY_STORE_TYPE_PKCS12))
    {
      File keyStoreFile = new File(keyStorePath);
@@ -261,6 +266,7 @@
      // FIXME -- Make this an internationalizeable string.
      throw new IllegalArgumentException("Invalid key store type -- it must " +
                  "be one of " + KEY_STORE_TYPE_JKS + ", " +
                  "be one of " + KEY_STORE_TYPE_JCEKS + ", " +
                  KEY_STORE_TYPE_PKCS11 + ", or " + KEY_STORE_TYPE_PKCS12);
    }
@@ -888,11 +894,13 @@
      return keyStore;
    }
    // For JKS and PKCS12 key stores, we should make sure the file exists, and
    // we'll need an input stream that we can use to read it.  For PKCS11 key
    // stores there won't be a file and the input stream should be null.
    // For JKS, JCEKS and PKCS12 key stores, we should make sure the file
    // exists, and we'll need an input stream that we can use to read it.
    // For PKCS11 key stores there won't be a file and the input stream should
    // be null.
    FileInputStream keyStoreInputStream = null;
    if (keyStoreType.equals(KEY_STORE_TYPE_JKS) ||
        keyStoreType.equals(KEY_STORE_TYPE_JCEKS) ||
        keyStoreType.equals(KEY_STORE_TYPE_PKCS12))
    {
      File keyStoreFile = new File(keyStorePath);
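Review bot: The IllegalArgumentException message in the hunk at @@ -261 now concatenates `KEY_STORE_TYPE_JCEKS`, `KEY_STORE_TYPE_PKCS11` and `KEY_STORE_TYPE_PKCS12`, so JKS was replaced rather than JCEKS being added, and the error no longer lists a value the constructor accepts; it should read `"be one of " + KEY_STORE_TYPE_JKS + ", " + KEY_STORE_TYPE_JCEKS + ", " +` followed by the existing PKCS11/PKCS12 line. The class Javadoc at @@ -46 is missing a comma: `It supports JKS, JCEKS, PKCS11, and PKCS12 key`. The file-existence check at @@ -231 and the input-stream branch at @@ -888 treat JCEKS as file-backed alongside JKS and PKCS12, which is consistent with the config entries ConfigureDS creates; the method containing the last hunk continues past the end of this section.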