From 2cf46088b7e69b4f424a821291607afe6faa7e4f Mon Sep 17 00:00:00 2001
From: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Date: Fri, 30 Jul 2021 14:08:39 +0000
Subject: [PATCH] Add FIPS support (#176)
---
opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
index a654e32..84990d9 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
@@ -85,6 +85,7 @@
import com.forgerock.opendj.cli.FileBasedArgument;
import com.forgerock.opendj.cli.IntegerArgument;
import com.forgerock.opendj.cli.StringArgument;
+import com.forgerock.opendj.util.StaticUtils;
/**
* This class provides a very basic tool that can be used to configure some of
@@ -187,6 +188,8 @@
+ "ds-cfg-trust-store-type: JCEKS" + NEW_LINE
+ "ds-cfg-trust-store-file: config/truststore" + NEW_LINE;
+ private static final String DN_ADMIN_KEY_MANAGER = "cn=Administration,cn=Key Manager Providers," + DN_CONFIG_ROOT;
+
/** The DN of the configuration entry defining the LDAP connection handler. */
private static final String DN_LDAP_CONNECTION_HANDLER = "cn=LDAP Connection Handler," + DN_CONNHANDLER_BASE;
/** The DN of the configuration entry defining the Administration connector. */
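Review bot: The new constant DN_ADMIN_KEY_MANAGER is the only DN constant in this group without the one-line Javadoc its neighbours carry (the two following constants each document which configuration entry they name). Since the entry it points at is rewritten in place later in this patch, a reader should be able to see from the declaration what it is; I would add `/** The DN of the configuration entry defining the Administration key manager provider. */` above it, matching the sibling style.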
@@ -878,6 +881,9 @@
putKeyManagerConfigAttribute(enableStartTLS, DN_LDAP_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_LDAPS_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_HTTP_CONNECTION_HANDLER);
+ if (StaticUtils.isFips()) {
+ putAdminKeyManagerConfigAttribute(ldapsPort, DN_ADMIN_KEY_MANAGER);
+ }
if (keyManagerPath.isPresent())
{
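Review bot: The FIPS branch switches the Administration key manager provider only when `ldapsPort` was supplied, because putAdminKeyManagerConfigAttribute returns early on `arg.isPresent()`; with FIPS active but no LDAPS port given, the Administration provider keeps its file-based JCEKS configuration. If that coupling is intentional (the argument is reused from the LDAPS/HTTP lines above), a comment such as `// In FIPS mode the Administration provider must also be PKCS11-backed; keyed on ldapsPort like the LDAPS/HTTP handlers.` would record it; if the Administration connector should be PKCS11-backed whenever FIPS is active, the guard should not depend on ldapsPort. The enclosing method starts and ends outside this hunk, so I cannot see whether another argument represents the admin connector's TLS settings.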
@@ -917,6 +923,39 @@
}
}
+ private void putAdminKeyManagerConfigAttribute(final Argument arg, final String attributeDN)
+ throws ConfigureDSException
+ {
+ if (arg.isPresent())
+ {
+ try
+ {
+ updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_TYPE);
+ updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_FILE);
+
+ updateConfigEntryWithObjectClasses(
+ attributeDN,
+ "top", "ds-cfg-pkcs11-key-manager-provider", "ds-cfg-key-manager-provider");
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYMANAGER_CLASS,
+ CoreSchema.getDirectoryStringSyntax(),
+ "org.opends.server.extensions.PKCS11KeyManagerProvider");
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYSTORE_PIN_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "config/keystore.pin");
+ }
+ catch (final Exception e)
+ {
+ throw new ConfigureDSException(e, ERR_CONFIGDS_CANNOT_UPDATE_KEYMANAGER_REFERENCE.get(e));
+ }
+ }
+ }
+
private void updateTrustManager() throws ConfigureDSException
{
if (trustManagerProviderDN.isPresent())
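Review bot: putAdminKeyManagerConfigAttribute performs four separate config-entry updates (two attribute removals, an objectClass replacement, then the class and PIN-file attributes) with no rollback, so a failure after the first removal leaves the Administration provider entry half-converted, and the error is reported under ERR_CONFIGDS_CANNOT_UPDATE_KEYMANAGER_REFERENCE, which describes a reference update rather than a provider-type switch. The parameter named `attributeDN` is in fact the DN of the provider entry being rewritten, and the method has no Javadoc although the neighbouring helpers do; I would rename it `providerDN` and add a Javadoc stating that, when `arg` is present, the provider entry is converted from a file-based keystore to `ds-cfg-pkcs11-key-manager-provider` reading its PIN from `config/keystore.pin`. Nothing here checks that the PIN file exists or is readable, so a missing or unreadable `config/keystore.pin` surfaces only when the server starts; if the tool has the instance root available, an existence check with a clear message at configuration time would be friendlier. The provider class is given as the string literal `"org.opends.server.extensions.PKCS11KeyManagerProvider"`; if that class is visible from this tool, `PKCS11KeyManagerProvider.class.getName()` would let the compiler catch a rename.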
@@ -1127,6 +1166,15 @@
configHandler.replaceEntry(configEntry, Converters.from(newEntry));
}
+ /** Update a config entry with the provided objectCLass parameters. */
+ private void updateConfigEntryWithObjectClasses(String entryDn, Object...objectCLasses)
+ throws DirectoryException, ConfigException
+ {
+ org.forgerock.opendj.ldap.Entry configEntry = configHandler.getEntry(DN.valueOf(entryDn));
+ final org.forgerock.opendj.ldap.Entry newEntry = putAttribute(configEntry, ATTR_OBJECTCLASS, CoreSchema.getOIDSyntax(), objectCLasses);
+ configHandler.replaceEntry(configEntry, newEntry, true);
+ }
+
/**
* Duplicate the provided entry, and put an attribute to the duplicated entry.
* <p>
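Review bot: The parameter and Javadoc of updateConfigEntryWithObjectClasses misspell object class (`objectCLasses`, `objectCLass`), and the values are declared `Object...` although the only caller passes string names and they are written under the OID syntax; `private void updateConfigEntryWithObjectClasses(final String entryDn, final String... objectClasses)` is tighter and still accepts the existing call. `configEntry` could also be `final` like `newEntry` and like the sibling method above. Going by the name, putAttribute appears to replace the attribute's values rather than add to them, so the Javadoc should say whether the entry's existing objectClass values are dropped, e.g. `/** Replace the objectClass values of the config entry at {@code entryDn} with the provided object classes. */` — worth confirming against putAttribute, whose body is outside this hunk.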
@@ -1158,7 +1206,7 @@
{
if (t.hasNameOrOID(attrName))
{
- entry.getUserAttributes().remove(t);
+ duplicateEntry.getUserAttributes().remove(t);
return duplicateEntry;
}
}
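Review bot: With the removal now targeting `duplicateEntry`, the `return duplicateEntry;` immediately after it is what keeps the loop safe if the `for` header (outside this hunk) iterates over the same attribute list that is modified; removing the early return in a later edit would risk a ConcurrentModificationException. A short comment would protect that, e.g. `// Return immediately: the list being iterated is the one just modified.` The same applies to the operational-attribute hunk that follows.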
@@ -1167,7 +1215,7 @@
{
if (t.hasNameOrOID(attrName))
{
- entry.getOperationalAttributes().remove(t);
+ duplicateEntry.getOperationalAttributes().remove(t);
return duplicateEntry;
}
}
--
Gitblit v1.10.0