From 3ba4a8a412fa60c947ecb3cee9d90fb24e590d54 Mon Sep 17 00:00:00 2001
From: Yannick Lecaillez <ylecaillez@forgerock.com>
Date: Wed, 18 Nov 2015 15:24:16 +0000
Subject: [PATCH] OPENDJ-2399: Start server fails if the jvm used does not contains an elliptic curve certificate provider.
---
opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java | 32 +++--
opendj-server-legacy/src/main/java/org/opends/server/util/Platform.java | 18 +++
opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java | 74 ++++++-----
opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java | 86 ++++++-------
opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java | 25 ++--
opendj-server-legacy/src/main/java/org/opends/server/util/SelectableCertificateKeyManager.java | 4
opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java | 63 +++-------
opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java | 9
opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/offline/OfflineInstaller.java | 5
opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java | 2
opendj-server-legacy/resource/config/config.ldif | 5
11 files changed, 161 insertions(+), 162 deletions(-)
diff --git a/opendj-server-legacy/resource/config/config.ldif b/opendj-server-legacy/resource/config/config.ldif
index db9e6bc..3cd90c9 100644
--- a/opendj-server-legacy/resource/config/config.ldif
+++ b/opendj-server-legacy/resource/config/config.ldif
@@ -335,7 +335,6 @@
ds-cfg-use-ssl: false
ds-cfg-ssl-client-auth-policy: optional
ds-cfg-ssl-cert-nickname: server-cert
-ds-cfg-ssl-cert-nickname: server-cert-ec
dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
objectClass: top
@@ -360,7 +359,6 @@
ds-cfg-use-ssl: true
ds-cfg-ssl-client-auth-policy: optional
ds-cfg-ssl-cert-nickname: server-cert
-ds-cfg-ssl-cert-nickname: server-cert-ec
ds-cfg-key-manager-provider: cn=JKS,cn=Key Manager Providers,cn=config
ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,cn=config
@@ -384,7 +382,6 @@
ds-cfg-use-ssl: false
ds-cfg-ssl-client-auth-policy: optional
ds-cfg-ssl-cert-nickname: server-cert
-ds-cfg-ssl-cert-nickname: server-cert-ec
ds-cfg-config-file: config/http-config.json
ds-cfg-authentication-required: true
@@ -408,7 +405,6 @@
ds-cfg-use-ssl: false
ds-cfg-listen-port: 1689
ds-cfg-ssl-cert-nickname: server-cert
-ds-cfg-ssl-cert-nickname: server-cert-ec
dn: cn=Entry Caches,cn=config
objectClass: top
@@ -2460,7 +2456,6 @@
ds-cfg-listen-address: 0.0.0.0
ds-cfg-listen-port: 4444
ds-cfg-ssl-cert-nickname: admin-cert
-ds-cfg-ssl-cert-nickname: admin-cert-ec
ds-cfg-key-manager-provider: cn=Administration,cn=Key Manager Providers,cn=config
ds-cfg-trust-manager-provider: cn=Administration,cn=Trust Manager Providers,cn=config
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java
index 344706c..50f81ba 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java
@@ -26,6 +26,10 @@
*/
package org.opends.quicksetup;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Set;
+import java.util.TreeSet;
/**
* Class used to describe the Security Options specified by the user.
@@ -77,7 +81,7 @@
private CertificateType certificateType;
private String keyStorePath;
private String keyStorePassword;
- private String aliasToUse;
+ private Set<String> aliasesToUse = new TreeSet<>();
private SecurityOptions()
{
@@ -115,7 +119,8 @@
public static SecurityOptions createSelfSignedCertificateOptions(
boolean enableSSL, boolean enableStartTLS, int sslPort)
{
- return createSelfSignedCertificateOptions(enableSSL, enableStartTLS, sslPort, SELF_SIGNED_CERT_ALIAS);
+ return createSelfSignedCertificateOptions(enableSSL, enableStartTLS, sslPort,
+ Arrays.asList(SELF_SIGNED_CERT_ALIAS));
}
/**
@@ -128,16 +133,16 @@
* whether Start TLS is enabled or not.
* @param sslPort
* the value of the LDAPS port.
- * @param aliasToUse
- * the alias of the certificate in the key store to be used.
+ * @param aliasesToUse
+ * the aliases of the certificates in the key store to be used.
* @return a new instance of a SecurityOptions using a self-signed
* certificate.
*/
public static SecurityOptions createSelfSignedCertificateOptions(boolean enableSSL, boolean enableStartTLS,
- int sslPort, String aliasToUse)
+ int sslPort, Collection<String> aliasesToUse)
{
return createOptionsForCertificatType(
- CertificateType.SELF_SIGNED_CERTIFICATE, null, null, enableSSL, enableStartTLS, sslPort, aliasToUse);
+ CertificateType.SELF_SIGNED_CERTIFICATE, null, null, enableSSL, enableStartTLS, sslPort, aliasesToUse);
}
/**
@@ -153,15 +158,15 @@
* whether Start TLS is enabled or not.
* @param sslPort
* the value of the LDAPS port.
- * @param aliasToUse
- * the alias of the certificate in the key store to be used.
+ * @param aliasesToUse
+ * the aliases of the certificates in the key store to be used.
* @return a new instance of a SecurityOptions using a Java Key Store.
*/
public static SecurityOptions createJKSCertificateOptions(String keystorePath, String keystorePwd, boolean enableSSL,
- boolean enableStartTLS, int sslPort, String aliasToUse)
+ boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
{
return createOptionsForCertificatType(
- CertificateType.JKS, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasToUse);
+ CertificateType.JKS, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasesToUse);
}
/**
@@ -177,15 +182,15 @@
* whether Start TLS is enabled or not.
* @param sslPort
* the value of the LDAPS port.
- * @param aliasToUse
- * the alias of the certificate in the keystore to be used.
+ * @param aliasesToUse
+ * the aliases of the certificates in the keystore to be used.
* @return a new instance of a SecurityOptions using a JCE Key Store.
*/
public static SecurityOptions createJCEKSCertificateOptions(String keystorePath, String keystorePwd,
- boolean enableSSL, boolean enableStartTLS, int sslPort, String aliasToUse)
+ boolean enableSSL, boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
{
return createOptionsForCertificatType(
- CertificateType.JCEKS, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasToUse);
+ CertificateType.JCEKS, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasesToUse);
}
@@ -200,15 +205,15 @@
* whether Start TLS is enabled or not.
* @param sslPort
* the value of the LDAPS port.
- * @param aliasToUse
- * the alias of the certificate in the keystore to be used.
+ * @param aliasesToUse
+ * the aliases of the certificates in the keystore to be used.
* @return a new instance of a SecurityOptions using a PKCS#11 Key Store.
*/
public static SecurityOptions createPKCS11CertificateOptions(String keystorePwd, boolean enableSSL,
- boolean enableStartTLS, int sslPort, String aliasToUse)
+ boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
{
return createOptionsForCertificatType(
- CertificateType.PKCS11, null, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasToUse);
+ CertificateType.PKCS11, null, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasesToUse);
}
/**
@@ -224,15 +229,15 @@
* whether Start TLS is enabled or not.
* @param sslPort
* the value of the LDAPS port.
- * @param aliasToUse
- * the alias of the certificate in the keystore to be used.
+ * @param aliasesToUse
+ * the aliases of the certificates in the keystore to be used.
* @return a new instance of a SecurityOptions using a PKCS#12 Key Store.
*/
public static SecurityOptions createPKCS12CertificateOptions( String keystorePath, String keystorePwd,
- boolean enableSSL, boolean enableStartTLS, int sslPort, String aliasToUse)
+ boolean enableSSL, boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
{
return createOptionsForCertificatType(
- CertificateType.PKCS12, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasToUse);
+ CertificateType.PKCS12, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasesToUse);
}
/**
@@ -251,12 +256,12 @@
* Whether Start TLS is enabled or not.
* @param sslPort
* The value of the LDAPS port.
- * @param aliasToUse
- * The alias of the certificate in the keystore to be used.
+ * @param aliasesToUse
+ * The aliases of the certificates in the keystore to be used.
* @return a new instance of a SecurityOptions.
*/
public static SecurityOptions createOptionsForCertificatType(CertificateType certType, String keystorePath,
- String keystorePwd, boolean enableSSL, boolean enableStartTLS, int sslPort, String aliasToUse)
+ String keystorePwd, boolean enableSSL, boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
{
if (certType == CertificateType.NO_CERTIFICATE)
{
@@ -273,7 +278,7 @@
ops.setKeyStorePassword(keystorePwd);
}
ops.setCertificateType(certType);
- updateCertificateOptions(ops, enableSSL, enableStartTLS, sslPort, aliasToUse);
+ updateCertificateOptions(ops, enableSSL, enableStartTLS, sslPort, aliasesToUse);
return ops;
}
@@ -378,7 +383,7 @@
* @param aliasToUse the name of the alias to be used.
*/
private static void updateCertificateOptions(SecurityOptions ops,
- boolean enableSSL, boolean enableStartTLS, int sslPort, String aliasToUse)
+ boolean enableSSL, boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
{
if (!enableSSL && !enableStartTLS)
{
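Review bot: The Javadoc directly above the changed signature still reads `@param aliasToUse the name of the alias to be used.` although the parameter is now `aliasesToUse`, so the doc names a parameter that no longer exists. Change it to `@param aliasesToUse the aliases of the certificates in the key store to be used.`, matching the wording used on the public factory methods earlier in this file. The method body continues past the hunk.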
@@ -388,7 +393,7 @@
ops.setEnableSSL(enableSSL);
ops.setEnableStartTLS(enableStartTLS);
ops.setSslPort(sslPort);
- ops.setAliasToUse(aliasToUse);
+ ops.setAliasToUse(aliasesToUse);
}
/**
@@ -413,18 +418,19 @@
* Returns the alias of the certificate in the key store to be used.
* @return the alias of the certificate in the key store to be used.
*/
- public String getAliasToUse()
+ public Set<String> getAliasesToUse()
{
- return aliasToUse;
+ return aliasesToUse;
}
/**
- * Sets the certificate alias name.
- * @param aliasToUse the certificate alias name.
+ * Sets the certificates aliases name.
+ * @param aliasesToUse the certificates aliases name.
*/
- void setAliasToUse(String aliasToUse)
+ void setAliasToUse(Collection<String> aliasesToUse)
{
- this.aliasToUse = aliasToUse;
+ this.aliasesToUse.clear();
+ this.aliasesToUse.addAll(aliasesToUse);
}
}
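Review bot: `getAliasesToUse()` returns the internal `TreeSet` itself, so any caller can mutate the options after construction, which the old `String` getter could not allow; returning `Collections.unmodifiableSet(aliasesToUse)` (needs a `java.util.Collections` import) restores that property. The getter's Javadoc is also still singular ("Returns the alias of the certificate") and the setter keeps the name `setAliasToUse` while its getter became `getAliasesToUse`; renaming it `setAliasesToUse` and updating both descriptions would keep the pair consistent. Note that `addAll` throws on a null argument where the old setter accepted null, so every caller must now pass a collection — the `getValues()` call sites in InstallDS appear to, but it is worth confirming that `StringArgument.getValues()` never returns null.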
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
index 94796da..a9d3ecf 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
@@ -845,7 +845,8 @@
argList.add("--adminConnectorPort");
argList.add(String.valueOf(getUserData().getAdminConnectorPort()));
- SecurityOptions sec = getUserData().getSecurityOptions();
+ final SecurityOptions sec = getUserData().getSecurityOptions();
+ configureCertificate(sec);
// TODO: even if the user does not configure SSL maybe we should choose
// a secure port that is not being used and that we can actually use.
if (sec.getEnableSSL())
@@ -957,7 +958,6 @@
invokeLongOperation(thread);
notifyListeners(getFormattedDoneWithLineBreak());
checkAbort();
- configureCertificate(sec);
}
private void configureCertificate(SecurityOptions sec) throws ApplicationException
@@ -979,7 +979,7 @@
String pwd = getSelfSignedCertificatePwd();
final CertificateManager certManager =
new CertificateManager(getSelfSignedKeystorePath(), CertificateManager.KEY_STORE_TYPE_JKS, pwd);
- for (String alias : SELF_SIGNED_CERT_ALIASES)
+ for (String alias : sec.getAliasesToUse())
{
final KeyType keyType = KeyType.getTypeOrDefault(alias);
certManager.generateSelfSignedCertificate(keyType, alias, getSelfSignedCertificateSubjectDN(keyType),
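Review bot: The loop generates a self-signed certificate for every alias in `sec.getAliasesToUse()` without consulting the new `KeyType.isSupported()` added in Platform.java, which nothing else in this patch calls. If an EC alias ever reaches this loop on a JVM with no EC provider — the failure the commit title describes — `generateSelfSignedCertificate` will presumably still fail; checking `keyType.isSupported()` before the generate call and reporting the unsupported type as an `ApplicationException` with a clear message would make the new method actually participate in the fix. The surrounding method starts before this hunk.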
@@ -1030,11 +1030,12 @@
final String trustStoreType, final SecurityOptions sec) throws Exception
{
final String keystorePassword = sec.getKeystorePassword();
- final String keyStoreAlias = sec.getAliasToUse();
-
CertificateManager certManager = new CertificateManager(keyStorePath, keyStoreType, keystorePassword);
- SetupUtils.exportCertificate(certManager, keyStoreAlias, getTemporaryCertificatePath());
- configureTrustStore(trustStoreType, keyStoreAlias, keystorePassword);
+ for (String keyStoreAlias : sec.getAliasesToUse())
+ {
+ SetupUtils.exportCertificate(certManager, keyStoreAlias, getTemporaryCertificatePath());
+ configureTrustStore(trustStoreType, keyStoreAlias, keystorePassword);
+ }
}
private void configureTrustStore(final String type, final String keyStoreAlias, final String password)
@@ -1051,7 +1052,7 @@
private void addCertificateArguments(SecurityOptions sec, List<String> argList)
{
- final String aliasInKeyStore = sec.getAliasToUse();
+ final Collection<String> aliasInKeyStore = sec.getAliasesToUse();
switch (sec.getCertificateType())
{
@@ -1085,8 +1086,8 @@
}
}
- private void addCertificateArguments(List<String> argList, SecurityOptions sec, String aliasInKeyStore,
- String keyStoreDN, String trustStoreDN)
+ private static void addCertificateArguments(List<String> argList, SecurityOptions sec,
+ Collection<String> aliasesInKeyStore, String keyStoreDN, String trustStoreDN)
{
argList.add("-k");
argList.add(keyStoreDN);
@@ -1097,10 +1098,10 @@
argList.add("-m");
argList.add(sec.getKeystorePath());
}
- if (aliasInKeyStore != null)
+ for(String alias : aliasesInKeyStore)
{
argList.add("-a");
- argList.add(aliasInKeyStore);
+ argList.add(alias);
}
}
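Review bot: `for(String alias : aliasesInKeyStore)` is missing the space after `for` that the rest of this file uses (`for (String alias : ...)` in the earlier hunk follows the usual style). The caller in the preceding hunk also still names its local `aliasInKeyStore` although it is now a `Collection<String>`; `aliasesInKeyStore` would match the parameter it is passed to. Since the old `!= null` guard is gone, this method now relies on `getAliasesToUse()` never returning null, which holds for the current `TreeSet`-backed field but is not stated anywhere.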
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/offline/OfflineInstaller.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/offline/OfflineInstaller.java
index 2a634e6..3934fc9 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/offline/OfflineInstaller.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/offline/OfflineInstaller.java
@@ -383,7 +383,10 @@
try {
for (String alias : SELF_SIGNED_CERT_ALIASES)
{
- cm.removeCertificate(alias);
+ if (cm.aliasInUse(alias))
+ {
+ cm.removeCertificate(alias);
+ }
}
} catch (KeyStoreException e) {
logger.info(LocalizableMessage.raw("Error deleting self signed certification", e));
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java
index 1113555..3e4a065 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/ui/SecurityOptionsDialog.java
@@ -39,6 +39,7 @@
import java.io.File;
import java.security.KeyStoreException;
import java.util.ArrayList;
+import java.util.Arrays;
import javax.swing.Box;
import javax.swing.ButtonGroup;
@@ -215,27 +216,27 @@
ops = SecurityOptions.createJKSCertificateOptions(
tfKeystorePath.getText(),
String.valueOf(tfKeystorePwd.getPassword()), enableSSL,
- enableStartTLS, sslPort, selectedAlias);
+ enableStartTLS, sslPort, Arrays.asList(selectedAlias));
}
else if (rbJCEKS.isSelected())
{
ops = SecurityOptions.createJCEKSCertificateOptions(
tfKeystorePath.getText(),
String.valueOf(tfKeystorePwd.getPassword()), enableSSL,
- enableStartTLS, sslPort, selectedAlias);
+ enableStartTLS, sslPort, Arrays.asList(selectedAlias));
}
else if (rbPKCS11.isSelected())
{
ops = SecurityOptions.createPKCS11CertificateOptions(
String.valueOf(tfKeystorePwd.getPassword()), enableSSL,
- enableStartTLS, sslPort, selectedAlias);
+ enableStartTLS, sslPort, Arrays.asList(selectedAlias));
}
else if (rbPKCS12.isSelected())
{
ops = SecurityOptions.createPKCS12CertificateOptions(
tfKeystorePath.getText(),
String.valueOf(tfKeystorePwd.getPassword()), enableSSL,
- enableStartTLS, sslPort, selectedAlias);
+ enableStartTLS, sslPort, Arrays.asList(selectedAlias));
}
else
{
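Review bot: `Arrays.asList(selectedAlias)` produces a one-element list containing null when `selectedAlias` is null, and `SecurityOptions.setAliasToUse` then calls `TreeSet.addAll` on it, which throws NullPointerException; the removed code passed the plain `String` through, which the old setter tolerated. If the dialog can reach this point with no alias chosen (where `selectedAlias` is assigned is outside the hunk), compute the list once above the chain, e.g. `final List<String> selectedAliases = selectedAlias != null ? Arrays.asList(selectedAlias) : Collections.<String>emptyList();` (with `java.util.List` and `java.util.Collections` imported), and pass `selectedAliases` in all four branches. That also removes the four repeated `Arrays.asList` calls.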
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java
index b11bb41..1c46653 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java
@@ -1842,67 +1842,27 @@
case JKS:
cmdLine.add("--useJavaKeystore");
cmdLine.add(userData.getSecurityOptions().getKeystorePath());
- if (userData.getSecurityOptions().getKeystorePassword() != null)
- {
- cmdLine.add("--keyStorePassword");
- cmdLine.add(OBFUSCATED_VALUE);
- }
-
- if (userData.getSecurityOptions().getAliasToUse() != null)
- {
- cmdLine.add("--certNickname");
- cmdLine.add(userData.getSecurityOptions().getAliasToUse());
- }
+ addKeyStoreAndCert(userData.getSecurityOptions(), cmdLine);
break;
case JCEKS:
cmdLine.add("--useJCEKS");
cmdLine.add(userData.getSecurityOptions().getKeystorePath());
- if (userData.getSecurityOptions().getKeystorePassword() != null)
- {
- cmdLine.add("--keyStorePassword");
- cmdLine.add(OBFUSCATED_VALUE);
- }
-
- if (userData.getSecurityOptions().getAliasToUse() != null)
- {
- cmdLine.add("--certNickname");
- cmdLine.add(userData.getSecurityOptions().getAliasToUse());
- }
+ addKeyStoreAndCert(userData.getSecurityOptions(), cmdLine);
break;
case PKCS12:
cmdLine.add("--usePkcs12keyStore");
cmdLine.add(userData.getSecurityOptions().getKeystorePath());
- if (userData.getSecurityOptions().getKeystorePassword() != null)
- {
- cmdLine.add("--keyStorePassword");
- cmdLine.add(OBFUSCATED_VALUE);
- }
-
- if (userData.getSecurityOptions().getAliasToUse() != null)
- {
- cmdLine.add("--certNickname");
- cmdLine.add(userData.getSecurityOptions().getAliasToUse());
- }
+ addKeyStoreAndCert(userData.getSecurityOptions(), cmdLine);
break;
case PKCS11:
cmdLine.add("--usePkcs11Keystore");
- if (userData.getSecurityOptions().getKeystorePassword() != null)
- {
- cmdLine.add("--keyStorePassword");
- cmdLine.add(OBFUSCATED_VALUE);
- }
-
- if (userData.getSecurityOptions().getAliasToUse() != null)
- {
- cmdLine.add("--certNickname");
- cmdLine.add(userData.getSecurityOptions().getAliasToUse());
- }
+ addKeyStoreAndCert(userData.getSecurityOptions(), cmdLine);
break;
default:
@@ -1912,6 +1872,21 @@
return cmdLine;
}
+ private static void addKeyStoreAndCert(final SecurityOptions securityOptions, final List<String> cmdLine)
+ {
+ if (securityOptions.getKeystorePassword() != null)
+ {
+ cmdLine.add("--keyStorePassword");
+ cmdLine.add(OBFUSCATED_VALUE);
+ }
+
+ for(String alias : securityOptions.getAliasesToUse())
+ {
+ cmdLine.add("--certNickname");
+ cmdLine.add(alias);
+ }
+ }
+
/**
* Returns the list of equivalent command-lines that must be executed to
* enable or initialize replication as the setup does.
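Review bot: The new private helper `addKeyStoreAndCert` has no comment although the methods around it carry Javadoc headers (the `/**` block that follows is one), and `for(String alias` lacks the space after `for` used elsewhere in the file. A short header such as `/** Adds the obfuscated key store password and one --certNickname per configured alias to the equivalent command line. */` would do. Keeping `OBFUSCATED_VALUE` in place of the real password in the printed command line is the right call and is preserved by the extraction.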
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
index d7598aa..3d1685d 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
@@ -203,6 +203,10 @@
/** The DN of the configuration entry defining the LDAPS connection handler. */
private static final String DN_LDAPS_CONNECTION_HANDLER = "cn=LDAPS Connection Handler," + DN_CONNHANDLER_BASE;
+ /** The DN of the configuration entry defining the HTTP connection handler. */
+ private static final String DN_HTTP_CONNECTION_HANDLER =
+ "cn=HTTP Connection Handler,cn=Connection Handlers,cn=config";
+
/** The DN of the configuration entry defining the JMX connection handler. */
private static final String DN_JMX_CONNECTION_HANDLER = "cn=JMX Connection Handler," + DN_CONNHANDLER_BASE;
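Review bot: `DN_HTTP_CONNECTION_HANDLER` spells out `cn=Connection Handlers,cn=config` as a literal while the neighbouring LDAPS and JMX constants build their DN from `DN_CONNHANDLER_BASE`; if that base ever changes, the HTTP handler would silently point elsewhere. Use `"cn=HTTP Connection Handler," + DN_CONNHANDLER_BASE` like its siblings.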
@@ -272,7 +276,7 @@
private StringArgument rootPassword;
private StringArgument keyManagerProviderDN;
private StringArgument trustManagerProviderDN;
- private StringArgument certNickName;
+ private StringArgument certNickNames;
private StringArgument keyManagerPath;
private StringArgument serverRoot;
private StringArgument backendType;
@@ -439,11 +443,11 @@
null, null, INFO_CONFIGDS_DESCRIPTION_KEYMANAGER_PATH.get());
argParser.addArgument(keyManagerPath);
- certNickName = new StringArgument(
+ certNickNames = new StringArgument(
"certnickname", 'a', "certNickName",
- false, false, true, INFO_NICKNAME_PLACEHOLDER.get(),
+ false, true, true, INFO_NICKNAME_PLACEHOLDER.get(),
null, null, INFO_CONFIGDS_DESCRIPTION_CERTNICKNAME.get());
- argParser.addArgument(certNickName);
+ argParser.addArgument(certNickNames);
baseDNString = new StringArgument(
"basedn", OPTION_SHORT_BASEDN, OPTION_LONG_BASEDN,
@@ -883,6 +887,7 @@
putKeyManagerConfigAttribute(enableStartTLS, DN_LDAP_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_LDAPS_CONNECTION_HANDLER);
+ putKeyManagerConfigAttribute(ldapsPort, DN_HTTP_CONNECTION_HANDLER);
if (keyManagerPath.isPresent())
{
@@ -942,26 +947,29 @@
}
putTrustManagerAttribute(enableStartTLS, DN_LDAP_CONNECTION_HANDLER);
putTrustManagerAttribute(ldapsPort, DN_LDAPS_CONNECTION_HANDLER);
+ putTrustManagerAttribute(ldapsPort, DN_HTTP_CONNECTION_HANDLER);
}
- if (certNickName.isPresent())
+ if (certNickNames.isPresent())
{
- final StringConfigAttribute certNickNameAttr = new StringConfigAttribute(
+ final StringConfigAttribute certNickNamesAttr = new StringConfigAttribute(
ATTR_SSL_CERT_NICKNAME, INFO_LDAP_CONNHANDLER_DESCRIPTION_SSL_CERT_NICKNAME.get(),
- false, false, true, certNickName.getValue());
- updateCertNicknameEntry(ldapPort, DN_LDAP_CONNECTION_HANDLER, certNickNameAttr);
- updateCertNicknameEntry(ldapsPort, DN_LDAPS_CONNECTION_HANDLER, certNickNameAttr);
+ false, true, true, certNickNames.getValues());
+ updateCertNicknameEntry(ldapPort, DN_LDAP_CONNECTION_HANDLER, certNickNamesAttr);
+ updateCertNicknameEntry(ldapsPort, DN_LDAPS_CONNECTION_HANDLER, certNickNamesAttr);
+ updateCertNicknameEntry(certNickNames, DN_HTTP_CONNECTION_HANDLER, certNickNamesAttr);
- final StringConfigAttribute certNickNameJmxAttr = new StringConfigAttribute(
+ final StringConfigAttribute certNickNamesJmxAttr = new StringConfigAttribute(
ATTR_SSL_CERT_NICKNAME, INFO_JMX_CONNHANDLER_DESCRIPTION_SSL_CERT_NICKNAME.get(),
- false, false, true, certNickName.getValue());
- updateCertNicknameEntry(jmxPort, DN_JMX_CONNECTION_HANDLER, certNickNameJmxAttr);
+ false, false, true, certNickNames.getValues());
+ updateCertNicknameEntry(jmxPort, DN_JMX_CONNECTION_HANDLER, certNickNamesJmxAttr);
}
else
{
// Use the key manager specified for connection handlers
removeSSLCertNicknameAttribute(DN_LDAP_CONNECTION_HANDLER);
removeSSLCertNicknameAttribute(DN_LDAPS_CONNECTION_HANDLER);
+ removeSSLCertNicknameAttribute(DN_HTTP_CONNECTION_HANDLER);
removeSSLCertNicknameAttribute(DN_JMX_CONNECTION_HANDLER);
}
}
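Review bot: `updateCertNicknameEntry(certNickNames, DN_HTTP_CONNECTION_HANDLER, certNickNamesAttr)` passes the nickname argument itself where the LDAP, LDAPS and JMX calls pass the port argument that gates the update; inside the `certNickNames.isPresent()` branch that first argument is always present, so the HTTP handler entry is updated unconditionally, unlike the `putKeyManagerConfigAttribute`/`putTrustManagerAttribute` calls for the same handler, which are gated on `ldapsPort`. If that is intended, a one-line comment saying the HTTP handler always receives the nicknames would save the next reader the question; otherwise pass `ldapsPort` for consistency. Separately, the JMX attribute is still constructed with the second flag `false` while being given `certNickNames.getValues()` — if that flag is the multi-valued flag, as the LDAP attribute's change to `true` suggests, a user supplying several `-a` values will produce a single-valued attribute holding several values for the JMX handler.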
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java
index daa1a35..29e8f5c 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java
@@ -44,6 +44,7 @@
import java.io.OutputStream;
import java.io.PrintStream;
import java.security.KeyStoreException;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
@@ -901,18 +902,18 @@
certType = SecurityOptions.CertificateType.NO_CERTIFICATE;
}
- String certNickname = argParser.certNicknameArg.getValue();
+ Collection<String> certNicknames = argParser.certNicknameArg.getValues();
if (pathToCertificat != null)
{
- checkCertificateInKeystore(certType, pathToCertificat, pwd, certNickname, errorMessages, keystoreAliases);
- if (certNickname == null && !keystoreAliases.isEmpty())
+ checkCertificateInKeystore(certType, pathToCertificat, pwd, certNicknames, errorMessages, keystoreAliases);
+ if (certNicknames.isEmpty() && !keystoreAliases.isEmpty())
{
- certNickname = keystoreAliases.getFirst();
+ certNicknames = Arrays.asList(keystoreAliases.getFirst());
}
}
final SecurityOptions securityOptions = SecurityOptions.createOptionsForCertificatType(
- certType, pathToCertificat, pwd, enableSSL, enableStartTLS, sslPort, certNickname);
+ certType, pathToCertificat, pwd, enableSSL, enableStartTLS, sslPort, certNicknames);
uData.setSecurityOptions(securityOptions);
}
@@ -1860,8 +1861,8 @@
* the path of the key store.
* @param pwd
* the password (PIN) to access the key store.
- * @param certNickname
- * the certificate nickname that we are looking for (or null if we
+ * @param certNicknames
+ * the certificate nicknames that we are looking for (or null if we
* just one to get the one that is in the key store).
* @param errorMessages
* the list that will be updated with the errors encountered.
@@ -1870,7 +1871,7 @@
* store.
*/
public static void checkCertificateInKeystore(SecurityOptions.CertificateType type, String path, String pwd,
- String certNickname, Collection<LocalizableMessage> errorMessages, Collection<String> nicknameList)
+ Collection<String> certNicknames, Collection<LocalizableMessage> errorMessages, Collection<String> nicknameList)
{
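Review bot: The `@param certNicknames` text still says "(or null if we just one to get the one that is in the key store)", but the body now calls `certNicknames.isEmpty()` (next hunk), so a null argument throws NullPointerException rather than meaning "pick the only one"; the callers in this patch pass `getValues()` results or `Arrays.asList(...)`, never null, so the contract has effectively changed to "empty". Update the doc to `the certificate nicknames that we are looking for (or an empty collection if we just want to use the one that is in the key store).`, or add `Objects.requireNonNull(certNicknames, "certNicknames")` at the top of the body if null should be rejected explicitly. The method body continues past this hunk.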
boolean errorWithPath = false;
if (type != SecurityOptions.CertificateType.PKCS11)
@@ -1951,11 +1952,15 @@
{
Collections.addAll(nicknameList, aliases);
final String aliasString = joinAsString(", ", nicknameList);
- if (certNickname != null)
+ if (certNicknames.isEmpty() && aliases.length > 1)
+ {
+ errorMessages.add(ERR_INSTALLDS_MUST_PROVIDE_CERTNICKNAME.get(aliasString));
+ }
+ for (String certNickname : certNicknames)
{
// Check if the certificate alias is in the list.
boolean found = false;
- for (int i=0; i<aliases.length && !found; i++)
+ for (int i = 0; i < aliases.length && !found; i++)
{
found = aliases[i].equalsIgnoreCase(certNickname);
}
@@ -1964,10 +1969,6 @@
errorMessages.add(ERR_INSTALLDS_CERTNICKNAME_NOT_FOUND.get(aliasString));
}
}
- else if (aliases.length > 1)
- {
- errorMessages.add(ERR_INSTALLDS_MUST_PROVIDE_CERTNICKNAME.get(aliasString));
- }
}
}
catch (final KeyStoreException ke)
@@ -2028,7 +2029,7 @@
{
SecurityOptions securityOptions;
String path;
- String certNickname = argParser.certNicknameArg.getValue();
+ Collection<String> certNicknames = argParser.certNicknameArg.getValues();
String pwd = argParser.getKeyStorePassword();
if (pwd != null && pwd.length() == 0)
{
@@ -2109,8 +2110,7 @@
{
errorMessages.clear();
keystoreAliases.clear();
- checkCertificateInKeystore(type, path, pwd, certNickname,
- errorMessages, keystoreAliases);
+ checkCertificateInKeystore(type, path, pwd, certNicknames, errorMessages, keystoreAliases);
if (!errorMessages.isEmpty())
{
// Reset password: this might be a new keystore
@@ -2142,41 +2142,34 @@
{
println();
}
- certNickname = promptForCertificateNickname(keystoreAliases);
+ certNicknames = promptForCertificateNickname(keystoreAliases);
}
errorMessages.clear();
keystoreAliases.clear();
- checkCertificateInKeystore(type, path, pwd, certNickname, errorMessages,
+ checkCertificateInKeystore(type, path, pwd, certNicknames, errorMessages,
keystoreAliases);
firstTry = false;
}
- if (certNickname == null && !keystoreAliases.isEmpty())
+ if (certNicknames.isEmpty() && !keystoreAliases.isEmpty())
{
- certNickname = keystoreAliases.getFirst();
+ certNicknames = Arrays.asList(keystoreAliases.getFirst());
}
switch (type)
{
- case JKS:
- securityOptions = SecurityOptions.createJKSCertificateOptions(
- path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
- break;
- case JCEKS:
- securityOptions = SecurityOptions.createJCEKSCertificateOptions(
- path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
- break;
- case PKCS12:
- securityOptions = SecurityOptions.createPKCS12CertificateOptions(
- path, pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
- break;
- case PKCS11:
- securityOptions = SecurityOptions.createPKCS11CertificateOptions(
- pwd, enableSSL, enableStartTLS, ldapsPort, certNickname);
- break;
- default:
- throw new IllegalStateException(
- "Called createSecurityOptionsPrompting with invalid type: "+type);
+ case JKS:
+ return SecurityOptions.createJKSCertificateOptions(path, pwd, enableSSL, enableStartTLS, ldapsPort,
+ certNicknames);
+ case JCEKS:
+ return SecurityOptions.createJCEKSCertificateOptions(path, pwd, enableSSL, enableStartTLS, ldapsPort,
+ certNicknames);
+ case PKCS12:
+ return SecurityOptions.createPKCS12CertificateOptions(path, pwd, enableSSL, enableStartTLS, ldapsPort,
+ certNicknames);
+ case PKCS11:
+ return SecurityOptions.createPKCS11CertificateOptions(pwd, enableSSL, enableStartTLS, ldapsPort, certNicknames);
+ default:
+ throw new IllegalStateException("Called createSecurityOptionsPrompting with invalid type: " + type);
}
- return securityOptions;
}
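Review bot: With every `case` now returning directly and the trailing `return securityOptions;` removed, the `SecurityOptions securityOptions;` local declared in the `@@ -2028,7 +2029,7 @@` hunk appears to have no remaining use, unless it is assigned somewhere between the hunks; if it is indeed unused it should be deleted so the compiler's unused-variable warning does not mask a real one. The enclosing method starts before these hunks.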
/**
@@ -2351,10 +2344,10 @@
* the list of certificates the user must choose from.
* @return the chosen certificate nickname.
*/
- private String promptForCertificateNickname(List<String> nicknames)
+ private Collection<String> promptForCertificateNickname(List<String> nicknames)
{
- String nickname = null;
- while (nickname == null)
+ Collection<String> choosenNicknames = new ArrayList<>();
+ while (choosenNicknames.isEmpty())
{
for (final String n : nicknames)
{
@@ -2362,8 +2355,7 @@
{
if (confirmAction(INFO_INSTALLDS_PROMPT_CERTNICKNAME.get(n), true))
{
- nickname = n;
- break;
+ choosenNicknames.add(n);
}
}
catch (final ClientException ce)
@@ -2372,7 +2364,7 @@
}
}
}
- return nickname;
+ return choosenNicknames;
}
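Review bot: `choosenNicknames` is misspelt — `chosenNicknames` — and the Javadoc `@return the chosen certificate nickname.` above the signature still describes a single value although the method now returns every nickname the user confirms. Dropping the `break` means the user is now asked about each remaining alias after confirming one; that is presumably the intent for multiple key types, but it is a visible behaviour change for the interactive installer that deserves a sentence in the Javadoc, e.g. `@return the nicknames the user confirmed; the prompt repeats until at least one is chosen.`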
/**
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java
index cb5b71e..093fe51 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java
@@ -379,7 +379,7 @@
certNicknameArg = new StringArgument(
OPTION_LONG_CERT_NICKNAME.toLowerCase(),
OPTION_SHORT_CERT_NICKNAME, OPTION_LONG_CERT_NICKNAME,
- false, false, true, INFO_NICKNAME_PLACEHOLDER.get(), null,
+ false, true, true, INFO_NICKNAME_PLACEHOLDER.get(), null,
OPTION_LONG_CERT_NICKNAME,
INFO_INSTALLDS_DESCRIPTION_CERT_NICKNAME.get());
addDefaultArgument(certNicknameArg);
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/util/Platform.java b/opendj-server-legacy/src/main/java/org/opends/server/util/Platform.java
index ee94311..3d07de1 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/util/Platform.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/util/Platform.java
@@ -30,6 +30,8 @@
import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
@@ -118,6 +120,22 @@
}
/**
+ * Check whether or not, this key type is supported by the current JVM.
+ * @return true if this key type is supported, false otherwise.
+ */
+ public boolean isSupported()
+ {
+ try
+ {
+ return KeyPairGenerator.getInstance(keyAlgorithm.toUpperCase()) != null;
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ return false;
+ }
+ }
+
+ /**
* Get a KeyType based on the alias name.
*
* @param alias
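Review bot: `KeyPairGenerator.getInstance(...)` never returns null — it throws `NoSuchAlgorithmException` when the algorithm is unavailable — so the `!= null` comparison is dead and the try body can simply be `KeyPairGenerator.getInstance(keyAlgorithm.toUpperCase(Locale.ROOT)); return true;` (passing `Locale.ROOT` avoids locale-dependent case mapping; needs a `java.util.Locale` import). More importantly, nothing in this patch calls `isSupported()`, so the EC-provider failure named in the commit title is addressed only indirectly by no longer generating the EC alias by default; the self-signed loop in Installer.configureCertificate is the natural caller. The new import lines in the previous hunk also place `NoSuchAlgorithmException` before `KeyPairGenerator`, breaking the alphabetical order of that import block.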
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/util/SelectableCertificateKeyManager.java b/opendj-server-legacy/src/main/java/org/opends/server/util/SelectableCertificateKeyManager.java
index 370fa71..ec7712b 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/util/SelectableCertificateKeyManager.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/util/SelectableCertificateKeyManager.java
@@ -115,7 +115,7 @@
return clientAlias;
}
}
- logger.info(INFO_MISSING_KEY_TYPE_IN_ALIASES, componentName, aliases.toString(), Arrays.toString(keyType));
+ logger.debug(INFO_MISSING_KEY_TYPE_IN_ALIASES, componentName, aliases.toString(), Arrays.toString(keyType));
return null;
}
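Review bot: Lowering the level to debug makes a missing alias for a requested key type invisible in normal logs, which is presumably intended now that an EC alias is expected to be absent on some JVMs, but the reason is not recorded; a short comment such as `// Debug only: peers may offer key types (e.g. EC) for which no alias is configured, which is normal.` would explain why an otherwise notable condition is hidden. The same change appears in the second hunk of this file, and the message key keeps its `INFO_` prefix, so the severity and the key now disagree. Both enclosing methods start before their hunks.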
@@ -191,7 +191,7 @@
return serverAlias;
}
}
- logger.info(INFO_MISSING_KEY_TYPE_IN_ALIASES, componentName, aliases.toString(), Arrays.toString(keyType));
+ logger.debug(INFO_MISSING_KEY_TYPE_IN_ALIASES, componentName, aliases.toString(), Arrays.toString(keyType));
return null;
}
--