KeystoreManagerpublic class KeystoreManager extends Object
| Fields Summary |
|---|
| private static final String | KEYTOOL_CMD | | private static String | CERTIFICATE_DN_PREFIX | | private static String | CERTIFICATE_DN_SUFFIX | | private static String | _certificateDN | | public static final String | CERTIFICATE_ALIAS | | public static final String | DEFAULT_MASTER_PASSWORD | | private static final String | SKID_EXTENSION_SYSTEM_PROPERTY | | protected com.sun.enterprise.admin.servermgmt.pe.PEFileLayout | _fileLayout | | private static final com.sun.enterprise.util.i18n.StringManager | _strMgr |
| Constructors Summary |
|---|
public KeystoreManager()Creates a new instance of RepositoryManager
|
| Methods Summary |
|---|
| protected void | addToAsadminTrustStore(RepositoryConfig config, java.io.File certFile)
boolean newTruststore = false;
final PEFileLayout layout = getFileLayout(config);
//import the newly created certificate into the asadmin truststore
final File asadminTruststore = AsadminTruststore.getAsadminTruststore();
if (!asadminTruststore.exists()) {
newTruststore = true;
}
//The keystore alias name is the repository name. We want to avoid alias
//name conflicts since multiple domains are likely to live on the same
//machine.
String aliasName = layout.getRepositoryDir().getAbsolutePath();
//first delete the alias in case it already exists. This can happen for
//example if a domain is created, deleted, and re-created again.
String[] keytoolCmd = new String[] {
"-delete",
"-keystore", asadminTruststore.getAbsolutePath(),
"-alias", aliasName,
};
final String[] input = {AsadminTruststore.getAsadminTruststorePassword(),
AsadminTruststore.getAsadminTruststorePassword()}; // twice in case we are creating
KeytoolExecutor p = new KeytoolExecutor(keytoolCmd, 30, input);
try {
p.execute("trustStoreNotCreated", asadminTruststore);
} catch (RepositoryException ex) {
//ignore all exceptions. The alias most likely does not exist.
}
keytoolCmd = new String[] {
"-import",
"-noprompt",
"-keystore", asadminTruststore.getAbsolutePath(),
"-alias", aliasName, //alias is the domain name
"-file", certFile.getAbsolutePath(),
};
p = new KeytoolExecutor(keytoolCmd, 30, input);
p.execute("trustStoreNotCreated", asadminTruststore);
//If this is a newly created truststore, lock it down.
if (newTruststore) {
try {
chmod("600", asadminTruststore);
} catch (IOException ex) {
throw new RepositoryException(_strMgr.getString(
"trustStoreNotCreated", asadminTruststore), ex);
}
}
| | protected void | changeKeystorePassword(java.lang.String oldPassword, java.lang.String newPassword, java.io.File keystore)Changes the keystore password
if (!oldPassword.equals(newPassword)) {
//change truststore password from the default
String[] keytoolCmd = {
"-storepasswd",
"-keystore", keystore.getAbsolutePath(),
};
KeytoolExecutor p = new KeytoolExecutor(keytoolCmd, 30,
new String[] {oldPassword, newPassword, newPassword});
p.execute("keyStorePasswordNotChanged", keystore);
}
| | protected void | changeS1ASAliasPassword(RepositoryConfig config, java.lang.String storePassword, java.lang.String oldKeyPassword, java.lang.String newKeyPassword)Changes the key password for the default cert whose alias is s1as. The assumption
here is that the keystore password is not the same as the key password. This is
due to the fact that the keystore password should first be changed followed next
by the key password. The end result is that the keystore and s1as key both have
the same passwords. This function will tolerate deletion of the s1as alias, but
it will not tolerate changing the s1as key from something other than the
database password.
if (!storePassword.equals(oldKeyPassword) && !oldKeyPassword.equals(newKeyPassword)) {
final PEFileLayout layout = getFileLayout(config);
final File src = layout.getTrustStoreTemplate();
final File keystore = layout.getKeyStore();
//First see if the alias exists. The user could have deleted it. Any failure in the
//command indicates that the alias does not exist, so we return without error.
String[] keytoolCmd = {
"-list",
"-keystore", keystore.getAbsolutePath(),
"-alias", CERTIFICATE_ALIAS,
};
KeytoolExecutor p = new KeytoolExecutor(keytoolCmd, 30,
new String[] {storePassword});
try {
p.execute("s1asKeyPasswordNotChanged", keystore);
} catch (RepositoryException ex) {
return;
}
//change truststore password from the default
keytoolCmd = new String[] {
"-keypasswd",
"-keystore", keystore.getAbsolutePath(),
"-alias", CERTIFICATE_ALIAS,
};
p = new KeytoolExecutor(keytoolCmd, 30,
new String[] {storePassword, oldKeyPassword, newKeyPassword, newKeyPassword});
p.execute("s1asKeyPasswordNotChanged", keystore);
}
| | protected void | changeSSLCertificateDatabasePassword(RepositoryConfig config, java.lang.String oldPassword, java.lang.String newPassword)Changes the password of the keystore, truststore and the key password
of the s1as alias. It is expected that the key / truststores may not exist.
This is due to the fact that the user may have deleted them and wishes to set
up their own key/truststore
final PEFileLayout layout = getFileLayout(config);
File keystore = layout.getKeyStore();
File truststore = layout.getTrustStore();
if (keystore.exists()) {
//Change the password on the keystore
changeKeystorePassword(oldPassword, newPassword, keystore);
//Change the s1as alias password in the keystore...The assumption
//here is that the keystore password is not the same as the key password. This is
//due to the fact that the keystore password should first be changed followed next
//by the key password. The end result is that the keystore and s1as key both have
//the same passwords. This function will tolerate deletion of the s1as alias, but
//it will not tolerate changing the s1as key from something other than the
//database password.
try {
changeS1ASAliasPassword(config, newPassword, oldPassword, newPassword);
} catch (Exception ex) {
//For now we eat all exceptions and dump to stderr if the password
//alias could not be changed.
ex.printStackTrace();
}
}
if (truststore.exists()) {
//Change the password on the truststore
changeKeystorePassword(oldPassword, newPassword, truststore);
}
| | protected void | chmod(java.lang.String args, java.io.File file)
if (OS.isUNIX()) {
//args and file should never be null.
if (args == null || file == null) throw new IOException(_strMgr.getString("nullArg"));
if (!file.exists()) throw new IOException(_strMgr.getString("fileNotFound"));
// " +" regular expression for 1 or more spaces
final String[] argsString = args.split(" +");
List<String> cmdList = new ArrayList<String>();
cmdList.add("/bin/chmod");
for (String arg : argsString)
cmdList.add(arg);
cmdList.add(file.getAbsolutePath());
new ProcessBuilder(cmdList).start();
}
| | protected void | createKeyStore(RepositoryConfig config, java.lang.String masterPassword)Create the default SSL key store using keytool to generate a self signed certificate.
//Generate a new self signed certificate with s1as as the alias
final PEFileLayout layout = getFileLayout(config);
final File keystore = layout.getKeyStore();
//Create the default self signed cert
final String[] keytoolCmd = {
"-genkey",
"-keyalg", "RSA",
"-keystore", keystore.getAbsolutePath(),
"-alias", CERTIFICATE_ALIAS,
"-dname", getCertificateDN(config.getDisplayName()),
"-validity", "3650",
"-keypass", masterPassword,
"-storepass", masterPassword,
SKID_EXTENSION_SYSTEM_PROPERTY
};
KeytoolExecutor p = new KeytoolExecutor(keytoolCmd, 60);
p.execute("keystoreNotCreated", keystore);
| | protected void | createSSLCertificateDatabase(RepositoryConfig config, java.lang.String masterPassword)Creates the SSL certificate database. In the case of PE this is a keystore.jks
and a truststore.jks. In the case of SE/EE, this will be overridden to create
the NSS certificate database.
createKeyStore(config, masterPassword);
createTrustStore(config, masterPassword);
| | protected void | createTrustStore(RepositoryConfig config, java.lang.String masterPassword)Create the default SSL trust store. We take throws template cacerts.jks, change its password
to the master password, and then add in the self signed s1as certificate created earlier.
All this is done my exec'ing keytool
//copy the default truststore from the installation template directory
final PEFileLayout layout = getFileLayout(config);
final File src = layout.getTrustStoreTemplate();
final File truststore = layout.getTrustStore();
File certFile = null;
try {
FileUtils.copy(src, truststore);
} catch (IOException ioe) {
throw new RepositoryException(
_strMgr.getString("trustStoreNotCreated", truststore), ioe);
}
try {
String[] input = {masterPassword};
String[] keytoolCmd = null;
KeytoolExecutor p = null;
changeKeystorePassword(DEFAULT_MASTER_PASSWORD, masterPassword, truststore);
//export the newly created certificate from the keystore
certFile = new File(layout.getConfigRoot(), CERTIFICATE_ALIAS + ".cer");
keytoolCmd = new String[] {
"-export",
"-keystore", layout.getKeyStore().getAbsolutePath(),
"-alias", CERTIFICATE_ALIAS,
"-file", certFile.getAbsolutePath(),
};
p = new KeytoolExecutor(keytoolCmd, 30, input);
p.execute("trustStoreNotCreated", truststore);
//import the newly created certificate into the truststore
keytoolCmd = new String[] {
"-import",
"-noprompt",
"-keystore", truststore.getAbsolutePath(),
"-alias", CERTIFICATE_ALIAS,
"-file", certFile.getAbsolutePath(),
};
p = new KeytoolExecutor(keytoolCmd, 30, input);
p.execute("trustStoreNotCreated", truststore);
//import the newly created certificate into the asadmin truststore
addToAsadminTrustStore(config, certFile);
//clean up the exported cert file
certFile.delete();
certFile = null;
} finally {
if (certFile != null) {
certFile.delete();
}
}
| | protected java.lang.String | getCertificateDN(java.lang.String domainName)
if (_certificateDN == null) {
String hostName = null;
try {
hostName = NetUtils.getCanonicalHostName();
} catch (Exception ex) {
hostName = "localhost";
}
_certificateDN = CERTIFICATE_DN_PREFIX + hostName + CERTIFICATE_DN_SUFFIX;
}
return _certificateDN;
| | protected com.sun.enterprise.admin.servermgmt.pe.PEFileLayout | getFileLayout(RepositoryConfig config)
if (_fileLayout == null) {
_fileLayout = new PEFileLayout(config);
}
return _fileLayout;
|
|
