}
// Get the Directory Server configuration handler and use it to make the
// appropriate configuration changes.
ConfigHandler configHandler = directoryServer.getConfigHandler();
// Check that the key manager provided is valid.
if (keyManagerProviderDN.isPresent())
{
DN dn = null;
DN JCEKSProviderDN = null;
try
{
dn = DN.decode(keyManagerProviderDN.getValue());
JCEKSProviderDN =
DN.decode("cn=JCEKS,cn=Key Manager Providers,cn=config");
}
catch (DirectoryException de)
{
Message message =
ERR_CONFIGDS_CANNOT_PARSE_KEYMANAGER_PROVIDER_DN.get(
keyManagerProviderDN.getValue(),
de.getMessageObject());
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
if (dn.equals(JCEKSProviderDN))
{
// Create the JCEKSProvider entry
try
{
String ldif = "dn: cn=JCEKS,cn=Key Manager Providers,cn=config\n"+
"objectClass: top\n"+
"objectClass: ds-cfg-key-manager-provider\n"+
"objectClass: ds-cfg-file-based-key-manager-provider\n"+
"cn: JCEKS\n"+
"ds-cfg-java-class: org.nasutekds.server.extensions."+
"FileBasedKeyManagerProvider\n"+
"ds-cfg-enabled: true\n"+
"ds-cfg-key-store-type: JCEKS\n"+
"ds-cfg-key-store-file: config/keystore.jceks\n"+
"ds-cfg-key-store-pin-file: config/keystore.pin";
LDIFImportConfig ldifImportConfig =
new LDIFImportConfig(new StringReader(ldif));
LDIFReader reader = new LDIFReader(ldifImportConfig);
Entry providerConfigEntry;
while ((providerConfigEntry = reader.readEntry()) != null)
{
configHandler.addEntry(providerConfigEntry, null);
}
}
catch (Exception e)
{
Message message =
ERR_CONFIG_KEYMANAGER_CANNOT_CREATE_JCEKS_PROVIDER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
else
{
try
{
configHandler.getConfigEntry(dn);
}
catch (Exception e)
{
Message message = ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
}
// Check that the trust manager provided is valid.
if (trustManagerProviderDN.isPresent())
{
DN dn = null;
DN JCEKSTrustManagerDN = null;
try
{
dn = DN.decode(trustManagerProviderDN.getValue());
JCEKSTrustManagerDN =
DN.decode("cn=JCEKS,cn=Trust Manager Providers,cn=config");
}
catch (DirectoryException de)
{
Message message = ERR_CONFIGDS_CANNOT_PARSE_TRUSTMANAGER_PROVIDER_DN.
get(trustManagerProviderDN.getValue(), de.getMessageObject());
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
if (dn.equals(JCEKSTrustManagerDN))
{
try
{
String ldif = "dn: cn=JCEKS,cn=Trust Manager Providers,cn=config\n"+
"objectClass: top\n"+
"objectClass: ds-cfg-trust-manager-provider\n"+
"objectClass: ds-cfg-file-based-trust-manager-provider\n"+
"cn: JCEKS\n"+
"ds-cfg-java-class: org.nasutekds.server.extensions."+
"FileBasedTrustManagerProvider\n"+
"ds-cfg-enabled: false\n"+
"ds-cfg-trust-store-type: JCEKS\n"+
"ds-cfg-trust-store-file: config/truststore\n";
LDIFImportConfig ldifImportConfig =
new LDIFImportConfig(new StringReader(ldif));
LDIFReader reader = new LDIFReader(ldifImportConfig);
Entry trustManagerConfigEntry;
while ((trustManagerConfigEntry = reader.readEntry()) != null)
{
configHandler.addEntry(trustManagerConfigEntry, null);
}
}
catch (Exception e)
{
Message message = ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
else
{
try
{
configHandler.getConfigEntry(dn);
}
catch (Exception e)
{
Message message = ERR_CONFIG_TRUSTMANAGER_CANNOT_GET_BASE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
}
// Check that the keystore path values are valid.
if (keyManagerPath.isPresent())
{
if (!keyManagerProviderDN.isPresent())
{
Message message = ERR_CONFIGDS_KEYMANAGER_PROVIDER_DN_REQUIRED.get(
keyManagerProviderDN.getLongIdentifier(),
keyManagerPath.getLongIdentifier());
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If one or more base DNs were specified, then update the config
// accordingly.
if (baseDNs != null)
{
try
{
DN jeBackendDN = DN.decode(DN_JE_BACKEND);
ConfigEntry configEntry = configHandler.getConfigEntry(jeBackendDN);
DNConfigAttribute baseDNAttr =
new DNConfigAttribute(
ATTR_BACKEND_BASE_DN,
INFO_CONFIG_BACKEND_ATTR_DESCRIPTION_BASE_DNS.get(),
true, true, false, baseDNs);
configEntry.putConfigAttribute(baseDNAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_BASE_DN.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If an LDAP port was specified, then update the config accordingly.
if (ldapPort.isPresent())
{
try
{
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
IntegerConfigAttribute portAttr =
new IntegerConfigAttribute(ATTR_LISTEN_PORT,
INFO_LDAP_CONNHANDLER_DESCRIPTION_LISTEN_PORT.get(),
true, false, true, true, 1, true,
65535, ldapPort.getIntValue());
configEntry.putConfigAttribute(portAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_LDAP_PORT.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If an Admin Connector port was specified, then update the config
// accordingly.
if (adminConnectorPort.isPresent())
{
try
{
DN adminConnectorDN = DN.decode(DN_ADMIN_CONNECTOR);
ConfigEntry configEntry =
configHandler.getConfigEntry(adminConnectorDN);
IntegerConfigAttribute portAttr =
new IntegerConfigAttribute(ATTR_LISTEN_PORT,
INFO_LDAP_CONNHANDLER_DESCRIPTION_LISTEN_PORT.get(),
true, false, true, true, 1, true,
65535,
adminConnectorPort.getIntValue());
configEntry.putConfigAttribute(portAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_ADMIN_CONNECTOR_PORT.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If an LDAPS port was specified, then update the config accordingly.
if (ldapsPort.isPresent())
{
try
{
DN ldapListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
IntegerConfigAttribute portAttr =
new IntegerConfigAttribute(ATTR_LISTEN_PORT,
INFO_LDAP_CONNHANDLER_DESCRIPTION_LISTEN_PORT.get(),
true, false, true, true, 1, true,
65535, ldapsPort.getIntValue());
configEntry.putConfigAttribute(portAttr);
BooleanConfigAttribute enablePortAttr =
new BooleanConfigAttribute(ATTR_CONNECTION_HANDLER_ENABLED,
INFO_LDAPS_CONNHANDLER_DESCRIPTION_ENABLE.get(),
true, true);
configEntry.putConfigAttribute(enablePortAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_LDAPS_PORT.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If an JMX port was specified, then update the config accordingly.
if (jmxPort.isPresent())
{
try
{
DN jmxListenerDN = DN.decode(DN_JMX_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(jmxListenerDN);
IntegerConfigAttribute portAttr =
new IntegerConfigAttribute(
ATTR_LISTEN_PORT,
INFO_JMX_CONNHANDLER_DESCRIPTION_LISTEN_PORT.get(),
true, false, true, true, 1, true,
65535, jmxPort.getIntValue());
configEntry.putConfigAttribute(portAttr);
BooleanConfigAttribute enablePortAttr =
new BooleanConfigAttribute(ATTR_CONNECTION_HANDLER_ENABLED,
INFO_JMX_CONNHANDLER_DESCRIPTION_ENABLE.get(),
true, true);
configEntry.putConfigAttribute(enablePortAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_JMX_PORT.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// Start TLS configuration
if (enableStartTLS.isPresent())
{
try
{
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
BooleanConfigAttribute startTLS =
new BooleanConfigAttribute(ATTR_ALLOW_STARTTLS,
INFO_LDAP_CONNHANDLER_DESCRIPTION_ALLOW_STARTTLS.get(),
true, true);
configEntry.putConfigAttribute(startTLS);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_ENABLE_STARTTLS.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// Key manager provider
if (keyManagerProviderDN.isPresent())
{
if (enableStartTLS.isPresent() || ldapsPort.isPresent())
{
try
{
// Enable the key manager
DN dn = DN.decode(keyManagerProviderDN.getValue());
ConfigEntry configEntry = configHandler.getConfigEntry(dn);
BooleanConfigAttribute enableAttr =
new BooleanConfigAttribute(ATTR_KEYMANAGER_ENABLED,
INFO_CONFIG_KEYMANAGER_DESCRIPTION_ENABLED.get(),
true, true);
configEntry.putConfigAttribute(enableAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_ENABLE_KEYMANAGER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
try
{
if (enableStartTLS.isPresent())
{
// Use the key manager specified for the LDAP connection handler.
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
StringConfigAttribute keyManagerProviderAttr =
new StringConfigAttribute(ATTR_KEYMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_KEYMANAGER_DN.get(),
false, false, true, keyManagerProviderDN.getValue());
configEntry.putConfigAttribute(keyManagerProviderAttr);
}
if (ldapsPort.isPresent())
{
// Use the key manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapsListenerDN);
StringConfigAttribute keyManagerProviderAttr =
new StringConfigAttribute(ATTR_KEYMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_KEYMANAGER_DN.get(),
false, false,
true, keyManagerProviderDN.getValue());
configEntry.putConfigAttribute(keyManagerProviderAttr);
}
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_KEYMANAGER_REFERENCE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
if (keyManagerPath.isPresent())
{
try
{
// Enable the key manager
DN dn = DN.decode(keyManagerProviderDN.getValue());
ConfigEntry configEntry = configHandler.getConfigEntry(dn);
StringConfigAttribute pathAttr =
new StringConfigAttribute(ATTR_KEYSTORE_FILE,
INFO_FILE_KEYMANAGER_DESCRIPTION_FILE.get(), true, true, true,
keyManagerPath.getValue());
configEntry.putConfigAttribute(pathAttr);
}
catch (Exception e)
{
String message = String.valueOf(e);
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
}
if (trustManagerProviderDN.isPresent())
{
if (enableStartTLS.isPresent() || ldapsPort.isPresent())
{
// Enable the trust manager
try
{
DN dn = DN.decode(trustManagerProviderDN.getValue());
ConfigEntry configEntry = configHandler.getConfigEntry(dn);
BooleanConfigAttribute enableAttr =
new BooleanConfigAttribute(ATTR_TRUSTMANAGER_ENABLED,
ERR_CONFIG_TRUSTMANAGER_DESCRIPTION_ENABLED.get(),
true, true);
configEntry.putConfigAttribute(enableAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_ENABLE_TRUSTMANAGER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
try
{
if (enableStartTLS.isPresent())
{
// Use the trust manager specified for the LDAP connection handler.
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
StringConfigAttribute trustManagerProviderAttr =
new StringConfigAttribute(ATTR_TRUSTMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_TRUSTMANAGER_DN.get(),
false, false,
true, trustManagerProviderDN.getValue());
configEntry.putConfigAttribute(trustManagerProviderAttr);
}
if (ldapsPort.isPresent())
{
// Use the trust manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapsListenerDN);
StringConfigAttribute trustManagerProviderAttr =
new StringConfigAttribute(ATTR_TRUSTMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_TRUSTMANAGER_DN.get(),
false, false,
true, trustManagerProviderDN.getValue());
configEntry.putConfigAttribute(trustManagerProviderAttr);
}
}
catch (Exception e)
{
Message message =
ERR_CONFIGDS_CANNOT_UPDATE_TRUSTMANAGER_REFERENCE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
if (certNickName.isPresent())
{
try
{
StringConfigAttribute certNickNameAttr =
new StringConfigAttribute(
ATTR_SSL_CERT_NICKNAME,
INFO_LDAP_CONNHANDLER_DESCRIPTION_SSL_CERT_NICKNAME.get(),
false, false, true, certNickName.getValue());
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
if (ldapPort.isPresent())
{
// Use the key manager specified for the LDAP connection handler.
configEntry.putConfigAttribute(certNickNameAttr);
}
else
{
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
// Use the key manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(ldapsListenerDN);
if (ldapsPort.isPresent())
{
configEntry.putConfigAttribute(certNickNameAttr);
}
else
{
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
certNickNameAttr = new StringConfigAttribute(ATTR_SSL_CERT_NICKNAME,
INFO_JMX_CONNHANDLER_DESCRIPTION_SSL_CERT_NICKNAME.get(),
false, false, true, certNickName.getValue());
// Use the key manager specified for the JMX connection handler.
DN jmxListenerDN = DN.decode(DN_JMX_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(jmxListenerDN);
if (jmxPort.isPresent())
{
configEntry.putConfigAttribute(certNickNameAttr);
}
else
{
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_CERT_NICKNAME.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
else
{
try
{
// Use the key manager specified for the LDAP connection handler.
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
// Use the key manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(ldapsListenerDN);
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
// Use the key manager specified for the JMX connection handler.
DN jmxListenerDN = DN.decode(DN_JMX_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(jmxListenerDN);
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_CERT_NICKNAME.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If a root user DN and password were specified, then update the config
// accordingly.
if (rootDN != null)
{
try
{
DN rootUserDN = DN.decode(DN_ROOT_USER);
ConfigEntry configEntry = configHandler.getConfigEntry(rootUserDN);
DNConfigAttribute bindDNAttr =
new DNConfigAttribute(
ATTR_ROOTDN_ALTERNATE_BIND_DN,
INFO_CONFIG_ROOTDN_DESCRIPTION_ALTERNATE_BIND_DN.get(),
false, true, false,
rootDN);
configEntry.putConfigAttribute(bindDNAttr);
byte[] rootPWBytes = getBytes(rootPW);
String encodedPassword =
SaltedSHA512PasswordStorageScheme.encodeOffline(rootPWBytes);
StringConfigAttribute bindPWAttr =
new StringConfigAttribute(ATTR_USER_PASSWORD, Message.EMPTY,
false, false, false, encodedPassword);
configEntry.putConfigAttribute(bindPWAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_ROOT_USER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// Check that the cipher specified is supported. This is intended to
// fix issues with JVM that do not support the default cipher (see
// issue 3075 for instance).
CryptoManagerCfgDefn cryptoManager = CryptoManagerCfgDefn.getInstance();
StringPropertyDefinition prop =
cryptoManager.getKeyWrappingTransformationPropertyDefinition();
String defaultCipher = null;
DefaultBehaviorProvider p = prop.getDefaultBehaviorProvider();
if (p instanceof DefinedDefaultBehaviorProvider)
{
Collection<?> defaultValues =
((DefinedDefaultBehaviorProvider)p).getDefaultValues();
if (!defaultValues.isEmpty())
{
defaultCipher = defaultValues.iterator().next().toString();
}
}
if (defaultCipher != null)
{
// Check that the default cipher is supported by the JVM.
try
{
Cipher.getInstance(defaultCipher);
}
catch (GeneralSecurityException ex)
{
// The cipher is not supported: try to find an alternative one.
String alternativeCipher = getAlternativeCipher();
if (alternativeCipher != null)
{
try
{
DN cipherDN = DN.decode(DN_CRYPTO_MANAGER);
ConfigEntry configEntry = configHandler.getConfigEntry(cipherDN);
// Set the alternative cipher
StringConfigAttribute keyWrappingTransformation =
new StringConfigAttribute(
ATTR_CRYPTO_CIPHER_KEY_WRAPPING_TRANSFORMATION,
Message.EMPTY, false, false, true, alternativeCipher);
configEntry.putConfigAttribute(keyWrappingTransformation);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_CRYPTO_MANAGER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
}
}
// Write the updated configuration.
try
{
configHandler.writeUpdatedConfig();
Message message = INFO_CONFIGDS_WROTE_UPDATED_CONFIG.get();
out.println(wrapText(message, MAX_LINE_WIDTH));
}
catch (DirectoryException de)