// Use the key manager specified for the LDAP connection handler.
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
StringConfigAttribute keyManagerProviderAttr =
new StringConfigAttribute(ATTR_KEYMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_KEYMANAGER_DN.get(),
false, false, true, keyManagerProviderDN.getValue());
configEntry.putConfigAttribute(keyManagerProviderAttr);
}
if (ldapsPort.isPresent())
{
// Use the key manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapsListenerDN);
StringConfigAttribute keyManagerProviderAttr =
new StringConfigAttribute(ATTR_KEYMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_KEYMANAGER_DN.get(),
false, false,
true, keyManagerProviderDN.getValue());
configEntry.putConfigAttribute(keyManagerProviderAttr);
}
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_KEYMANAGER_REFERENCE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
if (keyManagerPath.isPresent())
{
try
{
// Enable the key manager
DN dn = DN.decode(keyManagerProviderDN.getValue());
ConfigEntry configEntry = configHandler.getConfigEntry(dn);
StringConfigAttribute pathAttr =
new StringConfigAttribute(ATTR_KEYSTORE_FILE,
INFO_FILE_KEYMANAGER_DESCRIPTION_FILE.get(), true, true, true,
keyManagerPath.getValue());
configEntry.putConfigAttribute(pathAttr);
}
catch (Exception e)
{
String message = String.valueOf(e);
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
}
if (trustManagerProviderDN.isPresent())
{
if (enableStartTLS.isPresent() || ldapsPort.isPresent())
{
// Enable the trust manager
try
{
DN dn = DN.decode(trustManagerProviderDN.getValue());
ConfigEntry configEntry = configHandler.getConfigEntry(dn);
BooleanConfigAttribute enableAttr =
new BooleanConfigAttribute(ATTR_TRUSTMANAGER_ENABLED,
ERR_CONFIG_TRUSTMANAGER_DESCRIPTION_ENABLED.get(),
true, true);
configEntry.putConfigAttribute(enableAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_ENABLE_TRUSTMANAGER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
try
{
if (enableStartTLS.isPresent())
{
// Use the trust manager specified for the LDAP connection handler.
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
StringConfigAttribute trustManagerProviderAttr =
new StringConfigAttribute(ATTR_TRUSTMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_TRUSTMANAGER_DN.get(),
false, false,
true, trustManagerProviderDN.getValue());
configEntry.putConfigAttribute(trustManagerProviderAttr);
}
if (ldapsPort.isPresent())
{
// Use the trust manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapsListenerDN);
StringConfigAttribute trustManagerProviderAttr =
new StringConfigAttribute(ATTR_TRUSTMANAGER_DN,
INFO_LDAP_CONNHANDLER_DESCRIPTION_TRUSTMANAGER_DN.get(),
false, false,
true, trustManagerProviderDN.getValue());
configEntry.putConfigAttribute(trustManagerProviderAttr);
}
}
catch (Exception e)
{
Message message =
ERR_CONFIGDS_CANNOT_UPDATE_TRUSTMANAGER_REFERENCE.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
if (certNickName.isPresent())
{
try
{
StringConfigAttribute certNickNameAttr =
new StringConfigAttribute(
ATTR_SSL_CERT_NICKNAME,
INFO_LDAP_CONNHANDLER_DESCRIPTION_SSL_CERT_NICKNAME.get(),
false, false, true, certNickName.getValue());
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
if (ldapPort.isPresent())
{
// Use the key manager specified for the LDAP connection handler.
configEntry.putConfigAttribute(certNickNameAttr);
}
else
{
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
// Use the key manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(ldapsListenerDN);
if (ldapsPort.isPresent())
{
configEntry.putConfigAttribute(certNickNameAttr);
}
else
{
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
certNickNameAttr = new StringConfigAttribute(ATTR_SSL_CERT_NICKNAME,
INFO_JMX_CONNHANDLER_DESCRIPTION_SSL_CERT_NICKNAME.get(),
false, false, true, certNickName.getValue());
// Use the key manager specified for the JMX connection handler.
DN jmxListenerDN = DN.decode(DN_JMX_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(jmxListenerDN);
if (jmxPort.isPresent())
{
configEntry.putConfigAttribute(certNickNameAttr);
}
else
{
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_CERT_NICKNAME.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
else
{
try
{
// Use the key manager specified for the LDAP connection handler.
DN ldapListenerDN = DN.decode(DN_LDAP_CONNECTION_HANDLER);
ConfigEntry configEntry =
configHandler.getConfigEntry(ldapListenerDN);
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
// Use the key manager specified for the LDAPS connection handler.
DN ldapsListenerDN = DN.decode(DN_LDAPS_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(ldapsListenerDN);
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
// Use the key manager specified for the JMX connection handler.
DN jmxListenerDN = DN.decode(DN_JMX_CONNECTION_HANDLER);
configEntry = configHandler.getConfigEntry(jmxListenerDN);
configEntry.removeConfigAttribute(
ATTR_SSL_CERT_NICKNAME.toLowerCase());
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_CERT_NICKNAME.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// If a root user DN and password were specified, then update the config
// accordingly.
if (rootDN != null)
{
try
{
DN rootUserDN = DN.decode(DN_ROOT_USER);
ConfigEntry configEntry = configHandler.getConfigEntry(rootUserDN);
DNConfigAttribute bindDNAttr =
new DNConfigAttribute(
ATTR_ROOTDN_ALTERNATE_BIND_DN,
INFO_CONFIG_ROOTDN_DESCRIPTION_ALTERNATE_BIND_DN.get(),
false, true, false,
rootDN);
configEntry.putConfigAttribute(bindDNAttr);
byte[] rootPWBytes = getBytes(rootPW);
String encodedPassword =
SaltedSHA512PasswordStorageScheme.encodeOffline(rootPWBytes);
StringConfigAttribute bindPWAttr =
new StringConfigAttribute(ATTR_USER_PASSWORD, Message.EMPTY,
false, false, false, encodedPassword);
configEntry.putConfigAttribute(bindPWAttr);
}
catch (Exception e)
{
Message message = ERR_CONFIGDS_CANNOT_UPDATE_ROOT_USER.get(
String.valueOf(e));
err.println(wrapText(message, MAX_LINE_WIDTH));
return 1;
}
}
// Check that the cipher specified is supported. This is intended to
// fix issues with JVM that do not support the default cipher (see
// issue 3075 for instance).
CryptoManagerCfgDefn cryptoManager = CryptoManagerCfgDefn.getInstance();
StringPropertyDefinition prop =
cryptoManager.getKeyWrappingTransformationPropertyDefinition();
String defaultCipher = null;
DefaultBehaviorProvider p = prop.getDefaultBehaviorProvider();
if (p instanceof DefinedDefaultBehaviorProvider)
{
Collection<?> defaultValues =
((DefinedDefaultBehaviorProvider)p).getDefaultValues();
if (!defaultValues.isEmpty())
{
defaultCipher = defaultValues.iterator().next().toString();
}
}
if (defaultCipher != null)
{
// Check that the default cipher is supported by the JVM.
try
{
Cipher.getInstance(defaultCipher);
}
catch (GeneralSecurityException ex)
{
// The cipher is not supported: try to find an alternative one.
String alternativeCipher = getAlternativeCipher();
if (alternativeCipher != null)
{
try
{
DN cipherDN = DN.decode(DN_CRYPTO_MANAGER);
ConfigEntry configEntry = configHandler.getConfigEntry(cipherDN);
// Set the alternative cipher
StringConfigAttribute keyWrappingTransformation =
new StringConfigAttribute(
ATTR_CRYPTO_CIPHER_KEY_WRAPPING_TRANSFORMATION,
Message.EMPTY, false, false, true, alternativeCipher);
configEntry.putConfigAttribute(keyWrappingTransformation);
}
catch (Exception e)