Package com.sun.enterprise.admin.servermgmt

Class KeystoreManager

    • Constructor Detail

      • KeystoreManager

        public KeystoreManager()

    • Method Detail

      • copyCertificates

        protected void copyCertificates​(File keyStore,
                                File trustStore,
                                DomainConfig config,
                                String masterPassword)
                         throws DomainException
        Copy certain certificates from the keystore into the truststore.
        Parameters:
        keyStore - keystore to copy from
        trustStore - the truststore to copy to
        config - the domain's configuration
        masterPassword - the master password for the truststore
        Throws:
        DomainException - if an error occured

      • updateCertificates

        protected void updateCertificates​(File trustStore,
                                  String masterPassword)
                           throws RepositoryException
        Cleans the given truststore of invalid certs and copies all valid certificates from the currently used JDK to the given trust store.
        Parameters:
        trustStore - the trust store to copy the certificates to.
        masterPassword - the password to the trust store.
        Throws:
        RepositoryException - if an error occured a RepositoryException will wrap the original exception

      • getValidCertificates

        protected Map<String,​Certificate> getValidCertificates​(KeyStore keyStore)
                                                      throws RepositoryException
        Gets the valid certs from the given KeyStore as a map by their alias
        Parameters:
        keyStore - the KeyStore to get the certs from
        Returns:
        map of valid certs. Key is alias of the cert
        Throws:
        RepositoryException

      • getInvalidCertificates

        protected Map<String,​Certificate> getInvalidCertificates​(KeyStore keyStore)
                                                        throws RepositoryException
        Gets the invalid certs from the given KeyStore as a map by their alias
        Parameters:
        keyStore - the KeyStore to get the certs from
        Returns:
        map of invalid certs. Kkey is alias of the cert
        Throws:
        RepositoryException

      • copyCert

        public void copyCert​(File keyStore,
                     File trustStore,
                     String alias,
                     String masterPassword)
              throws RepositoryException
        Copies a certificate from a keyStore to a trustStore.
        Parameters:
        keyStore - the key store to copy the certificate from.
        trustStore - the trust store to copy the certificate to.
        alias - the name of the certificate to copy.
        masterPassword - the password for the trust stores.
        Throws:
        RepositoryException

      • enforcePasswordComplexity

        protected void enforcePasswordComplexity​(char[] pw,
                                         String msgId)
        Throws an IllegalArgumentException if the password's complexity does not meet requirements
        Parameters:
        pw -
        msgId -

      • openKeyStore

        public KeyStore openKeyStore​(File source,
                             String storeType,
                             char[] pw)
                      throws KeyStoreException
        Loads a (JKS or PKCS#12) keystore. This method does not use the keytool, but instead the JAVA API
        Parameters:
        source - the path of the file to be opened and loaded into the keystore
        storeType - the type of the keystore to be read
        pw - the keystore password
        Returns:
        the keystore, if load was successful
        Throws:
        KeyStoreException

      • saveKeyStore

        public void saveKeyStore​(KeyStore keyStore,
                         File dest,
                         char[] pw)
                  throws KeyStoreException
        Saves the (modified) keystore. This method does not use the keytool, but instead the JAVA API
        Parameters:
        keyStore - the keystore to be written
        dest - path of the file the keystore is to be written to
        pw - keystore password
        Throws:
        KeyStoreException

      • addKeyPair

        public void addKeyPair​(File keyStore,
                       String storeType,
                       char[] storePw,
                       PrivateKey privKey,
                       Certificate[] certChain,
                       String alias)
                throws KeyStoreException
        Adds/updates a keypair to a keystore. This method does not use the keytool, but instead the JAVA API
        Parameters:
        keyStore - the keystore. Must not be null.
        storeType - the type of the keystore (JKS or PKCS#12)
        storePw - the keystore password. Since glassfish requires that keystore and key passwords are identical, this is also used as password for the private key
        privKey - the private key to be added to the store
        certChain - chain of certificates
        alias - the alis of the key to be used inside the keystore
        Throws:
        KeyStoreException - in case of problems

      • changeKeyStorePassword

        protected void changeKeyStorePassword​(String oldPassword,
                                      String newPassword,
                                      File keystore)
                               throws RepositoryException
        Changes the keystore password
        Parameters:
        oldPassword - the old keystore password
        newPassword - the new keystore password
        keystore - the keystore whose password is to be changed.
        Throws:
        RepositoryException

      • changeKeyStorePassword

        public void changeKeyStorePassword​(File keyStore,
                                   String storeType,
                                   char[] oldPw,
                                   char[] newPw)
                            throws KeyStoreException
        Changes the keystore's password and all contained keys'. This is done to ensure the convention used by glassfish: same password for the keystore and all keys inside.

        This method DOES NOT use the keytool, but manipulates the given file directly from JAVA.

        Parameters:
        keyStore - the destination keystore - may be null for an in-memory keystore
        storeType - the type of the keystore (JKS or PKCS#12)
        oldPw - the old password
        newPw - the new password
        Throws:
        KeyStoreException - in case of problems

      • changeKeyStorePassword

        public void changeKeyStorePassword​(File keyStore,
                                   String storeType,
                                   char[] oldPw,
                                   char[] newPw,
                                   boolean changeKeyPasswords)
                            throws KeyStoreException
        Changes the keystore's password and all contained keys'.

        NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using changeKeyStorePassword(java.io.File, java.lang.String, char[], char[]) instead

        This method DOES NOT use the keytool, but manipulates the given file directly from JAVA.

        Parameters:
        keyStore - the destination keystore - may be null for an in-memory keystore
        storeType - the type of the keystore (JKS or PKCS#12)
        oldPw - the old password
        newPw - the new password
        changeKeyPasswords - if true, all the keys contained in the keystore will have their passwords set to newStorePw as well
        Throws:
        KeyStoreException - in case of problems

      • changeKeyPassword

        public void changeKeyPassword​(File keyStore,
                              String storeType,
                              char[] storePw,
                              String alias,
                              char[] oldKeyPw,
                              char[] newKeyPw)
                       throws KeyStoreException
        Changes a private key's password. This method DOES NOT use the keytool, but manipulates the given file directly from JAVA. In addition, this method changes just the password of the key, not the keystore.

        NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using changeKeyStorePassword(java.io.File, java.lang.String, char[], char[]) instead

        Parameters:
        keyStore - the path of the keystore where the key with alias is to be modified
        storeType - - either "JKS" or "PKCS12"
        storePw - - must not be null
        alias - the alias of the key to be changed
        oldKeyPw - the old password
        newKeyPw - the new password
        Throws:
        KeyStoreException - in case of problems

      • readPemCertificateChain

        public Collection<? extends Certificate> readPemCertificateChain​(File pemFile)
                                                          throws KeyStoreException
        Reads X509 certificate(s) from the provided files
        Parameters:
        pemFile - path to the PEM (or .cer) file containing the X.509 certificate
        Returns:
        certificate chain loaded from the file, if successful
        Throws:
        KeyStoreException - in case of problems

      • changeS1ASAliasPassword

        protected void changeS1ASAliasPassword​(RepositoryConfig config,
                                       String storePassword,
                                       String oldKeyPassword,
                                       String newKeyPassword)
                                throws RepositoryException
        Changes the key password for the default cert whose alias is s1as. The assumption here is that the keystore password is not the same as the key password. This is due to the fact that the keystore password should first be changed followed next by the key password. The end result is that the keystore and s1as key both have the same passwords. This function will tolerate deletion of the s1as alias, but it will not tolerate changing the s1as key from something other than the database password.
        Parameters:
        config -
        storePassword - the keystore password
        oldKeyPassword - the old password for the s1as alias
        newKeyPassword - the new password for the s1as alias
        Throws:
        RepositoryException

      • changeSSLCertificateDatabasePassword

        protected void changeSSLCertificateDatabasePassword​(RepositoryConfig config,
                                                    String oldPassword,
                                                    String newPassword)
                                             throws RepositoryException
        Changes the password of the keystore, truststore and the key password of the s1as alias. It is expected that the key / truststores may not exist. This is due to the fact that the user may have deleted them and wishes to set up their own key/truststore
        Parameters:
        config - the configuration with details of the truststore location and master password
        oldPassword - the previous password
        newPassword - the new password
        Throws:
        RepositoryException