com.sun.enterprise.admin.servermgmt

Class KeystoreManager

java.lang.Object

com.sun.enterprise.admin.servermgmt.KeystoreManager

Direct Known Subclasses:

MasterPasswordFileManager, NodeKeystoreManager

public class KeystoreManager
extends Object

Author:

kebbs

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	KeystoreManager.KeytoolExecutor

Field Summary

Fields

Modifier and Type	Field and Description
protected PEFileLayout	_fileLayout
static String	CERTIFICATE_ALIAS
static String	DEFAULT_MASTER_PASSWORD
static String	INSTANCE_SECURE_ADMIN_ALIAS

Constructor Summary

Constructors

Constructor and Description
KeystoreManager()

Method Summary

Modifier and Type	Method and Description
void	addKeyPair(File keyStore, String storeType, char[] storePw, PrivateKey privKey, Certificate[] certChain, String alias) Adds/updates a keypair to a keystore.
void	addKeyPair(File keyStore, String storeType, char[] storePw, PrivateKey privKey, char[] keyPw, Certificate[] certChain, String alias) Adds/updates a keypair to a keystore.
void	changeKeyPassword(File keyStore, String storeType, char[] storePw, String alias, char[] oldKeyPw, char[] newKeyPw) Changes a private key's password.
void	changeKeyStorePassword(File keyStore, String storeType, char[] oldPw, char[] newPw) Changes the keystore's password and all contained keys'.
void	changeKeyStorePassword(File keyStore, String storeType, char[] oldPw, char[] newPw, boolean changeKeyPasswords) Changes the keystore's password and all contained keys'.
protected void	changeKeyStorePassword(String oldPassword, String newPassword, File keystore) Changes the keystore password
protected void	changeS1ASAliasPassword(RepositoryConfig config, String storePassword, String oldKeyPassword, String newKeyPassword) Changes the key password for the default cert whose alias is s1as.
protected void	changeSSLCertificateDatabasePassword(RepositoryConfig config, String oldPassword, String newPassword) Changes the password of the keystore, truststore and the key password of the s1as alias.
protected void	chmod(String args, File file)
protected void	copyCertificates(File keyStore, File trustStore, DomainConfig config, String masterPassword) Copy certain certificates from the keystore into the truststore.
protected void	copyCertificatesFromJdk(File trustStore, String masterPassword) Copies all non-expired certificates from the currently used JDK to the Payara trust store.
protected void	createKeyStore(File keystore, RepositoryConfig config, String masterPassword) Create the default SSL key store using keytool to generate a self signed certificate.
protected void	enforcePasswordComplexity(char[] pw, String msgId) Throws an IllegalArgumentException if the password's complexity does not meet requirements
protected static String	getCertificateDN(RepositoryConfig cfg, String CNSuffix)
static String	getDASCertDN(RepositoryConfig cfg)
protected PEFileLayout	getFileLayout(RepositoryConfig config)
static String	getInstanceCertDN(RepositoryConfig cfg)
protected Map<String,Certificate>	getValidCertificateAliases(KeyStore keyStore, String keyStorePassword)
KeyStore	openKeyStore(File source, String storeType, char[] pw) Loads a (JKS or PKCS#12) keystore.
Collection<? extends Certificate>	readPemCertificateChain(File pemFile) Reads X509 certificate(s) from the provided files
PrivateKey	readPlainPKCS8PrivateKey(File keyFile) Reads an unencrypted, PKCS#8 formattted and base64 encoded RSA private key from the given File
PrivateKey	readPlainPKCS8PrivateKey(InputStream is, String algo) Reads an unencrypted, PKCS#8 formattted and base64 encoded private key from the given InputStream using the specified algo
void	saveKeyStore(KeyStore keyStore, File dest, char[] pw) Saves the (modified) keystore.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CERTIFICATE_ALIAS

public static final String CERTIFICATE_ALIAS

See Also:

Constant Field Values

INSTANCE_SECURE_ADMIN_ALIAS

public static final String INSTANCE_SECURE_ADMIN_ALIAS

See Also:

Constant Field Values

DEFAULT_MASTER_PASSWORD

public static final String DEFAULT_MASTER_PASSWORD

See Also:

Constant Field Values

_fileLayout

protected PEFileLayout _fileLayout

Constructor Detail

KeystoreManager

public KeystoreManager()

Method Detail

getCertificateDN

protected static String getCertificateDN(RepositoryConfig cfg,
                                         String CNSuffix)

getFileLayout

protected PEFileLayout getFileLayout(RepositoryConfig config)

createKeyStore

protected void createKeyStore(File keystore,
                              RepositoryConfig config,
                              String masterPassword)
                       throws RepositoryException

Create the default SSL key store using keytool to generate a self signed certificate.

Parameters:

keystore -

config -

masterPassword -

Throws:

RepositoryException

copyCertificates

protected void copyCertificates(File keyStore,
                                File trustStore,
                                DomainConfig config,
                                String masterPassword)
                         throws DomainException

Copy certain certificates from the keystore into the truststore.

Parameters:

keyStore - keystore to copy from

trustStore - the truststore to copy to

config - the domain's configuration

masterPassword - the master password for the truststore

Throws:

DomainException - if an error occured

copyCertificatesFromJdk

protected void copyCertificatesFromJdk(File trustStore,
                                       String masterPassword)
                                throws RepositoryException

Copies all non-expired certificates from the currently used JDK to the Payara trust store.

Parameters:

trustStore - the trust store to copy the certificates to.

masterPassword - the password to the trust store.

Throws:

RepositoryException - if an error occured a RepositoryException will wrap the original exception

getValidCertificateAliases

protected Map<String,Certificate> getValidCertificateAliases(KeyStore keyStore,
                                                             String keyStorePassword)
                                                      throws RepositoryException

Throws:

RepositoryException

enforcePasswordComplexity

protected void enforcePasswordComplexity(char[] pw,
                                         String msgId)

Throws an IllegalArgumentException if the password's complexity does not meet requirements

Parameters:

pw -

msgId -

openKeyStore

public KeyStore openKeyStore(File source,
                             String storeType,
                             char[] pw)
                      throws KeyStoreException

Loads a (JKS or PKCS#12) keystore. This method does not use the keytool, but instead the JAVA API

Parameters:

source - the path of the file to be opened and loaded into the keystore

storeType - the type of the keystore to be read

pw - the keystore password

Returns:

the keystore, if load was successful

Throws:

KeyStoreException

saveKeyStore

public void saveKeyStore(KeyStore keyStore,
                         File dest,
                         char[] pw)
                  throws KeyStoreException

Saves the (modified) keystore. This method does not use the keytool, but instead the JAVA API

Parameters:

keyStore - the keystore to be written

dest - path of the file the keystore is to be written to

pw - keystore password

Throws:

KeyStoreException

addKeyPair

public void addKeyPair(File keyStore,
                       String storeType,
                       char[] storePw,
                       PrivateKey privKey,
                       Certificate[] certChain,
                       String alias)
                throws KeyStoreException

Adds/updates a keypair to a keystore. This method does not use the keytool, but instead the JAVA API

Parameters:

keyStore - the keystore. Must not be null.

storeType - the type of the keystore (JKS or PKCS#12)

storePw - the keystore password. Since glassfish requires that keystore and key passwords are identical, this is also used as password for the private key

privKey - the private key to be added to the store

certChain - chain of certificates

alias - the alis of the key to be used inside the keystore

Throws:

KeyStoreException - in case of problems

addKeyPair

public void addKeyPair(File keyStore,
                       String storeType,
                       char[] storePw,
                       PrivateKey privKey,
                       char[] keyPw,
                       Certificate[] certChain,
                       String alias)
                throws KeyStoreException

Adds/updates a keypair to a keystore. This method does not use the keytool, but instead the JAVA API

NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using addKeyPair(java.io.File, java.lang.String, char[], java.security.PrivateKey, java.security.cert.Certificate[], java.lang.String) instead

Parameters:

keyStore - the keystore. Must not be null.

storeType - the type of the keystore (JKS or PKCS#12).

storePw - the keystore password

privKey - the private key to be added to the store

keyPw - the private key's password.

certChain - chain of certificates

alias - the alis of the key to be used inside the keystore

Throws:

KeyStoreException - in case of problems

changeKeyStorePassword

protected void changeKeyStorePassword(String oldPassword,
                                      String newPassword,
                                      File keystore)
                               throws RepositoryException

Changes the keystore password

Parameters:

oldPassword - the old keystore password

newPassword - the new keystore password

keystore - the keystore whose password is to be changed.

Throws:

RepositoryException

changeKeyStorePassword

public void changeKeyStorePassword(File keyStore,
                                   String storeType,
                                   char[] oldPw,
                                   char[] newPw)
                            throws KeyStoreException

Changes the keystore's password and all contained keys'. This is done to ensure the convention used by glassfish: same password for the keystore and all keys inside.

This method DOES NOT use the keytool, but manipulates the given file directly from JAVA.

Parameters:

keyStore - the destination keystore - may be null for an in-memory keystore

storeType - the type of the keystore (JKS or PKCS#12)

oldPw - the old password

newPw - the new password

Throws:

KeyStoreException - in case of problems

changeKeyStorePassword

public void changeKeyStorePassword(File keyStore,
                                   String storeType,
                                   char[] oldPw,
                                   char[] newPw,
                                   boolean changeKeyPasswords)
                            throws KeyStoreException

Changes the keystore's password and all contained keys'.

NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using changeKeyStorePassword(java.io.File, java.lang.String, char[], char[]) instead

This method DOES NOT use the keytool, but manipulates the given file directly from JAVA.

Parameters:

keyStore - the destination keystore - may be null for an in-memory keystore

storeType - the type of the keystore (JKS or PKCS#12)

oldPw - the old password

newPw - the new password

changeKeyPasswords - if true, all the keys contained in the keystore will have their passwords set to newStorePw as well

Throws:

KeyStoreException - in case of problems

changeKeyPassword

public void changeKeyPassword(File keyStore,
                              String storeType,
                              char[] storePw,
                              String alias,
                              char[] oldKeyPw,
                              char[] newKeyPw)
                       throws KeyStoreException

Changes a private key's password. This method DOES NOT use the keytool, but manipulates the given file directly from JAVA. In addition, this method changes just the password of the key, not the keystore.

NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using changeKeyStorePassword(java.io.File, java.lang.String, char[], char[]) instead

Parameters:

keyStore - the path of the keystore where the key with alias is to be modified

storeType - - either "JKS" or "PKCS12"

storePw - - must not be null

alias - the alias of the key to be changed

oldKeyPw - the old password

newKeyPw - the new password

Throws:

KeyStoreException - in case of problems

readPlainPKCS8PrivateKey

public PrivateKey readPlainPKCS8PrivateKey(File keyFile)
                                    throws IOException,
                                           InvalidKeySpecException,
                                           NoSuchAlgorithmException

Reads an unencrypted, PKCS#8 formattted and base64 encoded RSA private key from the given File

Parameters:

keyFile - the file containing the private key

Returns:

the RSA private key

Throws:

IOException

InvalidKeySpecException

NoSuchAlgorithmException

readPlainPKCS8PrivateKey

public PrivateKey readPlainPKCS8PrivateKey(InputStream is,
                                           String algo)
                                    throws InvalidKeySpecException,
                                           NoSuchAlgorithmException

Reads an unencrypted, PKCS#8 formattted and base64 encoded private key from the given InputStream using the specified algo

Parameters:

is - the input stream containing the private key

algo - the algorithm used for the private key

Returns:

the RSA private key

Throws:

UncheckedIOException - if there is an error with the InputStream

InvalidKeySpecException - if the key used was not a valid with the algorithm

NoSuchAlgorithmException - if no provider exists for the specified algorithm

readPemCertificateChain

public Collection<? extends Certificate> readPemCertificateChain(File pemFile)
                                                          throws KeyStoreException

Reads X509 certificate(s) from the provided files

Parameters:

pemFile - path to the PEM (or .cer) file containing the X.509 certificate

Returns:

certificate chain loaded from the file, if successful

Throws:

KeyStoreException - in case of problems

changeS1ASAliasPassword

protected void changeS1ASAliasPassword(RepositoryConfig config,
                                       String storePassword,
                                       String oldKeyPassword,
                                       String newKeyPassword)
                                throws RepositoryException

Changes the key password for the default cert whose alias is s1as. The assumption here is that the keystore password is not the same as the key password. This is due to the fact that the keystore password should first be changed followed next by the key password. The end result is that the keystore and s1as key both have the same passwords. This function will tolerate deletion of the s1as alias, but it will not tolerate changing the s1as key from something other than the database password.

Parameters:

config -

storePassword - the keystore password

oldKeyPassword - the old password for the s1as alias

newKeyPassword - the new password for the s1as alias

Throws:

RepositoryException

changeSSLCertificateDatabasePassword

protected void changeSSLCertificateDatabasePassword(RepositoryConfig config,
                                                    String oldPassword,
                                                    String newPassword)
                                             throws RepositoryException

Changes the password of the keystore, truststore and the key password of the s1as alias. It is expected that the key / truststores may not exist. This is due to the fact that the user may have deleted them and wishes to set up their own key/truststore

Parameters:

config - the configuration with details of the truststore location and master password

oldPassword - the previous password

newPassword - the new password

Throws:

RepositoryException

chmod

protected void chmod(String args,
                     File file)
              throws IOException

Throws:

IOException

getDASCertDN

public static String getDASCertDN(RepositoryConfig cfg)

getInstanceCertDN

public static String getInstanceCertDN(RepositoryConfig cfg)