Usage example of org.apache.cloudstack.framework.ca.Certificate in the Apache CloudStack project:
the execute() method of class IssueCertificateCmd.
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
/**
 * Issues a certificate via the configured CA provider and returns it, PEM-encoded,
 * as the API response.
 *
 * The request must carry either a CSR or a non-empty list of domain names; when both
 * are missing the call is rejected with PARAM_ERROR before any provider is contacted.
 * If the provider generated the key pair itself (the returned {@link Certificate}
 * carries a private key), that private key is also placed in the response in PEM form.
 * That value is secret material and callers must treat the response accordingly
 * (it is never logged here).
 *
 * @throws ServerApiException PARAM_ERROR when neither CSR nor domains are supplied;
 *         INTERNAL_ERROR when the provider returns no certificate or PEM conversion fails
 */
@Override
public void execute() {
    final String csr = getCsr();
    final boolean csrMissing = StringUtils.isEmpty(csr);
    if (csrMissing && getDomains().isEmpty()) {
        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Please provide the domains or the CSR, none of them are provided");
    }

    final Certificate issued = caManager.issueCertificate(csr, getDomains(), getAddresses(), getValidityDuration(), getProvider());
    if (issued == null) {
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to issue client certificate with given provider");
    }

    final CertificateResponse response = new CertificateResponse();
    try {
        response.setCertificate(CertUtils.x509CertificateToPem(issued.getClientCertificate()));
        // Private key is only present when the provider created the key pair (no CSR supplied).
        if (issued.getPrivateKey() != null) {
            response.setPrivateKey(CertUtils.privateKeyToPem(issued.getPrivateKey()));
        }
        if (issued.getCaCertificates() != null) {
            response.setCaCertificate(CertUtils.x509CertificatesToPem(issued.getCaCertificates()));
        }
    } catch (final IOException e) {
        // The exception is logged in full; the API client only sees a generic failure.
        LOG.error("Failed to generate and convert client certificate(s) to PEM due to error: ", e);
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to process and return client certificate");
    }

    response.setResponseName(getCommandName());
    setResponseObject(response);
}
Usage example of org.apache.cloudstack.framework.ca.Certificate in the Apache CloudStack project:
the setupAgentSecurity() method of class VirtualMachineManagerImpl.
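/**
 * Sets up TLS material for a system VM's agent.
 *
 * Asks the CA manager to create a keystore and CSR on the VM (reached through
 * {@code sshAccessDetails}), has the CSR signed for the VM's host name and instance
 * name plus the addresses found in {@code sshAccessDetails}, and deploys the result.
 *
 * Every failure is logged rather than thrown, so a VM that ends up without a
 * certificate is only visible through the error log (presumably the caller continues
 * with the VM start regardless -- confirm against the call site).
 *
 * @param vmHost           the host the system VM runs on
 * @param sshAccessDetails SSH connection details; the ROUTER_NAME entry is removed and
 *                         every remaining value is passed to the CA as an IP address
 *                         (assumes all other entries are addresses -- TODO confirm)
 * @param vm               the system VM being secured
 * @throws AgentUnavailableException if the agent on vmHost cannot be reached
 * @throws OperationTimedoutException if keystore/CSR generation or deployment times out
 */
private void setupAgentSecurity(final Host vmHost, final Map<String, String> sshAccessDetails, final VirtualMachine vm) throws AgentUnavailableException, OperationTimedoutException {
    final String csr = caManager.generateKeyStoreAndCsr(vmHost, sshAccessDetails);
    if (org.apache.commons.lang3.StringUtils.isEmpty(csr)) {
        s_logger.error("Failed to setup keystore and generate CSR for system vm: " + vm.getInstanceName());
        return;
    }

    // Everything in the SSH details except the router name is handed to the CA as an address.
    final Map<String, String> ipAddressDetails = new HashMap<>(sshAccessDetails);
    ipAddressDetails.remove(NetworkElementCommand.ROUTER_NAME);

    final Certificate certificate = caManager.issueCertificate(csr, Arrays.asList(vm.getHostName(), vm.getInstanceName()), new ArrayList<>(ipAddressDetails.values()), CAManager.CertValidityPeriod.value(), null);
    // issueCertificate can return null (IssueCertificateCmd guards the same call);
    // never hand a null certificate on to deployCertificate.
    if (certificate == null) {
        s_logger.error("Failed to issue certificate for system vm: " + vm.getInstanceName());
        return;
    }

    // Third argument is the reconnect flag in provisionCertificate's call to the same
    // method; a freshly started system VM is not reconnected here.
    final boolean deployed = caManager.deployCertificate(vmHost, certificate, false, sshAccessDetails);
    if (!deployed) {
        s_logger.error("Failed to setup certificate for system vm: " + vm.getInstanceName());
    }
}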
Usage example of org.apache.cloudstack.framework.ca.Certificate in the Apache CloudStack project:
the generateCertificate() method of class RootCAProvider.
// /////////////////////////////////////////////////////////
// ///////////// Root CA Private Methods ///////////////////
// /////////////////////////////////////////////////////////
/**
 * Signs a fresh leaf certificate with this root CA.
 *
 * A new key pair of the configured size is generated here, so the returned
 * {@link Certificate} carries the leaf, its private key, and a one-element chain
 * holding the root CA certificate. The subject is {@code "CN="} followed by the first
 * domain name verbatim. NOTE(review): no escaping of X.500 special characters is done
 * here, and the first name is caller-supplied when issuance comes from the API --
 * confirm that CertUtils.generateV3Certificate parses the subject safely.
 *
 * @param domainNames  names for the certificate; must be non-null and non-empty with a
 *                     non-empty first element, otherwise CloudRuntimeException is thrown
 * @param ipAddresses  addresses for the certificate; passed through unchecked
 * @param validityDays lifetime of the leaf in days; not validated here
 * @return the signed leaf certificate together with its private key and the CA chain
 * @throws CloudRuntimeException if no usable domain name is supplied
 */
private Certificate generateCertificate(final List<String> domainNames, final List<String> ipAddresses, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
    final boolean hasSubjectName = domainNames != null && !domainNames.isEmpty() && !StringUtils.isEmpty(domainNames.get(0));
    if (!hasSubjectName) {
        throw new CloudRuntimeException("No domain name is specified, cannot generate certificate");
    }

    final String subjectDn = "CN=" + domainNames.get(0);
    final KeyPair leafKeyPair = CertUtils.generateRandomKeyPair(CAManager.CertKeySize.value());
    final X509Certificate leaf = CertUtils.generateV3Certificate(caCertificate, caKeyPair, leafKeyPair.getPublic(), subjectDn, CAManager.CertSignatureAlgorithm.value(), validityDays, domainNames, ipAddresses);

    final List<X509Certificate> chain = Collections.singletonList(caCertificate);
    return new Certificate(leaf, leafKeyPair.getPrivate(), chain);
}
Usage example of org.apache.cloudstack.framework.ca.Certificate in the Apache CloudStack project:
the loadManagementKeyStore() method of class RootCAProvider.
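/**
 * Lazily builds the in-memory management-server keystore for this root CA provider.
 *
 * On first call a server certificate is issued for this management server (its host
 * name plus all default NIC IPs, valid for the CA validity period -- NOTE(review): that
 * is the CA lifetime, not CertValidityPeriod; confirm this is intended) and loaded,
 * together with the CA certificate, into a new JKS keystore protected by the keystore
 * passphrase. Later calls return {@code true} without re-issuing.
 *
 * The keystore is assembled in a local and published to {@code managementKeyStore}
 * only after every entry has been added. Previously the field was assigned before the
 * entries were set, so a failure in setCertificateEntry/setKeyEntry left a half-built
 * keystore in the field and the early-return guard reported it as loaded on every later
 * call.
 *
 * NOTE(review): this lazy initialisation is not synchronized; concurrent first calls
 * may each issue a certificate -- confirm the caller serialises access.
 *
 * @return {@code true} when a fully populated keystore is available, {@code false} when
 *         building it failed (the failure is logged)
 * @throws CloudRuntimeException if no server certificate or private key could be issued
 */
private boolean loadManagementKeyStore() {
    if (managementKeyStore != null) {
        return true;
    }
    final Certificate serverCertificate = issueCertificate(Collections.singletonList(NetUtils.getHostName()), NetUtils.getAllDefaultNicIps(), getCaValidityDays());
    if (serverCertificate == null || serverCertificate.getPrivateKey() == null) {
        throw new CloudRuntimeException("Failed to generate management server certificate and load management server keystore");
    }
    LOG.info("Creating new management server certificate and keystore");

    final KeyStore keyStore;
    try {
        // "JKS" kept for compatibility with whatever reads this keystore; an in-memory
        // store could equally be PKCS12.
        keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null); // initialise empty; there is no backing file
        keyStore.setCertificateEntry(caAlias, caCertificate);
        // Chain order: leaf first, then the issuing CA.
        keyStore.setKeyEntry(managementAlias, serverCertificate.getPrivateKey(), getKeyStorePassphrase(), new X509Certificate[] { serverCertificate.getClientCertificate(), caCertificate });
    } catch (final CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException e) {
        LOG.error("Failed to load root CA management-server keystore due to exception: ", e);
        return false;
    }

    // Publish only a complete keystore; a partially built one must never become visible.
    managementKeyStore = keyStore;
    return true;
}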
Usage example of org.apache.cloudstack.framework.ca.Certificate in the Apache CloudStack project:
the provisionCertificate() method of class CAManagerImpl.
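/**
 * Provisions (or renews) a TLS certificate on a host's agent.
 *
 * Asks the agent for a keystore and CSR, has the CSR signed by the given CA provider
 * for the host name and private IP (as names) and the private, public and storage IPs
 * (as addresses), then deploys the result, optionally reconnecting the agent.
 *
 * @param host       the host to provision; must not be null
 * @param reconnect  passed through to deployCertificate; whether the agent is reconnected
 *                   after the certificate is deployed
 * @param caProvider name of the CA provider to use; presumably null selects the default
 *                   (resolution happens in issueCertificate -- TODO confirm)
 * @return {@code true} if the certificate was deployed; {@code false} if no CSR was
 *         obtained, no certificate was issued, or deployment failed
 * @throws CloudRuntimeException if host is null, or the agent was unreachable or timed out
 *         (the underlying exception is logged with the host id)
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_CA_CERTIFICATE_PROVISION, eventDescription = "provisioning certificate for host", async = true)
public boolean provisionCertificate(final Host host, final Boolean reconnect, final String caProvider) {
    if (host == null) {
        throw new CloudRuntimeException("Unable to find valid host to renew certificate for");
    }
    CallContext.current().setEventDetails("host id: " + host.getId());
    CallContext.current().putContextParameter(Host.class, host.getUuid());
    try {
        final String csr = generateKeyStoreAndCsr(host, null);
        if (StringUtils.isEmpty(csr)) {
            LOG.error("Failed to generate keystore and CSR for host/agent id=" + host.getId());
            return false;
        }
        // Any of the public/storage IPs may be unset on some host types; assumes
        // issueCertificate tolerates null entries -- TODO confirm.
        final Certificate certificate = issueCertificate(csr, Arrays.asList(host.getName(), host.getPrivateIpAddress()), Arrays.asList(host.getPrivateIpAddress(), host.getPublicIpAddress(), host.getStorageIpAddress()), CAManager.CertValidityPeriod.value(), caProvider);
        // issueCertificate can return null (IssueCertificateCmd guards the same call);
        // do not pass a null certificate on to deployCertificate.
        if (certificate == null) {
            LOG.error("Failed to issue certificate for host/agent id=" + host.getId() + " with CA provider: " + caProvider);
            return false;
        }
        return deployCertificate(host, certificate, reconnect, null);
    } catch (final AgentUnavailableException | OperationTimedoutException e) {
        LOG.error("Host/agent is not available or operation timed out, failed to setup keystore and generate CSR for host/agent id=" + host.getId() + ", due to: ", e);
        throw new CloudRuntimeException("Failed to generate keystore and get CSR from the host/agent id=" + host.getId());
    }
}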