
Example 1 with Certificate

use of org.apache.cloudstack.framework.ca.Certificate in project cloudstack by apache.

the class IssueCertificateCmd method execute.

// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
/**
 * Issues a certificate through the configured CA provider and returns it as PEM text.
 *
 * The caller must supply either a CSR or at least one domain name; with neither the
 * request is rejected as a parameter error. When the provider hands back a private key
 * (it does so when it generated the key pair itself) that key is returned to the API
 * caller in the response, so the response must be treated as sensitive material.
 *
 * @throws ServerApiException PARAM_ERROR when no CSR and no domains are given,
 *                            INTERNAL_ERROR when the provider returns no certificate
 *                            or PEM conversion fails
 */
@Override
public void execute() {
    // The CSR is checked first so getDomains() is only consulted when no CSR was given.
    final boolean csrAbsent = StringUtils.isEmpty(getCsr());
    if (csrAbsent && getDomains().isEmpty()) {
        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Please provide the domains or the CSR, none of them are provided");
    }
    // A null result from the provider is treated as an issuance failure.
    final Certificate issued = caManager.issueCertificate(getCsr(), getDomains(), getAddresses(), getValidityDuration(), getProvider());
    if (issued == null) {
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to issue client certificate with given provider");
    }
    final CertificateResponse response = new CertificateResponse();
    try {
        populatePemFields(response, issued);
    } catch (final IOException e) {
        LOG.error("Failed to generate and convert client certificate(s) to PEM due to error: ", e);
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to process and return client certificate");
    }
    response.setResponseName(getCommandName());
    setResponseObject(response);
}

/**
 * Copies the PEM-encoded parts of an issued certificate into the API response.
 * The client certificate is always set; the private key and the CA chain are only
 * set when the provider returned them.
 *
 * @throws IOException if PEM conversion of any part fails
 */
private static void populatePemFields(final CertificateResponse response, final Certificate issued) throws IOException {
    response.setCertificate(CertUtils.x509CertificateToPem(issued.getClientCertificate()));
    if (issued.getPrivateKey() != null) {
        // Secret material: handed back to the caller as PEM text.
        response.setPrivateKey(CertUtils.privateKeyToPem(issued.getPrivateKey()));
    }
    if (issued.getCaCertificates() != null) {
        response.setCaCertificate(CertUtils.x509CertificatesToPem(issued.getCaCertificates()));
    }
}

Example 2 with Certificate

use of org.apache.cloudstack.framework.ca.Certificate in project cloudstack by apache.

the class VirtualMachineManagerImpl method setupAgentSecurity.

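/**
 * Sets up TLS material for a system VM: asks the CA manager to create a keystore and
 * CSR on the VM over SSH, has a certificate issued for it and deploys the result back.
 *
 * Failures are logged at error level and not propagated: a VM whose certificate setup
 * fails is left running without one. Only agent-unavailability and operation-timeout
 * exceptions from the underlying commands escape this method.
 *
 * @param vmHost           host the system VM runs on, used to reach it over SSH
 * @param sshAccessDetails SSH access parameters; every value except ROUTER_NAME is
 *                         passed on as an address for the certificate
 * @param vm               system VM whose host name and instance name become the
 *                         certificate's domain names
 */
private void setupAgentSecurity(final Host vmHost, final Map<String, String> sshAccessDetails, final VirtualMachine vm) throws AgentUnavailableException, OperationTimedoutException {
    final String csr = caManager.generateKeyStoreAndCsr(vmHost, sshAccessDetails);
    if (org.apache.commons.lang3.StringUtils.isEmpty(csr)) {
        s_logger.error("Failed to setup keystore and generate CSR for system vm: " + vm.getInstanceName());
        return;
    }
    // ROUTER_NAME is an access detail, not an address; every remaining value is treated as an IP.
    final Map<String, String> ipAddressDetails = new HashMap<>(sshAccessDetails);
    ipAddressDetails.remove(NetworkElementCommand.ROUTER_NAME);
    final Certificate certificate = caManager.issueCertificate(csr, Arrays.asList(vm.getHostName(), vm.getInstanceName()), new ArrayList<>(ipAddressDetails.values()), CAManager.CertValidityPeriod.value(), null);
    // The CA provider may return null (other callers check for this); don't hand that to deployCertificate.
    if (certificate == null) {
        s_logger.error("Failed to issue certificate for system vm: " + vm.getInstanceName());
        return;
    }
    if (!caManager.deployCertificate(vmHost, certificate, false, sshAccessDetails)) {
        s_logger.error("Failed to setup certificate for system vm: " + vm.getInstanceName());
    }
}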

Example 3 with Certificate

use of org.apache.cloudstack.framework.ca.Certificate in project cloudstack by apache.

the class RootCAProvider method generateCertificate.

// /////////////////////////////////////////////////////////
// ///////////// Root CA Private Methods ///////////////////
// /////////////////////////////////////////////////////////
/**
 * Issues a leaf certificate signed by this root CA for the given names.
 *
 * A fresh key pair of {@code CAManager.CertKeySize} bits is generated here, so the
 * returned {@link Certificate} carries the private key and the caller must handle it
 * as a secret. The first domain name becomes the subject CN; the full domain and IP
 * lists are passed unchanged to the V3 builder (presumably as subject alternative
 * names - see CertUtils.generateV3Certificate). The returned chain holds only the
 * root CA certificate.
 *
 * NOTE(review): the subject DN is built by string concatenation, so RDN separators
 * (e.g. ',' or '=') inside the first domain name would be parsed as extra DN
 * attributes if the builder parses this string - confirm names are validated upstream.
 *
 * @param domainNames  at least one non-empty name; the first is used as the CN
 * @param ipAddresses  IP addresses to include; passed through unchanged
 * @param validityDays lifetime of the issued certificate in days
 * @throws CloudRuntimeException if no usable domain name is supplied
 */
private Certificate generateCertificate(final List<String> domainNames, final List<String> ipAddresses, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
    final boolean hasPrimaryName = domainNames != null && !domainNames.isEmpty() && !StringUtils.isEmpty(domainNames.get(0));
    if (!hasPrimaryName) {
        throw new CloudRuntimeException("No domain name is specified, cannot generate certificate");
    }
    final String subjectDn = "CN=" + domainNames.get(0);
    // New key pair per certificate; its private half is returned alongside the certificate.
    final KeyPair leafKeyPair = CertUtils.generateRandomKeyPair(CAManager.CertKeySize.value());
    final X509Certificate leafCertificate = CertUtils.generateV3Certificate(caCertificate, caKeyPair, leafKeyPair.getPublic(), subjectDn, CAManager.CertSignatureAlgorithm.value(), validityDays, domainNames, ipAddresses);
    return new Certificate(leafCertificate, leafKeyPair.getPrivate(), Collections.singletonList(caCertificate));
}

Example 4 with Certificate

use of org.apache.cloudstack.framework.ca.Certificate in project cloudstack by apache.

the class RootCAProvider method loadManagementKeyStore.

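/**
 * Lazily builds the in-memory JKS keystore the management server presents for TLS.
 *
 * The keystore holds the root CA certificate under {@code caAlias} and a freshly
 * issued server certificate plus its private key under {@code managementAlias},
 * protected by the keystore passphrase. The server certificate is issued for this
 * host's name and all default-NIC IPs and is given the CA validity period.
 *
 * @return true once the keystore is available, false if building it failed
 * @throws CloudRuntimeException if the server certificate (with private key) could not be issued
 */
private boolean loadManagementKeyStore() {
    if (managementKeyStore != null) {
        return true;
    }
    final Certificate serverCertificate = issueCertificate(Collections.singletonList(NetUtils.getHostName()), NetUtils.getAllDefaultNicIps(), getCaValidityDays());
    if (serverCertificate == null || serverCertificate.getPrivateKey() == null) {
        throw new CloudRuntimeException("Failed to generate management server certificate and load management server keystore");
    }
    LOG.info("Creating new management server certificate and keystore");
    // Build into a local and publish to the field only after every step succeeded.
    // Assigning the field first left a half-initialised, non-null keystore behind on
    // failure, so the next call returned true without retrying.
    final KeyStore keyStore;
    try {
        // NOTE(review): "JKS" is the legacy format (PKCS12 is the JDK default since 9);
        // kept as-is because consumers of this keystore may depend on the type.
        keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null); // null stream: start from an empty store
        keyStore.setCertificateEntry(caAlias, caCertificate);
        keyStore.setKeyEntry(managementAlias, serverCertificate.getPrivateKey(), getKeyStorePassphrase(), new X509Certificate[] { serverCertificate.getClientCertificate(), caCertificate });
    } catch (final CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException e) {
        LOG.error("Failed to load root CA management-server keystore due to exception: ", e);
        return false;
    }
    managementKeyStore = keyStore;
    return true;
}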

Example 5 with Certificate

use of org.apache.cloudstack.framework.ca.Certificate in project cloudstack by apache.

the class CAManagerImpl method provisionCertificate.

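/**
 * Provisions (or renews) the agent certificate for a host: has the agent generate a
 * keystore and CSR, issues a certificate for the host's name and IPs through the
 * requested CA provider and deploys it back to the agent.
 *
 * @param host       target host; must not be null
 * @param reconnect  passed through to deployCertificate (presumably controls whether
 *                   the agent is reconnected afterwards)
 * @param caProvider CA provider name, passed through unchanged to issueCertificate
 * @return true if the certificate was deployed; false if the agent returned an empty
 *         CSR, no certificate was issued, or deployment reported failure
 * @throws CloudRuntimeException if the host is null, or the agent was unavailable or
 *                               timed out while generating the keystore/CSR
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_CA_CERTIFICATE_PROVISION, eventDescription = "provisioning certificate for host", async = true)
public boolean provisionCertificate(final Host host, final Boolean reconnect, final String caProvider) {
    if (host == null) {
        throw new CloudRuntimeException("Unable to find valid host to renew certificate for");
    }
    CallContext.current().setEventDetails("host id: " + host.getId());
    CallContext.current().putContextParameter(Host.class, host.getUuid());
    try {
        final String csr = generateKeyStoreAndCsr(host, null);
        if (StringUtils.isEmpty(csr)) {
            return false;
        }
        // Name list: host name and private IP; address list: private, public and storage IPs.
        // NOTE(review): public/storage IPs may be null for some hosts - confirm issueCertificate tolerates null entries.
        final Certificate certificate = issueCertificate(csr, Arrays.asList(host.getName(), host.getPrivateIpAddress()), Arrays.asList(host.getPrivateIpAddress(), host.getPublicIpAddress(), host.getStorageIpAddress()), CAManager.CertValidityPeriod.value(), caProvider);
        // The provider may return null (other callers check for this); report failure instead of deploying null.
        if (certificate == null) {
            LOG.error("Failed to issue certificate for host/agent id=" + host.getId() + " with CA provider: " + caProvider);
            return false;
        }
        return deployCertificate(host, certificate, reconnect, null);
    } catch (final AgentUnavailableException | OperationTimedoutException e) {
        LOG.error("Host/agent is not available or operation timed out, failed to setup keystore and generate CSR for host/agent id=" + host.getId() + ", due to: ", e);
        throw new CloudRuntimeException("Failed to generate keystore and get CSR from the host/agent id=" + host.getId());
    }
}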
