Class AMCertStore, method getConnection:
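/**
 * Returns a connection to the LDAP certificate store, or {@code null} if the
 * SSL context could not be built or the connection attempt failed.
 * <p>
 * The connection factory is built lazily on first use from {@code storeParam}
 * (server, port, bind user/password, SSL flag) and cached in {@code ldapconn}.
 * A failure while building it leaves {@code ldapconn} null, so the next call
 * retries; the method is {@code synchronized} to serialise that lazy init.
 * <p>
 * The bind is always a simple (password) bind, SSL or not. On a plain-LDAP
 * store the bind password therefore crosses the network in clear text, and no
 * hostname verifier is configured on the SSL path here -- whether the SDK
 * checks the server name against the certificate is not visible from this
 * method and should be confirmed.
 *
 * @return an open {@link Connection}, or {@code null} on any error (the error
 *         is logged through {@code debug})
 */
synchronized Connection getConnection() {
    if (ldapconn == null) {
        /*
         * Setup the LDAP certificate directory service context for
         * use in verification of the users certificates.
         */
        String serverName = storeParam.getServerName();
        int port = storeParam.getPort();
        boolean secure = storeParam.isSecure();
        // Regardless of SSL on connection, we will use authentication.
        SimpleBindRequest authenticatedRequest = LDAPRequests.newSimpleBindRequest(
                storeParam.getUser(), storeParam.getPassword().toCharArray());
        Options options = Options.defaultOptions().set(AUTHN_BIND_REQUEST, authenticatedRequest);
        if (secure) {
            debug.message("AMCertStore.getConnection: initial connection factory using ssl.");
            try {
                // Default SSLContextBuilder: JVM default trust material, no
                // explicit hostname verifier (see class-level note above).
                options = options.set(SSL_CONTEXT, new SSLContextBuilder().getSSLContext());
            } catch (GeneralSecurityException e) {
                debug.error("AMCertStore.getConnection: Error getting SSL Context", e);
                return null;
            }
        }
        // One construction path for SSL and plain LDAP; the options already
        // carry the SSL context when it is needed.
        ldapconn = new LDAPConnectionFactory(serverName, port, options);
        if (secure) {
            debug.message("AMCertStore.getConnection: SSLSocketFactory called");
        }
    }
    try {
        return ldapconn.getConnection();
    } catch (LdapException e) {
        debug.error("AMCertStore.getConnection: Exception in connection to LDAP server", e);
        return null;
    }
}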
Class AMCRLStore, method getCRLByLdapURI:
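/**
 * Fetches a CRL from an LDAP URI.
 * <p>
 * The URI must name an entry that can be read with an anonymous bind
 * (example: {@code ldap://server:port/uid=ca,o=company.com}). The CRL is read
 * from the entry's {@code certificaterevocationlist} attribute, falling back
 * to {@code certificaterevocationlist;binary}; only the first value is used.
 * Search referrals are not followed. Every failure is logged and
 * {@code null} is returned.
 * <p>
 * Security notes: the host and port connected to come straight from
 * {@code uri}. If a caller passes a CRL distribution point taken from a
 * presented certificate, this is an outbound connection to an address chosen
 * by whoever supplied that certificate, and the returned bytes must be treated
 * as untrusted until the CRL signature has been verified (not done here). For
 * {@code ldaps} URIs the default {@link SSLContextBuilder} trust material is
 * used and no hostname verifier is configured in this method.
 *
 * @param uri LDAP or LDAPS URI of the CRL entry
 * @return the raw CRL bytes, or {@code null} if the URI cannot be parsed, the
 *         SSL context cannot be built, the search returns nothing or a
 *         referral, the attribute is absent, or any other error occurs
 */
private byte[] getCRLByLdapURI(String uri) {
    if (debug.messageEnabled()) {
        debug.message("AMCRLStore.getCRLByLdapURI: uri = " + uri);
    }
    LDAPUrl url;
    try {
        url = LDAPUrl.valueOf(uri);
    } catch (LocalizedIllegalArgumentException e) {
        debug.error("AMCRLStore.getCRLByLdapURI(): Could not parse uri: {}", uri, e);
        return null;
    }
    debug.message("AMCRLStore.getCRLByLdapURI: url.dn = {}", url.getName());
    // Check ldap over SSL
    final LDAPConnectionFactory factory;
    if (url.isSecure()) {
        try {
            factory = new LDAPConnectionFactory(url.getHost(), url.getPort(),
                    Options.defaultOptions().set(LDAPConnectionFactory.SSL_CONTEXT, new SSLContextBuilder().getSSLContext()));
        } catch (GeneralSecurityException e) {
            debug.error("AMCRLStore.getCRLByLdapURI: Error getting SSL Context", e);
            return null;
        }
    } else {
        // non-ssl
        factory = new LDAPConnectionFactory(url.getHost(), url.getPort());
    }
    byte[] crl = null;
    try (Connection ldc = factory.getConnection()) {
        ConnectionEntryReader results = ldc.search(url.asSearchRequest().addControl(TransactionIdControl.newControl(AuditRequestContext.createSubTransactionIdValue())));
        if (!results.hasNext()) {
            // Message is historical: it actually means the search returned no entry.
            debug.error("verifyCertificate - No CRL distribution Point configured");
            return null;
        }
        if (results.isReference()) {
            // Referrals are deliberately not chased: that would turn one
            // attacker-chosen hop into an open-ended chain of them.
            debug.warning("Getting CRL but got LDAP reference: {}", results.readReference());
            return null;
        }
        SearchResultEntry entry = results.readEntry();
        /*
         * Retrieve the certificate revocation list if available.
         */
        Attribute crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST);
        if (crlAttribute == null) {
            crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST_BINARY);
            if (crlAttribute == null) {
                // Message is historical: it actually means the entry has no CRL attribute.
                debug.error("verifyCertificate - No CRL distribution Point configured");
                return null;
            }
        }
        crl = crlAttribute.firstValue().toByteArray();
    } catch (Exception e) {
        // Best-effort: callers treat null as "no CRL available"; log and fall through.
        debug.error("getCRLByLdapURI : Error in getting CRL", e);
    } finally {
        // The connection has already been closed by try-with-resources; now
        // release the per-call factory as well (it was previously leaked on
        // every fetch, including the early returns above).
        factory.close();
    }
    return crl;
}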
Class AddAMSDKIdRepoPlugin, method getLDAPConnection:
/**
 * Builds an LDAP connection factory for the directory described by {@code ds},
 * binding as this plugin's {@code bindDN}/{@code bindPwd} with a simple bind.
 * <p>
 * The connect timeout is fixed at 300 ms. When {@code ds.ssl} is set the
 * factory uses an SSL context built from the JVM default trust material; no
 * hostname verifier is configured here. The returned factory is not closed
 * by this method -- that is the caller's responsibility.
 *
 * @param ds target directory (host, port, ssl flag)
 * @return a factory for connections to that directory
 * @throws Exception if the SSL context cannot be built (propagated as-is)
 */
private ConnectionFactory getLDAPConnection(DSEntry ds) throws Exception {
    Options opts = Options.defaultOptions();
    opts = opts.set(AUTHN_BIND_REQUEST, LDAPRequests.newSimpleBindRequest(bindDN, bindPwd.toCharArray()));
    opts = opts.set(CONNECT_TIMEOUT, new Duration(300L, TimeUnit.MILLISECONDS));
    if (ds.ssl) {
        opts = opts.set(SSL_CONTEXT, new SSLContextBuilder().getSSLContext());
    }
    return new LDAPConnectionFactory(ds.host, ds.port, opts);
}
Class AjaxPage, method getConnection:
/**
 * Opens a single LDAP connection with a simple bind as {@code bindDN}.
 * <p>
 * When {@code isSSl} is set the connection uses an SSL context built from
 * the JVM default trust material; no hostname verifier is configured in this
 * method. The connection factory created here is not closed -- whether
 * closing it would invalidate the returned connection is not visible from
 * this method, so it is left to the caller to manage.
 *
 * @param host    directory host
 * @param port    directory port
 * @param bindDN  DN to bind as
 * @param bindPwd password for {@code bindDN}
 * @param timeout connect timeout in seconds
 * @param isSSl   use LDAPS when true
 * @return an open connection
 * @throws GeneralSecurityException if the SSL context cannot be built
 * @throws LdapException            if the connection or bind fails
 */
protected Connection getConnection(String host, int port, String bindDN, char[] bindPwd, int timeout, boolean isSSl) throws GeneralSecurityException, LdapException {
    Options opts = Options.defaultOptions()
            .set(CONNECT_TIMEOUT, new Duration((long) timeout, TimeUnit.SECONDS))
            .set(AUTHN_BIND_REQUEST, LDAPRequests.newSimpleBindRequest(bindDN, bindPwd));
    if (isSSl) {
        opts = opts.set(SSL_CONTEXT, new SSLContextBuilder().getSSLContext());
    }
    return new LDAPConnectionFactory(host, port, opts).getConnection();
}
Class LDAPAuthUtils, method createConnectionPool:
/**
 * Returns the connection pool (a {@link ConnectionFactory}) for this
 * instance's configured LDAP servers bound as {@code bindingUser}, creating
 * it on first use and caching it in {@code connectionPools}.
 * <p>
 * Pool sizing: by default each pool gets half of the configured default pool
 * size (the inline comment explains why); an entry in {@code poolSize} of the
 * form {@code host:port:min:max} that matches one of the primary or secondary
 * servers overrides both numbers. Only {@code max} is handed to
 * {@code newFailoverConnectionPool}; the computed {@code min} is not passed
 * anywhere in this method, so it only affects the debug output.
 * <p>
 * TLS: when {@code isSecure} is set an {@link SSLContext} is built from the
 * JVM default trust material, or -- when {@code trustAll} is set -- with a
 * trust-all manager that disables server certificate validation (see the
 * inline security note). {@code useStartTLS} asks for STARTTLS on the same
 * context instead of LDAPS. No hostname verifier is configured on either path.
 *
 * @param connectionPools cache of pools keyed by {@code servers + ":" + bindingUser}; updated on first use
 * @param bindingUser     DN the pool binds as
 * @param bindingPwd      password for {@code bindingUser}, passed through to the pool helper
 * @return the cached or newly created pool
 * @throws LdapException     propagated from pool construction
 * @throws LDAPUtilException if the SSL context cannot be built (wraps the GeneralSecurityException)
 */
private ConnectionFactory createConnectionPool(Map<String, ConnectionFactory> connectionPools, String bindingUser, char[] bindingPwd) throws LdapException, LDAPUtilException {
    ConnectionFactory connPool;
    try {
        // One pool per (server list, bind DN) pair.
        String configName = servers.toString() + ":" + bindingUser;
        // First lookup runs outside the lock; whether that is safe depends on
        // the Map implementation the caller passes in (not visible here).
        connPool = connectionPools.get(configName);
        if (connPool == null) {
            synchronized (connectionPools) {
                // Re-check under the lock so two callers racing on first use
                // do not both build a pool for the same key.
                connPool = connectionPools.get(configName);
                Options options = Options.defaultOptions().set(REQUEST_TIMEOUT, new Duration((long) operationsTimeout, TimeUnit.MILLISECONDS));
                if (connPool == null) {
                    if (debug.messageEnabled()) {
                        debug.message("Create ConnectionPool for servers:\n" + servers);
                    }
                    // Since connection pool for search and authentication
                    // are different, each gets half the configured size
                    int min = minDefaultPoolSize / 2 + 1;
                    int max = maxDefaultPoolSize / 2;
                    if (min >= max) {
                        // Keeps min strictly below max; with max == 0 this
                        // yields -1, which is harmless because min is only
                        // logged below.
                        min = max - 1;
                    }
                    Set<LDAPURL> primaryUrls = convertToLDAPURLs(primaryServers);
                    Set<LDAPURL> secondaryUrls = convertToLDAPURLs(secondaryServers);
                    if (poolSize != null && !poolSize.isEmpty()) {
                        String tmpmin = null;
                        String tmpmax = null;
                        for (String val : poolSize) {
                            // host:port:min:max
                            StringTokenizer stz = new StringTokenizer(val, ":");
                            if (stz.countTokens() == 4) {
                                // Only an entry for one of our own servers applies;
                                // the first match wins.
                                LDAPURL url = LDAPURL.valueOf(stz.nextToken() + ":" + stz.nextToken());
                                if (primaryUrls.contains(url) || secondaryUrls.contains(url)) {
                                    tmpmin = stz.nextToken();
                                    tmpmax = stz.nextToken();
                                    break;
                                }
                            }
                        }
                        // tmpmax is non-null whenever tmpmin is: both come from
                        // the same four-token entry.
                        if (tmpmin != null) {
                            try {
                                min = Integer.parseInt(tmpmin);
                                max = Integer.parseInt(tmpmax);
                                if (max < min) {
                                    // Invalid override: fall back to the full
                                    // (not halved) defaults.
                                    debug.error("ldap connection pool max size is less than min size");
                                    min = minDefaultPoolSize;
                                    max = maxDefaultPoolSize;
                                }
                            } catch (NumberFormatException ex) {
                                debug.error("Invalid ldap connection pool size", ex);
                                min = minDefaultPoolSize;
                                max = maxDefaultPoolSize;
                            }
                        }
                    }
                    if (debug.messageEnabled()) {
                        debug.message("LDAPAuthUtils.LDAPAuthUtils: min=" + min + ", max=" + max);
                    }
                    if (isSecure) {
                        SSLContextBuilder builder = new SSLContextBuilder();
                        if (trustAll) {
                            // SECURITY: trustAll() accepts any server certificate,
                            // so the TLS channel carrying the bind credentials (and,
                            // per the comment above, authentication traffic) can be
                            // intercepted by anyone on the network path. This is a
                            // configuration escape hatch; it must not be enabled
                            // outside of test setups.
                            builder.setTrustManager(TrustManagers.trustAll());
                        }
                        SSLContext sslContext = builder.getSSLContext();
                        // Options is mutated in place here (no reassignment).
                        options.set(SSL_CONTEXT, sslContext);
                        if (useStartTLS) {
                            // Plain port, upgraded to TLS via STARTTLS using the
                            // same context (and the same trust decision).
                            options.set(SSL_USE_STARTTLS, true);
                        }
                    }
                    final ConnectionFactory connFactory;
                    // The same options instance (timeout, SSL) is shared by the
                    // primary, secondary and load-balancing factories.
                    ConnectionFactory primaryCf = newFailoverConnectionPool(primaryUrls, bindingUser, bindingPwd, max, heartBeatInterval, heartBeatTimeUnit, options);
                    if (secondaryServers.isEmpty()) {
                        connFactory = primaryCf;
                    } else {
                        ConnectionFactory secondaryCf = newFailoverConnectionPool(secondaryUrls, bindingUser, bindingPwd, max, heartBeatInterval, heartBeatTimeUnit, options);
                        connFactory = Connections.newFailoverLoadBalancer(asList(primaryCf, secondaryCf), options);
                    }
                    // Release the pool on server shutdown; the cache entry itself
                    // is never removed.
                    ShutdownManager shutdownMan = com.sun.identity.common.ShutdownManager.getInstance();
                    shutdownMan.addShutdownListener(new ShutdownListener() {
                        public void shutdown() {
                            connFactory.close();
                        }
                    });
                    connPool = connFactory;
                    connectionPools.put(configName, connPool);
                }
            }
        }
    } catch (GeneralSecurityException gse) {
        // Only builder.getSSLContext() can throw this; rewrap for callers.
        debug.error("Unable to create connection pool", gse);
        throw new LDAPUtilException(gse);
    }
    return connPool;
}