Use of org.wso2.securevault.SecretResolver in project wso2-synapse by wso2.
The class ClientConnFactoryBuilder, method getCustomSSLContexts.
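/**
 * Looks for a transport parameter named {@code customSSLProfiles} and initializes zero or more
 * custom {@link SSLContext} instances. The syntax for defining custom SSL profiles is as follows.
 * <p>
 * <pre>{@code
 * <parameter name="customSSLProfiles">
 *   <profile novalidatecert="false">
 *     <servers>www.test.org:80, www.test2.com:9763</servers>
 *     <KeyStore>
 *       <Location>/path/to/identity/store</Location>
 *       <Type>JKS</Type>
 *       <Password>password</Password>
 *       <KeyPassword>password</KeyPassword>
 *     </KeyStore>
 *     <TrustStore>
 *       <Location>/path/to/trust/store</Location>
 *       <Type>JKS</Type>
 *       <Password>password</Password>
 *     </TrustStore>
 *   </profile>
 * </parameter>
 * }</pre>
 * <p>
 * Any number of profiles can be defined under the customSSLProfiles parameter. Secure-vault
 * aliases inside the parameter are resolved before the stores are read. The optional
 * {@code novalidatecert="true"} attribute on a profile is forwarded to
 * {@code createSSLContext}, which only honours it when no truststore is given.
 *
 * @param transportOut transport out description
 * @return a map of {@code host:port} server addresses to SSL contexts, or {@code null} when the
 *         parameter is absent or yields no server entry
 * @throws AxisFault if at least one SSL profile is not properly configured (no servers given)
 * @throws InvalidConfigurationException if a profile's SSL context cannot be created
 */
private Map<String, SSLContext> getCustomSSLContexts(TransportOutDescription transportOut) throws AxisFault {
    TransportOutDescription customSSLProfileTransport = loadDynamicSSLConfig(transportOut);
    Parameter customProfilesParam = customSSLProfileTransport.getParameter("customSSLProfiles");
    if (customProfilesParam == null) {
        return null;
    }
    if (log.isInfoEnabled()) {
        log.info(name + " Loading custom SSL profiles for the HTTPS sender");
    }
    OMElement customProfilesElt = customProfilesParam.getParameterElement();
    // Resolve secure-vault aliases in place before any store password is read from the element.
    Utils.resolveOMElementChildValues(customProfilesElt);
    SecretResolver secretResolver = SecretResolverFactory.create(customProfilesElt, true);
    Iterator<?> profiles = customProfilesElt.getChildrenWithName(new QName("profile"));
    Map<String, SSLContext> contextMap = new HashMap<String, SSLContext>();
    while (profiles.hasNext()) {
        OMElement profile = (OMElement) profiles.next();
        OMElement serversElt = profile.getFirstChildWithName(new QName("servers"));
        // A missing <servers> element and a blank one are the same misconfiguration. The blank
        // case previously passed the check and registered the context under the empty-string key.
        String serversText = serversElt == null ? null : serversElt.getText();
        if (serversText == null || serversText.trim().length() == 0) {
            String msg = "Each custom SSL profile must define at least one host:port pair under the servers element";
            log.error(name + " " + msg);
            throw new AxisFault(msg);
        }
        String[] servers = serversText.split(",");
        OMElement ksElt = profile.getFirstChildWithName(new QName("KeyStore"));
        OMElement trElt = profile.getFirstChildWithName(new QName("TrustStore"));
        String noValCert = profile.getAttributeValue(new QName("novalidatecert"));
        boolean novalidatecert = "true".equals(noValCert);
        SSLContext sslContext;
        try {
            sslContext = createSSLContext(ksElt, trElt, novalidatecert, secretResolver);
        } catch (AxisFault axisFault) {
            String err = "Error occurred while creating SSL context for the servers " + serversText;
            // This runtime exception stops the server startup, but it does not affect a dynamic change.
            throw new InvalidConfigurationException(err, axisFault);
        }
        for (String rawServer : servers) {
            String server = rawServer.trim();
            if (server.length() == 0) {
                // "a,,b" or a stray comma: nothing to map, and an empty key would never match a host.
                continue;
            }
            if (contextMap.containsKey(server)) {
                // First profile wins; later duplicates are reported, not applied.
                if (log.isWarnEnabled()) {
                    log.warn(name + " Multiple SSL profiles were found for the server : " + server + ". Ignoring the excessive profiles.");
                }
            } else {
                contextMap.put(server, sslContext);
            }
        }
    }
    if (contextMap.isEmpty()) {
        return null;
    }
    if (log.isInfoEnabled()) {
        log.info(name + " Custom SSL profiles initialized for " + contextMap.size() + " servers");
    }
    return contextMap;
}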
Use of org.wso2.securevault.SecretResolver in project wso2-synapse by wso2.
The class ClientConnFactoryBuilder, method createSSLContext.
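/**
 * Creates an {@link SSLContext} from the {@code KeyStore} / {@code TrustStore} elements of an SSL
 * profile.
 * <p>
 * Store passwords are read through a secret resolver (the Axis2-wide one when the configuration
 * context provides it, otherwise one created from the KeyStore element), so they may be
 * secure-vault aliases rather than plain text. The protocol name comes from the
 * {@code SSLProtocol} transport parameter and defaults to {@code TLS}.
 *
 * @param keyStoreElt    the {@code KeyStore} (identity) element; {@code null} means no client key
 *                       material is configured
 * @param trustStoreElt  the {@code TrustStore} element; {@code null} means the platform default
 *                       trust managers are used unless {@code novalidatecert} is set
 * @param novalidatecert when {@code true} and no truststore is given, installs a
 *                       {@link NoValidateCertTrustManager} that accepts every server certificate;
 *                       ignored (with a warning) when a truststore is present
 * @return an initialized SSL context
 * @throws AxisFault if a required child element ({@code Location}, {@code Type}, {@code Password},
 *                   {@code KeyPassword}) is missing, a store cannot be opened or loaded, or the
 *                   context cannot be initialized
 */
private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreElt, boolean novalidatecert) throws AxisFault {
    KeyManager[] keymanagers = null;
    TrustManager[] trustManagers = null;
    // Prefer the server-wide resolver; fall back to one derived from the KeyStore element itself.
    SecretResolver resolver;
    if (configurationContext != null && configurationContext.getAxisConfiguration() != null) {
        resolver = configurationContext.getAxisConfiguration().getSecretResolver();
    } else {
        resolver = SecretResolverFactory.create(keyStoreElt, false);
    }
    if (keyStoreElt != null) {
        // Location and Type used to be dereferenced unchecked and NPE'd when absent; they now fail
        // with the same kind of AxisFault as a missing Password element.
        String location = requiredChildText(keyStoreElt, "Location", "KeyStore");
        String type = requiredChildText(keyStoreElt, "Type", "KeyStore");
        OMElement passwordElement = keyStoreElt.getFirstChildWithName(new QName("Password"));
        OMElement keyPasswordElement = keyStoreElt.getFirstChildWithName(new QName("KeyPassword"));
        if (passwordElement == null) {
            throw new AxisFault("Cannot proceed because Password element is missing in KeyStore");
        }
        if (keyPasswordElement == null) {
            throw new AxisFault("Cannot proceed because KeyPassword element is missing in KeyStore");
        }
        String storePassword = SecureVaultValueReader.getSecureVaultValue(resolver, passwordElement);
        String keyPassword = SecureVaultValueReader.getSecureVaultValue(resolver, keyPasswordElement);
        if (log.isDebugEnabled()) {
            log.debug(name + " Loading Identity Keystore from : " + location);
        }
        KeyStore keyStore = loadKeyStore(location, type, storePassword, "Keystore");
        try {
            KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmfactory.init(keyStore, keyPassword.toCharArray());
            keymanagers = kmfactory.getKeyManagers();
        } catch (GeneralSecurityException gse) {
            log.error(name + " Error loading Keystore : " + location, gse);
            throw new AxisFault("Error loading Keystore : " + location, gse);
        }
    }
    if (trustStoreElt != null) {
        if (novalidatecert && log.isWarnEnabled()) {
            log.warn(name + " Ignoring novalidatecert parameter since a truststore has been specified");
        }
        String location = requiredChildText(trustStoreElt, "Location", "TrustStore");
        String type = requiredChildText(trustStoreElt, "Type", "TrustStore");
        OMElement passwordElement = trustStoreElt.getFirstChildWithName(new QName("Password"));
        if (passwordElement == null) {
            throw new AxisFault("Cannot proceed because Password element is missing in TrustStore");
        }
        String storePassword = SecureVaultValueReader.getSecureVaultValue(resolver, passwordElement);
        if (log.isDebugEnabled()) {
            log.debug(name + " Loading Trust Keystore from : " + location);
        }
        KeyStore trustStore = loadKeyStore(location, type, storePassword, "Key store");
        try {
            TrustManagerFactory trustManagerfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerfactory.init(trustStore);
            trustManagers = trustManagerfactory.getTrustManagers();
        } catch (GeneralSecurityException gse) {
            log.error(name + " Error loading Key store : " + location, gse);
            throw new AxisFault("Error loading Key store : " + location, gse);
        }
    } else if (novalidatecert) {
        // Trust-all manager: the peer certificate is never checked, so the connection has no
        // protection against an interposed server. Intended for test setups; the warning is deliberate.
        if (log.isWarnEnabled()) {
            log.warn(name + " Server certificate validation (trust) has been disabled. " + "DO NOT USE IN PRODUCTION!");
        }
        trustManagers = new TrustManager[] { new NoValidateCertTrustManager() };
    }
    try {
        final Parameter sslpParameter = transportOut.getParameter("SSLProtocol");
        // A parameter declared without a value used to NPE here; treat it like an absent parameter.
        final String sslProtocol = sslpParameter != null && sslpParameter.getValue() != null ? sslpParameter.getValue().toString() : "TLS";
        SSLContext sslcontext = SSLContext.getInstance(sslProtocol);
        // null key or trust managers select the provider defaults; null SecureRandom does the same.
        sslcontext.init(keymanagers, trustManagers, null);
        return sslcontext;
    } catch (GeneralSecurityException gse) {
        log.error(name + " Unable to create SSL context with the given configuration", gse);
        throw new AxisFault("Unable to create SSL context with the given configuration", gse);
    }
}

/**
 * Returns the text of a mandatory child element of a store definition.
 *
 * @param parent    the {@code KeyStore} or {@code TrustStore} element
 * @param childName the local name of the required child (e.g. {@code Location})
 * @param storeName the store's element name, used in the error message
 * @return the child's text content
 * @throws AxisFault if the child element is absent
 */
private static String requiredChildText(OMElement parent, String childName, String storeName) throws AxisFault {
    OMElement child = parent.getFirstChildWithName(new QName(childName));
    if (child == null) {
        throw new AxisFault("Cannot proceed because " + childName + " element is missing in " + storeName);
    }
    return child.getText();
}

/**
 * Opens a store file and loads it with the given password, always closing the stream.
 *
 * @param location      path of the store file
 * @param type          {@link KeyStore} type, e.g. {@code JKS}
 * @param storePassword the (already resolved) store password
 * @param storeLabel    label used in log and fault messages ({@code Keystore} / {@code Key store})
 * @return the loaded store
 * @throws AxisFault wrapping the {@link GeneralSecurityException} or {@link IOException} that
 *                   prevented loading
 */
private KeyStore loadKeyStore(String location, String type, String storePassword, String storeLabel) throws AxisFault {
    FileInputStream fis = null;
    try {
        KeyStore store = KeyStore.getInstance(type);
        fis = new FileInputStream(location);
        store.load(fis, storePassword.toCharArray());
        return store;
    } catch (GeneralSecurityException gse) {
        log.error(name + " Error loading " + storeLabel + " : " + location, gse);
        throw new AxisFault("Error loading " + storeLabel + " : " + location, gse);
    } catch (IOException ioe) {
        log.error(name + " Error opening " + storeLabel + " : " + location, ioe);
        throw new AxisFault("Error opening " + storeLabel + " : " + location, ioe);
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (IOException ignored) {
                // The store is already loaded (or we are already propagating a fault); a close
                // failure on a read-only stream carries no information worth surfacing.
            }
        }
    }
}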
Use of org.wso2.securevault.SecretResolver in project wso2-synapse by wso2.
The class VFSTransportListener, method generateSecureVaultProperties.
/**
 * Builds the secure-vault-aware property set for this transport listener.
 * <p>
 * Every transport parameter becomes one property. A parameter that is declared as an XML element
 * is passed through {@code MiscellaneousUtil.resolve} so that secure-vault aliases are replaced by
 * the resolved secret; a plain parameter is copied as its string value. The returned object may
 * therefore hold resolved secrets and should not be logged wholesale.
 *
 * @param inDescription the transport-in description whose parameters are exported
 * @return the properties derived from the transport parameters
 * @throws SecureVaultException if an element parameter needs resolving but the Axis2
 *                              configuration has no secret resolver
 */
private Properties generateSecureVaultProperties(TransportInDescription inDescription) {
    SecretResolver vaultResolver = getConfigurationContext().getAxisConfiguration().getSecretResolver();
    Properties result = new Properties();
    for (Parameter param : inDescription.getParameters()) {
        String value = param.getValue().toString();
        OMElement element = param.getParameterElement();
        if (element != null) {
            if (vaultResolver == null) {
                throw new SecureVaultException("Cannot resolve secret password because axis2 secret resolver " + "is null");
            }
            // Element form: the value may be a vault alias, so resolve rather than copy.
            value = MiscellaneousUtil.resolve(element, vaultResolver);
        }
        result.setProperty(param.getName().toString(), value);
    }
    return result;
}
Use of org.wso2.securevault.SecretResolver in project carbon-business-process by wso2.
The class BPSAnalyticsConfiguration, method initConfigurationFromFile.
/**
 * Initializes this configuration object from the BPS Analytics configuration XML file.
 * <p>
 * A {@link SecretResolver} is derived from the document's root element so that vault-protected
 * values in the analytics server section can be resolved. Failing to build that resolver is
 * logged and tolerated: initialization continues with a {@code null} resolver.
 *
 * @param BPSAnalyticsConfigurationFile the BPS Analytics configuration XML file
 */
private void initConfigurationFromFile(File BPSAnalyticsConfigurationFile) {
    SecretResolver resolver = buildSecretResolver(BPSAnalyticsConfigurationFile);
    TBPSAnalytics analytics = bpsAnalyticsDocument.getBPSAnalytics();
    if (analytics == null) {
        return;
    }
    if (analytics.getAnalyticServer() != null) {
        initAnalytics(resolver, analytics.getAnalyticServer());
    }
    if (analytics.getBPMN() != null) {
        initBPMNAnalytics(analytics.getBPMN());
    }
}

/**
 * Parses the configuration file with StAX and creates a secret resolver from its root element.
 *
 * @param configFile the BPS Analytics configuration XML file
 * @return the resolver, or {@code null} if reading or parsing the file failed (the failure is
 *         logged at warn level)
 */
private SecretResolver buildSecretResolver(File configFile) {
    SecretResolver resolver = null;
    try (InputStream in = new FileInputStream(configFile)) {
        StAXOMBuilder builder = new StAXOMBuilder(in);
        resolver = SecretResolverFactory.create(builder.getDocumentElement(), true);
    } catch (Exception e) {
        log.warn("Error occurred while retrieving secured BPS Analytics configuration.", e);
    }
    return resolver;
}
Use of org.wso2.securevault.SecretResolver in project carbon-business-process by wso2.
The class UnifiedEndpointFactory, method createEndpoint.
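/**
 * Builds a {@link UnifiedEndpoint} from its XML configuration element.
 * <p>
 * The WS-Addressing endpoint reference is read first. The optional metadata child then
 * contributes the endpoint id, discovery, timeout, WSDL 1.1 definitions, message output,
 * transport settings (including basic-auth credentials, see
 * {@link #extractTransportAuthorization}), monitoring, QoS and session settings.
 *
 * @param uEPConfigEle the unified endpoint configuration element
 * @return the populated endpoint
 * @throws AxisFault if the endpoint reference or one of the metadata sections cannot be parsed
 */
public UnifiedEndpoint createEndpoint(OMElement uEPConfigEle) throws AxisFault {
    UnifiedEndpoint unifiedEndpoint = new UnifiedEndpoint();
    EndpointReferenceHelper.fromOM(unifiedEndpoint, uEPConfigEle, AddressingConstants.Final.WSA_NAMESPACE);
    OMElement metadataElem = uEPConfigEle.getFirstChildWithName(UnifiedEndpointConstants.METADATA_Q);
    if (metadataElem == null) {
        return unifiedEndpoint;
    }
    OMElement idElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.METADATA_ID_Q);
    if (idElem != null) {
        unifiedEndpoint.setUepId(idElem.getText());
    } else {
        log.error("UEP Configuration violation: " + UnifiedEndpointConstants.METADATA_ID_Q + " not found");
    }
    // Each optional section is looked up once; the element tree used to be re-queried on every
    // access, which is slower and buried the intent under very long expressions.
    // Discovery
    OMElement discoveryElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.METADATA_DISCOVERY_Q);
    if (discoveryElem != null) {
        extractDiscoveryConfig(unifiedEndpoint, discoveryElem);
    }
    // Timeout
    OMElement timeoutElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.TIMEOUT_Q);
    if (timeoutElem != null) {
        extractTimeoutConfig(unifiedEndpoint, timeoutElem);
    }
    // WSDL definitions
    OMElement wsdl11Elem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.METADATA_WSDL11_DEFINITIONS_Q);
    if (wsdl11Elem != null) {
        unifiedEndpoint.setWsdl11Definitions(wsdl11Elem);
    }
    // MessageOutput
    OMElement messageOutputElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.MESSAGE_OUTPUT_Q);
    if (messageOutputElem != null) {
        extractMessageOutPutConfig(unifiedEndpoint, messageOutputElem);
    }
    // Transport (and the basic-auth credentials nested under it)
    OMElement transportElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.TRANSPORT_Q);
    if (transportElem != null) {
        extractTransportConfig(unifiedEndpoint, transportElem);
        extractTransportAuthorization(unifiedEndpoint, transportElem);
    }
    // Monitoring
    OMElement monitoringElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.MONITORING_Q);
    if (monitoringElem != null) {
        extractMetadataMonitoringConfig(unifiedEndpoint, monitoringElem);
    }
    // QoS
    OMElement qosElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.QOS_Q);
    if (qosElem != null) {
        extractQoSConfig(unifiedEndpoint, qosElem);
    }
    // Session
    OMElement sessionElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.SESSION_Q);
    if (sessionElem != null) {
        String sessionType = sessionElem.getAttributeValue(UnifiedEndpointConstants.SESSION_TYPE_Q);
        if (sessionType != null) {
            unifiedEndpoint.setSessionType(sessionType);
        }
    }
    return unifiedEndpoint;
}

/**
 * Reads the optional authorization username and password nested under the transport element.
 * <p>
 * When the password element carries a secure-vault {@code secretAlias} attribute and the vault is
 * initialized and protects that alias, the resolved secret is used. In every other case the
 * element text is used as-is, i.e. as a plain-text password. An alias that cannot be resolved is
 * reported at warn level (the alias only, never the value) because a silently ignored vault
 * configuration is otherwise hard to notice.
 *
 * @param unifiedEndpoint the endpoint to populate
 * @param transportElem   the transport element of the endpoint metadata
 */
private void extractTransportAuthorization(UnifiedEndpoint unifiedEndpoint, OMElement transportElem) {
    OMElement userElem = transportElem.getFirstChildWithName(UnifiedEndpointConstants.TRANSPORT_AUTHORIZATION_USERNAME_Q);
    if (userElem != null) {
        unifiedEndpoint.setAuthorizationUserName(userElem.getText());
    }
    OMElement passwordElem = transportElem.getFirstChildWithName(UnifiedEndpointConstants.TRANSPORT_AUTHORIZATION_PASSWORD_Q);
    if (passwordElem == null) {
        return;
    }
    String secretAlias = passwordElem.getAttributeValue(new QName(UnifiedEndpointConstants.SECURE_VAULT_NS, UnifiedEndpointConstants.SECRET_ALIAS_ATTR_NAME));
    if (secretAlias != null) {
        secretAlias = secretAlias.trim();
    }
    if (secretAlias != null && !secretAlias.isEmpty()) {
        SecretResolver secretResolver = SecretResolverFactory.create(transportElem, false);
        if (secretResolver != null && secretResolver.isInitialized() && secretResolver.isTokenProtected(secretAlias)) {
            unifiedEndpoint.setAuthorizationPassword(secretResolver.resolve(secretAlias));
            return;
        }
        // Alias given but the vault is not configured for it: fall back to the element text.
        log.warn("Secure vault alias '" + secretAlias + "' for the transport authorization password could not be resolved; using the plain-text element value instead");
    }
    unifiedEndpoint.setAuthorizationPassword(passwordElem.getText());
}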