ReplSessionSecurity.java revision 3cde706b9c2ad1b6a32c5b0d55e4f0add35d315d
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
/**
* This class represents the security configuration for replication protocol
* sessions. It contains all the configuration required to use SSL, and it
* determines whether encryption should be enabled for a session to a given
* replication server.
*/
public final class ReplSessionSecurity
{
/**
* Whether replication sessions use SSL encryption.
*/
private final boolean sslEncryption;
/**
* The names of the local certificates to use, or null if none is specified.
*/
/**
* The set of enabled SSL protocols, or null for the default set.
*/
private final String sslProtocols[];
/**
* The set of enabled SSL cipher suites, or null for the default set.
*/
private final String sslCipherSuites[];
/**
* Create a ReplSessionSecurity instance from a provided multimaster domain
* configuration.
*
* @throws ConfigException
* If the supplied configuration was not valid.
*/
public ReplSessionSecurity() throws ConfigException
{
// Currently use global settings from the crypto manager.
}
/**
* Create a ReplSessionSecurity instance from the supplied configuration
* values.
*
* @param sslCertNicknames
* The names of the local certificates to use, or null if none is
* specified.
* @param sslProtocols
* The protocols that should be enabled, or null if the default
* protocols should be used.
* @param sslCipherSuites
* The cipher suites that should be enabled, or null if the default
* cipher suites should be used.
* @param sslEncryption
* Whether replication sessions use SSL encryption.
* @throws ConfigException
* If the supplied configuration was not valid.
*/
final boolean sslEncryption) throws ConfigException
{
{
this.sslProtocols = null;
}
else
{
}
{
this.sslCipherSuites = null;
}
else
{
}
this.sslEncryption = sslEncryption;
this.sslCertNicknames = sslCertNicknames;
}
/**
* Create a new protocol session in the client role on the provided socket.
*
* @param socket
* The connected socket.
* @param soTimeout
* The socket timeout option to use for the protocol session.
* @return The new protocol session.
* @throws ConfigException
* If the protocol session could not be established due to a
* configuration problem.
* @throws IOException
* If the protocol session could not be established for some other
* reason.
*/
{
boolean hasCompleted = false;
try
{
// Create a new SSL context every time to make sure we pick up the
// latest contents of the trust store.
final SSLContext sslContext = cryptoManager.getSslContext(REPLICATION_CLIENT_NAME, sslCertNicknames);
secureSocket.setUseClientMode(true);
if (sslProtocols != null)
{
}
if (sslCipherSuites != null)
{
}
// Force TLS negotiation now.
hasCompleted = true;
}
finally
{
if (!hasCompleted)
{
}
}
}
/**
* Create a new protocol session in the server role on the provided socket.
*
* @param socket
* The connected socket.
* @param soTimeout
* The socket timeout option to use for the protocol session.
* @return The new protocol session.
* @throws ConfigException
* If the protocol session could not be established due to a
* configuration problem.
* @throws IOException
* If the protocol session could not be established for some other
* reason.
*/
{
boolean hasCompleted = false;
try
{
// Create a new SSL context every time to make sure we pick up the
// latest contents of the trust store.
final SSLContext sslContext = cryptoManager.getSslContext(REPLICATION_SERVER_NAME, sslCertNicknames);
secureSocket.setUseClientMode(false);
secureSocket.setNeedClientAuth(true);
if (sslProtocols != null)
{
}
if (sslCipherSuites != null)
{
}
// Force TLS negotiation now.
hasCompleted = true;
}
catch (final SSLException e)
{
// This is probably a connection attempt from an unexpected client
// log that to warn the administrator.
return null;
}
finally
{
if (!hasCompleted)
{
}
}
}
/**
* Determine whether sessions to a given replication server should be
* encrypted.
*
* @return true if sessions to the given replication server should be
* encrypted, or false if they should not be encrypted.
*/
public boolean isSslEncryption()
{
// Currently use global settings from the crypto manager.
return sslEncryption;
}
/** {@inheritDoc} */
{
}
}