<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "/shared/stax.dtd">
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
! add the following below this CDDL HEADER, with the fields enclosed
! by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
! Copyright 2008 Sun Microsystems, Inc.
! -->
<stax>
<!-- **************************************************** -->
<!-- generate a certificate -->
<!-- **************************************************** -->
<function name="genCertificate" scope="local">
  <function-prolog>
    Creates a key pair and a self-issued certificate for it in a key store
    by running keytool -genkey on the target host. runCommand is given
    dsPath/config as its 'path' (presumably the working directory), and
    keytool is resolved from the job-level JAVA_HOME variable. Both the
    store and the key password travel on the keytool command line, so the
    defaults are test fixtures only. Returns STAXResult from runCommand.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which keytool is executed
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root; dsPath/config is handed to runCommand as 'path'
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias under which the new key entry is stored
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="dname" type="optional"
                      default="'cn=server,O=Sun Microsystems,C=US'">
      <function-arg-description>
        X.500 subject of the certificate; it is wrapped in double quotes
        for -dname, so the value must not contain one itself
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystore" type="optional" default="'keystore'">
      <function-arg-description>
        Key store file name (or path) passed to -keystore
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storepass" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Key store integrity password (-storepass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keypass" type="optional" default="'servercert'">
      <function-arg-description>
        Password protecting the private key entry (-keypass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storetype" type="optional" default="'JKS'">
      <function-arg-description>
        Key store type, JKS or PKCS12
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="expectedRC" type="optional" default="0">
      <function-arg-description>
        Return code runCommand checks for (default 0); the value 'noCheck'
        skips the check
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Derive the instance directories; dsBinPath is kept for callers
      # that may read it from this scope even though this function does
      # not use it itself.
      if dsPath:
        dsConfigPath = '%s/config' % dsPath
        dsBinPath = '%s/bin' % dsPath
      # keytool options, grouped exactly as the three former arg strings
      keytoolArgs = ' '.join([
        '-genkey -alias %s -keyalg rsa -dname "%s"' % (certAlias, dname),
        '-keystore %s -storepass %s' % (keystore, storepass),
        '-keypass %s -storetype %s' % (keypass, storetype)
      ])
    </script>
    <call function="'runCommand'">
      {
        'name'       : 'Generate a Certificate',
        'location'   : location,
        'command'    : '%s/bin/keytool' % JAVA_HOME,
        'arguments'  : keytoolArgs,
        'path'       : dsConfigPath,
        'expectedRC' : expectedRC,
        'fileFd'     : fileFd
      }
    </call>
    <return>STAXResult</return>
  </sequence>
</function>
<!-- **************************************************** -->
<!-- Self-sign a certificate -->
<!-- **************************************************** -->
<function name="SelfSignCertificate" scope="local">
  <function-prolog>
    Replaces the certificate stored under certAlias with a self-signed
    one by running keytool -selfcert on the target host. keytool comes
    from the job-level JAVA_HOME and runCommand receives dsPath/config as
    'path'. Passwords are passed on the command line, so treat them as
    test fixtures. Returns STAXResult from runCommand.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which keytool is executed
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root; dsPath/config is handed to runCommand as 'path'
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias of the key entry to self-sign
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystore" type="optional" default="'keystore'">
      <function-arg-description>
        Key store file name (or path) passed to -keystore
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storepass" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Key store integrity password (-storepass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keypass" type="optional" default="'servercert'">
      <function-arg-description>
        Password protecting the private key entry (-keypass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storetype" type="optional" default="'JKS'">
      <function-arg-description>
        Key store type, JKS or PKCS12
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="expectedRC" type="optional" default="0">
      <function-arg-description>
        Return code runCommand checks for (default 0); the value 'noCheck'
        skips the check
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Instance directories; dsBinPath is unused here but left in place
      # for anything that reads it from this scope.
      if dsPath:
        dsConfigPath = '%s/config' % dsPath
        dsBinPath = '%s/bin' % dsPath
      # Same two option groups as before, joined by a single space
      selfcertOpts = '-selfcert -alias %s -keystore "%s"' % (certAlias, keystore)
      credentialOpts = '-keypass "%s" -storepass "%s" -storetype "%s"' % \
                       (keypass, storepass, storetype)
      keytoolArgs = ' '.join([selfcertOpts, credentialOpts])
    </script>
    <call function="'runCommand'">
      {
        'name'       : 'Generate a Self-Signed Server Certificate',
        'location'   : location,
        'command'    : '%s/bin/keytool' % JAVA_HOME,
        'arguments'  : keytoolArgs,
        'path'       : dsConfigPath,
        'expectedRC' : expectedRC,
        'fileFd'     : fileFd
      }
    </call>
    <return>STAXResult</return>
  </sequence>
</function>
<!-- **************************************************** -->
<!-- Export a certificate -->
<!-- **************************************************** -->
<function name="ExportCertificate" scope="local">
  <function-prolog>
    Writes the certificate stored under certAlias to outputfile with
    keytool -export. When 'format' is given it is turned into an extra
    keytool flag by prefixing a dash (e.g. 'rfc' becomes -rfc); the value
    is not validated here, so callers own its correctness. keytool comes
    from the job-level JAVA_HOME and runCommand receives dsPath/config as
    'path'. Returns STAXResult from runCommand.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which keytool is executed
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root; dsPath/config is handed to runCommand as 'path'
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias of the entry whose certificate is exported
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystore" type="optional" default="'keystore'">
      <function-arg-description>
        Key store file name (or path) passed to -keystore
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storepass" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Key store integrity password (-storepass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="format" type="optional">
      <function-arg-description>
        Optional output format flag without its leading dash; omitted
        means keytool's default binary (DER) encoding
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storetype" type="optional" default="'JKS'">
      <function-arg-description>
        Key store type, JKS or PKCS12
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="outputfile" type="required">
      <function-arg-description>
        File the certificate is written to (-file)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="expectedRC" type="optional" default="0">
      <function-arg-description>
        Return code runCommand checks for (default 0); the value 'noCheck'
        skips the check
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Instance directories; dsBinPath is unused here but left in place
      # for anything that reads it from this scope.
      if dsPath:
        dsConfigPath = '%s/config' % dsPath
        dsBinPath = '%s/bin' % dsPath
      # An optional format is passed through verbatim as a '-<format>' flag
      formatFlag = ''
      if format:
        formatFlag = '-%s' % format
      keytoolArgs = ' '.join([
        '-export -alias %s -file %s' % (certAlias, outputfile),
        '-keystore "%s" -storepass "%s" -storetype %s %s' % \
          (keystore, storepass, storetype, formatFlag)
      ])
    </script>
    <call function="'runCommand'">
      {
        'name'       : 'Export a Certificate',
        'location'   : location,
        'command'    : '%s/bin/keytool' % JAVA_HOME,
        'arguments'  : keytoolArgs,
        'path'       : dsConfigPath,
        'expectedRC' : expectedRC,
        'fileFd'     : fileFd
      }
    </call>
    <return>STAXResult</return>
  </sequence>
</function>
<!-- **************************************************** -->
<!-- Import a certificate -->
<!-- **************************************************** -->
<function name="ImportCertificate" scope="local">
  <function-prolog>
    Imports the certificate in inputfile into the key store under
    certAlias with keytool -import. The call uses -noprompt, so keytool's
    interactive "trust this certificate?" confirmation is skipped and
    whatever inputfile names is trusted unconditionally; callers are
    expected to control that file. keytool comes from the job-level
    JAVA_HOME and runCommand receives dsPath/config as 'path'. Returns
    STAXResult from runCommand.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which keytool is executed
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root; dsPath/config is handed to runCommand as 'path'
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias the imported certificate is stored under
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystore" type="optional" default="'keystore'">
      <function-arg-description>
        Key store file name (or path) passed to -keystore
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storepass" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Key store integrity password (-storepass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storetype" type="optional" default="'JKS'">
      <function-arg-description>
        Key store type, JKS or PKCS12
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="inputfile" type="required">
      <function-arg-description>
        Certificate file to import (-file)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="expectedRC" type="optional" default="0">
      <function-arg-description>
        Return code runCommand checks for (default 0); the value 'noCheck'
        skips the check
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Instance directories; dsBinPath is unused here but left in place
      # for anything that reads it from this scope.
      if dsPath:
        dsConfigPath = '%s/config' % dsPath
        dsBinPath = '%s/bin' % dsPath
      # keytool options, grouped exactly as the three former arg strings
      keytoolArgs = ' '.join([
        '-import -alias %s -file %s' % (certAlias, inputfile),
        '-keystore "%s" -storepass "%s"' % (keystore, storepass),
        '-storetype %s -noprompt' % storetype
      ])
    </script>
    <call function="'runCommand'">
      {
        'name'       : 'Import a Certificate',
        'location'   : location,
        'command'    : '%s/bin/keytool' % JAVA_HOME,
        'arguments'  : keytoolArgs,
        'path'       : dsConfigPath,
        'expectedRC' : expectedRC,
        'fileFd'     : fileFd
      }
    </call>
    <return>STAXResult</return>
  </sequence>
</function>
<!-- **************************************************** -->
<!-- get MD5 and SHA1 values -->
<!-- **************************************************** -->
<function name="getFingerprint" scope="local">
  <function-prolog>
    Lists the key store entry for certAlias verbosely with keytool
    -list -v so that its fingerprints appear in the command output.
    The 'fingerprint' argument is accepted but not used by this
    function: nothing here filters the output by digest, so the caller
    picks the line it wants out of STAXResult. keytool comes from the
    job-level JAVA_HOME and runCommand receives dsPath/config as 'path'.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which keytool is executed
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root; dsPath/config is handed to runCommand as 'path'
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias of the entry to list
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystore" type="optional" default="'keystore'">
      <function-arg-description>
        Key store file name (or path) passed to -keystore
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="storepass" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Key store integrity password (-storepass)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fingerprint" type="optional" default="'MD5'">
      <function-arg-description>
        Digest the caller is interested in, MD5 or SHA1; currently not
        used to restrict the keytool output
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="expectedRC" type="optional" default="0">
      <function-arg-description>
        Return code runCommand checks for (default 0); the value 'noCheck'
        skips the check
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Instance directories; dsBinPath is unused here but left in place
      # for anything that reads it from this scope.
      if dsPath:
        dsConfigPath = '%s/config' % dsPath
        dsBinPath = '%s/bin' % dsPath
      # Verbose listing of a single alias
      keytoolArgs = '-list -v -keystore "%s" -storepass "%s" -alias "%s"' % \
                    (keystore, storepass, certAlias)
    </script>
    <call function="'runCommand'">
      {
        'name'       : 'getFingerprint',
        'location'   : location,
        'command'    : '%s/bin/keytool' % JAVA_HOME,
        'arguments'  : keytoolArgs,
        'path'       : dsConfigPath,
        'expectedRC' : expectedRC,
        'fileFd'     : fileFd
      }
    </call>
    <return>STAXResult</return>
  </sequence>
</function>
<!-- ################################################## -->
<!-- configure SSL -->
<!-- ################################################## -->
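<function name="configureSSL" scope="local">
  <function-prolog>
    Makes the dsconfig changes that enable LDAPS on a running instance:
    a key manager provider reading config/keystore, a trust manager
    provider, and the LDAPS Connection Handler listening on the
    job-level DIRECTORY_INSTANCE_SSL_PORT. With customKeyMgr and
    customTrustMgr blank (the default) the stock providers named by
    keystoreType and 'Blind Trust' are reconfigured and enabled; a
    non-blank name creates a new provider of that name and the handler
    is pointed at it. A whitespace-only name counts as blank in every
    step of this function. The Blind Trust provider accepts any peer
    certificate, so the resulting listener is only suitable for test
    instances. extraParams is accepted but not used here.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which dsconfig is executed
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root of the instance
      </function-arg-description>
      <function-arg-property name="type" value="filepath"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceHost" type="optional"
                      default="STAXServiceMachine">
      <function-arg-description>
        Directory server hostname or IP address
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePort" type="required">
      <function-arg-description>
        Directory server (administration) port number
      </function-arg-description>
      <function-arg-property name="type" value="Port number"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceDn" type="required">
      <function-arg-description>
        Bind DN
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias of the server certificate (ssl-cert-nickname)
      </function-arg-description>
      <function-arg-property name="type" value="DN"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePswd" type="required">
      <function-arg-description>
        Bind password
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystoreType" type="optional" default="'JKS'">
      <function-arg-description>
        Keystore type, JKS or PKCS12; also the name of the stock key
        manager provider used when customKeyMgr is blank
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystorePin" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Keystore pin, set as key-store-pin on the provider
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="customKeyMgr" type="optional" default="''">
      <function-arg-description>
        Name of a key manager provider to create; blank or whitespace
        means reuse the stock provider named by keystoreType
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="customTrustMgr" type="optional" default="''">
      <function-arg-description>
        Name of a trust manager provider to create; blank or whitespace
        means reuse the stock 'Blind Trust' provider
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="extraParams" type="optional">
      <function-arg-description>
        Optional extra parameters for specific test cases (unused here)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # One definition of "custom" for the whole function. Previously the
      # create/set choice used strip() while the connection-handler step
      # used plain truthiness, so a whitespace-only name enabled the stock
      # provider and then pointed the handler at a provider named "  ".
      useCustomKeyMgr = len(customKeyMgr.strip()) != 0
      useCustomTrustMgr = len(customTrustMgr.strip()) != 0
    </script>
    <!-- configure Key Manager Provider -->
    <call function="'writeMessage'">
      {
        'content' : 'Configure Key Manager Provider',
        'fileFd'  : fileFd
      }
    </call>
    <if expr="useCustomKeyMgr">
      <sequence>
        <script>
          # key-store-type stays pinned to JKS here as it always was; it
          # does not follow keystoreType, which in the else branch names
          # the stock provider rather than a store type.
          # NOTE(review): confirm whether any caller reaches this branch
          # with a PKCS12 store.
          opts = ' '.join([
            '--type file-based --set enabled:true',
            '--set key-store-file:config/keystore',
            '--set key-store-pin:%s --set key-store-type:JKS' % keystorePin
          ])
        </script>
        <call function="'dsconfig'">
          { 'location'       : location,
            'dsPath'         : dsPath,
            'dsInstanceHost' : dsInstanceHost,
            'dsInstancePort' : dsInstancePort,
            'dsInstanceDn'   : dsInstanceDn,
            'dsInstancePswd' : dsInstancePswd,
            'subcommand'     : 'create-key-manager-provider',
            'objectType'     : 'provider-name',
            'objectName'     : customKeyMgr,
            'optionsString'  : opts,
            'expectedRC'     : 0,
            'fileFd'         : fileFd
          }
        </call>
      </sequence>
      <else>
        <sequence>
          <script>
            # Reconfigure the stock provider: point it at config/keystore,
            # drop any pin file in favour of an inline pin, and enable it.
            opts = ' '.join([
              '--set key-store-file:config/keystore',
              '--reset key-store-pin-file',
              '--set key-store-pin:%s --set enabled:true' % keystorePin
            ])
          </script>
          <call function="'dsconfig'">
            { 'location'       : location,
              'dsPath'         : dsPath,
              'dsInstanceHost' : dsInstanceHost,
              'dsInstancePort' : dsInstancePort,
              'dsInstanceDn'   : dsInstanceDn,
              'dsInstancePswd' : dsInstancePswd,
              'subcommand'     : 'set-key-manager-provider-prop',
              'objectType'     : 'provider-name',
              'objectName'     : keystoreType,
              'optionsString'  : opts,
              'expectedRC'     : 0,
              'fileFd'         : fileFd
            }
          </call>
        </sequence>
      </else>
    </if>
    <!-- configure Trust Manager Provider -->
    <call function="'writeMessage'">
      {
        'content' : 'Configure Trust Manager Provider',
        'fileFd'  : fileFd
      }
    </call>
    <if expr="useCustomTrustMgr">
      <sequence>
        <script>
          # A new blind provider: trusts every certificate, test use only
          opts = ' '.join([
            '--type blind --set enabled:true',
            '--set java-class:org.opends.server.extensions.BlindTrustManagerProvider'
          ])
        </script>
        <call function="'dsconfig'">
          { 'location'       : location,
            'dsPath'         : dsPath,
            'dsInstanceHost' : dsInstanceHost,
            'dsInstancePort' : dsInstancePort,
            'dsInstanceDn'   : dsInstanceDn,
            'dsInstancePswd' : dsInstancePswd,
            'subcommand'     : 'create-trust-manager-provider',
            'objectType'     : 'provider-name',
            'objectName'     : customTrustMgr,
            'optionsString'  : opts,
            'expectedRC'     : 0,
            'fileFd'         : fileFd
          }
        </call>
      </sequence>
      <else>
        <call function="'dsconfig'">
          { 'location'       : location,
            'dsPath'         : dsPath,
            'dsInstanceHost' : dsInstanceHost,
            'dsInstancePort' : dsInstancePort,
            'dsInstanceDn'   : dsInstanceDn,
            'dsInstancePswd' : dsInstancePswd,
            'subcommand'     : 'set-trust-manager-provider-prop',
            'objectType'     : 'provider-name',
            'objectName'     : 'Blind Trust',
            'optionsString'  : '--set enabled:true',
            'expectedRC'     : 0,
            'fileFd'         : fileFd
          }
        </call>
      </else>
    </if>
    <!-- Enable LDAPS Connection Handler -->
    <call function="'writeMessage'">
      {
        'content' : 'Enabling LDAPS Connection Handler - Keystore type',
        'fileFd'  : fileFd
      }
    </call>
    <script>
      # Point the handler at exactly the providers configured above
      option1 = '--set ssl-cert-nickname:%s' % certAlias
      if useCustomTrustMgr:
        option2 = '--set trust-manager-provider:"%s"' % customTrustMgr
      else:
        option2 = '--set trust-manager-provider:"Blind Trust"'
      if useCustomKeyMgr:
        option3 = '--set key-manager-provider:"%s"' % customKeyMgr
      else:
        option3 = '--set key-manager-provider:"%s"' % keystoreType
      option4 = '--set listen-port:%s' % DIRECTORY_INSTANCE_SSL_PORT
      option5 = '--set enabled:true --set use-ssl:true'
      optionsString = ' '.join([option1, option2, option3, option4, option5])
    </script>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAPS Connection Handler',
        'optionsString'  : optionsString,
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
  </sequence>
</function>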
<!-- ################################################## -->
<!-- configureTLS -->
<!-- ################################################## -->
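<function name="configureTLS" scope="local">
  <function-prolog>
    Makes the dsconfig changes that allow StartTLS on the plain LDAP
    Connection Handler: reconfigures and enables the stock key manager
    provider named by keystoreType (reading config/keystore), enables
    the stock 'Blind Trust' provider, then sets allow-start-tls on the
    handler. Blind Trust accepts any peer certificate, so this is for
    test instances only. extraParams is accepted but not used here.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which dsconfig is executed
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root of the instance
      </function-arg-description>
      <function-arg-property name="type" value="filepath"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceHost" type="optional"
                      default="STAXServiceMachine">
      <function-arg-description>
        Directory server hostname or IP address
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePort" type="required">
      <function-arg-description>
        Directory server (administration) port number
      </function-arg-description>
      <function-arg-property name="type" value="Port number"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceDn" type="required">
      <function-arg-description>
        Bind DN
      </function-arg-description>
      <function-arg-property name="type" value="DN"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePswd" type="required">
      <function-arg-description>
        Bind password
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystorePin" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Keystore pin, set as key-store-pin on the provider
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias of the server certificate (ssl-cert-nickname)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystoreType" type="optional" default="'JKS'">
      <function-arg-description>
        Keystore type, JKS or PKCS12; also the name of the stock key
        manager provider that is reconfigured
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="extraParams" type="optional">
      <function-arg-description>
        Optional extra parameters for specific test cases (unused here)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <!-- configure Key Manager Provider -->
    <call function="'writeMessage'">
      {
        'content' : 'Configure Key Manager Provider',
        'fileFd'  : fileFd
      }
    </call>
    <script>
      # Every option group is joined by a single space. The former
      # '%s %s%s' format glued '--reset key-store-pin-file' directly onto
      # '--set key-store-pin:...', producing one malformed token.
      opts = ' '.join([
        '--set key-store-file:config/keystore',
        '--reset key-store-pin-file',
        '--set key-store-pin:%s --set enabled:true' % keystorePin
      ])
    </script>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-key-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : keystoreType,
        'optionsString'  : opts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
    <!-- configure Trust Manager Provider -->
    <call function="'writeMessage'">
      {
        'content' : 'Configure Trust Manager Provider',
        'fileFd'  : fileFd
      }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-trust-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : 'Blind Trust',
        'optionsString'  : '--set enabled:true',
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
    <!-- Enable StartTLS -->
    <call function="'writeMessage'">
      {
        'content' : 'Enabling StartTLS',
        'fileFd'  : fileFd
      }
    </call>
    <script>
      # The LDAP handler keeps listening in the clear; allow-start-tls lets
      # clients upgrade the connection using the providers configured above
      optionsString = ' '.join([
        '--set ssl-cert-nickname:%s' % certAlias,
        '--set trust-manager-provider:"Blind Trust"',
        '--set key-manager-provider:"%s"' % keystoreType,
        '--set allow-start-tls:true'
      ])
    </script>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAP Connection Handler',
        'optionsString'  : optionsString,
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
  </sequence>
</function>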
<!-- ################################################## -->
<!-- configure SSL and TLS -->
<!-- ################################################## -->
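<function name="configureSSL_TLS" scope="local">
  <function-prolog>
    Makes the dsconfig changes that enable both LDAPS and StartTLS:
    reconfigures and enables the stock key manager provider named by
    keystoreType (reading config/keystore), enables the stock
    'Blind Trust' provider, enables the LDAPS Connection Handler on the
    job-level DIRECTORY_INSTANCE_SSL_PORT, and sets allow-start-tls on
    the LDAP Connection Handler. Blind Trust accepts any peer
    certificate, so this is for test instances only. extraParams is
    accepted but not used here.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        STAF location (host) on which dsconfig is executed
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Installation root of the instance
      </function-arg-description>
      <function-arg-property name="type" value="filepath"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceHost" type="optional"
                      default="STAXServiceMachine">
      <function-arg-description>
        Directory server hostname or IP address
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePort" type="required">
      <function-arg-description>
        Directory server (administration) port number
      </function-arg-description>
      <function-arg-property name="type" value="Port number"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceDn" type="required">
      <function-arg-description>
        Bind DN
      </function-arg-description>
      <function-arg-property name="type" value="DN"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePswd" type="required">
      <function-arg-description>
        Bind password
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystoreType" type="optional" default="'JKS'">
      <function-arg-description>
        Keystore type, JKS or PKCS12; also the name of the stock key
        manager provider that is reconfigured
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="certAlias" type="optional"
                      default="'server-cert'">
      <function-arg-description>
        Alias of the server certificate (ssl-cert-nickname)
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="keystorePin" type="optional"
                      default="'servercert'">
      <function-arg-description>
        Keystore pin, set as key-store-pin on the provider
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="extraParams" type="optional">
      <function-arg-description>
        Optional extra parameters for specific test cases (unused here)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        Output file descriptor for the test log
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <!-- configure Key Manager Provider -->
    <call function="'writeMessage'">
      {
        'content' : 'Configure Key Manager Provider',
        'fileFd'  : fileFd
      }
    </call>
    <script>
      # Same property set as configureTLS; the former version passed
      # '--reset key-store-pin-file' twice in one dsconfig call.
      opts = ' '.join([
        '--set key-store-file:config/keystore',
        '--reset key-store-pin-file',
        '--set key-store-pin:%s' % keystorePin,
        '--set enabled:true'
      ])
    </script>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-key-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : keystoreType,
        'optionsString'  : opts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
    <!-- configure Trust Manager Provider -->
    <call function="'writeMessage'">
      {
        'content' : 'Configure Trust Manager Provider',
        'fileFd'  : fileFd
      }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-trust-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : 'Blind Trust',
        'optionsString'  : '--set enabled:true',
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
    <!-- Enable LDAPS Connection Handler -->
    <call function="'writeMessage'">
      {
        'content' : 'Enabling LDAPS Connection Handler - Keystore type',
        'fileFd'  : fileFd
      }
    </call>
    <script>
      # Dedicated TLS listener on the job's SSL port
      optionsString = ' '.join([
        '--set ssl-cert-nickname:%s' % certAlias,
        '--set trust-manager-provider:"Blind Trust"',
        '--set key-manager-provider:"%s"' % keystoreType,
        '--set listen-port:%s' % DIRECTORY_INSTANCE_SSL_PORT,
        '--set enabled:true --set use-ssl:true'
      ])
    </script>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAPS Connection Handler',
        'optionsString'  : optionsString,
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
    <!-- Enable StartTLS -->
    <call function="'writeMessage'">
      {
        'content' : 'Enabling StartTLS',
        'fileFd'  : fileFd
      }
    </call>
    <script>
      # The clear-text LDAP handler additionally allows a StartTLS upgrade
      # with the same certificate and providers as the LDAPS listener
      optionsString = ' '.join([
        '--set ssl-cert-nickname:%s' % certAlias,
        '--set trust-manager-provider:"Blind Trust"',
        '--set key-manager-provider:"%s"' % keystoreType,
        '--set allow-start-tls:true'
      ])
    </script>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAP Connection Handler',
        'optionsString'  : optionsString,
        'expectedRC'     : 0,
        'fileFd'         : fileFd
      }
    </call>
  </sequence>
</function>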
<!-- ################################################## -->
<!-- Unconfigure SSL -->
<!-- ################################################## -->
<function name="unconfigureSSL" scope="local">
  <function-prolog>
    Reverse the LDAPS (SSL) configuration applied to a directory server instance.

    Sequence: the LDAPS Connection Handler is disabled and its SSL-related
    properties (key-manager-provider, trust-manager-provider, ssl-cert-nickname)
    are reset first, and only then are the providers removed: a provider named
    via customTrustMgr / customKeyMgr is deleted, otherwise the default provider
    ("Blind Trust" for trust, the provider named by keystoreType for keys) is
    disabled but left in place.

    Reviewer notes:
    - dsInstancePswd is forwarded unchanged to the dsconfig helper; how that helper
      passes it (command line, stdin) and what it writes to fileFd is outside this
      file, so do not assume the password stays out of the test output.
    - extraParams is accepted for call-site compatibility but is not read here.
    - Every dsconfig call expects return code 0; a non-zero return from any step
      is a test failure rather than a silently skipped cleanup.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        Location of target host
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Pathname to installation root
      </function-arg-description>
      <function-arg-property name="type" value="filepath"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceHost" type="optional"
                      default="STAXServiceMachine">
      <function-arg-description>
        Directory server hostname or IP address
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePort" type="required">
      <function-arg-description>
        Directory server port number
      </function-arg-description>
      <function-arg-property name="type" value="Port number"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceDn" type="required">
      <function-arg-description>
        Bind DN
      </function-arg-description>
      <function-arg-property name="type" value="DN"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePswd" type="required">
      <function-arg-description>
        Bind password (forwarded to the dsconfig helper as-is)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystoreType" type="optional" default="'JKS'">
      <function-arg-description>
        Keystore type : JKS or PKCS12. Also the name of the default key manager
        provider that is disabled when no customKeyMgr is given.
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="customKeyMgr" type="optional" default="''">
      <function-arg-description>
        Name of a custom key manager provider to delete; empty means disable the
        default provider instead.
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="customTrustMgr" type="optional" default="''">
      <function-arg-description>
        Name of a custom trust manager provider to delete; empty means disable
        the "Blind Trust" provider instead.
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="extraParams" type="optional">
      <function-arg-description>
        Optional extra parameters for specific test cases (currently unused)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        output file descriptor
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Option strings shared by the dsconfig calls below.
      disableLdapsOpts    = '--set enabled:false --set use-ssl:false'
      resetHandlerOpts    = '--reset key-manager-provider --reset trust-manager-provider --reset ssl-cert-nickname'
      disableProviderOpts = '--set enabled:false'
      # A blank or whitespace-only name means "use the default provider".
      noCustomTrustMgr    = len(customTrustMgr.strip()) == 0
      noCustomKeyMgr      = len(customKeyMgr.strip()) == 0
    </script>

    <!-- Step 1: take the LDAPS handler down, then clear its provider references -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling LDAPS Connection Handler',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAPS Connection Handler',
        'optionsString'  : disableLdapsOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAPS Connection Handler',
        'optionsString'  : resetHandlerOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 2: trust manager provider (disable default, or delete custom) -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling SSL Trust Manager Provider',
        'fileFd'  : fileFd }
    </call>
    <if expr="noCustomTrustMgr">
      <call function="'dsconfig'">
        { 'location'       : location,
          'dsPath'         : dsPath,
          'dsInstanceHost' : dsInstanceHost,
          'dsInstancePort' : dsInstancePort,
          'dsInstanceDn'   : dsInstanceDn,
          'dsInstancePswd' : dsInstancePswd,
          'subcommand'     : 'set-trust-manager-provider-prop',
          'objectType'     : 'provider-name',
          'objectName'     : 'Blind Trust',
          'optionsString'  : disableProviderOpts,
          'expectedRC'     : 0,
          'fileFd'         : fileFd }
      </call>
      <else>
        <call function="'dsconfig'">
          { 'location'       : location,
            'dsPath'         : dsPath,
            'dsInstanceHost' : dsInstanceHost,
            'dsInstancePort' : dsInstancePort,
            'dsInstanceDn'   : dsInstanceDn,
            'dsInstancePswd' : dsInstancePswd,
            'subcommand'     : 'delete-trust-manager-provider',
            'objectType'     : 'provider-name',
            'objectName'     : customTrustMgr,
            'expectedRC'     : 0,
            'fileFd'         : fileFd }
        </call>
      </else>
    </if>

    <!-- Step 3: key manager provider (disable default, or delete custom) -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling Key Manager Provider',
        'fileFd'  : fileFd }
    </call>
    <if expr="noCustomKeyMgr">
      <call function="'dsconfig'">
        { 'location'       : location,
          'dsPath'         : dsPath,
          'dsInstanceHost' : dsInstanceHost,
          'dsInstancePort' : dsInstancePort,
          'dsInstanceDn'   : dsInstanceDn,
          'dsInstancePswd' : dsInstancePswd,
          'subcommand'     : 'set-key-manager-provider-prop',
          'objectType'     : 'provider-name',
          'objectName'     : keystoreType,
          'optionsString'  : disableProviderOpts,
          'expectedRC'     : 0,
          'fileFd'         : fileFd }
      </call>
      <else>
        <call function="'dsconfig'">
          { 'location'       : location,
            'dsPath'         : dsPath,
            'dsInstanceHost' : dsInstanceHost,
            'dsInstancePort' : dsInstancePort,
            'dsInstanceDn'   : dsInstanceDn,
            'dsInstancePswd' : dsInstancePswd,
            'subcommand'     : 'delete-key-manager-provider',
            'objectType'     : 'provider-name',
            'objectName'     : customKeyMgr,
            'expectedRC'     : 0,
            'fileFd'         : fileFd }
        </call>
      </else>
    </if>
  </sequence>
</function>
<!-- ################################################## -->
<!-- Unconfigure TLS (StartTLS on the LDAP Connection Handler) -->
<!-- ################################################## -->
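<function name="unconfigureTLS" scope="local">
  <function-prolog>
    Reverse the StartTLS configuration applied to the LDAP Connection Handler.

    Sequence:
    1. allow-start-tls is switched off on the LDAP Connection Handler.
    2. The handler properties that the StartTLS setup sets on that handler
       (ssl-cert-nickname, trust-manager-provider, key-manager-provider) are
       reset to their defaults. This mirrors what unconfigureSSL does for the
       LDAPS Connection Handler, so the handler no longer points at a provider
       that the next steps disable.
    3. The "Blind Trust" trust manager provider and the key manager provider
       named by keystoreType are disabled (not deleted).

    Reviewer notes:
    - dsInstancePswd is forwarded unchanged to the dsconfig helper; how that helper
      passes it and what it writes to fileFd is outside this file.
    - extraParams is accepted for call-site compatibility but is not read here.
    - Every dsconfig call expects return code 0, so a failed step fails the test
      instead of leaving the cleanup half-applied unnoticed.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        Location of target host
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Pathname to installation root
      </function-arg-description>
      <function-arg-property name="type" value="filepath"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceHost" type="optional"
                      default="STAXServiceMachine">
      <function-arg-description>
        Directory server hostname or IP address
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePort" type="required">
      <function-arg-description>
        Directory server port number
      </function-arg-description>
      <function-arg-property name="type" value="Port number"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceDn" type="required">
      <function-arg-description>
        Bind DN
      </function-arg-description>
      <function-arg-property name="type" value="DN"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePswd" type="required">
      <function-arg-description>
        Bind password (forwarded to the dsconfig helper as-is)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystoreType" type="optional" default="'JKS'">
      <function-arg-description>
        Keystore type : JKS or PKCS12. Also the name of the key manager provider
        that is disabled in the last step.
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="extraParams" type="optional">
      <function-arg-description>
        Optional extra parameters for specific test cases (currently unused)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        output file descriptor
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Option strings shared by the dsconfig calls below.
      disableStartTlsOpts = ' --set allow-start-tls:false'
      # Same reset list unconfigureSSL applies to the LDAPS handler; here it
      # undoes the values the StartTLS setup placed on the LDAP handler.
      resetHandlerOpts    = '--reset key-manager-provider --reset trust-manager-provider --reset ssl-cert-nickname'
      disableProviderOpts = '--set enabled:false'
    </script>

    <!-- Step 1: switch StartTLS off on the LDAP Connection Handler -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling StartTLS',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAP Connection Handler',
        'optionsString'  : disableStartTlsOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 2: clear the handler's certificate nickname and provider references
         before those providers are disabled -->
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAP Connection Handler',
        'optionsString'  : resetHandlerOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 3: disable the Blind Trust trust manager provider -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling SSL Trust Manager Provider',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-trust-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : 'Blind Trust',
        'optionsString'  : disableProviderOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 4: disable the key manager provider named by keystoreType -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling Key Manager Provider',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-key-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : keystoreType,
        'optionsString'  : disableProviderOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>
  </sequence>
</function>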
<!-- ################################################## -->
<!-- Unconfigure SSL and TLS -->
<!-- ################################################## -->
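<function name="unconfigureSSL_TLS" scope="local">
  <function-prolog>
    Reverse both the LDAPS (SSL) and the StartTLS configuration on an instance.

    Sequence:
    1. The LDAPS Connection Handler is disabled and use-ssl is switched off.
    2. allow-start-tls is switched off on the LDAP Connection Handler.
    3. On both handlers the ssl-cert-nickname, trust-manager-provider and
       key-manager-provider properties are reset to their defaults, the same
       reset unconfigureSSL performs on the LDAPS handler, so neither handler
       still points at a provider that the next steps disable.
    4. The "Blind Trust" trust manager provider and the key manager provider
       named by keystoreType are disabled (not deleted). Unlike unconfigureSSL
       this function has no customKeyMgr / customTrustMgr arguments, so custom
       providers are not deleted here.

    Reviewer notes:
    - dsInstancePswd is forwarded unchanged to the dsconfig helper; how that helper
      passes it and what it writes to fileFd is outside this file.
    - extraParams is accepted for call-site compatibility but is not read here.
    - Every dsconfig call expects return code 0, so a failed step fails the test
      instead of leaving the cleanup half-applied unnoticed.
  </function-prolog>
  <function-map-args>
    <function-arg-def name="location" type="required">
      <function-arg-description>
        Location of target host
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsPath" type="required">
      <function-arg-description>
        Pathname to installation root
      </function-arg-description>
      <function-arg-property name="type" value="filepath"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceHost" type="optional"
                      default="STAXServiceMachine">
      <function-arg-description>
        Directory server hostname or IP address
      </function-arg-description>
      <function-arg-property name="type" value="hostname"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePort" type="required">
      <function-arg-description>
        Directory server port number
      </function-arg-description>
      <function-arg-property name="type" value="Port number"/>
    </function-arg-def>
    <function-arg-def name="dsInstanceDn" type="required">
      <function-arg-description>
        Bind DN
      </function-arg-description>
      <function-arg-property name="type" value="DN"/>
    </function-arg-def>
    <function-arg-def name="dsInstancePswd" type="required">
      <function-arg-description>
        Bind password (forwarded to the dsconfig helper as-is)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="keystoreType" type="optional" default="'JKS'">
      <function-arg-description>
        Keystore type : JKS or PKCS12. Also the name of the key manager provider
        that is disabled in the last step.
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="extraParams" type="optional">
      <function-arg-description>
        Optional extra parameters for specific test cases (currently unused)
      </function-arg-description>
      <function-arg-property name="type" value="string"/>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        output file descriptor
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <script>
      # Option strings shared by the dsconfig calls below.
      disableLdapsOpts    = '--set enabled:false --set use-ssl:false'
      disableStartTlsOpts = ' --set allow-start-tls:false'
      # Same reset list unconfigureSSL applies to the LDAPS handler.
      resetHandlerOpts    = '--reset key-manager-provider --reset trust-manager-provider --reset ssl-cert-nickname'
      disableProviderOpts = '--set enabled:false'
    </script>

    <!-- Step 1: take the LDAPS Connection Handler down -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling LDAPS Connection Handler',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAPS Connection Handler',
        'optionsString'  : disableLdapsOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 2: switch StartTLS off on the LDAP Connection Handler -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling StartTLS',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAP Connection Handler',
        'optionsString'  : disableStartTlsOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 3: clear certificate nickname and provider references on both
         handlers before the providers themselves are disabled -->
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAPS Connection Handler',
        'optionsString'  : resetHandlerOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-connection-handler-prop',
        'objectType'     : 'handler-name',
        'objectName'     : 'LDAP Connection Handler',
        'optionsString'  : resetHandlerOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 4: disable the Blind Trust trust manager provider -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling SSL Trust Manager Provider',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-trust-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : 'Blind Trust',
        'optionsString'  : disableProviderOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>

    <!-- Step 5: disable the key manager provider named by keystoreType -->
    <call function="'writeMessage'">
      { 'content' : 'Disabling Key Manager Provider',
        'fileFd'  : fileFd }
    </call>
    <call function="'dsconfig'">
      { 'location'       : location,
        'dsPath'         : dsPath,
        'dsInstanceHost' : dsInstanceHost,
        'dsInstancePort' : dsInstancePort,
        'dsInstanceDn'   : dsInstanceDn,
        'dsInstancePswd' : dsInstancePswd,
        'subcommand'     : 'set-key-manager-provider-prop',
        'objectType'     : 'provider-name',
        'objectName'     : keystoreType,
        'optionsString'  : disableProviderOpts,
        'expectedRC'     : 0,
        'fileFd'         : fileFd }
    </call>
  </sequence>
</function>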
</stax>