/*******************************************************************************
* This file is part of OpenNMS(R).
*
* Copyright (C) 2010-2011 The OpenNMS Group, Inc.
* OpenNMS(R) is Copyright (C) 1999-2011 The OpenNMS Group, Inc.
*
* OpenNMS(R) is a registered trademark of The OpenNMS Group, Inc.
*
* OpenNMS(R) is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published
* by the Free Software Foundation, either version 3 of the License,
* or (at your option) any later version.
*
* OpenNMS(R) is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with OpenNMS(R). If not, see:
* http://www.gnu.org/licenses/
*
* For more information contact:
* OpenNMS(R) Licensing <license@opennms.org>
* http://www.opennms.org/
* http://www.opennms.com/
*******************************************************************************/
package org.opennms.protocols.jmx.connectors;
import org.opennms.core.utils.InetAddressUtils;
import org.opennms.core.utils.ParameterMap;
import org.opennms.core.utils.ThreadCategory;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.*;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
/**
* <p>JMXSecureConnectionFactory class.</p>
*
* @author ranger
* @version $Id: $
*/
public class JMXSecureConnectionFactory {
static ThreadCategory log = ThreadCategory.getInstance(JMXSecureConnectionFactory.class);
/**
* <p>getMBeanServerConnection</p>
*
* @param propertiesMap a {@link java.util.Map} object.
* @param address a {@link java.net.InetAddress} object.
* @return a {@link org.opennms.protocols.jmx.connectors.Jsr160ConnectionWrapper} object.
*/
public static Jsr160ConnectionWrapper getMBeanServerConnection(Map<?, ?> propertiesMap, InetAddress address) {
Jsr160ConnectionWrapper connectionWrapper = null;
JMXServiceURL url = null;
String factory = ParameterMap.getKeyedString(propertiesMap, "factory", "SASL");
int port = ParameterMap.getKeyedInteger(propertiesMap, "port", 11162);
String protocol = ParameterMap.getKeyedString(propertiesMap, "protocol", "jmxmp");
String urlPath = ParameterMap.getKeyedString(propertiesMap, "urlPath", "");
String sunCacao = ParameterMap.getKeyedString(propertiesMap, "sunCacao", "false");
// RMI and JMXMP use different URL schemes
try {
if (protocol.equalsIgnoreCase("jmxmp")) {
// Create an JMXMP connector client and
// connect it to the JMXMP connector server
//
url = new JMXServiceURL(protocol, InetAddressUtils.str(address), port, urlPath);
} else {
// Fallback, building a URL for RMI
url = new JMXServiceURL("service:jmx:" + protocol + ":///jndi/" + protocol + "://" + InetAddressUtils.str(address) + ":" + port + urlPath);
}
} catch (MalformedURLException e) {
log.error("JMXServiceURL exception: " + url + ". Error message: " + e.getMessage());
}
log.debug("Set JMXServiceURL: " + url);
// configure and create Simple Authentication and Security Layer
if (factory.equals("SASL")) {
try {
String username = ParameterMap.getKeyedString(propertiesMap, "username", null);
String password = ParameterMap.getKeyedString(propertiesMap, "password", null);
HashMap<String, Object> env = new HashMap<String, Object>();
// TODO: We can have a deadlock here
while (true) {
AnyServerX509TrustManager tm;
KeyStore ks;
try {
ks = KeyStore.getInstance(KeyStore.getDefaultType());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
// X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
tm = new AnyServerX509TrustManager();
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory ssf = ctx.getSocketFactory();
env.put("jmx.remote.tls.socket.factory", ssf);
} catch (Throwable e) {
log.error("Something bad occured: " + e.getMessage());
throw e;
}
Security.addProvider(new com.sun.security.sasl.Provider());
String[] creds;
if (sunCacao.equals("true"))
creds = new String[]{"com.sun.cacao.user\001" + username, password};
else
creds = new String[]{username, password};
env.put("jmx.remote.profiles", "TLS SASL/PLAIN");
env.put("jmx.remote.credentials", creds);
JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null);
// Connect and invoke an operation on the remote MBeanServer
try {
connector.connect(env);
} catch (SSLException e) {
log.warn("SSLException occured. Error message: " + e.getMessage());
} catch (SecurityException x) {
log.error("Security exception: bad credentials. Error message: " + x.getMessage());
}
MBeanServerConnection connection = connector.getMBeanServerConnection();
connectionWrapper = new Jsr160ConnectionWrapper(connector, connection);
break;
}
} catch (Throwable e) {
log.error("Unable to get MBeanServerConnection: " + url + ". Error message: " + e.getMessage());
}
}
return connectionWrapper;
}
private static class AnyServerX509TrustManager implements X509TrustManager {
// Documented in X509TrustManager
public X509Certificate[] getAcceptedIssuers() {
// since client authentication is not supported by this
// trust manager, there's no certificate authority trusted
// for authenticating peers
return new X509Certificate[0];
}
// Documented in X509TrustManager
public void checkClientTrusted(X509Certificate[] certs, String authType)
throws CertificateException {
// this trust manager is dedicated to server authentication
throw new CertificateException("not supported");
}
// Documented in X509TrustManager
public void checkServerTrusted(X509Certificate[] certs, String authType)
throws CertificateException {
// any certificate sent by the server is automatically accepted
}
}
}