FC-207 - Fix handling of truststore

README-CONFIG.md

@@ -82,7 +82,7 @@ The ant config task, **init-fortress-config**, uses the values found within the
  * fortress.enable.ldap.ssl.debug
  * fortress.trust.store
  * fortress.trust.store.password
- * fortress.trust.store.set.prop
+ * fortress.trust.store.onclasspath
  * fortress.config.realm
  * fortress.config.root
  * fortress.ldap.server.type

build-config.xml

@@ -329,7 +329,8 @@
          <replace file="${dst.bootstrap.conf}" token="@ENABLE_LDAP_SSL_DEBUG@" value="${enable.ldap.ssl.debug}"/>
          <replace file="${dst.bootstrap.conf}" token="@TRUST_STORE@" value="${trust.store}"/>
          <replace file="${dst.bootstrap.conf}" token="@TRUST_STORE_PW@" value="${trust.store.password}"/>
-         <replace file="${dst.bootstrap.conf}" token="@TRUST_STORE_SET_PROPW@" value="${trust.store.set.prop}"/>
+
+         <replace file="${dst.bootstrap.conf}" token="@TRUST_STORE_ONCLASSPATHW@" value="${trust.store.onclasspath}"/>
 
        <copy file="${src.remote.conf}" tofile="${dst.remote.conf}"/>
          <replace file="${dst.remote.conf}" token="@SUFFIX@" value="${suffix}"/>
@@ -358,7 +359,7 @@
          <replace file="${dst.remote.conf}" token="@ENABLE_LDAP_SSL_DEBUG@" value="${enable.ldap.ssl.debug}"/>
          <replace file="${dst.remote.conf}" token="@TRUST_STORE@" value="${trust.store}"/>
          <replace file="${dst.remote.conf}" token="@TRUST_STORE_PW@" value="${trust.store.password}"/>
-         <replace file="${dst.remote.conf}" token="@TRUST_STORE_SET_PROPW@" value="${trust.store.set.prop}"/>
+         <replace file="${dst.remote.conf}" token="@TRUST_STORE_ONCLASSPATHW@" value="${trust.store.onclasspath}"/>
          <replace file="${dst.remote.conf}" token="@KEY_STORE@" value="${key.store}"/>
          <replace file="${dst.remote.conf}" token="@KEY_STORE_PW@" value="${key.store.password}"/>
          <replace file="${dst.remote.conf}" token="@SERVER_TYPE@" value="${ldap.server.type}"/>

build.properties.example

@@ -61,7 +61,7 @@ ldap.port=10389
 # The trust store is picked up off the classpath i.e. fortress-home/config:
 #trust.store=mytruststore
 #trust.store.password=changeit
-#trust.store.set.prop=true
+#trust.store.onclasspath=true
 
 # These are the connection parameters used for LDAP service account:
 root.dn=uid=admin,ou=system

config/bootstrap/fortress.properties.src

@@ -26,7 +26,7 @@ enable.ldap.ssl=@ENABLE_LDAP_SSL@
 enable.ldap.ssl.debug=@ENABLE_LDAP_SSL_DEBUG@
 trust.store=@TRUST_STORE@
 trust.store.password=@TRUST_STORE_PW@
-trust.store.set.prop=@TRUST_STORE_SET_PROPW@
+trust.store.onclasspath=@TRUST_STORE_ONCLASSPATHW@
 
 # These credentials are used for read/write access to all nodes under suffix:
 admin.user=@ROOT_DN@

config/fortress.properties.src

@@ -34,7 +34,7 @@ enable.ldap.ssl=@ENABLE_LDAP_SSL@
 enable.ldap.ssl.debug=@ENABLE_LDAP_SSL_DEBUG@
 trust.store=@TRUST_STORE@
 trust.store.password=@TRUST_STORE_PW@
-trust.store.set.prop=@TRUST_STORE_SET_PROPW@
+trust.store.onclasspath=@TRUST_STORE_ONCLASSPATHW@
 
 # Used to enable STARTTLS on Connection to LDAP Server
 enable.ldap.starttls=false

slapd.properties.example

@@ -87,7 +87,7 @@ log.ops=logops bind writes compare
 # The trust store is picked up off the classpath i.e. fortress-home/config:
 #trust.store=mytruststore
 #trust.store.password=changeit
-#trust.store.set.prop=true
+#trust.store.onclasspath=true
 
 # These are needed for slapd startup SSL configuration:
 #ldap.uris=ldap://${ldap.host}:389 ldaps://${ldap.host}:${ldap.port}

src/main/java/org/apache/directory/fortress/core/GlobalIds.java

@@ -441,10 +441,9 @@ public final class GlobalIds
     public static final String ENABLE_LDAP_SSL_DEBUG = "enable.ldap.ssl.debug";
     public static final String TRUST_STORE = "trust.store";
     public static final String TRUST_STORE_PW = "trust.store.password";
-
-
     public static final String TRUST_STORE_ON_CLASSPATH = "trust.store.onclasspath";
-    public static final String SET_TRUST_STORE_PROP = "trust.store.set.prop";
+
+    // coordinates to the LDAP server:
     public static final String LDAP_HOST = "host";
     public static final String LDAP_PORT = "port";
 

src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java

@@ -159,7 +159,6 @@ private synchronized X509TrustManager[] getTrustManagers( final X509Certificate[
         CertificateException
     {
         String szTrustStoreOnClasspath = Config.getInstance().getProperty( GlobalIds.TRUST_STORE_ON_CLASSPATH );
-        LOG.info( CLS_NM + ".getTrustManagers trust.store.onclasspath: {}", szTrustStoreOnClasspath );
 
         // If false or null, read the truststore from a fully qualified filename.
         if( szTrustStoreOnClasspath != null && szTrustStoreOnClasspath.equalsIgnoreCase( "false" ))

src/main/java/org/apache/directory/fortress/core/ldap/LdapConnectionProvider.java

@@ -67,10 +67,7 @@ public class LdapConnectionProvider
     private static final String LDAP_LOG_POOL_MAX = "max.log.conn";
 
     private static final String ENABLE_LDAP_STARTTLS = "enable.ldap.starttls";
-
     private boolean IS_SSL;
-    private boolean IS_SET_TRUST_STORE_PROP;
-    private boolean IS_SSL_DEBUG;
 
     /**
      * The Admin connection pool
@@ -128,14 +125,6 @@ private void init()
             Config.getInstance().getProperty( GlobalIds.TRUST_STORE ) != null &&
             Config.getInstance().getProperty( GlobalIds.TRUST_STORE_PW ) != null );
 
-        IS_SET_TRUST_STORE_PROP = ( IS_SSL &&
-            Config.getInstance().getProperty( GlobalIds.SET_TRUST_STORE_PROP ) != null &&
-            Config.getInstance().getProperty( GlobalIds.SET_TRUST_STORE_PROP ).equalsIgnoreCase( "true" ) );
-
-        IS_SSL_DEBUG = ( ( Config.getInstance().getProperty( GlobalIds.ENABLE_LDAP_SSL_DEBUG ) != null ) && ( Config
-            .getInstance().getProperty( GlobalIds.ENABLE_LDAP_SSL_DEBUG ).equalsIgnoreCase( "true" ) ) );
-
-
         String host = Config.getInstance().getProperty( GlobalIds.LDAP_HOST, "localhost" );
         int port = Config.getInstance().getInt( GlobalIds.LDAP_PORT, 389 );
         int min = Config.getInstance().getInt( GlobalIds.LDAP_ADMIN_POOL_MIN, 1 );
@@ -144,18 +133,6 @@ private void init()
         int logmax = Config.getInstance().getInt( LDAP_LOG_POOL_MAX, 10 );
         LOG.info( "LDAP POOL:  host=[{}], port=[{}], min=[{}], max=[{}]", host, port, min, max );
 
-/*
-        if ( IS_SET_TRUST_STORE_PROP )
-        {
-            LOG.info( "Set JSSE truststore properties in Apache LDAP client:" );
-            LOG.info( "javax.net.ssl.trustStore: {}", Config.getInstance().getProperty( GlobalIds.TRUST_STORE ) );
-            LOG.info( "javax.net.debug: {}", IS_SSL_DEBUG );
-            System.setProperty( "javax.net.ssl.trustStore", Config.getInstance().getProperty( GlobalIds.TRUST_STORE ) );
-            System.setProperty( "javax.net.ssl.trustStorePassword", Config.getInstance().getProperty( GlobalIds
-                .TRUST_STORE_PW ) );
-            System.setProperty( "javax.net.debug", Boolean.valueOf( IS_SSL_DEBUG ).toString() );
-        }
-*/
         LdapConnectionConfig config = new LdapConnectionConfig();
         config.setLdapHost( host );
         config.setLdapPort( port );

src/main/java/org/apache/directory/fortress/core/rest/RestUtils.java

@@ -81,15 +81,6 @@ public final class RestUtils
     // static member contains this
     private static volatile RestUtils sINSTANCE = null;
 
-    /**
-     * Used to manage trust store properties.  If enabled, create SSL connection.
-     *
-     */
-    private static String trustStoreSetProp = "trust.store.set.prop";
-    private String trustStore;
-    private String trustStorePw;
-    private boolean isTrustStoreSetProp;
-
     // These members contain the http coordinates to a running fortress-rest instance:
     private String httpUid, httpPw, httpHost, httpPort, httpProtocol, fortressRestVersion, serviceName, uri;
 
@@ -128,22 +119,9 @@ private void init()
         httpHost = Config.getInstance().getProperty( "http.host" );
         httpPort = Config.getInstance().getProperty( "http.port" );
         httpProtocol = Config.getInstance().getProperty( "http.protocol", "http" );
-        trustStore = Config.getInstance().getProperty( "trust.store" );
-        trustStorePw = Config.getInstance().getProperty( "trust.store.password" );
-        isTrustStoreSetProp = (
-            Config.getInstance().getProperty( trustStoreSetProp ) != null &&
-            Config.getInstance().getProperty( trustStoreSetProp ).equalsIgnoreCase( "true" ) );
         fortressRestVersion = System.getProperty( "version" );
         serviceName = "fortress-rest-" + fortressRestVersion;
         uri = httpProtocol + "://" + httpHost + ":" + httpPort + "/" + serviceName + "/";
-
-        if ( isTrustStoreSetProp )
-        {
-            LOG.info( "Set JSSE truststore properties:" );
-            LOG.info( "javax.net.ssl.trustStore: {}", trustStore );
-            System.setProperty( "javax.net.ssl.trustStore", trustStore );
-            System.setProperty( "javax.net.ssl.trustStorePassword", trustStorePw );
-        }
     }
 
     private RestUtils(){

src/main/java/org/apache/directory/fortress/core/util/Config.java

@@ -66,7 +66,7 @@ public final class Config
     private static final String EXT_ENABLE_LDAP_SSL_DEBUG = "fortress.enable.ldap.ssl.debug";
     private static final String EXT_TRUST_STORE = "fortress.trust.store";
     private static final String EXT_TRUST_STORE_PW = "fortress.trust.store.password";
-    private static final String EXT_SET_TRUST_STORE_PROP = "fortress.trust.store.set.prop";
+    private static final String EXT_TRUST_STORE_ONCLASSPATH = "fortress.trust.store.onclasspath";
     private static final String EXT_CONFIG_REALM = "fortress.config.realm";
     private static final String EXT_CONFIG_ROOT_DN = "fortress.config.root";
     private static final String EXT_SERVER_TYPE = "fortress.ldap.server.type";
@@ -544,12 +544,12 @@ private void getExternalConfig()
             LOG.info( "getExternalConfig override name [{}]", GlobalIds.TRUST_STORE_PW );
         }
 
-        // Check to see if the trust store set parameter has been overridden by a system property:
-        szValue = System.getProperty( EXT_SET_TRUST_STORE_PROP );
+        // Check to see if the trust store onclasspath parameter has been overridden by a system property:
+        szValue = System.getProperty( EXT_TRUST_STORE_ONCLASSPATH );
         if( StringUtils.isNotEmpty( szValue ))
         {
-            config.setProperty( GlobalIds.SET_TRUST_STORE_PROP, szValue );
-            LOG.info( PREFIX, GlobalIds.SET_TRUST_STORE_PROP, szValue );
+            config.setProperty( GlobalIds.TRUST_STORE_ON_CLASSPATH, szValue );
+            LOG.info( PREFIX, GlobalIds.TRUST_STORE_ON_CLASSPATH, szValue );
         }
 
         // Check to see if the config realm name has been overridden by a system property:

src/test/resources/fortress.properties

@@ -26,7 +26,7 @@ enable.ldap.ssl=false
 enable.ldap.ssl.debug=flase
 trust.store=
 trust.store.password=
-trust.store.set.prop=
+trust.store.onclasspath=
 
 # These credentials are used for read/write access to all nodes under suffix:
 admin.user=uid=admin,ou=system