|
version 1.152, 2004/10/17 20:40:12
|
version 1.153, 2004/12/07 22:45:05
|
|
|
|
| #include <Pegasus/Common/ModuleController.h> | #include <Pegasus/Common/ModuleController.h> |
| #include <Pegasus/ControlProviders/ConfigSettingProvider/ConfigSettingProvider.h> | #include <Pegasus/ControlProviders/ConfigSettingProvider/ConfigSettingProvider.h> |
| #include <Pegasus/ControlProviders/UserAuthProvider/UserAuthProvider.h> | #include <Pegasus/ControlProviders/UserAuthProvider/UserAuthProvider.h> |
| |
#include <Pegasus/ControlProviders/CertificateProvider/CertificateProvider.h> |
| #include <Pegasus/ControlProviders/ProviderRegistrationProvider/ProviderRegistrationProvider.h> | #include <Pegasus/ControlProviders/ProviderRegistrationProvider/ProviderRegistrationProvider.h> |
| #include <Pegasus/ControlProviders/NamespaceProvider/NamespaceProvider.h> | #include <Pegasus/ControlProviders/NamespaceProvider/NamespaceProvider.h> |
| | |
|
|
|
| controlProviderReceiveMessageCallback, | controlProviderReceiveMessageCallback, |
| 0, 0); | 0, 0); |
| | |
| |
// ATTN: Are we allowing this to run if sslClientVerification is off? |
| |
// Create the certificate control provider |
| |
// String verifyClient = ConfigManager::getInstance()->getCurrentValue(PROPERTY_NAME__SSL_CLIENT_VERIFICATION); |
| |
// if (!String::equal(verifyClient, "disabled")) |
| |
//{ |
| |
ProviderMessageFacade * certificateProvider = |
| |
new ProviderMessageFacade(new CertificateProvider(_repository)); |
| |
ModuleController::register_module(PEGASUS_QUEUENAME_CONTROLSERVICE, |
| |
PEGASUS_MODULENAME_CERTIFICATEPROVIDER, |
| |
certificateProvider, |
| |
controlProviderReceiveMessageCallback, |
| |
0, 0); |
| |
//} |
| |
|
| #ifdef PEGASUS_HAS_PERFINST | #ifdef PEGASUS_HAS_PERFINST |
| | |
| // Create the Statistical Data control provider | // Create the Statistical Data control provider |
|
|
|
| | |
| _httpAuthenticatorDelegator = new HTTPAuthenticatorDelegator( | _httpAuthenticatorDelegator = new HTTPAuthenticatorDelegator( |
| _cimOperationRequestDecoder->getQueueId(), | _cimOperationRequestDecoder->getQueueId(), |
| _cimExportRequestDecoder->getQueueId()); |
_cimExportRequestDecoder->getQueueId(), |
| |
_repository); |
| | |
| // IMPORTANT-NU-20020513: Indication service must start after ExportService | // IMPORTANT-NU-20020513: Indication service must start after ExportService |
| // otherwise HandlerService started by indicationService will never | // otherwise HandlerService started by indicationService will never |
|
|
|
| static String PROPERTY_NAME__SSL_CERT_FILEPATH = "sslCertificateFilePath"; | static String PROPERTY_NAME__SSL_CERT_FILEPATH = "sslCertificateFilePath"; |
| static String PROPERTY_NAME__SSL_KEY_FILEPATH = "sslKeyFilePath"; | static String PROPERTY_NAME__SSL_KEY_FILEPATH = "sslKeyFilePath"; |
| static String PROPERTY_NAME__SSL_TRUST_STORE = "sslTrustStore"; | static String PROPERTY_NAME__SSL_TRUST_STORE = "sslTrustStore"; |
| |
static String PROPERTY_NAME__SSL_CRL_STORE = "crlStore"; |
| static String PROPERTY_NAME__SSL_CLIENT_VERIFICATION = "sslClientVerificationMode"; | static String PROPERTY_NAME__SSL_CLIENT_VERIFICATION = "sslClientVerificationMode"; |
| static String PROPERTY_NAME__SSL_AUTO_TRUST_STORE_UPDATE = "enableSSLTrustStoreAutoUpdate"; |
|
| static String PROPERTY_NAME__SSL_TRUST_STORE_USERNAME = "sslTrustStoreUserName"; | static String PROPERTY_NAME__SSL_TRUST_STORE_USERNAME = "sslTrustStoreUserName"; |
| static String PROPERTY_NAME__HTTP_ENABLED = "enableHttpConnection"; | static String PROPERTY_NAME__HTTP_ENABLED = "enableHttpConnection"; |
| | |
| if (_sslcontext.get() == 0) | if (_sslcontext.get() == 0) |
| { | { |
| // Note that if invalid values were set for either sslKeyFilePath, sslCertificateFilePath, or sslTrustStore, |
// Note that if invalid values were set for either sslKeyFilePath, sslCertificateFilePath, crlStore, or sslTrustStore, |
| // the invalid paths would have been detected in SecurityPropertyOwner and terminated the server startup. | // the invalid paths would have been detected in SecurityPropertyOwner and terminated the server startup. |
| // This happens regardless of whether or not HTTPS is enabled (not a great design, but that seems to be | // This happens regardless of whether or not HTTPS is enabled (not a great design, but that seems to be |
| // how other properties are validated as well) | // how other properties are validated as well) |
|
|
|
| } | } |
| | |
| // | // |
| // Get the enableSSLAutoTrustStoreUpdate property from the Config Manager. |
// Get the crlStore property from the Config Manager. |
| // Note that this feature is only exposed via the compile-time flag PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE |
|
| // It will be deprecated in the future in favor of better certificate management. See PEP165. |
|
| // | // |
| String autoUpdate = "false"; |
String crlStore = String::EMPTY; |
| |
crlStore = ConfigManager::getInstance()->getCurrentValue(PROPERTY_NAME__SSL_CRL_STORE); |
| | |
| #ifdef PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE |
if (crlStore != String::EMPTY) |
| autoUpdate = ConfigManager::getInstance()->getCurrentValue(PROPERTY_NAME__SSL_AUTO_TRUST_STORE_UPDATE); |
{ |
| #endif |
crlStore = ConfigManager::getHomedPath(crlStore); |
| |
} |
| | |
| // | // |
| // Get the sslTrustStoreUserName property from the Config Manager. | // Get the sslTrustStoreUserName property from the Config Manager. |
|
|
|
| } | } |
| | |
| // | // |
| // a truststore username must be specified if sslClientVerificationMode is required OR |
// A truststore username must be specified if sslClientVerificationMode is enabled |
| // sslClientVerificationMode is optional and a truststore is specified. |
// and the truststore is a single CA file. If the truststore is a directory, then |
| |
// the CertificateProvider should be used to register users with certificates. |
| // | // |
| if (String::equal(verifyClient, "required") || (String::equal(verifyClient, "optional") && trustStore != String::EMPTY)) |
if ((trustStore != String::EMPTY) && (!FileSystem::isDirectory(trustStore))) |
| { | { |
| if (trustStoreUserName == String::EMPTY) | if (trustStoreUserName == String::EMPTY) |
| { | { |
| MessageLoaderParms parms("Server.CIMServer.SSL_CLIENT_VERIFICATION_EMPTY_USERNAME", | MessageLoaderParms parms("Server.CIMServer.SSL_CLIENT_VERIFICATION_EMPTY_USERNAME", |
| "The \"sslTrustStoreUserName\" property must specify a truststore username to associate with the trusted certificates if \"sslClientVerificationMode\" is 'required' or 'optional', and a truststore is specified. cimserver not started."); |
"The \"sslTrustStoreUserName\" property must specify a valid username if \"sslClientVerificationMode\" is 'required' or 'optional' and the truststore is a single CA file. To register individual certificates to users, you must use a truststore directory along with the CertificateProvider. cimserver not started."); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
| } | } |
| } | } |
| | |
| // | // |
| // 'autoUpdate' must be used in conjunction with an 'optional' verification mode |
|
| // |
|
| if (String::equal(autoUpdate, "true") && !(String::equal(verifyClient, "optional"))) |
|
| { |
|
| MessageLoaderParms parms("Server.CIMServer.SSL_CLIENT_VERIFICATION_INVALID_AUTO_UPDATE_MODE", |
|
| "The \"enableSSLTrustStoreAutoUpdate\" property can only be 'true' if \"sslClientVerificationMode\" is 'optional'. cimserver not started."); |
|
| throw SSLException(parms); |
|
| } |
|
| |
|
| // |
|
| // 'autoUpdate' must be used in conjunction with a truststore DIRECTORY |
|
| // |
|
| FileSystem::translateSlashes(trustStore); |
|
| if (String::equal(autoUpdate, "true") && !FileSystem::isDirectory(trustStore)) |
|
| { |
|
| MessageLoaderParms parms("Server.CIMServer.SSL_CLIENT_VERIFICATION_INVALID_AUTO_UPDATE_DIRECTORY", |
|
| "The \"sslTrustStore\" value must be a valid directory if \"enableSSLTrustStoreAutoUpdate\" is 'true'. cimserver not started."); |
|
| throw SSLException(parms); |
|
| } |
|
| |
|
| // |
|
| // Get the sslCertificateFilePath property from the Config Manager. | // Get the sslCertificateFilePath property from the Config Manager. |
| // | // |
| String certPath; | String certPath; |
|
|
|
| randFile = ConfigManager::getHomedPath(PEGASUS_SSLSERVER_RANDOMFILE); | randFile = ConfigManager::getHomedPath(PEGASUS_SSLSERVER_RANDOMFILE); |
| #endif | #endif |
| | |
| Boolean trustStoreAutoUpdate = (String::equal(autoUpdate, "true") ? true : false); |
// Create the SSLContext defined by the configuration properties |
| |
|
| if (String::equal(verifyClient, "required")) | if (String::equal(verifyClient, "required")) |
| { | { |
| Tracer::trace(TRC_SSL, Tracer::LEVEL2, | Tracer::trace(TRC_SSL, Tracer::LEVEL2, |
| "SSL Client verification REQUIRED."); | "SSL Client verification REQUIRED."); |
| | |
| #ifdef PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE |
_sslcontext.reset(new SSLContext(trustStore, certPath, keyPath, crlStore, 0, randFile)); |
| _sslcontext.reset(new SSLContext(trustStore, certPath, keyPath, 0, false, trustStoreUserName, randFile)); |
|
| #else |
|
| _sslcontext.reset(new SSLContext(trustStore, certPath, keyPath, 0, trustStoreUserName, randFile)); |
|
| #endif |
|
| } | } |
| else if (String::equal(verifyClient, "optional")) | else if (String::equal(verifyClient, "optional")) |
| { | { |
| Tracer::trace(TRC_SSL, Tracer::LEVEL2, | Tracer::trace(TRC_SSL, Tracer::LEVEL2, |
| "SSL Client verification OPTIONAL."); | "SSL Client verification OPTIONAL."); |
| | |
| #ifdef PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE |
_sslcontext.reset(new SSLContext(trustStore, certPath, keyPath, crlStore, (SSLCertificateVerifyFunction*)verifyClientOptionalCallback, randFile)); |
| _sslcontext.reset(new SSLContext(trustStore, certPath, keyPath, (SSLCertificateVerifyFunction*)verifyClientOptionalCallback, trustStoreAutoUpdate, trustStoreUserName, randFile)); |
|
| #else |
|
| _sslcontext.reset(new SSLContext(trustStore, certPath, keyPath, (SSLCertificateVerifyFunction*)verifyClientOptionalCallback, trustStoreUserName, randFile)); |
|
| #endif |
|
| } | } |
| else if (String::equal(verifyClient, "disabled") || verifyClient == String::EMPTY) | else if (String::equal(verifyClient, "disabled") || verifyClient == String::EMPTY) |
| { | { |
| Tracer::trace(TRC_SSL, Tracer::LEVEL2, | Tracer::trace(TRC_SSL, Tracer::LEVEL2, |
| "SSL Client verification DISABLED."); | "SSL Client verification DISABLED."); |
| | |
| #ifdef PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE |
_sslcontext.reset(new SSLContext(String::EMPTY, certPath, keyPath, String::EMPTY, 0, randFile)); |
| _sslcontext.reset(new SSLContext(String::EMPTY, certPath, keyPath, 0, false, String::EMPTY, randFile)); |
|
| #else |
|
| _sslcontext.reset(new SSLContext(String::EMPTY, certPath, keyPath, 0, String::EMPTY, randFile)); |
|
| #endif |
|
| } | } |
| } | } |
| | |
Return to
CIMServer.cpp
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Server