authorEndi S. Dewata <edewata@redhat.com>2017-01-07 02:32:47 +0100
committerEndi S. Dewata <edewata@redhat.com>2017-01-18 05:08:38 +0100
commitb3ee1c28f658a70468c5a5fcf3cb4840574be756 (patch)
treeb28cf7443e0941219e0f7bd30dcc487a4ddd120a /base/server/cmscore
parent3e8bb9d0e42594afafdd0c0ac2a0f1b7a5d05aeb (diff)
Added global TCP Keep-Alive option.
A new tcp.keepAlive parameter has been added to CS.cfg to configure the TCP Keep-Alive option for all LDAP connections created by the PKI server. By default the option is enabled. The LdapJssSSLSocketFactory has been modified to support both plain and secure sockets. For clarity, the socket factory has been renamed to PKISocketFactory. All code that creates LDAP connections has been modified to use PKISocketFactory so that the TCP Keep-Alive option can be applied globally. https://fedorahosted.org/pki/ticket/2564
Diffstat (limited to 'base/server/cmscore')
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java15
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java2
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java8
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java (renamed from base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java)134
4 files changed, 98 insertions, 61 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 9b87f6e24..ab10be91b 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -144,7 +144,7 @@ import com.netscape.cmscore.ldapconn.LdapAuthInfo;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
import com.netscape.cmscore.ldapconn.LdapBoundConnection;
import com.netscape.cmscore.ldapconn.LdapConnInfo;
-import com.netscape.cmscore.ldapconn.LdapJssSSLSocketFactory;
+import com.netscape.cmscore.ldapconn.PKISocketFactory;
import com.netscape.cmscore.logging.Auditor;
import com.netscape.cmscore.logging.LogSubsystem;
import com.netscape.cmscore.logging.Logger;
@@ -174,6 +174,7 @@ import com.netscape.cmsutil.util.Utils;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSSLSocketFactoryExt;
+import netscape.ldap.LDAPSocketFactory;
import netscape.security.extensions.CertInfo;
import netscape.security.pkcs.ContentInfo;
import netscape.security.pkcs.PKCS7;
@@ -480,9 +481,7 @@ public class CMSEngine implements ICMSEngine {
String host = info.getHost();
int port = info.getPort();
- LDAPConnection conn = info.getSecure() ?
- new LDAPConnection(CMS.getLdapJssSSLSocketFactory()) :
- new LDAPConnection();
+ LDAPConnection conn = new LDAPConnection(CMS.getLDAPSocketFactory(info.getSecure()));
System.out.println("testLDAPConnection connecting to " + host + ":" + port);
@@ -1029,11 +1028,15 @@ public class CMSEngine implements ICMSEngine {
public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory(
String certNickname) {
- return new LdapJssSSLSocketFactory(certNickname);
+ return new PKISocketFactory(certNickname);
}
public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory() {
- return new LdapJssSSLSocketFactory();
+ return new PKISocketFactory(true);
+ }
+
+ public LDAPSocketFactory getLDAPSocketFactory(boolean secure) {
+ return new PKISocketFactory(secure);
}
public ILdapAuthInfo getLdapAuthInfo() {
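Review bot: `getLdapJssSSLSocketFactory()` has to pass `true` explicitly because the no-argument `PKISocketFactory()` constructor introduced in the renamed file does not set `secure`, so it yields a plaintext socket factory where the old `LdapJssSSLSocketFactory()` always produced a JSS SSL socket. Any caller outside this directory that still invokes the no-argument constructor (the diffstat is limited to base/server/cmscore, so I cannot see them) would be downgraded to unencrypted LDAP with no error, since `makeSocket` simply opens `new Socket(host, port)` when `secure` is false. Either drop the no-argument constructor or make it delegate to `this(true)` so the insecure default has to be chosen deliberately. The new `getLDAPSocketFactory(boolean secure)` also lacks documentation; I would add `/** Returns a factory for plain (secure=false) or JSS SSL (secure=true) LDAP sockets; the global tcp.keepAlive setting is applied in both cases. */`.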
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java
index 52cdc4b1e..5d5e142d2 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java
@@ -40,7 +40,7 @@ public class LdapAnonConnection extends LDAPConnection {
*/
public LdapAnonConnection(LdapConnInfo connInfo)
throws LDAPException {
- super(connInfo.getSecure() ? new LdapJssSSLSocketFactory() : null);
+ super(new PKISocketFactory(connInfo.getSecure()));
// Set option to automatically follow referrals.
// rebind info is also anonymous.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java
index 787967a5f..a32634472 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java
@@ -19,6 +19,8 @@ package com.netscape.cmscore.ldapconn;
import java.util.Properties;
+import com.netscape.certsrv.apps.CMS;
+
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPRebind;
@@ -26,8 +28,6 @@ import netscape.ldap.LDAPRebindAuth;
import netscape.ldap.LDAPSocketFactory;
import netscape.ldap.LDAPv2;
-import com.netscape.certsrv.apps.CMS;
-
/**
* A LDAP connection that is bound to a server host, port, secure type.
* and authentication.
@@ -56,8 +56,8 @@ public class LdapBoundConnection extends LDAPConnection {
// this LONG line to satisfy super being the first call. (yuk)
super(
authInfo.getAuthType() == LdapAuthInfo.LDAP_AUTHTYPE_SSLCLIENTAUTH ?
- new LdapJssSSLSocketFactory(authInfo.getParms()[0]) :
- (connInfo.getSecure() ? new LdapJssSSLSocketFactory() : null));
+ new PKISocketFactory(authInfo.getParms()[0]) :
+ new PKISocketFactory(connInfo.getSecure()));
// Set option to automatically follow referrals.
// Use the same credentials to follow referrals; this is the easiest
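Review bot: The nested ternary passed to `super(...)` reads better as a small static helper now that both branches build a `PKISocketFactory`, and Java accepts a static call as the `super` argument: `super(createSocketFactory(connInfo, authInfo));` with `private static PKISocketFactory createSocketFactory(LdapConnInfo connInfo, LdapAuthInfo authInfo) { return authInfo.getAuthType() == LdapAuthInfo.LDAP_AUTHTYPE_SSLCLIENTAUTH ? new PKISocketFactory(authInfo.getParms()[0]) : new PKISocketFactory(connInfo.getSecure()); }`. That helper is also the natural place to document that SSL client auth forces a secure socket regardless of `connInfo.getSecure()`, because `PKISocketFactory(String)` sets `secure = true`. The constructor body continues outside the hunk.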
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
index b54d1e2f2..d0c23ed4c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
@@ -24,90 +24,124 @@ import java.net.UnknownHostException;
import java.util.Iterator;
import java.util.Vector;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSSLSocketFactoryExt;
-
import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
import org.mozilla.jss.ssl.SSLSocket;
import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.base.IConfigStore;
+
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSSLSocketFactoryExt;
/**
* Uses HCL ssl socket.
*
* @author Lily Hsiao lhsiao@netscape.com
*/
-public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
- private String mClientAuthCertNickname = null;
- private boolean mClientAuth = false;
+public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
- public LdapJssSSLSocketFactory() {
+ private boolean secure;
+ private String mClientAuthCertNickname;
+ private boolean mClientAuth;
+ private boolean keepAlive;
+
+ public PKISocketFactory() {
+ init();
}
- public LdapJssSSLSocketFactory(String certNickname) {
- mClientAuthCertNickname = certNickname;
+ public PKISocketFactory(boolean secure) {
+ this.secure = secure;
+ init();
}
- public Socket makeSocket(String host, int port) throws LDAPException {
- SSLSocket s = null;
+ public PKISocketFactory(String certNickname) {
+ this.secure = true;
+ mClientAuthCertNickname = certNickname;
+ init();
+ }
+ public void init() {
try {
- /*
- * let inherit TLS range and cipher settings
- */
+ IConfigStore cs = CMS.getConfigStore();
+ keepAlive = cs.getBoolean("tcp.keepAlive", true);
+ CMS.debug("TCP Keep-Alive: " + keepAlive);
- if (mClientAuthCertNickname == null) {
- s = new SSLSocket(host, port);
- }
- else {
- //Let's create a selection callback in the case the client auth
- //No longer manually set the cert name.
- //This two step process, used in the JSS client auth test suite,
- //appears to be needed to get this working.
-
- Socket js = new Socket(InetAddress.getByName(host), port);
- s = new SSLSocket(js, host,
- null,
- new SSLClientCertificateSelectionCB(mClientAuthCertNickname));
- }
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new RuntimeException("Unable to read TCP configuration: " + e, e);
+ }
+ }
+
+ public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException {
- s.setUseClientMode(true);
- s.enableV2CompatibleHello(false);
+ /*
+ * let inherit TLS range and cipher settings
+ */
- SSLHandshakeCompletedListener listener = null;
+ SSLSocket s;
- listener = new ClientHandshakeCB(this);
- s.addHandshakeCompletedListener(listener);
+ if (mClientAuthCertNickname == null) {
+ s = new SSLSocket(host, port);
- if (mClientAuthCertNickname != null) {
- mClientAuth = true;
- CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
- mClientAuthCertNickname);
+ } else {
+ // Let's create a selection callback in the case the client auth
+ // No longer manually set the cert name.
+ // This two step process, used in the JSS client auth test suite,
+ // appears to be needed to get this working.
+
+ Socket js = new Socket(InetAddress.getByName(host), port);
+ s = new SSLSocket(js, host,
+ null,
+ new SSLClientCertificateSelectionCB(mClientAuthCertNickname));
+ }
+
+ s.setUseClientMode(true);
+ s.enableV2CompatibleHello(false);
+
+ SSLHandshakeCompletedListener listener = null;
+
+ listener = new ClientHandshakeCB(this);
+ s.addHandshakeCompletedListener(listener);
+
+ if (mClientAuthCertNickname != null) {
+ mClientAuth = true;
+ CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
+ mClientAuthCertNickname);
+
+ //We have already established the manual cert selection callback
+ //Doing it this way will provide some debugging info on the candidate certs
+ }
+ s.forceHandshake();
+
+ return s;
+ }
+
+ public Socket makeSocket(String host, int port) throws LDAPException {
+
+ Socket s = null;
+
+ try {
+ if (!secure) {
+ s = new Socket(host, port);
- //We have already established the manual cert selection callback
- //Doing it this way will provide some debugging info on the candidate certs
+ } else {
+ s = makeSSLSocket(host, port);
}
- s.forceHandshake();
- } catch (UnknownHostException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_LDAPCONN_UNKNOWN_HOST"));
- throw new LDAPException(
- "Cannot Create JSS SSL Socket - Unknown host: " + e);
+ s.setKeepAlive(keepAlive);
- } catch (IOException e) {
+ } catch (Exception e) {
+ CMS.debug(e);
if (s != null) {
try {
s.close();
} catch (IOException e1) {
- e1.printStackTrace();
+ CMS.debug(e1);
}
}
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_LDAPCONN_IO_ERROR", e.toString()));
- throw new LDAPException("IO Error creating JSS SSL Socket: " + e);
+ throw new LDAPException("Unable to create socket: " + e);
}
return s;