authorJack Magne <jmagne@dhcp-32-224.sjc.redhat.com>2012-03-09 13:15:02 -0800
committerJack Magne <jmagne@dhcp-32-224.sjc.redhat.com>2012-03-12 17:27:11 -0700
commit1f759b5cb7aef73092a473c01cbec1928651c10a (patch)
treeb24a5ab8ce2bf007ee046ed15d58336528095426 /pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
parent0bc851bff69ef174b11cf147aeb1289c43de0666 (diff)
Provide Custom PKI JNDI Realm.
Provide a Realm that provides the following: 1. Allows SSL client certificate authentication upon protected URLs. For now we are protecting the new DRM Rest functions. 2. Allows simple PKI ACL checking like we have in the current server. This is accomplished with the help of a simple file that maps URLs to ACL resourceIDs and operations. 3. DRMRestClient now supports SSL Client authentication to test the feature. How to test this: Install new KRA server, after installing build pki-core rpm. Uncomment "PKIJNDIRealm" settings in conf/server.xml. Some customization will be needed for instance specific info. See the sample in server.xml. Uncomment the "Security Constraint" and "login-config" settings in webapps/kra/WEB-INF/web.xml. In running DRMTest.java in eclipse do the following: Change the arguments to support SSL Client auth such as: -h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID" where the new flags are -s = true for SSL and -c = <client auth cert name>. Export the KRA's admin/agent client auth cert from Firefox to a pk12 file. Import this cert into ~/archive-test by using the "pk12util" utility. Run the DRMTest.java program in eclipse and observe the results. There should be a prompt for a client cert.
Diffstat (limited to 'pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java')
-rw-r--r--pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java32
1 files changed, 30 insertions, 2 deletions
diff --git a/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java b/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
index 8020ec2ca..8d83247b8 100644
--- a/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
+++ b/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.test;
+import java.net.MalformedURLException;
import java.util.Calendar;
import java.util.Collection;
import java.util.Iterator;
@@ -61,6 +62,8 @@ public class DRMTest {
String port = null;
String token_pwd = null;
String db_dir = "./";
+ String protocol = "http";
+ String clientCertNickname = "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID";
// parse command line arguments
Options options = new Options();
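Review bot: The default for `clientCertNickname` is a nickname taken from one particular KRA instance, so on any other NSS database an SSL run without `-c` will look up a certificate that is not there. Separately, `protocol` defaults to `http`, so the test only uses an authenticated, encrypted channel when the caller opts in. I would leave the nickname unset by default and require `-c` whenever `-s true` is given, or at minimum mark it with a comment such as `// sample nickname from a dev instance; override with -c`. These declarations sit in a method that starts outside this hunk.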
@@ -68,6 +71,8 @@ public class DRMTest {
options.addOption("p", true, "Port of the DRM");
options.addOption("w", true, "Token password");
options.addOption("d", true, "Directory for tokendb");
+ options.addOption("s", true, "Attempt Optional Secure SSL connection");
+ options.addOption("c", true, "Optional SSL Client cert Nickname");
try {
CommandLineParser parser = new PosixParser();
@@ -97,6 +102,20 @@ public class DRMTest {
if (cmd.hasOption("d")) {
db_dir = cmd.getOptionValue("d");
}
+
+ if (cmd.hasOption("s")) {
+ if(cmd.getOptionValue("s") != null && cmd.getOptionValue("s").equals("true")) {
+ protocol = "https";
+ }
+ }
+
+ if (cmd.hasOption("c")) {
+ String nick = cmd.getOptionValue("c");
+
+ if (nick != null && protocol.equals("https")) {
+ clientCertNickname = nick;
+ }
+ }
} catch (ParseException e) {
System.err.println("Error in parsing command line options: " + e.getMessage());
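Review bot: Any `-s` value other than the exact string `true` (for example `True` or `yes`) silently leaves `protocol` at `http`, and a `-c` nickname is then dropped without any message, so a run meant to exercise SSL client authentication can go out over plain HTTP unnoticed. Compare with `"true".equalsIgnoreCase(cmd.getOptionValue("s"))`, reject unrecognised values, and print a warning when `-c` is supplied while `protocol` is still `http`. The help text on the `addOption("s", ...)` line in the previous hunk should also state that the expected value is `true`. The enclosing method starts outside this hunk.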
@@ -173,8 +192,17 @@ public class DRMTest {
}
// Set base URI and get client
- String baseUri = "http://" + host + ":" + port + "/kra/pki";
- DRMRestClient client = new DRMRestClient(baseUri);
+
+
+ String baseUri = protocol + "://" + host + ":" + port + "/kra/pki";
+ DRMRestClient client;
+ try {
+ client = new DRMRestClient(baseUri, clientCertNickname);
+ } catch (MalformedURLException e1) {
+ // TODO Auto-generated catch block
+ e1.printStackTrace();
+ return;
+ }
// Test 1: Get transport certificate from DRM
transportCert = client.getTransportCert();
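Review bot: The `catch (MalformedURLException e1)` block is still the IDE-generated stub. It prints a stack trace and returns, so a bad `-h` or `-p` value ends the run without naming the offending URI, and if this method is the program entry point the process would exit with a success status. Replace the stub body with something like `System.err.println("Invalid DRM base URI " + baseUri + ": " + e1.getMessage());` followed by a non-zero exit or the file's existing usage/exit path. Note also that `clientCertNickname` is passed to `DRMRestClient` even when `protocol` is `http`; whether the constructor ignores it in that case is not visible from this hunk.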