From: Dave H. <hel...@us...> - 2012-08-28 23:29:05
|
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "SFCB - Small Footprint CIM Broker". The branch, master has been updated via 58d715277c881a056833e1c69f480c0872e4f00d (commit) from 628dcad5f3606641740758383b5e95875b52d756 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 58d715277c881a056833e1c69f480c0872e4f00d Author: Dave Heller <hel...@us...> Date: Tue Aug 28 19:23:39 2012 -0400 [ 3562538 ] Enable curl debug via env variable ----------------------------------------------------------------------- Summary of changes: diff --git a/NEWS b/NEWS index 9e780fd..af1a090 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,7 @@ New features: - 3497831 Updates to sfcb-ps test script - 3506453 Support peer cert verification for SSL indications - 3531210 Allow indication delivery timeout tuning +- 3562538 Enable curl debug via env variable Bugs fixed: - 3495804 Cleanup: httpProcId still defined, wrong define in cimXmlGen diff --git a/indCIMXMLExport.c b/indCIMXMLExport.c index c260477..b628b65 100644 --- a/indCIMXMLExport.c +++ b/indCIMXMLExport.c @@ -22,6 +22,7 @@ #include <curl/curl.h> #include <sfcCommon/utilft.h> #include "trace.h" +#include <stdlib.h> #include <string.h> #include "control.h" @@ -261,8 +262,9 @@ genRequest(CurlData * cd, char *url, char **msg) rv = curl_easy_setopt(cd->mHandle, CURLOPT_NOSIGNAL, 1); - // Turn this on to enable debugging - // rv = curl_easy_setopt(cd->mHandle, CURLOPT_VERBOSE, 1); + char *curldebug = getenv("CURLDEBUG"); + if (curldebug && strcasecmp(curldebug,"false")) + rv = curl_easy_setopt(cd->mHandle, CURLOPT_VERBOSE, 1); return 0; } hooks/post-receive -- SFCB - Small Footprint CIM Broker |
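Review bot: `strcasecmp`, which the genRequest hunk of this commit starts calling, is declared by POSIX in `<strings.h>`, while the include hunk (`@@ -22,6 +22,7`) adds only `<stdlib.h>` for `getenv`. glibc's `<string.h>` exposes it under the default feature macros, but other C libraries need not. Unless an include outside the hunk already covers it, add `#include <strings.h>` next to `#include <string.h>`.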
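Review bot: In the genRequest hunk (`@@ -261,8 +262,9`) the test `curldebug && strcasecmp(curldebug,"false")` enables CURLOPT_VERBOSE for every value except "false", so an empty `CURLDEBUG=`, `0` or `no` inherited from whatever environment starts the broker also turns it on. libcurl writes the verbose trace to stderr by default and it can include the request headers being sent, so anything sensitive in them ends up wherever the daemon's stderr is captured. I would make the switch opt-in, `if (curldebug && strcasecmp(curldebug, "true") == 0)`, and document it in place with `/* CURLDEBUG=true: libcurl trace on stderr, may contain request headers; debugging only */`. The same change appears again in the CVS notification for revision 1.21 of indCIMXMLExport.c further down the page. genRequest begins outside the hunk, so only its tail is visible here.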
From: Dave H. <hel...@us...> - 2012-08-28 23:07:58
|
Update of /cvsroot/sblim/sfcb In directory vz-cvs-3.sog:/tmp/cvs-serv28430 Modified Files: ChangeLog NEWS indCIMXMLExport.c Log Message: [ 3562538 ] Enable curl debug via env variable Index: indCIMXMLExport.c =================================================================== RCS file: /cvsroot/sblim/sfcb/indCIMXMLExport.c,v retrieving revision 1.20 retrieving revision 1.21 diff -u -d -r1.20 -r1.21 --- indCIMXMLExport.c 19 Jul 2012 17:21:22 -0000 1.20 +++ indCIMXMLExport.c 28 Aug 2012 23:07:55 -0000 1.21 @@ -24,6 +24,7 @@ #include <curl/curl.h> #include "utilft.h" #include "trace.h" +#include <stdlib.h> #include <string.h> #include "control.h" @@ -217,8 +218,9 @@ rv = curl_easy_setopt(cd->mHandle, CURLOPT_NOSIGNAL, 1); - // Turn this on to enable debugging - // rv = curl_easy_setopt(mHandle, CURLOPT_VERBOSE, 1); + char *curldebug = getenv("CURLDEBUG"); + if (curldebug && strcasecmp(curldebug,"false")) + rv = curl_easy_setopt(cd->mHandle, CURLOPT_VERBOSE, 1); return 0; } Index: ChangeLog =================================================================== RCS file: /cvsroot/sblim/sfcb/ChangeLog,v retrieving revision 1.798 retrieving revision 1.799 diff -u -d -r1.798 -r1.799 --- ChangeLog 8 Aug 2012 21:30:52 -0000 1.798 +++ ChangeLog 28 Aug 2012 23:07:55 -0000 1.799 @@ -1,3 +1,8 @@ +2012-08-28 Dave Heller <hel...@us...> + + * indCIMXMLExport.c + [ 3562538 ] Enable curl debug via env variable + 2012-08-08 Dave Heller <hel...@us...> * providerDrv.c: Index: NEWS =================================================================== RCS file: /cvsroot/sblim/sfcb/NEWS,v retrieving revision 1.713 retrieving revision 1.714 diff -u -d -r1.713 -r1.714 --- NEWS 8 Aug 2012 21:30:52 -0000 1.713 +++ NEWS 28 Aug 2012 23:07:55 -0000 1.714 @@ -3,6 +3,7 @@ New features: - 3538858 custom routine to log indInst objinfo - 3555395 Additional auth lib return codes +- 3562538 Enable curl debug via env variable Bugs fixed: - 3539569 Leaks in interopProvider |
From: Dave H. <hel...@us...> - 2012-08-27 21:52:23
|
Update of /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/http In directory vz-cvs-3.sog:/tmp/cvs-serv23875/utst/org/sblim/cimclient/unittest/http Modified Files: Tag: Experimental SSLConfigurationTest.java Log Message: 3536399 - fix SSLConfigurationTest bugs Index: SSLConfigurationTest.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/http/SSLConfigurationTest.java,v retrieving revision 1.1.2.11 retrieving revision 1.1.2.12 diff -u -d -r1.1.2.11 -r1.1.2.12 --- SSLConfigurationTest.java 26 Aug 2012 02:27:29 -0000 1.1.2.11 +++ SSLConfigurationTest.java 27 Aug 2012 21:52:21 -0000 1.1.2.12 @@ -25,6 +25,7 @@ import java.net.InetAddress; import java.net.ServerSocket; import java.net.Socket; +import java.net.SocketException; import java.net.URL; import java.util.Locale; import java.util.Properties; @@ -430,13 +431,9 @@ CIMObjectPath dummyCop = new CIMObjectPath(null, null, null, "root/interop", "CIM_Namespace", null); - int port = listener.addListener(ilsBrief, 0, "https"); - listener.removeListener(port); - WBEMClientSBLIM client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), - null, null); - // PEER VERIFICATION disabled at domain-level (should PASS) - port = listener.addListener(ilsBrief, port, "https"); + WBEMClientSBLIM client; + int port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); 
@@ -452,7 +449,7 @@ } // PEER VERIFICATION disabled but truststore configured (should PASS and // give WARNING) - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); @@ -469,7 +466,7 @@ } // CLIENT_PEER_VERIFICATION enabled at domain-level but no truststore // configured (should FAIL) - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "true"); @@ -486,7 +483,7 @@ } // CLIENT_PEER_VERIFICATION enabled at domain-level but truststore // misconfigured (should FAIL) - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "true"); @@ -503,7 +500,7 @@ } // CLIENT_PEER_VERIFICATION enabled at domain-level with valid // truststore (should PASS) - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "true"); 
@@ -520,7 +517,7 @@ } // CLIENT_PEER_VERIFICATION enabled at domain-level with notrust // truststore (should FAIL) - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "true"); @@ -540,7 +537,7 @@ // server keystore (should FAIL) listener.setProperty(WBEMConfigurationProperties.KEYSTORE_PATH, stranger.getFile()); listener.setProperty(WBEMConfigurationProperties.KEYSTORE_PASSWORD, "password"); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "true"); @@ -598,13 +595,9 @@ CIMObjectPath dummyCop = new CIMObjectPath(null, null, null, "root/interop", "CIM_Namespace", null); - int port = listener.addListener(ilsBrief, 0, "https"); - listener.removeListener(port); - WBEMClientSBLIM client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), - null, null); - // PEER VERIFICATION disabled at domain-level (should PASS) - port = listener.addListener(ilsBrief, port, "https"); + WBEMClientSBLIM client; + int port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); 
@@ -625,7 +618,7 @@ listener.setProperty(WBEMConfigurationProperties.SSL_LISTENER_PEER_VERIFICATION, "ignore"); listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, "/any/path/even/if/not/validated"); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); @@ -643,7 +636,7 @@ // configured (should FAIL) listener.setProperty(WBEMConfigurationProperties.SSL_LISTENER_PEER_VERIFICATION, "require"); listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); @@ -661,7 +654,7 @@ // LISTENER_PEER_VERIFICATION enabled at domain-level but truststore // misconfigured (should FAIL) listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, "somebadpath"); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); @@ -679,7 +672,7 @@ // LISTENER_PEER_VERIFICATION enabled at domain-level with valid // truststore (should PASS) listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, truststore.getFile()); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); 
@@ -698,7 +691,7 @@ // LISTENER_PEER_VERIFICATION enabled at domain-level with notrust // truststore (should FAIL) listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, notrust.getFile()); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); @@ -708,9 +701,10 @@ client.enumerateInstanceNames(dummyCop); } catch (WBEMException e) { if (e.getCause() != null - && (e.getCause().getClass().equals(SSLException.class) || e.getCause() - .getClass().equals(SSLHandshakeException.class))) { - // expected SSLException + && (e.getCause().getClass().equals(SSLException.class) + || e.getCause().getClass().equals(SSLHandshakeException.class) || e + .getCause().getClass().equals(SocketException.class))) { + // expected SSLException or SocketException } else fail("Connection established with listener peer verification enabled with notrust truststore"); } finally { listener.removeListener(port); @@ -718,7 +712,7 @@ // LISTENER_PEER_VERIFICATION enabled at domain-level with untrusted // client keystore (should FAIL) listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, truststore.getFile()); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); 
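Review bot: Adding `SocketException` to the accepted causes in the catch of the notrust-truststore case (hunk `@@ -708,9 +701,10`) means this should-FAIL check now passes on a socket error of that exact class whatever its origin, so it no longer shows that the listener rejected the client during peer verification. The catch blocks in `@@ -728,9 +722,10` and `@@ -748,9 +743,10` are widened the same way. If the listener closing the connection after a rejected certificate is what produces the exception (it looks that way, but the page does not say), record that next to the check, e.g. `// SocketException: listener dropped the connection after rejecting the client certificate`, and consider also asserting on the listener side that the handshake was refused. The `try` these catch blocks belong to starts outside each hunk.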
@@ -728,9 +722,10 @@ client.enumerateInstanceNames(dummyCop); } catch (WBEMException e) { if (e.getCause() != null - && (e.getCause().getClass().equals(SSLException.class) || e.getCause() - .getClass().equals(SSLHandshakeException.class))) { - // expected SSLException + && (e.getCause().getClass().equals(SSLException.class) + || e.getCause().getClass().equals(SSLHandshakeException.class) || e + .getCause().getClass().equals(SocketException.class))) { + // expected SSLException or SocketException } else fail("Connection established with listener peer verification enabled with untrusted client keystore"); } finally { listener.removeListener(port); @@ -738,7 +733,7 @@ // LISTENER_PEER_VERIFICATION enabled at domain-level but no client // keystore (should FAIL) listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, truststore.getFile()); - port = listener.addListener(ilsBrief, port, "https"); + port = listener.addListener(ilsBrief, 0, "https"); try { client = (WBEMClientSBLIM) initClient(new URL("https://localhost:" + port), null, null); client.setProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, "false"); @@ -748,9 +743,10 @@ client.enumerateInstanceNames(dummyCop); } catch (WBEMException e) { if (e.getCause() != null - && (e.getCause().getClass().equals(SSLException.class) || e.getCause() - .getClass().equals(SSLHandshakeException.class))) { - // expected SSLException + && (e.getCause().getClass().equals(SSLException.class) + || e.getCause().getClass().equals(SSLHandshakeException.class) || e + .getCause().getClass().equals(SocketException.class))) { + // expected SSLException or SocketException } else fail("Connection established with listener peer verification enabled but no client keystore"); } finally { listener.removeListener(port); |
From: Dave H. <hel...@us...> - 2012-08-27 21:52:22
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files In directory vz-cvs-3.sog:/tmp/cvs-serv23875/src/org/sblim/cimclient/doc-files Modified Files: Tag: Experimental secure_indications.html Log Message: 3536399 - fix SSLConfigurationTest bugs Index: secure_indications.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/Attic/secure_indications.html,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -d -r1.1.2.2 -r1.1.2.3 --- secure_indications.html 27 Aug 2012 00:02:22 -0000 1.1.2.2 +++ secure_indications.html 27 Aug 2012 21:52:20 -0000 1.1.2.3 
@@ -74,7 +74,7 @@ <li><em>sblim.wbem.sslListenerPeerVerification</em>: Determines how a HTTPS listener will handle authentication of a client (i.e. indication sender). If set to ignore, no SSL authentication (peer verification) will be performed. If set to require, the listener will attempt to verify the server certificate against the contents of the truststore defined in "javax.net.ssl.trustStore" and will fail the connection if the certificate cannot be verified. If set to accept, the listener will request the sender to present a certificate, but will not fail the connection even if an untrusted certificate is presented (this setting is of little practical value).</li> </ul> -<p>If the truststore properties are set but <code>sslListenerPeerVerification</code> is <code>ignore</code>, the truststore is not activated and all connections will be allowed (i.e. every sender is trusted). The only real use of this configuration is to temporarily disable the truststore for testing. Conversely, if <code>sslListenerPeerVerification</code> is <code>require</code> but the truststore properties are not set (or the truststore file is missing or otherwise unreadable), no connections will be allowed (i.e. no listener is trusted), as this is considered to be a misconfiguration. In both cases, a WARNING message is sent to the logger. (Note: <code>sslListenerPeerVerification=accept</code> behaves like <code>require</code> but the connection will not actually fail in this case.)</p> +<p>If the truststore properties are set but <code>sslListenerPeerVerification</code> is <code>ignore</code>, the truststore is not activated and all connections will be allowed (i.e. every sender is trusted). The only real use of this configuration is to temporarily disable the truststore for testing. 
Conversely, if <code>sslListenerPeerVerification</code> is <code>require</code> but the truststore properties are not set (or the truststore file is missing or otherwise unreadable), no connections will be allowed (i.e. no sender is trusted), as this is considered to be a misconfiguration. In both cases, a WARNING message is sent to the logger. (Note: <code>sslListenerPeerVerification=accept</code> behaves like <code>require</code> but the connection will not actually fail in this case.)</p> <p>As mentioned above, there is a way to set the keystore or truststore properties independently for client and listener, and in this manner it is possible to configure a separate set of keystores for each. However, this cannot be done via the properties file; it can only be done programmatically. This is described <a href="#independent">here</a>.</p> |
From: Dave B. <bla...@us...> - 2012-08-27 18:08:02
|
Update of /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/logging In directory vz-cvs-3.sog:/tmp/cvs-serv2023/utst/org/sblim/cimclient/unittest/logging Modified Files: Tag: Experimental LogAndTraceBrokerTest.java Log Message: 3562235 - LogAndTraceBrokerTest breaks unit test tracing Index: LogAndTraceBrokerTest.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/logging/LogAndTraceBrokerTest.java,v retrieving revision 1.3.2.11 retrieving revision 1.3.2.12 diff -u -d -r1.3.2.11 -r1.3.2.12 --- LogAndTraceBrokerTest.java 23 Aug 2012 14:48:30 -0000 1.3.2.11 +++ LogAndTraceBrokerTest.java 27 Aug 2012 18:07:59 -0000 1.3.2.12 @@ -20,6 +20,7 @@ * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2) * 3484014 2012-02-03 blaschke-oss Add LogAndTraceBroker.isLoggable for message/trace * 3554738 2012-08-16 blaschke-oss dump CIM xml by LogAndTraceBroker.trace() + * 3562235 2012-08-27 blaschke-oss LogAndTraceBrokerTest breaks unit test tracing */ package org.sblim.cimclient.unittest.logging; @@ -41,6 +42,9 @@ /** * Class LogAndTraceBrokerTest is responsible to test the LogAndTraceBroker * + * NOTE: Because this test changes log and trace properties, handlers, etc. in + * order to test LogAndTraceBroker, it must be the last test executed in order + * for log and trace to work correctly during unit test */ public class LogAndTraceBrokerTest extends TestCase { |
From: Dave B. <bla...@us...> - 2012-08-27 11:35:14
|
Update of /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/cim In directory vz-cvs-3.sog:/tmp/cvs-serv32066/utst/org/sblim/cimclient/unittest/cim Modified Files: Tag: Experimental CIMInstanceTest.java Log Message: 3529151 - TCK: CIMInstance property APIs include keys from COP (mkProp) Index: CIMInstanceTest.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/cim/CIMInstanceTest.java,v retrieving revision 1.1.2.6 retrieving revision 1.1.2.7 diff -u -d -r1.1.2.6 -r1.1.2.7 --- CIMInstanceTest.java 23 Aug 2012 12:37:29 -0000 1.1.2.6 +++ CIMInstanceTest.java 27 Aug 2012 11:35:11 -0000 1.1.2.7 @@ -41,10 +41,6 @@ pPropagated, pOriginClass); } - private static CIMProperty<Object> mkProp(String pName, Object pValue) { - return mkProp(pName, pValue, false, false, null); - } - private static CIMProperty<Object> mkKey(String pName, Object pValue) { return mkProp(pName, pValue, true, false, null); } |
From: Dave H. <hel...@us...> - 2012-08-27 00:02:25
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files In directory vz-cvs-3.sog:/tmp/cvs-serv30542/src/org/sblim/cimclient/doc-files Modified Files: Tag: Experimental secure.html secure_indications.html unittest.html Log Message: 3536399 - HTML documentation updates Index: unittest.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/unittest.html,v retrieving revision 1.1.2.24 retrieving revision 1.1.2.25 diff -u -d -r1.1.2.24 -r1.1.2.25 --- unittest.html 23 Aug 2012 14:30:32 -0000 1.1.2.24 +++ unittest.html 27 Aug 2012 00:02:22 -0000 1.1.2.25 @@ -32,6 +32,7 @@ * 3522904 2012-05-02 blaschke-oss Add new API WBEMClientSBLIM.isActive() * 3529062 2012-05-23 blaschke-oss WBEMListenerFactory should return new instance * 3554738 2012-08-16 blaschke-oss dump CIM xml by LogAndTraceBroker.trace() + * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties --> </head> <body style="background-color: white;"> 
@@ -416,16 +417,24 @@ <td>Tests basic SSL connection.</td></tr> <tr><td>testClientTrust</td> <td>Test if the client correctly evaluates the authentication of the - server.<br /> + server. Uses four keystores: <em>keystore</em> and <em>stranger</em> contain a full private/public key each; <em>truststore</em> contains the - public key from keystore; <em>notrust</em> is empty<br /></td></tr> + public key from keystore; <em>notrust</em> contains an untrusted + certificate<br /></td></tr> <tr><td>testServerTrust</td> <td>Test if the server correctly evaluates the authentication of the - client.<br /> + client. Uses four keystores: <em>keystore</em> and <em>stranger</em> contain a full private/public key each; <em>truststore</em> contains the - public key from keystore; <em>notrust</em> is empty<br /></td></tr> + public key from keystore; <em>notrust</em> contains an untrusted + certificate<br /></td></tr> + <tr><td>testWBEMClientTrust</td> + <td>Similar to <em>testClientTrust</em> but uses true <em>WBEMClient</em> + and <em>WBEMListener</em> instances to perform the test<br /></td></tr> + <tr><td>testWBEMListenerTrust</td> + <td>Similar to <em>testServerTrust</em> but uses true <em>WBEMClient</em> + and <em>WBEMListener</em> instances to perform the test<br /></td></tr> </table> <h3>cimxml.CimXmlSerializerTest</h3> Index: secure.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/secure.html,v retrieving revision 1.3.2.5 retrieving revision 1.3.2.6 diff -u -d -r1.3.2.5 -r1.3.2.6 --- secure.html 20 Aug 2012 18:44:47 -0000 1.3.2.5 +++ secure.html 27 Aug 2012 00:02:22 -0000 1.3.2.6 
@@ -21,6 +21,7 @@ * 2972697 2010-03-18 blaschke-oss Fix spelling errors in HTML files * 2990370 2010-04-22 blaschke-oss Development/unittest HTML out of date * 3536398 2012-08-20 hellerda Update HTML to reflect secure indication support + * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties --> </head> <body style="background-color: white;"> @@ -28,6 +29,8 @@ <h1>Getting Started with Secure Connections</h1> <a href="#intro">Introduction</a><br /> <a href="#basics">Authentication basics</a><br /> +<a href="#props">Keystore Configuration Properties</a><br /> +<a href="#configs">Configurations for client connections</a><br /> <a href="#c1">"No authentication" configuration</a><br /> <a href="#c2">"CIMOM authentication" configuration</a><br /> <a href="#c3">"Client authentication " configuration</a><br /> @@ -41,7 +44,7 @@ <br /> <a id="intro" name="intro" /><h2>Introduction</h2> <p>The following text will explain how to get secure connections from the SBLIM CIM Client for Java to the -CIM Object Manager and vice-versa (for indications) working.</p> +CIM Object Manager working.</p> <p>SSL/TLS may provide <ul> <li>confidentiality - no third party can read the content of the communication.</li> 
@@ -74,8 +77,32 @@ were invented to get around this. In a certificate chain an organization certifies the authenticity of an entity's certificate and the receiver just validates the authenticity of the organization's certificate. Therefore with just the certificate of the organization in the truststore the receiver can validate all entities that have certificates based on the organization's certificate.</p> -<p>The table below shows the possible configurations. -<h3>Configurations for client connections</h3> + +<a id="props" name="props" /><h2>Keystore Configuration Properties</h2> + +<p>The following properties allow you to configure the client keystore and truststore:</p> + + <ul> + <li><em>javax.net.ssl.keyStore</em>: The file path of the SSL keystore.</li> + <li><em>javax.net.ssl.keyStoreType</em>: The type of the SSL keystore repository. Typically this is <i>JKS</i> or <i>Java KeyStore</i> type, which is the default.</li> + <li><em>javax.net.ssl.keyStorePassword</em>: The password of the keystore.</li> + <li><em>javax.net.ssl.trustStore</em>: The file path of the SSL truststore.</li> + <li><em>javax.net.ssl.trustStoreType</em>: The type of the SSL truststore repository. Typically this is <i>JKS</i>, which is the default. + <li><em>javax.net.ssl.trustStorePassword</em>: The password of the truststore.</li> + </ul> + +<p>Whenever the keystore properties are defined for the client -- either by global configuration via the properties file or via a call to <code>System.setProperty()</code>, or set for the client directly via a call to <code>setProperty()</code> on an instance of a client -- the keystore will be activated automatically and no further configuration is required.</p> + +<p>For the truststore however, an additional property is provided to control activation; setting the above truststore properties alone is not sufficient to enable the truststore. 
(The reason for this difference is explained in more detail in <a href="secure_indications.html">Getting Started with Secure Indications</a>). To enable the truststore you must set the following property to <code>true</code> (the default is <code>false</code>):</p> + + <ul> + <li><em>sblim.wbem.sslClientPeerVerification</em>: Determines if a HTTPS client will attempt to authenticate the server (i.e. CIMOM) by verifying the server certificate. If true, the client will attempt to verify the server certificate against the contents of the truststore defined in "javax.net.ssl.trustStore". If false, no verification is attempted.</li> + </ul> + +<p>If the truststore properties are set but <code>sslClientPeerVerification</code> is <code>false</code>, the truststore is not activated and all connections will be allowed (i.e. every CIMOM is trusted). The only real use of this configuration is to temporarily disable the truststore for testing. Conversely, if <code>sslClientPeerVerification</code> is <code>true</code> but the truststore properties are not set (or the truststore file is missing or otherwise unreadable), no connections will be allowed (i.e. no CIMOM is trusted), as this is considered to be a misconfiguration. In both cases, a WARNING message is sent to the logger. </p> + +<a id="configs" name="configs" /><h2>Configurations for client connections</h2> +<p>The table below shows the possible configurations.</p> <table border="1" cellpadding="5"> <tr><th>Configuration</th><th>Encryption/Hashing</th><th>CIMOM authenticated</th><th>Client authenticated</th><th>Secure indication<br />listeners supported</th></tr> <tr align="center"><td><a href="#c1">No authentication</a></td><td>yes</td><td>no</td><td>no</td><td>no</td></tr> 
@@ -110,8 +137,8 @@ <li>Keystore: No</li> <li>Truststore: Required</li> </ul> -<p>In this scenario we configure the client to check the identity of the CIMOM. To do this we need to <a href="#truststore">create a truststore</a> and set the appropriate configuration properties. Once this is done the keystore will be activated and the client will automatically check the CIMOM certificate against the truststore. -Everything else is equal to the "no authorization" configuration</p> +<p>In this scenario we configure the client to check the identity of the CIMOM. To do this we need to <a href="#truststore">create a truststore</a> and set the appropriate configuration properties described above. When <code>sslClientPeerVerification</code> is set to <code>true</code>, the keystore will be activated and the client will automatically check the CIMOM certificate against the truststore. Everything else is equal to the "no authorization" configuration</p> + <p>Note: In this scenario we decided to evaluate the CIMOM's X509 certificate. In order to do that we have to import the CIMOM's certificate into our truststore. See <a href="#import">importing a certificate</a> for details.</p> Index: secure_indications.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/Attic/secure_indications.html,v retrieving revision 1.1.2.1 retrieving revision 1.1.2.2 diff -u -d -r1.1.2.1 -r1.1.2.2 --- secure_indications.html 22 Aug 2012 13:17:27 -0000 1.1.2.1 +++ secure_indications.html 27 Aug 2012 00:02:22 -0000 1.1.2.2 
@@ -17,13 +17,14 @@ * Flag Date Prog Description *------------------------------------------------------------------------------- * 3536398 2012-08-20 hellerda Update HTML to reflect secure indication support + * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties --> </head> <body style="background-color: white;"> <h1>Getting Started with Secure Indications</h1> <a href="#intro">Introduction</a><br /> -<a href="#global">Global Keystore Configuration</a><br /> +<a href="#props">Keystore Configuration Properties</a><br /> <a href="#configs">Configurations for secure indication listener</a><br /> <a href="#c1">"No authentication" configuration</a><br /> <a href="#c2">"CIMOM authentication" configuration</a><br /> @@ -41,7 +42,7 @@ <p>Similarly, the listener may choose to verify the certificate of the indication sender. To do this we need to additionally configure a truststore for the listener.</p> -<a id="global" name="global" /><h2>Global Keystore Configuration</h2> +<a id="props" name="props" /><h2>Keystore Configuration Properties</h2> <p>SSL/TLS authentication is X509 certificate-based. Each side provides a X509 certificate that confirms its identity. The certificates are exchanged and each side validates the received certificate against a local copy.</p> 
@@ -57,13 +58,25 @@ <li><em>javax.net.ssl.trustStorePassword</em>: The password of the truststore.</li> </ul> -<p>When these properties are configured globally, by either setting their values in the properties file or setting them programmatically via a call to <code>System.setProperty()</code>, their values will be effectively set for both the client and listener (they will in fact be be set for all new instances of client and listener). This means the client and listener will share the same set of keystores, even though they access these these keystores for entirely independent roles.</p> +<p>Whenever the keystore properties are defined for the listener -- either by global configuration via the properties file or via a call to <code>System.setProperty()</code>, or set for the listener directly via a call to <code>setProperty()</code> on an instance of a listener -- the keystore will be activated automatically and no further configuration is required.</p> -<p>It is also important to understand: with global configuration, the keystore and truststore are automatically activated whenever their respective configuration properties are set. This is true for both client and listener. Put another way, if a keystore or truststore is configured at the global level it is activated for <i>both</i> client and listener, even if this is not the intended action. The side effects are described in the table below.</p> +<p>It should be noted that, in the case where the <i>keystore</i> properties are configured globally, the <i>keystore</i> will be activated for both the client and listener simultaneously (it will in fact be enabled for all new instances of client and listener), even if this is not the intended action. This can cause the following side effect, which would be of concern only in limited circumstances:</p> -<p>There is currently no way to control the activation of the <i>keystore</i> for client and listener independently when the properties are configured globally. 
If you activate the keystore for the listener (as is required for SSL) it will be activated for the client as well, and the client will now begin to send a certificate during its SSL handshake. This would cause a change in behavior only if the CIMOM is conifigured for optional peer verification. If it is, and the CIMOM is unable to verify the new client certificate, the connection would fail. To fix this you must either import the client certificate to the CIMOM's truststore, or disable peer verification at the CIMOM. +<p>If you activate a <i>keystore</i> for the listener (as is required for SSL) it will be activated for the client as well, and the client will now begin to send a certificate during its SSL handshake. This would cause a change in behavior <i>only</i> if the CIMOM is configured for optional peer verification. If it is, and the CIMOM is unable to verify the new client certificate, the connection would fail. To fix this you must either import the client certificate to the CIMOM's truststore, or disable peer verification at the CIMOM. -<p>Finally, there is a way to set the keystore properties independently between client and listener, and in this manner it is possible to configure a separate set of keystores for each. However, this cannot be done via the properties file; it can only be done programmatically. This is described <a href="#independent">here</a>.</p> +<p>There is currently no way to control the activation of the <i>keystore</i> for client and listener independently when the properties are configured globally. If your application absolutely requires independent control of the keystore for client and listener, it can be done programmatically as described <a href="#independent">here</a>. For most applications this will not be required. + +<p>For the <i>truststore</i>, the situation is a bit different. 
An additional property is provided to control truststore activation; setting the above truststore properties alone is not sufficient to enable the truststore. The reason for this difference is that it allows peer authentication (a.k.a. peer verification) to be controlled independently for the client and the listener via the global configuration. (This is done for the truststore and not the keystore simply because the side effects of enabling peer verification simultaneously are much more severe than enabling the keystore simultaneously.)</p> + +<p>To enable the truststore for the listener you must set the following property to <code>accept</code> or <code>require</code> (the default is <code>ignore</code>):</p> + + <ul> + <li><em>sblim.wbem.sslListenerPeerVerification</em>: Determines how a HTTPS listener will handle authentication of a client (i.e. indication sender). If set to ignore, no SSL authentication (peer verification) will be performed. If set to require, the listener will attempt to verify the server certificate against the contents of the truststore defined in "javax.net.ssl.trustStore" and will fail the connection if the certificate cannot be verified. If set to accept, the listener will request the sender to present a certificate, but will not fail the connection even if an untrusted certificate is presented (this setting is of little practical value).</li> + </ul> + +<p>If the truststore properties are set but <code>sslListenerPeerVerification</code> is <code>ignore</code>, the truststore is not activated and all connections will be allowed (i.e. every sender is trusted). The only real use of this configuration is to temporarily disable the truststore for testing. Conversely, if <code>sslListenerPeerVerification</code> is <code>require</code> but the truststore properties are not set (or the truststore file is missing or otherwise unreadable), no connections will be allowed (i.e. 
no listener is trusted), as this is considered to be a misconfiguration. In both cases, a WARNING message is sent to the logger. (Note: <code>sslListenerPeerVerification=accept</code> behaves like <code>require</code> but the connection will not actually fail in this case.)</p> + +<p>As mentioned above, there is a way to set the keystore or truststore properties independently for client and listener, and in this manner it is possible to configure a separate set of keystores for each. However, this cannot be done via the properties file; it can only be done programmatically. This is described <a href="#independent">here</a>.</p> <a id="configs" name="configs" /><h2>Configurations for secure indication listener</h2> @@ -71,9 +84,9 @@ <table border="1" cellpadding="5"> <tr><th>Configuration</th><th>Encryption/Hashing</th><th>CIMOM authenticated</th><th>Listener authenticated</th><th>Side effect <b/>if configured globally</th></tr> <tr align="center"><td><a href="#c1">No authentication</a></td><td>yes</td><td>no</td><td>no</td><td>client now sends cert</td></tr> - <tr align="center"><td><a href="#c2">CIMOM authentication</a></td><td>yes</td><td>yes</td><td>no</td><td>client now authenticates CIMOM</td></tr> + <tr align="center"><td><a href="#c2">CIMOM authentication</a></td><td>yes</td><td>yes</td><td>no</td><td>none</td></tr> <tr align="center"><td><a href="#c3">Listener authentication</a></td><td>yes</td><td>no</td><td>yes</td><td>client now sends cert</td></tr> - <tr align="center"><td><a href="#c4">Mutual authentication</a></td><td>yes</td><td>yes</td><td>yes</td><td>client now authenticates CIMOM and sends cert</td></tr> + <tr align="center"><td><a href="#c4">Mutual authentication</a></td><td>yes</td><td>yes</td><td>yes</td><td>client now sends cert</td></tr> </table> <a id="c1" name="c1" /><h2>"No authentication" configuration</h2> 
@@ -93,8 +106,7 @@ <p>Note: Because the listener acts as a HTTPS server it will always present its certificate to the client (the indication sender or CIMOM). The CIMOM is free to verify the listener cert if desired. See your CIMOM documentation to determine if this feature is available. If so, the configuration will likely involve importing the listener certificate into the CIMOM truststore. See <a href="secure.html#export">exporting a certificate</a> for a description on how to export a certificate from your keystore so that you can import it into the CIMOM's truststore.</p> -<p>Note also: if the keystore properties are configured globally the keystore will be activated for (Java CIM) client as well as the listener. This may have unintended consequences if your CIMOM is configured to check the client cert. See <a href="#c3">client authentication</a> for a details.</p> - +<p>Note also: if the keystore properties are configured globally the keystore will be activated for (Java CIM) client as well as the listener. This can cause the side effect described in <a href="#props">configuration properties</a> above, which in most cases it is not of concern. If your application absolutely requires an independent keystore configuration this can be done programmatically as described <a href="#independent">below</a></p> <a id="c2" name="c2" /><h2>"CIMOM authentication" configuration</h2> <ul> 
@@ -104,16 +116,15 @@ <li>Keystore: always required</li> <li>Truststore: required</li> </ul> -<p>In this scenario we configure the listener to check the identity of the CIMOM (i.e. the indication sender). To do this we need to <a href="secure.html#truststore">create a truststore</a> and set the appropriate configuration properties. Once this is done the truststore will be activated and the listener will automatically check the CIMOM certificate against the truststore. -Everything else is equal to the "no authorization" configuration</p> +<p>In this scenario we configure the listener to check the identity of the CIMOM (i.e. the indication sender). To do this we need to <a href="secure.html#truststore">create a truststore</a> and the appropriate configuration properties described above. When <code>sslListenerPeerVerification</code> is set to <code>accept</code> or <code>require</code>, the truststore will be activated and the listener will automatically check the CIMOM certificate against the contents. Everything else is equal to the "no authorization" configuration</p> + <p>Note: In this scenario we will check the CIMOM's X509 certificate. In order to do that we have to import the CIMOM's certificate into our truststore. See <a href="secure.html#import">importing a certificate</a> for details.</p> <p>Note: Because the listener acts as a HTTPS server it will always present its certificate to the client (the indication sender or CIMOM). The CIMOM is free to verify the listener cert if desired.</p> -<p>Note also: if the truststore properties are configured globally the truststore will be activated for (Java CIM) client as well as the listener. The client will now attempt to verify the CIMOM on every CIM request, which will cause the requests to fail unless the CIMOM certificate has been imported into the truststore as described <a href="secure.html#c2">here</a>. 
(Assuming the cert is different from the one you already imported for listener operation; in most cases it will be the same).</p> - +<p>Note also: even when the truststore properties are configured globally they are activated separately for client and listener via the <code>sslClientPeerVerification</code> and <code>sslListenerPeerVerification</code> properties. This is done to prevent any side effect from enabling them simultaneously.</p> <a id="c3" name="c3" /><h2>"Listener authentication" configuration</h2> <ul> @@ -127,8 +138,7 @@ <p>Note: In this scenario we decided not to evaluate the CIMOM's X509 certificate. The listener can be configured to do that as described above.</p> -<p>Note also: if the keystore properties are configured globally the keystore will be activated for (Java CIM) client as well as the listener. This may have unintended consequences if your CIMOM is configured to check the client cert. See <a href="#c3">client authentication</a> for a details.</p> - +<p>Note also: if the keystore properties are configured globally the keystore will be activated for (Java CIM) client as well as the listener. This can cause the side effect described in <a href="#props">configuration properties</a> above, which in most cases it is not of concern. If your application absolutely requires an independent keystore configuration this can be done programmatically as described <a href="#independent">below</a></p> <a id="c4" name="c4" /><h2>"Mutual authentication" configuration</h2> <ul> 
@@ -150,40 +160,40 @@ <p>While it is not possible to configure client and listener keystores independently via the global configuration, it is possible to do so programmatically, by setting the desired property on the client or listener object directly, using the object's <code>setProperty()</code> method. In the case of the client this must be done after obtaining a reference to the client object but before the call to <code>initialize()</code>. For the listener it is done after obtaining the listener object but before the call to <code>addlistener()</code>.</p> -<p>The ablity to configure client and listener keystores independently has two basic applications:</p> +<p>The ability to configure client and listener keystores independently has two basic applications:</p> <ol> - <li><u>It allows the use of separate keystore/truststore files for client and listener</u>. For most applications this should not be necessary. Understand that sharing a truststore between client and listener does not mean you are limited to a single CA certificate for both, since a truststore can contain more than one certificate. The same is not exactly true for the keystore: While a keystore can contain more than one key pair, the Java CIM Client's KeyManager will use the first acceptable key pair it finds in the keystore in order to complete the SSL handshake. So there is no simple way to make the client use one key pair and the listener use another. If your application requires this you must separate the client and listener keystores. The circumstances where this is required would be unusual, since it is most common in a public key infrastructure to assign a single indentity to an endpoint, and this technique would actually assign two indentities to the endpoint. Nevertheless it is supported. - <li><u>It allows peer authentication to be enabled separately for client and listener</u>. 
When the truststore is configured globally it is automatically enabled for both client and server even if this is not the intent. Configuring the truststore independently allows peer authentication (a.k.a. peer verification) to be controlled independently as well, since any property set on the client or listener directly will override the global value of that property. So there are two strategies here: you can either forego setting the truststore properties globally and set them only on the client or listener as required; or, you can force peer verification off for client or listener by setting the truststore path to a null string. The latter is recommended as it ensures it will not be inadvertently enabled if the global configuration is later modified. + <li><u>It allows the use of separate keystore/truststore files for client and listener</u>. For most applications this should not be necessary. Understand that sharing a truststore between client and listener does not mean you are limited to a single CA certificate for both, since a truststore can contain more than one certificate. The same is not exactly true for the keystore: While a keystore can contain more than one key pair, the Java CIM Client's KeyManager will use the first acceptable key pair it finds in the keystore in order to complete the SSL handshake. So there is no simple way to make the client use one key pair and the listener use another. If your application requires this you must separate the client and listener keystores. The circumstances where this is required would be unusual, since it is most common in a public key infrastructure to assign a single indentity to an endpoint, and this technique would actually assign two identities to the endpoint. Nevertheless it is supported. + <li><u>It allows the keystore to be enabled separately for client and listener</u>. When the keystore is configured globally it is automatically enabled for both client and listener even if this is not the intent. 
Configuring the keystore independently allows its activation to be controlled independently as well, since any property set on the client or listener directly will override the global value of that property. So there are two strategies here: you can either forego setting the keystore properties globally and set them only on the client or listener as required; or, you can force keystore activation off for client or listener by setting the keystore path to an empty string. The latter is recommended as it ensures it will not be inadvertently enabled if the global configuration is later modified. The circumstances where this required would be unusual, e.g. it is necessary to hide the identity of the client even when a SSL listener is enabled. </ol> -<p>For the client, using the code snippet in <a href="firststeps.html">First Steps</a> as a reference: to configure a truststore for use solely by the client, insert the following lines after the call to <code>getClient()</code> but before the call to <code>client.initialize()</code>:</p> +<p>For the client, using the code snippet in <a href="firststeps.html">First Steps</a> as a reference: to configure a keystore for use solely by the client, insert the following lines after the call to <code>getClient()</code> but before the call to <code>client.initialize()</code>:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> -client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, "/path/to/client/truststore.pks"); -client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PASSWORD, "password"); +client.setProperty(WBEMConfigurationProperties.KEYSTORE_PATH, "/path/to/client/keystore.pks"); +client.setProperty(WBEMConfigurationProperties.KEYSTORE_PASSWORD, "password"); </pre></div></div> -<p>To disable peer verification for the client:</p> +<p>To disable the keystore for the client:</p> <div 
style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> -client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); +client.setProperty(WBEMConfigurationProperties.KEYSTORE_PATH, ""); </pre></div></div> -<p>For the listener, using the code snippet in <a href="indications.html#setup">Setting up an indication listener</a> as a reference: to configure a truststore for use solely by the listener, insert the following lines after the call to <code>getListener()</code> but before the call to <code>listener.addListener()</code>:</p> +<p>For the listener, using the code snippet in <a href="indications.html#setup">Setting up an indication listener</a> as a reference: to configure a keystore for use solely by the listener, insert the following lines after the call to <code>getListener()</code> but before the call to <code>listener.addListener()</code>:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> -listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, "/path/to/listener/truststore.pks"); -listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PASSWORD, "password"); +listener.setProperty(WBEMConfigurationProperties.KEYSTORE_PATH, "/path/to/listener/keystore.pks"); +listener.setProperty(WBEMConfigurationProperties.KEYSTORE_PASSWORD, "password"); </pre></div></div> -<p>To disable peer verification for the listener:</p> +<p>To disable the keystore for the listener (preventing the use SSL indications):</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> -listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); +listener.setProperty(WBEMConfigurationProperties.KEYSTORE_PATH, 
""); </pre></div></div> <p>Finally, note it is also possible to control the listener configuration by creating a new <code>java.lang.Properties</code> object and passing it to <code>addListener()</code>, as shown in the example <a href="indications.html#example2">here</a>. The result will be the same as the example above. If for some reason both methods are used, the properties passed to <code>addListener()</code> will take precedence.</p> |
From: Dave H. <hel...@us...> - 2012-08-26 02:27:31
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util In directory vz-cvs-3.sog:/tmp/cvs-serv28266/src/org/sblim/cimclient/internal/util Modified Files: Tag: Experimental WBEMConfiguration.java WBEMConfigurationDefaults.java Log Message: 3536399 - Add client/listener peer authentication properties Index: WBEMConfiguration.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/WBEMConfiguration.java,v retrieving revision 1.17.2.31 retrieving revision 1.17.2.32 diff -u -d -r1.17.2.31 -r1.17.2.32 --- WBEMConfiguration.java 6 Jun 2012 14:43:13 -0000 1.17.2.31 +++ WBEMConfiguration.java 26 Aug 2012 02:27:28 -0000 1.17.2.32 @@ -41,6 +41,7 @@ * 3492224 2012-02-23 blaschke-oss Need two different timeouts for Socket connections * 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1 * 3524050 2012-06-06 blaschke-oss Improve WWW-Authenticate in HTTPClient.java + * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties */ package org.sblim.cimclient.internal.util; 
@@ -674,6 +675,30 @@ } /** + * Returns whether the client will attempt to authenticate the CIMOM + * + * @return <code>true</code> if the client will attempt to authenticate the + * CIMOM by verifying the server certificate <code>false</code> + * otherwise + */ + public boolean getSslClientPeerVerification() { + return Boolean.valueOf( + getProperty(WBEMConfigurationProperties.SSL_CLIENT_PEER_VERIFICATION, + WBEMConfigurationDefaults.SSL_CLIENT_PEER_VERIFICATION)).booleanValue(); + } + + /** + * Returns how the listener will handle to authentication of the indication + * sender endpoint. + * + * @return The listener peer verification mode + */ + public String getSslListenerPeerVerification() { + return getProperty(WBEMConfigurationProperties.SSL_LISTENER_PEER_VERIFICATION, + WBEMConfigurationDefaults.SSL_LISTENER_PEER_VERIFICATION); + } + + /** * Returns the number of retries the client will attempt when the connection * was refused. * Index: WBEMConfigurationDefaults.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/WBEMConfigurationDefaults.java,v retrieving revision 1.11.2.20 retrieving revision 1.11.2.21 diff -u -d -r1.11.2.20 -r1.11.2.21 --- WBEMConfigurationDefaults.java 10 May 2012 23:23:42 -0000 1.11.2.20 +++ WBEMConfigurationDefaults.java 26 Aug 2012 02:27:28 -0000 1.11.2.21 @@ -35,6 +35,7 @@ * 3492214 2012-02-23 blaschke-oss Add a SenderIPAddress property indications * 3492224 2012-02-23 blaschke-oss Need two different timeouts for Socket connections * 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1 + * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties */ package org.sblim.cimclient.internal.util; 
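Review bot: `getSslClientPeerVerification()` parses the property with `Boolean.valueOf(...)`, which returns `false` for every string other than "true", so a mistyped value such as `yes` or `1` silently leaves verification of the CIMOM certificate switched off. Because this setting gates TLS peer authentication, the getter should recognise only the two valid spellings and report anything else, for example `if (!"true".equalsIgnoreCase(v) && !"false".equalsIgnoreCase(v)) { /* log a warning or reject the configuration */ }` before converting. `getSslListenerPeerVerification()` has the parallel gap: it returns the raw string without checking that it is one of `ignore`, `accept` or `require`, and how callers treat an unknown or differently-cased value is not visible in this hunk. The Javadoc of that second getter reads "handle to authentication"; the intended sentence is `Returns how the listener will handle authentication of the indication sender endpoint.`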
@@ -280,4 +281,14 @@ */ public static final String SSL_DEF_PROTOCOL = "SSL"; + /** + * SSL_CLIENT_PEER_VERIFICATION + */ + public static final String SSL_CLIENT_PEER_VERIFICATION = "false"; + + /** + * SSL_LISTENER_PEER_VERIFICATION + */ + public static final String SSL_LISTENER_PEER_VERIFICATION = "ignore"; + } |
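Review bot: The two added Javadoc comments only repeat the constant names, although both defaults leave peer verification off, and that is the fact a reader of this file most needs. With `"false"` and `"ignore"` an HTTPS connection is encrypted but the other endpoint is not authenticated unless the deployment sets the properties explicitly. I would replace the comments with `/** Default for sblim.wbem.sslClientPeerVerification: "false", the client does not verify the CIMOM certificate unless this is set to true. */` and `/** Default for sblim.wbem.sslListenerPeerVerification: "ignore", the listener does not examine the sender's certificate. */`.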
From: Dave H. <hel...@us...> - 2012-08-26 02:27:30
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient In directory vz-cvs-3.sog:/tmp/cvs-serv28266/src/org/sblim/cimclient Modified Files: Tag: Experimental WBEMConfigurationProperties.java Log Message: 3536399 - Add client/listener peer authentication properties Index: WBEMConfigurationProperties.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/WBEMConfigurationProperties.java,v retrieving revision 1.17.2.32 retrieving revision 1.17.2.33 diff -u -d -r1.17.2.32 -r1.17.2.33 --- WBEMConfigurationProperties.java 6 Jun 2012 14:43:12 -0000 1.17.2.32 +++ WBEMConfigurationProperties.java 26 Aug 2012 02:27:28 -0000 1.17.2.33 @@ -40,6 +40,7 @@ * 3492224 2012-02-23 blaschke-oss Need two different timeouts for Socket connections * 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1 * 3524050 2012-06-06 blaschke-oss Improve WWW-Authenticate in HTTPClient.java + * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties */ package org.sblim.cimclient; 
@@ -481,6 +482,52 @@ public static final String SSL_TRUSTMANAGER_ALGORITHM = "ssl.TrustManagerFactory.algorithm"; /** + * Determines if a HTTPS client will attempt to authenticate the server + * (i.e. CIMOM) by verifying the server certificate.<br /> + * <br /> + * If false, do not attempt verification. If true, the client will attempt + * to verify the server certificate against the contents of the truststore; + * in this case a valid path must be defined in "javax.net.ssl.trustStore" + * or no connection will be permitted. <br /> + * <br /> + * Type: <code>Boolean</code><br /> + * Recognition: On initialization of a new client<br /> + * Default: <code>false</code><br /> + */ + public static final String SSL_CLIENT_PEER_VERIFICATION = "sblim.wbem.sslClientPeerVerification"; + + /** + * Determines how a HTTPS listener will handle authentication of a client + * (i.e. indication sender):<br /> + * <ul> + * <table border="1"> + * <tr> + * <td>ignore</td> + * <td>do not examine the client certificate</td> + * </tr> + * <tr> + * <td>accept</td> + * <td>examine client certificate if presented; do not fail if not presented + * </td> + * </tr> + * <tr> + * <td>require</td> + * <td>examine client certificate; fail if not presented</td> + * </tr> + * </table> + * </ul> + * If set to "ignore", do not attempt verification. If set to "accept" or + * "require", the listener will attempt to verify the sender against the + * contents of the truststore; in this case a valid path must be defined in + * "javax.net.ssl.trustStore" or no connection will be permitted. <br /> + * <br /> + * Type: <code>String</code><br /> + * Recognition: On next call to addListener()<br /> + * Default: <code>ignore</code><br /> + */ + public static final String SSL_LISTENER_PEER_VERIFICATION = "sblim.wbem.sslListenerPeerVerification"; + + /** * Specifies the XML parser for parsing CIM-XML responses.<br /> * The SAX parser is the default choice since it is fast, resource saving * and interoperable. 
The streaming algorithm of the PULL parser uses the |
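Review bot: The table row for `accept` ("examine client certificate if presented; do not fail if not presented") does not say what happens when a certificate is presented but cannot be verified. The secure_indications.html text from the same change states that `accept` does not fail the connection even for an untrusted certificate, which is a different guarantee. The Javadoc should state which behaviour the listener implements; if `accept` never rejects a sender, a sentence such as `accept does not reject a sender whose certificate cannot be verified; use require to enforce authentication` belongs in the row. Separately, the `<table>` is nested directly inside `<ul>`, which is not valid HTML, so the `<ul>` wrapper can be dropped.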
From: Michael Chase-S. <mc...@us...> - 2012-08-24 15:21:31
|
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "SFCB - Small Footprint CIM Broker". The branch, master has been updated via 628dcad5f3606641740758383b5e95875b52d756 (commit) from cb1a50bbf052cfd526e6e40afcb2514cc9c08da4 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 628dcad5f3606641740758383b5e95875b52d756 Author: Michael Chase-Salerno <br...@li...> Date: Fri Aug 24 11:20:42 2012 -0400 Quick install steps in readme ----------------------------------------------------------------------- Summary of changes: diff --git a/README b/README index 0e95306..71db31d 100644 --- a/README +++ b/README @@ -3,7 +3,7 @@ --------------------------------- What is sfcb -=============== +============================== sfcb is a lightweight CIM daemon (aka CIMOM) that responds to CIM client requests for system management data and/or performs system management tasks. sfcb supports most of the standard CIM XML over http/https protocol. 
@@ -15,13 +15,46 @@ That said, sfcb runs very well on a regular Linux/Unix system and supports most of the functions required by CIM clients to manage such the system. Documentation -================= +============================== The sfcb documentation is maintained in the sfcb wiki on Sourceforge. sfcb wiki: http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb sfcb documentation: https://sourceforge.net/apps/mediawiki/sblim/index.php?title=SfcbTheBook +Quick Install +============================== + +The following procedure will get SFCB installed with default options. If you +need to customize the installation at all, please see the documentation +linked to above. + + The following prerequisites must be installed: + + sfcCommon + cmpi-devel >= 2.0.1 + automake >= 1.8 + autoconf >= 2.5.8 + libtool >= 1.5.8 + bison >= 1.85 + flex + curl >= 7.11.1-1 + curl-devel >= 7.11.1-1 + + + 3. Build sfcb using the following commands from the sfcb directory: + + ./autoconfiscate.sh (if you obtained the source from CVS/GIT) + ./configure + make + sudo make install + sudo make postinstall + + 4. Start sfcbd: + + sudo /usr/local/sbin/sfcbd + + Support and Reporting Bugs ============================== The SBLIM project maintains a mailing list to which you should direct all hooks/post-receive -- SFCB - Small Footprint CIM Broker |
From: Michael Chase-S. <mc...@us...> - 2012-08-23 21:16:39
|
Update of /cvsroot/sblim/sfcb In directory vz-cvs-3.sog:/tmp/cvs-serv26469 Modified Files: README Log Message: Updated readme for sfcCustomLib Index: README =================================================================== RCS file: /cvsroot/sblim/sfcb/README,v retrieving revision 1.58 retrieving revision 1.59 diff -u -d -r1.58 -r1.59 --- README 23 Nov 2011 03:24:00 -0000 1.58 +++ README 23 Aug 2012 21:16:37 -0000 1.59 @@ -611,11 +611,10 @@ be executed in the same process unless another group has been specified in the provider registration file. Default: true -slpHostnameLib - Specify the name of the library to use to determine the SLP hostname. This - will override the default method. You must implement this library based - on the sample provided, sfcSlpHostname.c. You must also specify the - --enable-slp-hostname-lib configure option to enable this support. +sfcbCustomLib + Specify the name of the library to use for sfcb customization hooks. + See http://sourceforge.net/apps/mediawiki/sblim/index.php?title=SfcbCustomizationHooks + This option replaces the former slpHostnameLib option. sslClientCertificate Specify the way sfcb handles client certificate based authentication. If set to |
From: Dave B. <bla...@us...> - 2012-08-23 14:48:32
|
Update of /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/logging In directory vz-cvs-3.sog:/tmp/cvs-serv14061/utst/org/sblim/cimclient/unittest/logging Modified Files: Tag: Experimental LogAndTraceBrokerTest.java Log Message: 3554738 - dump CIM xml by LogAndTraceBroker.trace() (add testl) Index: LogAndTraceBrokerTest.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/utst/org/sblim/cimclient/unittest/logging/LogAndTraceBrokerTest.java,v retrieving revision 1.3.2.10 retrieving revision 1.3.2.11 diff -u -d -r1.3.2.10 -r1.3.2.11 --- LogAndTraceBrokerTest.java 23 Aug 2012 14:30:33 -0000 1.3.2.10 +++ LogAndTraceBrokerTest.java 23 Aug 2012 14:48:30 -0000 1.3.2.11 @@ -574,6 +574,11 @@ LogAndTraceBroker broker = LogAndTraceBroker.getBroker(); broker.clearCIMXMLTraceListeners(); + verify("before: isLoggableCIMXMLTrace(OFF) != false", broker + .isLoggableCIMXMLTrace(Level.OFF) == false); + verify("before: isLoggableCIMXMLMessage(+1) != false", broker + .isLoggableCIMXMLTrace(Level.SEVERE) == false); + broker.addCIMXMLTraceListener(new CIMXMLTraceListener() { public void traceCIMXML(Level pLevel, String pMessage, boolean pOutgoing) { @@ -584,6 +589,11 @@ } }); + verify("after: isLoggableCIMXMLTrace(OFF) != false", broker + .isLoggableCIMXMLTrace(Level.OFF) == false); + verify("after: isLoggableCIMXMLMessage(+1) != true", broker + .isLoggableCIMXMLTrace(Level.SEVERE) == true); + setCIMXMLTraceMessages(0); broker.traceCIMXML(Level.FINEST, TEST, true); verify("Message count logged", EQUAL, new Integer(getCIMXMLTraceMessages()), new Integer(1)); |
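Review bot: The second `verify` message in each added pair names `isLoggableCIMXMLMessage(+1)`, but the call under test is `isLoggableCIMXMLTrace(Level.SEVERE)`, so a failure report would point at a method and argument that the assertion never exercised. This applies to both hunks (@@ -574 and @@ -584). I would write `verify("before: isLoggableCIMXMLTrace(SEVERE) != false", !broker.isLoggableCIMXMLTrace(Level.SEVERE));` and, after the listener is added, `verify("after: isLoggableCIMXMLTrace(SEVERE) != true", broker.isLoggableCIMXMLTrace(Level.SEVERE));`, which also drops the `== false` / `== true` comparisons. The test method starts and ends outside the hunks.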
From: Dave B. <bla...@us...> - 2012-08-23 14:30:35
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/wbem/indications In directory vz-cvs-3.sog:/tmp/cvs-serv13392/src/org/sblim/cimclient/internal/wbem/indications Modified Files: Tag: Experimental CIMIndicationHandler.java Log Message: 3554738 - dump CIM xml by LogAndTraceBroker.trace() (add Level) Index: CIMIndicationHandler.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/wbem/indications/CIMIndicationHandler.java,v retrieving revision 1.10.2.25 retrieving revision 1.10.2.26 diff -u -d -r1.10.2.25 -r1.10.2.26 --- CIMIndicationHandler.java 17 Aug 2012 01:10:05 -0000 1.10.2.25 +++ CIMIndicationHandler.java 23 Aug 2012 14:30:32 -0000 1.10.2.26 @@ -500,7 +500,7 @@ InputStream inputstream = null; if ((this.iSessionProperties.isCimXmlTracingEnabled() && LogAndTraceBroker.getBroker() .getXmlTraceStream() != null) - || LogAndTraceBroker.getBroker().isLoggableCIMXMLTrace()) { + || LogAndTraceBroker.getBroker().isLoggableCIMXMLTrace(Level.FINEST)) { inputstream = new DebugInputStream(pReader.getInputStream(), LogAndTraceBroker .getBroker().getXmlTraceStream()); } else { 
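Review bot: When the condition holds only through its second branch, `isLoggableCIMXMLTrace(Level.FINEST)`, nothing has checked `getXmlTraceStream()` for null, yet the next line passes that value to `new DebugInputStream(...)`; only the first branch makes the check. Whether `DebugInputStream` tolerates a null stream is not visible here, so that should be confirmed and recorded next to the constructor call, e.g. `// getXmlTraceStream() may be null here when tracing is enabled only through a trace listener`. The level literal `Level.FINEST` is now repeated at this call site and twice more in the @@ -758 hunk; a single private constant for the CIM-XML trace level would keep the three in step. The enclosing method starts and ends outside the hunk.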
@@ -758,14 +758,14 @@ throw new HttpException(400, "Bad Request"); } if (this.iSessionProperties.isCimXmlTracingEnabled() - || this.iLogger.isLoggableCIMXMLTrace()) { + || this.iLogger.isLoggableCIMXMLTrace(Level.FINEST)) { OutputStream pos = new ByteArrayOutputStream(); CIMClientXML_HelperImpl.dumpDocument(pos, responseDoc); OutputStream debugStream = this.iLogger.getXmlTraceStream(); if (this.iSessionProperties.isCimXmlTracingEnabled() && debugStream != null) debugStream .write(pos.toString().getBytes()); - if (this.iLogger.isLoggableCIMXMLTrace()) this.iLogger - .traceCIMXML(pos.toString(), true); + if (this.iLogger.isLoggableCIMXMLTrace(Level.FINEST)) this.iLogger.traceCIMXML( + Level.FINEST, pos.toString(), true); } CIMClientXML_HelperImpl.serialize(pWriter.getOutputStream(), responseDoc); pWriter.getHeader().addField("CIMExport", "MethodResponse"); |
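Review bot: `pos.toString()` decodes the dumped document with the platform default charset and `.getBytes()` re-encodes it the same way, so non-ASCII CIM-XML may reach the debug stream and the trace listeners altered wherever that default differs from the document's encoding. The conversion also runs twice when both sinks are active. Declaring the buffer as `ByteArrayOutputStream pos = new ByteArrayOutputStream();` allows `debugStream.write(pos.toByteArray());` for the raw copy and a single decoded string for `traceCIMXML(Level.FINEST, xml, true)`. Which charset `dumpDocument` writes is not visible here, so confirm it before choosing the decoder. The enclosing method starts and ends outside the hunk.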
From: Dave B. <bla...@us...> - 2012-08-23 12:37:31
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util In directory vz-cvs-3.sog:/tmp/cvs-serv3509/src/org/sblim/cimclient/internal/util Modified Files: Tag: Experimental MOF.java Log Message: 3529151 - TCK: CIMInstance property APIs include keys from COP Index: MOF.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/MOF.java,v retrieving revision 1.7.2.15 retrieving revision 1.7.2.16 diff -u -d -r1.7.2.15 -r1.7.2.16 --- MOF.java 23 Mar 2012 16:44:47 -0000 1.7.2.15 +++ MOF.java 23 Aug 2012 12:37:29 -0000 1.7.2.16 @@ -25,6 +25,7 @@ * 2797550 2009-06-01 raman_arora JSR48 compliance - add Java Generics * 3185824 2011-02-18 blaschke-oss Char16 definition includes whitespace * 3510090 2012-03-23 blaschke-oss Fix CIMObjectPath.toString() inconsistencies + * 3529151 2012-08-22 blaschke-oss TCK: CIMInstance property APIs include keys from COP */ package org.sblim.cimclient.internal.util; @@ -295,8 +296,16 @@ // TODO: What is the alias? How to use? StringBuffer buf = new StringBuffer(); buf.append(pInd + INSTOF + pInst.getClassName() + " {\n"); + // Add all properties in prop array for (int i = 0; i < pInst.getPropertyCount(); i++) buf.append(valueInitializer(pInst.getProperty(i), pInd + INDENT)); + // Add keys that are NOT also in prop array + CIMProperty<?>[] keys = pInst.getKeys(); + for (int i = 0; i < keys.length; i++) { + if (pInst.getProperty(keys[i].getName()) == null) { + buf.append(valueInitializer(keys[i], pInd + INDENT)); + } + } buf.append(pInd + "};"); return buf.toString(); } |
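Review bot: In the second hunk the result of `pInst.getKeys()` is dereferenced through `keys.length` without a null check. Whether it can return null is not visible here, so either guard it or record the guarantee in the comment above the loop. The loop can also use the enhanced for that the file's generics already allow: `for (CIMProperty<?> key : keys) { if (pInst.getProperty(key.getName()) == null) buf.append(valueInitializer(key, pInd + INDENT)); }`. The first hunk only adds the change-history line and needs nothing. The enclosing method starts outside the hunk.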
From: Dave H. <hel...@us...> - 2012-08-22 13:17:31
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files In directory vz-cvs-3.sog:/tmp/cvs-serv16074/src/org/sblim/cimclient/doc-files Added Files: Tag: Experimental secure_indications.html Log Message: 3536398 - Update HTML: add secure_indications.html --- NEW FILE: secure_indications.html --- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <!-- * * (C) Copyright IBM Corp. 2012 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE * CONSTITUTES RECIPIENTS ACCEPTANCE OF THE AGREEMENT. * * You can obtain a current copy of the Eclipse Public License from * http://www.opensource.org/licenses/eclipse-1.0.php * * @author : Dave Heller, IBM, hel...@us... * * Change History * Flag Date Prog Description *------------------------------------------------------------------------------- * 3536398 2012-08-20 hellerda Update HTML to reflect secure indication support --> </head> <body style="background-color: white;"> <h1>Getting Started with Secure Indications</h1> <a href="#intro">Introduction</a><br /> <a href="#global">Global Keystore Configuration</a><br /> <a href="#configs">Configurations for secure indication listener</a><br /> <a href="#c1">"No authentication" configuration</a><br /> <a href="#c2">"CIMOM authentication" configuration</a><br /> <a href="#c3">"Listener authentication" configuration</a><br /> <a href="#c4">"Mutual authentication" configuration</a><br /> <a href="#independent">Configuring client and listener keystores independently</a><br /> <br /> <a id="intro" name="intro" /><h2>Introduction</h2> <p>The following text will explain how to configure a secure indication listener for the SBLIM CIM Client for Java.</p> <p>It is suggested the reader first review <a href="secure.html">Getting Started with Secure Connections</a>, as this document relies on the topics covered there. 
<p>As described in <a href="indications.html">Getting Started with Indications</a>, indication delivery reverses the role of HTTP client and server. The indication sender (typically the CIMOM) is now the HTTP client and the indication listener is the HTTP server.</p> <p>For SSL/TLS (HTTPS) connections, configuration of a keystore is optional for the HTTPS client. For a HTTPS server however, a keystore is mandatory. This is because the keystore contains the private key the server will use to initiate encryption for the connection. So we must configure a keystore to enable a secure indication listener.</p> <p>The keystore also contains the certificate the HTTPS server (i.e. the indication listener) will use to assert its identity. The HTTPS client (the indication sender or CIMOM) may optionally choose to verify the server cert against the contents of its own truststore.</p> <p>Similarly, the listener may choose to verify the certificate of the indication sender. To do this we need to additionally configure a truststore for the listener.</p> <a id="global" name="global" /><h2>Global Keystore Configuration</h2> <p>SSL/TLS authentication is X509 certificate-based. Each side provides a X509 certificate that confirms its identity. The certificates are exchanged and each side validates the received certificate against a local copy.</p> <p>For the listener, just as for the client, two files are used to store the certificates: a keystore and a truststore. The process for managing the keystores is described in <a href="secure.html">Getting Started with Secure Connections</a>. The following properties allow you to configure the keystores:</p> <ul> <li><em>javax.net.ssl.keyStore</em>: The file path of the SSL keystore.</li> <li><em>javax.net.ssl.keyStoreType</em>: The type of the SSL keystore repository. 
Typically this is <i>JKS</i> or <i>Java KeyStore</i> type, which is the default.</li> <li><em>javax.net.ssl.keyStorePassword</em>: The password of the keystore.</li> <li><em>javax.net.ssl.trustStore</em>: The file path of the SSL truststore.</li> <li><em>javax.net.ssl.trustStoreType</em>: The type of the SSL truststore repository. Typically this is <i>JKS</i>, which is the default.</li> <li><em>javax.net.ssl.trustStorePassword</em>: The password of the truststore.</li> </ul> <p>When these properties are configured globally, by either setting their values in the properties file or setting them programmatically via a call to <code>System.setProperty()</code>, their values will be effectively set for both the client and listener (they will in fact be set for all new instances of client and listener). This means the client and listener will share the same set of keystores, even though they access these keystores for entirely independent roles.</p> <p>It is also important to understand: with global configuration, the keystore and truststore are automatically activated whenever their respective configuration properties are set. This is true for both client and listener. Put another way, if a keystore or truststore is configured at the global level it is activated for <i>both</i> client and listener, even if this is not the intended action. The side effects are described in the table below.</p> <p>There is currently no way to control the activation of the <i>keystore</i> for client and listener independently when the properties are configured globally. If you activate the keystore for the listener (as is required for SSL) it will be activated for the client as well, and the client will now begin to send a certificate during its SSL handshake. This would cause a change in behavior only if the CIMOM is configured for optional peer verification. If it is, and the CIMOM is unable to verify the new client certificate, the connection would fail. 
To fix this you must either import the client certificate to the CIMOM's truststore, or disable peer verification at the CIMOM. <p>Finally, there is a way to set the keystore properties independently between client and listener, and in this manner it is possible to configure a separate set of keystores for each. However, this cannot be done via the properties file; it can only be done programmatically. This is described <a href="#independent">here</a>.</p> <a id="configs" name="configs" /><h2>Configurations for secure indication listener</h2> <p>The table below shows the possible keystore configurations for the listener. Note we refer to the CIMOM in its capacity as indication sender, not server.</p> <table border="1" cellpadding="5"> <tr><th>Configuration</th><th>Encryption/Hashing</th><th>CIMOM authenticated</th><th>Listener authenticated</th><th>Side effect <b/>if configured globally</th></tr> <tr align="center"><td><a href="#c1">No authentication</a></td><td>yes</td><td>no</td><td>no</td><td>client now sends cert</td></tr> <tr align="center"><td><a href="#c2">CIMOM authentication</a></td><td>yes</td><td>yes</td><td>no</td><td>client now authenticates CIMOM</td></tr> <tr align="center"><td><a href="#c3">Listener authentication</a></td><td>yes</td><td>no</td><td>yes</td><td>client now sends cert</td></tr> <tr align="center"><td><a href="#c4">Mutual authentication</a></td><td>yes</td><td>yes</td><td>yes</td><td>client now authenticates CIMOM and sends cert</td></tr> </table> <a id="c1" name="c1" /><h2>"No authentication" configuration</h2> <ul> <li>Confidentiality: given</li> <li>Integrity: given</li> <li>Authentication: no</li> <li>Keystore: always required</li> <li>Truststore: No</li> </ul> <p>As previously stated we must <i>always</i> configure a keystore to enable a secure listener. Follow the procedure here to <a href="secure.html#keystore">create a keystore</a> and set the appropriate configuration properties. 
Once this is done the keystore will be activated and the listener will be capable of receiving secure indications.</p> <p>The process for creating a new indication listener is described <a href="indications.html#setup">here</a>. The sample code supports either a http or https listener. Don't forget to change "http" to "https" in the CIM_ListenerDestinationCIMXML instance when creating a secure subscription.</p> <p>Note: The CIMOM (i.e. the indication sender) may be configured to send its own X509 certificate. In this scenario we decided not to evaluate this certificate.</p> <p>Note: Because the listener acts as a HTTPS server it will always present its certificate to the client (the indication sender or CIMOM). The CIMOM is free to verify the listener cert if desired. See your CIMOM documentation to determine if this feature is available. If so, the configuration will likely involve importing the listener certificate into the CIMOM truststore. See <a href="secure.html#export">exporting a certificate</a> for a description on how to export a certificate from your keystore so that you can import it into the CIMOM's truststore.</p> <p>Note also: if the keystore properties are configured globally the keystore will be activated for (Java CIM) client as well as the listener. This may have unintended consequences if your CIMOM is configured to check the client cert. See <a href="secure.html#c3">client authentication</a> for details.</p> <a id="c2" name="c2" /><h2>"CIMOM authentication" configuration</h2> <ul> <li>Confidentiality: given</li> <li>Integrity: given</li> <li>Authentication: CIMOM only</li> <li>Keystore: always required</li> <li>Truststore: required</li> </ul> <p>In this scenario we configure the listener to check the identity of the CIMOM (i.e. the indication sender). To do this we need to <a href="secure.html#truststore">create a truststore</a> and set the appropriate configuration properties. 
Once this is done the truststore will be activated and the listener will automatically check the CIMOM certificate against the truststore. Everything else is equal to the "no authentication" configuration.</p> <p>Note: In this scenario we will check the CIMOM's X509 certificate. In order to do that we have to import the CIMOM's certificate into our truststore. See <a href="secure.html#import">importing a certificate</a> for details.</p> <p>Note: Because the listener acts as a HTTPS server it will always present its certificate to the client (the indication sender or CIMOM). The CIMOM is free to verify the listener cert if desired.</p> <p>Note also: if the truststore properties are configured globally the truststore will be activated for (Java CIM) client as well as the listener. The client will now attempt to verify the CIMOM on every CIM request, which will cause the requests to fail unless the CIMOM certificate has been imported into the truststore as described <a href="secure.html#c2">here</a>. (Assuming the cert is different from the one you already imported for listener operation; in most cases it will be the same).</p> <a id="c3" name="c3" /><h2>"Listener authentication" configuration</h2> <ul> <li>Confidentiality: given</li> <li>Integrity: given</li> <li>Authentication: listener only</li> <li>Keystore: always required</li> <li>Truststore: no</li> </ul> <p>In this scenario we configure the CIMOM (i.e. the indication sender) to check the identity of the listener. As previously stated, the listener will <i>always</i> present its certificate to the indication sender, so there is no further configuration required on the listener side. All that is required is to enable listener verification at your CIMOM. See your CIMOM documentation to determine if this feature is available. If so, the configuration will likely involve importing the listener certificate into the CIMOM truststore. 
See <a href="secure.html#export">exporting a certificate</a> for a description on how to export a certificate from your keystore so that you can import it into the CIMOM's truststore.</p> <p>Note: In this scenario we decided not to evaluate the CIMOM's X509 certificate. The listener can be configured to do that as described above.</p> <p>Note also: if the keystore properties are configured globally the keystore will be activated for (Java CIM) client as well as the listener. This may have unintended consequences if your CIMOM is configured to check the client cert. See <a href="secure.html#c3">client authentication</a> for details.</p> <a id="c4" name="c4" /><h2>"Mutual authentication" configuration</h2> <ul> <li>Confidentiality: given</li> <li>Integrity: given</li> <li>Authentication: listener and CIMOM</li> <li>Keystore: always required</li> <li>Truststore: required</li> </ul> <p>In this scenario we configure certificate validation in both directions simultaneously.</p> <p>In short, this configuration comprises the "CIMOM authentication" and "Listener authentication" together.</p> <p>Remember, if the keystore or truststore properties are configured globally, the keystore or truststore will be activated for the client as well as the listener. If this is not your intent you must set the keystore configurations independently.</p> <a id="independent" name="independent" /> <h2>Configuring client and listener keystores independently</h2> <p>While it is not possible to configure client and listener keystores independently via the global configuration, it is possible to do so programmatically, by setting the desired property on the client or listener object directly, using the object's <code>setProperty()</code> method. In the case of the client this must be done after obtaining a reference to the client object but before the call to <code>initialize()</code>. 
For the listener it is done after obtaining the listener object but before the call to <code>addListener()</code>.</p> <p>The ability to configure client and listener keystores independently has two basic applications:</p> <ol> <li><u>It allows the use of separate keystore/truststore files for client and listener</u>. For most applications this should not be necessary. Understand that sharing a truststore between client and listener does not mean you are limited to a single CA certificate for both, since a truststore can contain more than one certificate. The same is not exactly true for the keystore: While a keystore can contain more than one key pair, the Java CIM Client's KeyManager will use the first acceptable key pair it finds in the keystore in order to complete the SSL handshake. So there is no simple way to make the client use one key pair and the listener use another. If your application requires this you must separate the client and listener keystores. The circumstances where this is required would be unusual, since it is most common in a public key infrastructure to assign a single identity to an endpoint, and this technique would actually assign two identities to the endpoint. Nevertheless it is supported.</li> <li><u>It allows peer authentication to be enabled separately for client and listener</u>. When the truststore is configured globally it is automatically enabled for both client and listener even if this is not the intent. Configuring the truststore independently allows peer authentication (a.k.a. peer verification) to be controlled independently as well, since any property set on the client or listener directly will override the global value of that property. So there are two strategies here: you can either forego setting the truststore properties globally and set them only on the client or listener as required; or, you can force peer verification off for client or listener by setting the truststore path to an empty string. 
The latter is recommended where peer verification is meant to stay off, as it ensures verification will not be inadvertently enabled if the global configuration is later modified. With peer verification off the connection is still encrypted, but the peer's certificate is not checked against a truststore, so the peer is not authenticated.</li> </ol> <p>For the client, using the code snippet in <a href="firststeps.html">First Steps</a> as a reference: to configure a truststore for use solely by the client, insert the following lines after the call to <code>getClient()</code> but before the call to <code>client.initialize()</code>:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, "/path/to/client/truststore.pks"); client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PASSWORD, "password"); </pre></div></div> <p>To disable peer verification for the client:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> client.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); </pre></div></div> <p>For the listener, using the code snippet in <a href="indications.html#setup">Setting up an indication listener</a> as a reference: to configure a truststore for use solely by the listener, insert the following lines after the call to <code>getListener()</code> but before the call to <code>listener.addListener()</code>:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 3px;"><pre> listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, "/path/to/listener/truststore.pks"); listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PASSWORD, "password"); </pre></div></div> <p>To disable peer verification for the listener:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div 
style="background-color: #f0f0f0; padding: 3px;"><pre> listener.setProperty(WBEMConfigurationProperties.TRUSTSTORE_PATH, ""); </pre></div></div> <p>Finally, note it is also possible to control the listener configuration by creating a new <code>java.util.Properties</code> object and passing it to <code>addListener()</code>, as shown in the example <a href="indications.html#example2">here</a>. The result will be the same as the example above. If for some reason both methods are used, the properties passed to <code>addListener()</code> will take precedence.</p> </body></html> |
From: Dave H. <hel...@us...> - 2012-08-20 18:44:49
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files In directory vz-cvs-3.sog:/tmp/cvs-serv16186/src/org/sblim/cimclient/doc-files Modified Files: Tag: Experimental configuration.html indications.html secure.html Log Message: 3536398 - Update HTML to reflect secure indication support Index: indications.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/indications.html,v retrieving revision 1.5.2.9 retrieving revision 1.5.2.10 diff -u -d -r1.5.2.9 -r1.5.2.10 --- indications.html 3 Jan 2012 23:14:51 -0000 1.5.2.9 +++ indications.html 20 Aug 2012 18:44:47 -0000 1.5.2.10 @@ -24,6 +24,7 @@ * 2972697 2010-03-18 blaschke-oss Fix spelling errors in HTML files * 2990370 2010-04-22 blaschke-oss Development/unittest HTML out of date * 3469210 2012-01-03 blaschke-oss Include reliable indications in HTML + * 3536398 2012-08-20 hellerda Update HTML to reflect secure indication support --> </head> <body style="background-color: white;"> @@ -32,7 +33,7 @@ </p> <p> The delivery of indications reverses the roles of client and server. The CIMOM acts as HTTP client, the SBLIM CIM Client for Java as an HTTP server. The indication delivery is asynchronous and completely independent from an open client-to-CIMOM connection. </p> - <h2>Setting up an indication listener</h2> + <a id="setup" name="setup" /><h2>Setting up an indication listener</h2> <p>The following code snippet illustrates how to set up a simple indication listener.</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 10px;"> 
@@ -142,6 +143,7 @@ <li><em>sblim.wbem.listenerDeliveryRetryInterval</em>: Sets the default value to use for the CIM_IndicationService DeliveryRetryInterval property. This value should match the value of the property of the CIM_IndicationService instance on the CIMOM dispatching the indications.</li> <li><em>sblim.wbem.listenerReliableIndicationHashtableCapacity</em>: Sets the default value to use for the reliable indication handler's initial hash table capacity. A value of 0 indicates use a linked list instead. Linked lists are better suited for a small number of listener destinations per WBEMListener while hash tables are better suited for a large number.</li> </ul> + <a id="example2" name="example2" /> <p>The following code snippet illustrates how to set up a simple indication listener with reliable indication support enabled.</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 10px;"> Index: configuration.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/configuration.html,v retrieving revision 1.5.2.5 retrieving revision 1.5.2.6 diff -u -d -r1.5.2.5 -r1.5.2.6 --- configuration.html 22 Apr 2010 14:39:53 -0000 1.5.2.5 +++ configuration.html 20 Aug 2012 18:44:47 -0000 1.5.2.6 @@ -2,7 +2,7 @@ <html><head> <!-- * - * (C) Copyright IBM Corp. 2006, 2010 + * (C) Copyright IBM Corp. 2006, 2012 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE 
@@ -20,6 +20,7 @@ * 2799260 2009-06-01 raman_arora Fix left over @author tag from Java5 upgrade * 2972697 2010-03-18 blaschke-oss Fix spelling errors in HTML files * 2990370 2010-04-22 blaschke-oss Development/unittest HTML out of date + * 3536398 2012-08-20 hellerda Update HTML to reflect secure indication support --> </head> <body style="background-color: white;"> 
@@ -92,6 +93,17 @@ setProperty()</code></a>. Note that most properties will have no effect if set after the <a href="../../../../javax/wbem/client/WBEMClient.html#initialize(javax.cim.CIMObjectPath,%20javax.security.auth.Subject,%20java.util.Locale[])"> <code>initialize()</code></a> method was called.</p> +<h3>Listener Settings</h3> +<p>It is possible to override the global configuration for an individual <a href="../../../../javax/wbem/listener/WBEMListener.html"><code> +WBEMListener</code></a> instance. These settings are shared between all threads using that listener instance. In order to do this cast the +<code>WBEMListener</code> to <a href="../WBEMListenerSBLIM.html"><code> +WBEMListenerSBLIM</code></a> and call <a href="../WBEMListenerSBLIM.html#setProperty(java.lang.String,%20java.lang.String)"><code> +setProperty()</code></a>. Note that most properties will have no effect if set after the +<a href="../../../../javax/wbem/listener/WBEMListener.html#addListener(javax.wbem.listener.IndicationListener,%20int,%20java.lang.String)"> +<code>addListener()</code></a> method was called. It is also possible to set a listener's properties by creating a new <code>java.util.Properties</code> +object and passing it to the <a href="../WBEMListenerSBLIM.html"><code>WBEMListenerSBLIM</code></a> variant of + <a href="../WBEMListenerSBLIM.html#addListener(org.sblim.cimclient.IndicationListenerSBLIM,%20int,%20java.lang.String,%20java.lang.String,%20java.util.Properties)"> +<code>addListener()</code></a> that accepts properties.</p> <h3>Local Settings</h3> <p>Imagine you've multiple threads using the same client instance concurrently and you want to reconfigure the instance in one thread, but keep the other threads unaffected. This is what the local settings do. They override the client and global settings, but are recognized by the current thread only. You can set 
@@ -103,10 +115,10 @@ <p>The client has four possible layers for any configuration property. They override each other in the following order:</p> <ol> <li>local setting</li> -<li>client setting</li> +<li>client or listener setting</li> <li>global setting</li> <li>default value</li> </ol> -<p>The global settings can be initialized either from a configuration file or via method calls, client and local settings via method calls only. The default values +<p>The global settings can be initialized either from a configuration file or via method calls. Client, listener and local settings are initialized via method calls only. The default values are compile time constants and not subject to change.</p> </body></html> Index: secure.html =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/doc-files/secure.html,v retrieving revision 1.3.2.4 retrieving revision 1.3.2.5 diff -u -d -r1.3.2.4 -r1.3.2.5 --- secure.html 22 Apr 2010 14:39:53 -0000 1.3.2.4 +++ secure.html 20 Aug 2012 18:44:47 -0000 1.3.2.5 @@ -2,7 +2,7 @@ <html><head> <!-- * - * (C) Copyright IBM Corp. 2006, 2010 + * (C) Copyright IBM Corp. 2006, 2012 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE @@ -20,6 +20,7 @@ * 2799260 2009-06-01 raman_arora Fix left over @author tag from Java5 upgrade * 2972697 2010-03-18 blaschke-oss Fix spelling errors in HTML files * 2990370 2010-04-22 blaschke-oss Development/unittest HTML out of date + * 3536398 2012-08-20 hellerda Update HTML to reflect secure indication support --> </head> <body style="background-color: white;"> 
@@ -31,7 +32,6 @@ <a href="#c2">"CIMOM authentication" configuration</a><br /> <a href="#c3">"Client authentication " configuration</a><br /> <a href="#c4">"Mutual authentication" configuration</a><br /> -<a href="#indications">Indications</a><br /> <a href="#keystore">Creation of a keystore</a><br /> <a href="#export">Export of a certificate</a><br /> <a href="#truststore">Creation of a truststore</a><br /> 
@@ -69,13 +69,12 @@ <p>To store the certificates two files are used. The first is the so-called keystore and contains your own certificate with all private and public key information. The second is the so-called truststore and contains local copies of certificates from other systems you trust. These copies contain only the public key information.</p> -<p>How to create a keystore for Java is explained <a href="#keystore">here</a>. As of today, the SBLIM CIM Client for Java does not support truststores.</p> +<p>How to create a keystore for Java is explained <a href="#keystore">here</a>.</p> <p>The described mechanism would enforce every receiver to have the certificate of every trusted sender stored in its truststore. Certificate chains were invented to get around this. In a certificate chain an organization certifies the authenticity of an entity's certificate and the receiver just validates the authenticity of the organization's certificate. Therefore with just the certificate of the organization in the truststore the receiver can validate all entities that have certificates based on the organization's certificate.</p> -<p>The table below shows the possible configurations. Note that since the current SBLIM CIM Client for Java -release does not use truststores, the CIMOM and mutual authentication configurations are not supported. +<p>The table below shows the possible configurations. <h3>Configurations for client connections</h3> <table border="1" cellpadding="5"> <tr><th>Configuration</th><th>Encryption/Hashing</th><th>CIMOM authenticated</th><th>Client authenticated</th><th>Secure indication<br />listeners supported</th></tr> 
@@ -111,8 +110,7 @@ <li>Keystore: No</li> <li>Truststore: Required</li> </ul> -<p>When we want to check the identity of the CIMOM we need to <a href="#truststore">create a truststore</a>. -Once this is set up, the client checks automatically the CIMOM certificate against the truststore. +<p>In this scenario we configure the client to check the identity of the CIMOM. To do this we need to <a href="#truststore">create a truststore</a> and set the appropriate configuration properties. Once this is done the keystore will be activated and the client will automatically check the CIMOM certificate against the truststore. Everything else is equal to the "no authorization" configuration</p> <p>Note: In this scenario we decided to evaluate the CIMOM's X509 certificate. In order to do that we have to import the CIMOM's certificate into our truststore. See <a href="#import">importing a certificate</a> for 
@@ -130,62 +128,27 @@ <li>Keystore: Required</li> <li>Truststore: No</li> </ul> -<p>In order to enable the CIMOM to check our identity we have to send it a certificate. For that we -need to <a href="#keystore">create a keystore</a>. -Once this is set up, the client automatically sends our certificate on request by the CIMOM. +<p>In this scenario we configure the CIMOM to check the identity of the client. We want our client to send a certificate to the CIMOM and for that we +need to <a href="#keystore">create a keystore</a> and set the appropriate configuration properties. Once this is done the keystore will be activated and the client will automatically send our certificate on request by the CIMOM. Everything else is equal to the "no authorization" configuration.</p> -<p>Note: In this scenario we decided not to evaluate the CIMOM's X509 certificate. The client is -free to do that.</p> -<p>Note: The CIMOM has to be enabled to validate our certificate. This can be done by either -copying our certificate to the CIMOM's truststore, deducing our certificate from an organization certificate -the CIMOM already trusts, copying our certificate to an organization's central certificate store (e.g. LDAP) -the CIMOM queries, etc. See <a href="#export">exporting a certificate</a> for a description on how to export -a certificate from your keystore so that you can import it into the CIMOM's truststore.</p> +<p>Note: In this scenario we decided not to evaluate the CIMOM's X509 certificate. The client can be configured to do that as described above.</p> + +<p> Note: The CIMOM has to be enabled to validate our certificate. To do this we must import into the CIMOM's truststore either a copy of our client cert or an appropriate "Certificate Authority" (CA) cert that is a <i>signer</i> for our client cert. (Really , the most general case is that the CA cert is the signer of one or more certs in a <i>trust chain</i> leading to our client cert.) 
The simplest case is where the CIMOM has a copy of our client cert. See <a href="#export">exporting a certificate</a> for a description on how to export a certificate from your client keystore so that you can import it into the CIMOM's truststore or other central certificate store (e.g. LDAP).</p> + +<p>Finally, note that most CIMOMs have three configurable settings governing authentication of the client: SFCB has ignore, accept, require. OpenPegasus has disabled, optional, required. In the case of ignore (disabled), the CIMOM will not check the client certificate. In the case of require (required) it will. The often confusing case is accept (optional); here the CIMOM will enforce the certificate check only if the client provides one. If your CIMOM is so configured you may find that it happily accepts the connection without the client sending any X509 certificate. But once the client keystore is configured and the client does send a certificate, the CIMOM will suddenly behave as if require (required) is configured, and will refuse the connection if it is unable to verify the client cert.</p> <a id="c4" name="c4" /><h2>"Mutual authentication" configuration</h2> <ul> <li>Confidentiality: given</li> <li>Integrity: given</li> - <li>Authentication: client only</li> + <li>Authentication: client and CIMOM</li> <li>Keystore: Required</li> <li>Truststore: Required</li> </ul> -<p>When we want to check the identity of the CIMOM we need to <a href="#truststore">create a truststore</a>. -Once this is set up, the client checks automatically the CIMOM certificate against the truststore.<br /> -In order to enable the CIMOM to check our identity we have to send it a certificate. For that we -need to <a href="#keystore">create a keystore</a>. -Once this is set up, the client sends automatically our certificate if the CIMOM requests it. 
-Everything else is equal to the "no authorization" configuration.</p> -<p>Note: In this scenario we decided to evaluate the CIMOM's X509 certificate. In order to do that we have to -import the CIMOM's certificate into our truststore. See <a href="#import">importing a certificate</a> for -details.</p> -<p>Note: The CIMOM has to be enabled to validate our certificate. This can be done by either -copying our certificate to the CIMOM's truststore, deducing our certificate from an organization certificate -the CIMOM already trusts, copying our certificate to an organization's central certificate store (e.g. LDAP) -the CIMOM queries, etc. See <a href="#export">exporting a certificate</a> for a description on how to export -a certificate from your keystore so that you can import it into the CIMOM's truststore.</p> -<a id="indications" name="indications" /> -<h2>Indications</h2> -<p>If we want to receive indications on secure connections the SSL/TLS implementation will require the -server side of a connection (that's us in this case!) to provide a certificate. It might be used for -authentication, but more importantly provides a public key for the session key negotiation handshake. 
Therefore -receiving indications on a secure connection requires either the "client authentication" or "mutual authentication" -configuration.</p> -<p>To start a secure HTTP server to receive indications replace your unsecure call</p> -<div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> -<div style="background-color: #f0f0f0; padding: 10px;"> -<pre> -HttpServerConnection indicationServer = new HttpServerConnection(connectionHandler, port); -</pre></div></div> -<p>with this</p> -<div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> -<div style="background-color: #f0f0f0; padding: 10px;"> -<pre> -HttpServerConnection indicationServer = new HttpServerConnection(connectionHandler, port, <b>true</b>); -</pre></div></div> -<p>Don't forget to change "http" to "https" in the CIM_ListenerDestinationCIMXML instance when you -subscribe.</p> +<p>In this scenario we configure certificate validation in both directions simultaneously.</p> + +<p>In short, this configuration comprises the "CIMOM authentication" and "Client authentication" together.</p> <a id="keystore" name="keystore" /> <h2>Creation of a Keystore</h2> 
@@ -238,20 +201,28 @@ </pre></div></div> Please refer to the CIMOM's documentation regarding the export of the CIMOM's certificate. +<p>A note on terminology: we use the terms <i>keystore</i> and <i>truststore</i> to refer to the certificate stores that perform +the roles described above. Be aware that the term <i>keystore</i> is also used in the general sense to describe any certificate store, +regardless of role. This latter definition is used by <code>keytool</code>, and for that reason you will use the -keystore +option to point to either your keystore or truststore.</p> + +<p>Also note: Your JVM might ship with a default truststore (containing common CA certificates issued by well-known certificate authorities). If so, the above command would import the cert into the existing truststore. If not, a new truststore will be created. In either case <code>keytool</code> will prompt you for a password. For an exisitng truststore the password will be the one already set for the truststore (commonly this is "changeit" for the default JVM truststore). For a new truststore, the password you provide will be the one set going forward. In either case you can optionally specify the password on the command line using the -password option.</p> + <a id="export" name="export" /> <h2>Export of a certificate</h2> -<p>If you want to export the public part of your certificate to a file (e.g. for transfer to a CIMOM's truststore) you can do that +<p>If you want to export the public part of your certificate to a file (e.g. 
for import into to a CIMOM's truststore) you can do that with keytool:</p> <div style="border: 1px dashed #3c78b5; font-size: 14px; font-family: Courier; margin: 10px; line-height: 17px;"> <div style="background-color: #f0f0f0; padding: 10px;"> <pre> keytool -export -alias mykey -keystore keystore -rfc -file mykey.cer </pre></div></div> +<p>The -rfc option ensures the cert is exported in PEM format, the format commonly required by the CIMOM.</p> Please refer to the CIMOM's documentation regarding the import of the certificate into the CIMOM's truststore. <a id="params" name="params" /> <h2>Configuration parameters for secure connections</h2> -<p>The configuration parametes can be found <a href="../WBEMConfigurationProperties.html">here</a>. The properties beginning with +<p>The configuration parameters can be found <a href="../WBEMConfigurationProperties.html">here</a>. The properties beginning with <code>KEYSTORE_</code>, <code>TRUSTSTORE_</code> or <code>SSL_</code> control the SSL configuration.</p> <p>Note: The SSL system properties globally configure the JREs SSL support. If you want to use settings different from the global JRE configuration, you'll have to use <code>WBEMClientSBLIM.setProperty()</code> to override the global setting. Keep in mind that |
From: Dave B. <bla...@us...> - 2012-08-17 02:47:42
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/wbem/indications In directory vz-cvs-3.sog:/tmp/cvs-serv9596/src/org/sblim/cimclient/internal/wbem/indications Modified Files: CIMIndicationHandler.java Log Message: 3553858 - Append duplicate HTTP header fields instead of replace Index: CIMIndicationHandler.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/wbem/indications/CIMIndicationHandler.java,v retrieving revision 1.30 retrieving revision 1.31 diff -u -d -r1.30 -r1.31 --- CIMIndicationHandler.java 8 May 2012 17:22:08 -0000 1.30 +++ CIMIndicationHandler.java 17 Aug 2012 02:47:40 -0000 1.31 @@ -41,6 +41,7 @@ * 3484022 2012-02-08 blaschke-oss Turn reliable indication mode on and off based on SC/SN * 3492214 2012-02-23 blaschke-oss Add a SenderIPAddress property indications * 3513228 2012-04-23 blaschke-oss Reliable Indications support can create lots of threads + * 3553858 2012-08-06 blaschke-oss Append duplicate HTTP header fields instead of replace */ package org.sblim.cimclient.internal.wbem.indications; @@ -777,9 +778,9 @@ Entry<HeaderEntry, String> entry = iter.next(); if (entry != null) { key = entry.getKey().toString(); - if (key.startsWith(ns + "-")) headers.addField(key.substring(3), entry + if (key.startsWith(ns + "-")) headers.addParsedField(key.substring(3), entry .getValue().toString()); - else headers.addField(key, entry.getValue().toString()); + else headers.addParsedField(key, entry.getValue().toString()); } } } else { |
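Review bot: `key.substring(3)` on the changed `addParsedField` line assumes the `ns + "-"` prefix tested just before it is exactly three characters long, so a namespace prefix of any other length would leave a wrongly stripped header name. Deriving the offset from the prefix keeps the two in step, assuming `ns` is a String: `headers.addParsedField(key.substring(ns.length() + 1), entry.getValue());`. The `.toString()` on the value is redundant in both branches, since the entry is declared `Entry<HeaderEntry, String>`. If these entries come from the sender's HTTP request, it is worth confirming that `addParsedField` (not visible here) bounds how much a repeated header can accumulate now that values are appended instead of replaced. The enclosing method starts and ends outside the hunk.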
From: Dave B. <bla...@us...> - 2012-08-17 02:22:15
|
Update of /cvsroot/sblim/jsr48-client In directory vz-cvs-3.sog:/tmp/cvs-serv8068 Modified Files: NEWS Log Message: 3535383 - HashDoS fix 3498482 Index: NEWS =================================================================== RCS file: /cvsroot/sblim/jsr48-client/NEWS,v retrieving revision 1.312 retrieving revision 1.313 diff -u -d -r1.312 -r1.313 --- NEWS 17 Aug 2012 02:11:09 -0000 1.312 +++ NEWS 17 Aug 2012 02:22:13 -0000 1.313 @@ -1,5 +1,6 @@ Changes in HEAD ================ +3535383 HashDoS fix 3498482 3545797 Support new error code of SFCB 3529066 Add Jsr48IndicationTester 3524050 Improve WWW-Authenticate in HTTPClient.java |
From: Dave B. <bla...@us...> - 2012-08-17 02:11:11
|
Update of /cvsroot/sblim/jsr48-client In directory vz-cvs-3.sog:/tmp/cvs-serv7787 Modified Files: NEWS Log Message: 3545797 - Support new error code of SFCB Index: NEWS =================================================================== RCS file: /cvsroot/sblim/jsr48-client/NEWS,v retrieving revision 1.311 retrieving revision 1.312 diff -u -d -r1.311 -r1.312 --- NEWS 17 Aug 2012 01:51:32 -0000 1.311 +++ NEWS 17 Aug 2012 02:11:09 -0000 1.312 @@ -1,5 +1,6 @@ Changes in HEAD ================ +3545797 Support new error code of SFCB 3529066 Add Jsr48IndicationTester 3524050 Improve WWW-Authenticate in HTTPClient.java 3529065 Enable WBEMListener get/setProperty |
From: Dave B. <bla...@us...> - 2012-08-17 01:51:34
|
Update of /cvsroot/sblim/jsr48-client In directory vz-cvs-3.sog:/tmp/cvs-serv5688 Modified Files: NEWS Log Message: 3529066 - Add Jsr48IndicationTester Index: NEWS =================================================================== RCS file: /cvsroot/sblim/jsr48-client/NEWS,v retrieving revision 1.310 retrieving revision 1.311 diff -u -d -r1.310 -r1.311 --- NEWS 21 Jun 2012 12:28:32 -0000 1.310 +++ NEWS 17 Aug 2012 01:51:32 -0000 1.311 @@ -1,5 +1,6 @@ Changes in HEAD ================ +3529066 Add Jsr48IndicationTester 3524050 Improve WWW-Authenticate in HTTPClient.java 3529065 Enable WBEMListener get/setProperty 3529062 WBEMListenerFactory should return new instance |
From: Dave B. <bla...@us...> - 2012-08-17 01:45:18
|
Update of /cvsroot/sblim/jsr48-client/smpl/org/sblim/cimclient/samples In directory vz-cvs-3.sog:/tmp/cvs-serv5357/smpl/org/sblim/cimclient/samples Modified Files: Tag: Experimental Jsr48IndicationTester.java Log Message: 3529066 - Add Jsr48IndicationTester (format) Index: Jsr48IndicationTester.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/smpl/org/sblim/cimclient/samples/Attic/Jsr48IndicationTester.java,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -d -r1.1.2.2 -r1.1.2.3 --- Jsr48IndicationTester.java 7 Jul 2012 00:59:27 -0000 1.1.2.2 +++ Jsr48IndicationTester.java 17 Aug 2012 01:45:15 -0000 1.1.2.3 
@@ -51,14 +51,14 @@ /** * Class Jsr48IndicationTester is an interactive, command line program that - * facilitates testing of end-to-end indication delivery between CIMOM and - * the SBLIM Java CIM Client. The program starts an indication listener, sends - * a subscription request to the CIMOM and reports any indications received by - * the listener. The listener will continue to wait for new indications until - * a keyboard interrupt is received or the timer expired. An indication can be + * facilitates testing of end-to-end indication delivery between CIMOM and the + * SBLIM Java CIM Client. The program starts an indication listener, sends a + * subscription request to the CIMOM and reports any indications received by the + * listener. The listener will continue to wait for new indications until a + * keyboard interrupt is received or the timer expired. An indication can be * triggered via the program's trigger-mode, intended to be run from a separate - * console. An indication may also triggered by some independent means. - * The program is based on the Java CIM Client Jsr48IndicationSample programs. + * console. An indication may also triggered by some independent means. The + * program is based on the Java CIM Client Jsr48IndicationSample programs. */ public abstract class Jsr48IndicationTester { @@ -142,9 +142,9 @@ public void indicationOccured(String pIndicationURL, CIMInstance pIndication, InetAddress pSenderAddress) { - System.out.println("Indication received on: " + pIndicationURL - + ": from IP: " + pSenderAddress.getHostAddress() - + ": classname: " + pIndication.getClassName()); + System.out.println("Indication received on: " + pIndicationURL + ": from IP: " + + pSenderAddress.getHostAddress() + ": classname: " + + pIndication.getClassName()); } }; IndicationListenerSBLIM ilsDetail = new IndicationListenerSBLIM() { 
@@ -169,9 +169,9 @@ + "support reliable indications."); } }; - System.out.printf("Added listener on port %d.\n\n", Integer.valueOf( - sListener.addListener(pPrintInd ? ilsDetail : ilsBrief, - pDestURL.getPort(), pDestURL.getProtocol(), null, props))); + System.out.printf("Added listener on port %d.\n\n", Integer.valueOf(sListener + .addListener(pPrintInd ? ilsDetail : ilsBrief, pDestURL.getPort(), pDestURL + .getProtocol(), null, props))); return true; @@ -234,8 +234,8 @@ * @throws UnknownHostException * If "localhost" could not be resolved */ - private static CIMInstance makeFilter(String pInteropNS, String pIndicationNS, String pQuery, String pHost) - throws UnknownHostException { + private static CIMInstance makeFilter(String pInteropNS, String pIndicationNS, String pQuery, + String pHost) throws UnknownHostException { final CIMProperty<String> name = new CIMProperty<String>("Name", CIMDataType.STRING_T, "JSR48SampleFilter" + getNextId(), true, false, null); final CIMProperty<String> creationClassName = new CIMProperty<String>("CreationClassName", @@ -244,8 +244,8 @@ CIMDataType.STRING_T, InetAddress.getByName(pHost).getHostName(), true, false, null); final CIMProperty<String> systemCCN = new CIMProperty<String>("SystemCreationClassName", CIMDataType.STRING_T, "CIM_ComputerSystem", true, false, null); - final CIMProperty<String> query = new CIMProperty<String>("Query", - CIMDataType.STRING_T, pQuery, false, false, null); + final CIMProperty<String> query = new CIMProperty<String>("Query", CIMDataType.STRING_T, + pQuery, false, false, null); final CIMProperty<String> queryLanguage = new CIMProperty<String>("QueryLanguage", CIMDataType.STRING_T, "WQL", false, false, null); final CIMProperty<String> sourceNameSpace = new CIMProperty<String>("SourceNamespace", 
@@ -314,14 +314,14 @@ * @return <code>true</code> if the subscription succeeds, * <code>false</code> otherwise */ - public static boolean subscribe(WBEMClient pClient, String pInteropNS, - String pIndicationNS, String pHost, URL pDestURL, String pQuery) { + public static boolean subscribe(WBEMClient pClient, String pInteropNS, String pIndicationNS, + String pHost, URL pDestURL, String pQuery) { try { - cDestinationPath = pClient.createInstance(makeListenerDestination(pInteropNS, pDestURL.getProtocol() - + "://" + pDestURL.getHost() + ":" + pDestURL.getPort() - + "/create", pHost)); - cFilterPath = pClient.createInstance(makeFilter(pInteropNS, - pIndicationNS, pQuery, pHost)); + cDestinationPath = pClient.createInstance(makeListenerDestination(pInteropNS, pDestURL + .getProtocol() + + "://" + pDestURL.getHost() + ":" + pDestURL.getPort() + "/create", pHost)); + cFilterPath = pClient.createInstance(makeFilter(pInteropNS, pIndicationNS, pQuery, + pHost)); cSubscriptionPath = pClient.createInstance(makeSubscription(pInteropNS, cDestinationPath, cFilterPath)); @@ -389,9 +389,12 @@ System.out.println(" (default: http://localhost:5988)"); System.out.println(" --destUrl DESTURL URL of destination handler"); System.out.println(" (default: http://localhost:7000)"); - System.out.println(" --intNS INTEROPNS Interop namespace name (default: root/interop)"); - System.out.println(" --indNS INDICATIONNS Namespace in which the register the indication"); - System.out.println(" (default is the same value as the interop namespace)"); + System.out + .println(" --intNS INTEROPNS Interop namespace name (default: root/interop)"); + System.out + .println(" --indNS INDICATIONNS Namespace in which the register the indication"); + System.out + .println(" (default is the same value as the interop namespace)"); } /** 
@@ -407,32 +410,29 @@ if (url.getUserInfo() != null) { String[] userInfo = url.getUserInfo().split(":"); System.out.printf("-username : %s\n", userInfo[0]); - if (userInfo.length > 1) - System.out.printf("-password : %s\n", userInfo[1]); + if (userInfo.length > 1) System.out.printf("-password : %s\n", userInfo[1]); } System.out.printf("File : %s\n", url.getFile()); System.out.printf("Path : %s\n", url.getPath()); System.out.printf("Query : %s\n", url.getQuery()); System.out.printf("Ref : %s\n", url.getRef()); try { - System.out.printf("InetAddress.getHostAddress(): %s\n", - InetAddress.getByName(url.getHost()).getHostAddress()); - System.out.printf("InetAddress.getHostName() : %s\n", - InetAddress.getByName(url.getHost()).getHostName()); + System.out.printf("InetAddress.getHostAddress(): %s\n", InetAddress.getByName( + url.getHost()).getHostAddress()); + System.out.printf("InetAddress.getHostName() : %s\n", InetAddress.getByName( + url.getHost()).getHostName()); } catch (UnknownHostException e) { e.printStackTrace(); } } - + /** * Check that namespace is valid, apply default prefix if necessary */ private static String chkNamespace(String pNamespace) { int fields = pNamespace.split("/").length; - if (fields == 1) - return "root/" + pNamespace; - else if (fields == 2) - return pNamespace; + if (fields == 1) return "root/" + pNamespace; + else if (fields == 2) return pNamespace; else { throw new IllegalArgumentException("Invalid namespace: " + pNamespace); } 
@@ -459,27 +459,27 @@ * "user", "pw", "root/interop" } */ static public void main(String[] args) { - + try { // Parse command line arguments List<String> orphanArgs = new ArrayList<String>(); List<String> singleDashOpts = new ArrayList<String>(); - Map<String,String> doubleDashOpts = new HashMap<String,String>(); - - for (int i=0; i < args.length; i++) { + Map<String, String> doubleDashOpts = new HashMap<String, String>(); + + for (int i = 0; i < args.length; i++) { if (args[i].charAt(0) == '-') { - if (args[i].length() < 2) - throw new IllegalArgumentException("Invalid argument: " + args[i]); + if (args[i].length() < 2) throw new IllegalArgumentException( + "Invalid argument: " + args[i]); if (args[i].charAt(1) == '-') { - if (i >= args.length-1) - throw new IllegalArgumentException("Expected arg after: " + args[i]); - if (args[i].length() < 3) - throw new IllegalArgumentException("Invalid argument: " + args[i]); - doubleDashOpts.put(args[i].toLowerCase(), args[i+1]); + if (i >= args.length - 1) throw new IllegalArgumentException( + "Expected arg after: " + args[i]); + if (args[i].length() < 3) throw new IllegalArgumentException( + "Invalid argument: " + args[i]); + doubleDashOpts.put(args[i].toLowerCase(), args[i + 1]); i++; } else { - if (args[i].length() > 2) - throw new IllegalArgumentException("Invalid argument: " + args[i]); + if (args[i].length() > 2) throw new IllegalArgumentException( + "Invalid argument: " + args[i]); singleDashOpts.add(args[i]); } } else { 
@@ -491,32 +491,34 @@ boolean printInd = singleDashOpts.contains("-p") ? true : false; boolean trigger = singleDashOpts.contains("-t") ? true : false; boolean verbose = singleDashOpts.contains("-v") ? true : false; - - if (help) { printUsage(); printHelp(); System.exit(0); } - + + if (help) { + printUsage(); + printHelp(); + System.exit(0); + } + // If indication namespace not specified, use interop namespace - final String interopNS = doubleDashOpts.containsKey("--intns") ? - chkNamespace(doubleDashOpts.get("--intns")) : "root/interop"; - final String indicationNS = doubleDashOpts.containsKey("--indns") ? - chkNamespace(doubleDashOpts.get("--indns")) : interopNS; + final String interopNS = doubleDashOpts.containsKey("--intns") ? chkNamespace(doubleDashOpts + .get("--intns")) + : "root/interop"; + final String indicationNS = doubleDashOpts.containsKey("--indns") ? chkNamespace(doubleDashOpts + .get("--indns")) + : interopNS; - final URL cimomURL = doubleDashOpts.containsKey("--cimomurl") ? - new URL(doubleDashOpts.get("--cimomurl")) : - new URL("http://localhost:5988"); - final URL destURL = doubleDashOpts.containsKey("--desturl") ? - new URL(doubleDashOpts.get("--desturl")) : - new URL("http://localhost:7000"); + final URL cimomURL = doubleDashOpts.containsKey("--cimomurl") ? new URL(doubleDashOpts + .get("--cimomurl")) : new URL("http://localhost:5988"); + final URL destURL = doubleDashOpts.containsKey("--desturl") ? new URL(doubleDashOpts + .get("--desturl")) : new URL("http://localhost:7000"); String userInfo = cimomURL.getUserInfo(); - final String cimomUser = (userInfo != null) ? - userInfo.split(":")[0] : null; - final String cimomPasswd = (userInfo != null) ? - userInfo.split(":")[1] : null; + final String cimomUser = (userInfo != null) ? userInfo.split(":")[0] : null; + final String cimomPasswd = (userInfo != null) ? 
userInfo.split(":")[1] : null; - if (orphanArgs.isEmpty()) - throw new IllegalArgumentException("No indication classname provided"); - else if (orphanArgs.size() > 1) - throw new IllegalArgumentException("Garbled command: too many arguments"); + if (orphanArgs.isEmpty()) throw new IllegalArgumentException( + "No indication classname provided"); + else if (orphanArgs.size() > 1) throw new IllegalArgumentException( + "Garbled command: too many arguments"); final String indClassName = orphanArgs.get(0); if (verbose) { @@ -534,8 +536,8 @@ // Initialize client. This will not trigger any communication with // the CIMOM. - final WBEMClientSBLIM client = - (WBEMClientSBLIM) connect(cimomURL, cimomUser, cimomPasswd); + final WBEMClientSBLIM client = (WBEMClientSBLIM) connect(cimomURL, cimomUser, + cimomPasswd); if (client == null) { System.err.println("Client init failed. Probably due to invalid cl parameters."); @@ -550,23 +552,22 @@ // This will trigger a TestIndication that is caught by the // remote listener - Object obj = client.invokeMethod(new CIMObjectPath(null, - null, null, indicationNS, indClassName, null), - "SendTestIndication", input, output); - if (obj.toString().equals("0")) - System.out.println("Indication generated successfully."); - else - System.out.println("Indication not generated successfully!"); + Object obj = client.invokeMethod(new CIMObjectPath(null, null, null, indicationNS, + indClassName, null), "SendTestIndication", input, output); + if (obj.toString().equals("0")) System.out + .println("Indication generated successfully."); + else System.out.println("Indication not generated successfully!"); System.exit(0); } // cleanup at shutdown or keyboard interrupt (ctrl-C) Runtime.getRuntime().addShutdownHook(new Thread() { + @Override public void run() { cleanup(client, interopNS, destURL); } - }); + }); // start the listener so that we are "on air" when the indications // come in 
@@ -585,15 +586,14 @@ // any connectivity or authentication problems the WBEMException // will be thrown right in the subscribe method. String query = "SELECT * FROM " + indClassName; - if (subscribe(client, interopNS, indicationNS, - cimomURL.getHost(), destURL, query)) { + if (subscribe(client, interopNS, indicationNS, cimomURL.getHost(), destURL, query)) { System.out.println("Successfully subscribed."); } else { System.err.println("Subscription failed."); return; } - Thread.sleep(300*1000); - + Thread.sleep(300 * 1000); + } finally { // should never get here as we have ShutdownHook to catch exit } |
From: Dave B. <bla...@us...> - 2012-08-17 01:10:09
|
Update of /cvsroot/sblim/jsr48-client/smpl/org/sblim/cimclient/samples In directory vz-cvs-3.sog:/tmp/cvs-serv1307/smpl/org/sblim/cimclient/samples Modified Files: Tag: Experimental Jsr48OperationSample.java Log Message: 3554738 - dump CIM xml by LogAndTraceBroker.trace() Index: Jsr48OperationSample.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/smpl/org/sblim/cimclient/samples/Jsr48OperationSample.java,v retrieving revision 1.2.2.13 retrieving revision 1.2.2.14 diff -u -d -r1.2.2.13 -r1.2.2.14 --- Jsr48OperationSample.java 25 Apr 2012 02:34:36 -0000 1.2.2.13 +++ Jsr48OperationSample.java 17 Aug 2012 01:10:06 -0000 1.2.2.14 @@ -23,6 +23,7 @@ * 3190335 2011-02-23 blaschke-oss Erroneous use of SystemName property in samples * 3267429 2011-04-01 blaschke-oss Samples should close client * 3521119 2012-04-24 blaschke-oss JSR48 1.0.0: remove CIMObjectPath 2/3/4-parm ctors + * 3554738 2012-08-16 blaschke-oss dump CIM xml by LogAndTraceBroker.trace() */ package org.sblim.cimclient.samples; @@ -332,7 +333,17 @@ public static void main(String[] args) throws Exception { // Uncomment following two lines to enable writing XML trace to stdout. // System.setProperty("sblim.wbem.cimxmlTracing", "true"); - // LogAndTraceBroker.getBroker().setXmlTraceStream(System.out); + // LogAndTraceManager.getManager().setXmlTraceStream(System.out); + + // Uncomment following lines and corresponding removeCIMXMLTraceListener + // call below to enable writing XML trace to stdout. + // CIMXMLTraceListener xmlListener = new CIMXMLTraceListener() { + // public void traceCIMXML(String pMessage, boolean pOutgoing) { + // System.out.println("client" + (pOutgoing ? "->" : "<-") + "server: " + // + pMessage); + // } + // }; + // LogAndTraceManager.getManager().addCIMXMLTraceListener(xmlListener); // Initialize client. This will not trigger any communication with // the CIMOM. 
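Review bot: The commented-out `CIMXMLTraceListener` example added to `main` prints every CIM-XML message verbatim to stdout, and nothing in the comment says what that output can contain. The trace carries complete outgoing and incoming messages, which may include sensitive property values, so I would add a line such as `// Trace output contains full CIM-XML payloads; enable for debugging only.` above the listener. The matching `removeCIMXMLTraceListener` call in the last hunk sits on the normal path only; if the sample is meant as a pattern to copy, it belongs in a `finally` block. The first comment still reads "following two lines" next to the new block, so one sentence saying the two alternatives are independent would help. `main` starts and ends outside these hunks.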
@@ -393,6 +404,7 @@ // delete the instance again client.deleteInstance(path); System.out.println("Instance " + path + " deleted"); + // LogAndTraceManager.getManager().removeCIMXMLTraceListener(xmlListener); client.close(); } } |
From: Dave B. <bla...@us...> - 2012-08-17 01:10:08
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient In directory vz-cvs-3.sog:/tmp/cvs-serv1307/src/org/sblim/cimclient Modified Files: Tag: Experimental LogAndTraceManager.java Added Files: Tag: Experimental CIMXMLTraceListener.java Log Message: 3554738 - dump CIM xml by LogAndTraceBroker.trace() Index: LogAndTraceManager.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/LogAndTraceManager.java,v retrieving revision 1.4.2.3 retrieving revision 1.4.2.4 diff -u -d -r1.4.2.3 -r1.4.2.4 --- LogAndTraceManager.java 23 Feb 2009 18:18:33 -0000 1.4.2.3 +++ LogAndTraceManager.java 17 Aug 2012 01:10:06 -0000 1.4.2.4 @@ -1,5 +1,5 @@ /** - * (C) Copyright IBM Corp. 2006, 2009 + * (C) Copyright IBM Corp. 2006, 2012 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE @@ -16,7 +16,8 @@ * 1565892 2006-11-13 lupusalex Make SBLIM client JSR48 compliant * 2003590 2008-06-30 blaschke-oss Change licensing from CPL to EPL * 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1) - * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2) + * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2) + * 3554738 2012-08-16 blaschke-oss dump CIM xml by LogAndTraceBroker.trace() */ package org.sblim.cimclient; 
@@ -131,6 +132,45 @@ } /** + * Adds a listener for CIM-XML trace messages. The listener will be notified + * of any CIM-XML trace event. + * + * @param pListener + * The listener + */ + public void addCIMXMLTraceListener(CIMXMLTraceListener pListener) { + LogAndTraceBroker.getBroker().addCIMXMLTraceListener(pListener); + } + + /** + * Removes a CIM-XML trace listener. This listener will not be notified of + * CIM-XML trace events anymore. + * + * @param pListener + * The listener + */ + public void removeCIMXMLTraceListener(CIMXMLTraceListener pListener) { + LogAndTraceBroker.getBroker().removeCIMXMLTraceListener(pListener); + } + + /** + * Removes all CIM-XML trace listeners. + */ + public void clearCIMXMLTraceListeners() { + LogAndTraceBroker.getBroker().clearCIMXMLTraceListeners(); + } + + /** + * Gets the registered CIM-XML trace listeners. + * + * @return A unmodifiable list of listeners + */ + public List<CIMXMLTraceListener> getCIMXMLTraceListeners() { + return Collections + .unmodifiableList(LogAndTraceBroker.getBroker().getCIMXMLTraceListeners()); + } + + /** * Returns the stream to which the CIM-XML traces are sent. A value of * <code>null</code> means that tracing is effectively disabled. Otherwise * the CIM-XML tracing can be activated either globally or per-connection --- NEW FILE: CIMXMLTraceListener.java --- /** * (C) Copyright IBM Corp. 2012 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE * CONSTITUTES RECIPIENTS ACCEPTANCE OF THE AGREEMENT. * * You can obtain a current copy of the Eclipse Public License from * http://www.opensource.org/licenses/eclipse-1.0.php * * @author : Alexander Wolf-Reber, IBM, a.w...@de... * Dave Blaschke, IBM, bla...@us... 
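Review bot: The Javadoc on `addCIMXMLTraceListener` does not tell callers how wide the registration is. The method delegates to `LogAndTraceBroker.getBroker()`, so a listener presumably receives the CIM-XML of every client that shares that broker, not only the caller's own connection. I would add a sentence such as `The listener is registered on the shared broker and receives the full CIM-XML text of all traced messages; a null listener is ignored.` (the null case is taken from the broker change in this commit). In `getCIMXMLTraceListeners`, `@return A unmodifiable list` should read `An unmodifiable list`. The class continues outside this hunk.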
* * Change History * Flag Date Prog Description *------------------------------------------------------------------------------- * 3554738 2012-08-16 blaschke-oss dump CIM xml by LogAndTraceBroker.trace() */ package org.sblim.cimclient; /** * The interface CIMXMLTraceListener must be implemented if you want to attach * your own CIM-XML logging framework to the CIM Client. * * @see LogAndTraceManager */ public interface CIMXMLTraceListener { /** * Receive a CIM-XML trace message. * * @param pMessage * The CIM-XML message text * @param pOutgoing * <code>true</code> if CIM-XML is outgoing (being sent from * client to server), <code>false</code> if CIM-XML is incoming * (being sent from server to client) */ public void traceCIMXML(String pMessage, boolean pOutgoing); } |
From: Dave B. <bla...@us...> - 2012-08-17 01:10:07
|
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/logging In directory vz-cvs-3.sog:/tmp/cvs-serv1307/src/org/sblim/cimclient/internal/logging Modified Files: Tag: Experimental LogAndTraceBroker.java Log Message: 3554738 - dump CIM xml by LogAndTraceBroker.trace() Index: LogAndTraceBroker.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/logging/LogAndTraceBroker.java,v retrieving revision 1.10.2.15 retrieving revision 1.10.2.16 diff -u -d -r1.10.2.15 -r1.10.2.16 --- LogAndTraceBroker.java 29 Feb 2012 04:24:41 -0000 1.10.2.15 +++ LogAndTraceBroker.java 17 Aug 2012 01:10:05 -0000 1.10.2.16 @@ -28,6 +28,7 @@ * 3469018 2012-01-03 blaschke-oss Properties not passed to CIMIndicationHandler * 3484014 2012-02-03 blaschke-oss Add LogAndTraceBroker.isLoggable for message/trace * 3489638 2012-02-28 blaschke-oss PERF: Bottleneck in LogAndTraceBroker.java - getCaller() + * 3554738 2012-08-16 blaschke-oss dump CIM xml by LogAndTraceBroker.trace() */ package org.sblim.cimclient.internal.logging; @@ -46,6 +47,7 @@ import java.util.logging.LogRecord; import java.util.logging.Logger; +import org.sblim.cimclient.CIMXMLTraceListener; import org.sblim.cimclient.LogAndTraceManager; import org.sblim.cimclient.LogListener; import org.sblim.cimclient.TraceListener; @@ -97,6 +99,8 @@ private volatile ArrayList<TraceListener> iTraceListeners; + private volatile ArrayList<CIMXMLTraceListener> iCIMXMLTraceListeners; + private String iProductName = "SBLIM CIM Client for Java"; private String iCopyright = "COPYRIGHT (C) 2006, 2012 IBM Corp."; @@ -138,6 +142,7 @@ private LogAndTraceBroker() { this.iLogListeners = new ArrayList<LogListener>(); this.iTraceListeners = new ArrayList<TraceListener>(); + this.iCIMXMLTraceListeners = new ArrayList<CIMXMLTraceListener>(); loadVersionTxt(); registerInternalListeners(); } 
@@ -523,6 +528,51 @@ } /** + * Adds a listener for CIM-XML trace messages. The listener will be notified + * of any CIM-XML trace event. + * + * @param pListener + * The listener + */ + public synchronized void addCIMXMLTraceListener(CIMXMLTraceListener pListener) { + if (pListener == null) return; + ArrayList<CIMXMLTraceListener> newListeners = new ArrayList<CIMXMLTraceListener>( + this.iCIMXMLTraceListeners); + newListeners.add(pListener); + this.iCIMXMLTraceListeners = newListeners; + } + + /** + * Removes a CIM-XML trace listener. This listener will not be notified of + * CIM-XML trace events anymore. + * + * @param pListener + * The listener + */ + public synchronized void removeCIMXMLTraceListener(CIMXMLTraceListener pListener) { + ArrayList<CIMXMLTraceListener> newListeners = new ArrayList<CIMXMLTraceListener>( + this.iCIMXMLTraceListeners); + if (!newListeners.remove(pListener)) return; + this.iCIMXMLTraceListeners = newListeners; + } + + /** + * Removes all CIM-XML trace listeners. + */ + public synchronized void clearCIMXMLTraceListeners() { + if (this.iCIMXMLTraceListeners.size() > 0) this.iCIMXMLTraceListeners = new ArrayList<CIMXMLTraceListener>(); + } + + /** + * Gets the registered CIM-XML trace listeners. + * + * @return A list of listeners + */ + public List<CIMXMLTraceListener> getCIMXMLTraceListeners() { + return this.iCIMXMLTraceListeners; + } + + /** * Forwards a log/trace message to the registered log&trace listeners. * * @param pKey 
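Review bot: `getCIMXMLTraceListeners()` returns the broker's internal `ArrayList` itself, so any caller can add or remove entries on it and bypass the synchronized copy-on-write that `addCIMXMLTraceListener` and `removeCIMXMLTraceListener` rely on. The manager wraps the result in `Collections.unmodifiableList`, but direct callers of the broker get the live list. I would return the wrapped view here as well, `return Collections.unmodifiableList(this.iCIMXMLTraceListeners);`, assuming `java.util.Collections` is or can be imported in this file (the import block is not fully visible). The Javadoc should then say the list is a read-only snapshot. The class continues outside this hunk.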
@@ -623,6 +673,30 @@ } /** + * Forwards a CIM-XML trace message to the registered CIM-XML trace + * listeners. + * + * @param pMessage + * The CIM-XML message text + * @param pOutgoing + * <code>true</code> if CIM-XML is outgoing (being sent from + * client to server), <code>false</code> if CIM-XML is incoming + * (being sent from server to client) + */ + public void traceCIMXML(String pMessage, boolean pOutgoing) { + try { + if (this.iCIMXMLTraceListeners.size() > 0) { + final List<CIMXMLTraceListener> traceListeners = getCIMXMLTraceListeners(); + for (int i = 0; i < traceListeners.size(); ++i) { + traceListeners.get(i).traceCIMXML(pMessage, pOutgoing); + } + } + } catch (Exception e) { + // don't crash for logging + } + } + + /** * Forwards a method entry message to the registered trace listeners. */ public void entry() { @@ -784,4 +858,24 @@ return true; } + + /** + * Checks whether there are CIM-XML trace listeners installed that will log + * a CIM-XML trace message. Use this method to determine if a trace() method + * call could result in logging before preparing the information to be + * logged. For example: + * + * <pre> + * if (logger.isLoggableCIMXMLTrace() { + * // Prepare info for logging + * logger.traceCIMXML(... + * </pre> + * + * @return <code>true</code> if CIM-XML trace message could be logged, + * <code>false</code> otherwise. + */ + public boolean isLoggableCIMXMLTrace() { + // If there are no CIM-XML trace listeners, message will not be logged + return this.iCIMXMLTraceListeners.size() > 0; + } } |
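Review bot: In `traceCIMXML` the `try`/`catch (Exception e)` wraps the whole loop, so the first listener that throws silently stops delivery to every listener registered after it. Moving the `try` inside the loop keeps the "don't crash for logging" intent while isolating listeners from each other. Reading the volatile field once into a local also removes the separate size check, which can observe a different list than the one iterated.

```java
public void traceCIMXML(String pMessage, boolean pOutgoing) {
	final List<CIMXMLTraceListener> traceListeners = this.iCIMXMLTraceListeners;
	for (int i = 0; i < traceListeners.size(); ++i) {
		try {
			traceListeners.get(i).traceCIMXML(pMessage, pOutgoing);
		} catch (Exception e) {
			// don't crash for logging; keep notifying the remaining listeners
		}
	}
}
```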
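Review bot: The Javadoc example for `isLoggableCIMXMLTrace` is missing a closing parenthesis. The `<pre>` line should read `if (logger.isLoggableCIMXMLTrace()) {`. The text also refers to "a trace() method call" although the method being guarded is `traceCIMXML()`, so I would reword it to `Use this method to determine if a traceCIMXML() call could result in logging before preparing the information to be logged.`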
From: Tyrel D. <ty...@us...> - 2012-08-15 03:48:29
|
Update of /cvsroot/sblim/gather In directory vz-cvs-3.sog:/tmp/cvs-serv13432 Modified Files: Makefile.am NEWS Log Message: Fixed 355767: distcheck should check for system z plugins Index: NEWS =================================================================== RCS file: /cvsroot/sblim/gather/NEWS,v retrieving revision 1.131 retrieving revision 1.132 diff -u -d -r1.131 -r1.132 --- NEWS 15 Aug 2012 02:13:57 -0000 1.131 +++ NEWS 15 Aug 2012 03:48:27 -0000 1.132 @@ -1,3 +1,9 @@ +Chagnes in Version 2.2.7 +======================== + +Bugs fixed: +3557673 distcheck should check for system z plugins + Changes in Version 2.2.6 ======================== Index: Makefile.am =================================================================== RCS file: /cvsroot/sblim/gather/Makefile.am,v retrieving revision 1.25 retrieving revision 1.26 diff -u -d -r1.25 -r1.26 --- Makefile.am 15 Aug 2012 02:13:57 -0000 1.25 +++ Makefile.am 15 Aug 2012 03:48:27 -0000 1.26 @@ -18,6 +18,9 @@ SUBDIRS=. $(PROVIDER_SUBDIR) +# make sure that system z components are included +DISTCHECK_CONFIGURE_FLAGS = --enable-z + # Start from an empty extra distribution file list EXTRA_DIST= |