Grouper / GRP-205

allow more flexibility in SSL in grouper client


Details

    • New Feature
    • Resolution: Fixed
    • Minor
    • 1.4.1
    • 1.4.0
    • Exts
    • None

    Description

      Here is an email from Bert... he said on the call that just disabling ssl checking would be sufficient...

      Chris,

      There are two things that slow down the use of java programs when SSL servers are involved:
      -Adding a new trusted root (end users don't like keytool) [We mess with lib/security/cacerts a lot... our tools don't make it as easy as we should]
      -Disabling trusted-root checking [We do this at GT] [This is the fastest way to get going, least secure, and code included below]

      First, on adding new trusted roots
      There are some programs (like LDAPBrowserEditor (http://www.mcs.anl.gov/~gawor/ldap/)) that seem to keep their own cacerts file.
      Also, you can start java with a different cacerts file as a java property
      Finally, you can initialize a SocketFactory (via an SSLContext (via a KeyManagerFactory )) to use a random keystore
      http://www.onjava.com/pub/a/onjava/2001/05/03/java_security.html?page=3

      In an ideal world, grouper would use its own cacerts file and you'd be able to have a command to add a cacert from a local file.

      On an easier note, here is the code we use when we want to avoid checking the Root CA of the remote SSL Certificate:
```java
package edu.gatech.iam.net;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Builds an all trusting "blind" ssl socket factory.
 */
// The class header and the blindFactory field were not shown in the rendered issue;
// both are inferred from getDefault() and the createSocket() bodies below.
public class GTIAMBlindSSLFactory extends SocketFactory {

    private static SocketFactory blindFactory;

    static {
        // create a trust manager that will purposefully fall down on the
        // job: every chain is accepted, so the remote Root CA is never checked
        TrustManager[] blindTrustMan = new TrustManager[] { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return null; }

            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
        } };

        // create our "blind" ssl socket factory with our lazy trust manager
        try {
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, blindTrustMan, new java.security.SecureRandom());
            blindFactory = sc.getSocketFactory();
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
    }

    /**
     * @see javax.net.SocketFactory#getDefault()
     */
    public static SocketFactory getDefault() { return new GTIAMBlindSSLFactory(); }

    /**
     * @see javax.net.SocketFactory#createSocket(java.lang.String, int)
     */
    public Socket createSocket(String arg0, int arg1) throws IOException,
            UnknownHostException { return blindFactory.createSocket(arg0, arg1); }

    /**
     * @see javax.net.SocketFactory#createSocket(java.net.InetAddress, int)
     */
    public Socket createSocket(InetAddress arg0, int arg1) throws IOException { return blindFactory.createSocket(arg0, arg1); }

    /**
     * @see javax.net.SocketFactory#createSocket(java.lang.String, int,
     *      java.net.InetAddress, int)
     */
    public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
            throws IOException, UnknownHostException { return blindFactory.createSocket(arg0, arg1, arg2, arg3); }

    /**
     * @see javax.net.SocketFactory#createSocket(java.net.InetAddress, int,
     *      java.net.InetAddress, int)
     */
    public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
            int arg3) throws IOException { return blindFactory.createSocket(arg0, arg1, arg2, arg3); }

}
```

      Then, the Netscape LDAP library we use has a SocketFactory interface:
```java
package edu.gatech.iam.ldaputil;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;

import javax.net.SocketFactory;

import edu.gatech.iam.net.GTIAMBlindSSLFactory;

import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSocketFactory;

/**
 * SSL Socket factory that wraps GTIAMBlindSSLFactory and also offers selectable
 * TCP keepalives.
 * @author bert
 *
 */
public class GTIAMLDAPSSLSocketFactory
        implements LDAPSocketFactory
{

    SocketFactory helper = new GTIAMBlindSSLFactory();
    boolean enableKeepAlives;

    public GTIAMLDAPSSLSocketFactory( boolean enableKeepAlives )
    {
        this.enableKeepAlives = enableKeepAlives;
    }

    /* (non-Javadoc)
     * @see netscape.ldap.LDAPSSLSocketFactory#makeSocket(java.lang.String, int)
     */
    public Socket makeSocket(String arg0, int arg1) throws LDAPException
    {
        try {
            // the wrapped blind factory does the TLS handshake without any CA check
            Socket s = helper.createSocket(arg0, arg1);
            s.setKeepAlive(enableKeepAlives);
            return s;
        } catch (UnknownHostException e) {
            throw new LDAPException("Unknown host: " + e.toString());
        } catch (IOException e) {
            throw new LDAPException("IO Exception while creating socket: " + e.toString());
        }
    }

}
```

      On Jan 7, 2009, at 11:11 PM, Chris Hyzer wrote:

      Hey,

      There is an action item that we should discuss the ssl paths for grouper client. Do you have info or code for me, and perhaps an ssl website in gatech which I can connect to with java so I can test the ssl path?

      Thanks,
      Chris
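The client-owned truststore that Bert calls the ideal (grouper using its own cacerts file, plus a command that adds a cert from a local file), written out as an added example; this is not Bert's, Georgia Tech's or Grouper's code, and the class name, the store path and the password handling are assumptions. Unlike the blind factory above, it trusts only the roots that were explicitly imported and it also checks the server name, which a raw SSLSocket does not do on its own.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.*;

/** Hypothetical client-owned truststore: the "own cacerts file plus add-a-cert command" idea above. */
public final class ClientTrustStore {
    private final Path storePath;      // e.g. conf/grouper.client.truststore (assumed path)
    private final char[] storePassword;
    public ClientTrustStore(Path storePath, char[] storePassword) { this.storePath = storePath; this.storePassword = storePassword; }

    /** Loads the truststore; a missing file yields an empty store rather than falling back to the JDK cacerts. */
    private KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.exists(storePath) ? Files.newInputStream(storePath) : null) {
            ks.load(in, storePassword); // a null stream initialises an empty store
        }
        return ks;
    }

    /** The "add a cacert from a local file" command: imports a PEM or DER X.509 cert as a trusted root. */
    public void addTrustedCert(String alias, Path certFile) throws Exception {
        KeyStore ks = load();
        try (InputStream in = Files.newInputStream(certFile)) {
            ks.setCertificateEntry(alias, CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        try (OutputStream out = Files.newOutputStream(storePath)) { ks.store(out, storePassword); }
    }

    /** Socket factory that trusts only the roots in this store, so no blind trust manager is needed. */
    public SSLSocketFactory socketFactory() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Connects and also checks the certificate's name against host, which a bare SSLSocket does not do. */
    public SSLSocket connect(String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) socketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 name-matching rules; applies to LDAPS too
        s.setSSLParameters(p);
        s.startHandshake(); // SSLHandshakeException on an untrusted chain or a name mismatch
        return s;
    }
}
```

An LDAP wrapper like GTIAMLDAPSSLSocketFactory can hold a ClientTrustStore instead of the blind factory and call connect(host, port) from makeSocket, keeping the keepalive option unchanged.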

People: Chris Hyzer (upenn.edu)