package com.ibm.ws.security.auth.kerberos.admintask;

import com.ibm.ISecurityUtilityImpl.AuthenticationTarget;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.AdminCommand;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandMgr;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandResult;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigDataId;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.websphere.management.exception.InvalidAttributeNameException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.AdminHelper;
import com.ibm.ws.security.auth.kerberos.Krb5Utils;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.CSIv2ConfigData;
import com.ibm.ws.security.config.CSIv2LayerConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.UserRegistryConfig;
import com.ibm.ws.security.profiletask.MessageFormatHelper;
import com.ibm.ws.security.util.ConfigUtils;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.ObjectName;
import javax.management.QueryExp;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/auth/kerberos/admintask/CreateKrbAuthMechanism.class */
public class CreateKrbAuthMechanism extends AbstractTaskCommand {
    // Base name of the resource bundle that holds the message keys used by this command.
    private static String BUNDLE_NAME = "com.ibm.ejs.resources.security";
    // Resolved once at class initialisation, for the JVM default locale.
    private static ResourceBundle resBundle = ResourceBundle.getBundle(BUNDLE_NAME, Locale.getDefault());
    // Trace component guarding every Tr.entry/exit/debug call in this class.
    private static TraceComponent tc = Tr.register(CreateKrbAuthMechanism.class, "CreateKrbAuthMechanism", "com.ibm.ws.security.auth.kerberos.admintask");
    // Login module class names that afterStepsExecuted() compares against each "moduleClassName" it reads.
    static final String krb5LoginModuleWrapper = "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper";
    static final String wsKrb5LoginModule = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule";
    // Not referenced in the part of the class visible in this listing.
    static final String ltpaLoginModule = "com.ibm.ws.security.server.lm.ltpaLoginModule";
    // When this module is already present, wsKrb5LoginModule is inserted at index 2 instead of 1.
    static final String pdLoginModuleWrapper = "com.tivoli.pd.as.jacc.cfg.PDLoginModuleWrapper";
    // Not referenced in the visible part; afterStepsExecuted() spells the "krb5|" prefix out literally.
    static final String delimiter = "|";
    // Command inputs, read from the task parameters in validate().
    String krb5Realm;
    String krb5Config;
    String krb5Keytab;
    String serviceName;
    // Derived in validate() as serviceName + "/${HOST}"; stays null when no serviceName is given.
    String krb5Spn;
    // Boxed flags: validate() overwrites the constructor default with whatever getParameter() returns,
    // so they can be null afterwards if a parameter is absent (NOTE(review): confirm the framework
    // always supplies a default, because afterStepsExecuted() calls booleanValue() on two of them).
    Boolean trimUserName;
    Boolean enabledGssCredDelegate;
    Boolean allowKrbAuthForCsiInbound;
    Boolean allowKrbAuthForCsiOutbound;
    // Fallback values that afterStepsExecuted() passes to validateKrbConfig when the matching input
    // is missing. Nothing in the visible code assigns them apart from the constructors; presumably
    // getKrbConfigInThisSession() fills them from the stored configuration (verify).
    private String _krb5Config;
    private String _krb5Keytab;
    private String _krb5Realm;
    private String _krb5Spn;
    private String _serverId;
    // Credential held as a plain String for the lifetime of the command object; keep it out of
    // trace and error messages.
    private String _serverIdPassword;
    // Only reset in the constructors within the visible part of the class.
    private boolean _useRegServerId;

    /**
     * Builds the command from its task metadata and puts every field into its initial state.
     *
     * @param taskCommandMetadata metadata passed straight to the superclass constructor
     * @throws CommandNotFoundException declared on this constructor; {@code super(...)} is the only
     *         call here that can raise it
     */
    public CreateKrbAuthMechanism(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);

        // Caller-supplied inputs: unset until validate() reads the parameters.
        this.krb5Realm = this.krb5Config = this.krb5Keytab = null;
        this.serviceName = this.krb5Spn = null;

        // All four switches start out enabled.
        this.trimUserName = Boolean.TRUE;
        this.enabledGssCredDelegate = Boolean.TRUE;
        this.allowKrbAuthForCsiInbound = Boolean.TRUE;
        this.allowKrbAuthForCsiOutbound = Boolean.TRUE;

        // Fallback values (including the server id credentials) start empty.
        this._krb5Config = this._krb5Keytab = this._krb5Realm = this._krb5Spn = null;
        this._serverId = this._serverIdPassword = null;
        this._useRegServerId = false;
    }

    /**
     * Builds the command from previously captured command data and puts every field into its
     * initial state.
     *
     * @param commandData command data passed straight to the superclass constructor
     * @throws CommandNotFoundException declared on this constructor; {@code super(...)} is the only
     *         call here that can raise it
     * @throws CommandLoadException declared on this constructor; {@code super(...)} is the only
     *         call here that can raise it
     */
    public CreateKrbAuthMechanism(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);

        // Caller-supplied inputs: unset until validate() reads the parameters.
        this.krb5Realm = this.krb5Config = this.krb5Keytab = null;
        this.serviceName = this.krb5Spn = null;

        // All four switches start out enabled.
        this.trimUserName = Boolean.TRUE;
        this.enabledGssCredDelegate = Boolean.TRUE;
        this.allowKrbAuthForCsiInbound = Boolean.TRUE;
        this.allowKrbAuthForCsiOutbound = Boolean.TRUE;

        // Fallback values (including the server id credentials) start empty.
        this._krb5Config = this._krb5Keytab = this._krb5Realm = this._krb5Spn = null;
        this._serverId = this._serverIdPassword = null;
        this._useRegServerId = false;
    }

    /**
     * Looks up a message key in the given bundle and formats it with the supplied arguments.
     *
     * @param resourceBundle bundle that holds the message key
     * @param str            message key
     * @param objArr         substitution arguments for the message
     * @return whatever {@code MessageFormatHelper.getFormattedMessage} produces for these inputs
     */
    private String getMsg(ResourceBundle resourceBundle, String str, Object[] objArr) {
        final String formatted = MessageFormatHelper.getFormattedMessage(resourceBundle, str, objArr);
        return formatted;
    }

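    /**
     * Reads the task parameters into the instance fields and rejects input that cannot yield a
     * usable Kerberos configuration.
     *
     * <p>Checks performed, in order:
     * <ul>
     *   <li>if {@code krb5Realm} is missing, the file named by {@code krb5Config} must provide a
     *       default realm;</li>
     *   <li>if {@code krb5Keytab} is missing, the file named by {@code krb5Config} must provide a
     *       default keytab name;</li>
     *   <li>{@code serviceName} must not contain a slash, because the SPN is assembled here as
     *       {@code serviceName + "/${HOST}"}.</li>
     * </ul>
     * The defaults looked up from the configuration file are only checked for presence; they are
     * not stored in the fields.
     *
     * @throws CommandValidationException if a check fails, or if any other exception is raised
     *         while checking (its message, or its string form when it has no message, is reused)
     */
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.VALIDATE);
        }
        super.validate();
        this.krb5Realm = (String) getParameter("krb5Realm");
        this.krb5Config = (String) getParameter("krb5Config");
        this.krb5Keytab = (String) getParameter("krb5Keytab");
        this.serviceName = (String) getParameter("serviceName");
        // NOTE(review): these overwrite the constructor defaults with whatever the framework returns;
        // confirm it never returns null, since afterStepsExecuted() unboxes two of the flags.
        this.trimUserName = (Boolean) getParameter("trimUserName");
        this.enabledGssCredDelegate = (Boolean) getParameter("enabledGssCredDelegate");
        this.allowKrbAuthForCsiInbound = (Boolean) getParameter("allowKrbAuthForCsiInbound");
        this.allowKrbAuthForCsiOutbound = (Boolean) getParameter("allowKrbAuthForCsiOutbound");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "krb5Realm:  " + this.krb5Realm);
            Tr.debug(tc, "krb5Config:  " + this.krb5Config);
            Tr.debug(tc, "krb5Keytab:  " + this.krb5Keytab);
            Tr.debug(tc, "serviceName:  " + this.serviceName);
            Tr.debug(tc, "trimUserName:  " + this.trimUserName);
            Tr.debug(tc, "enabledGssCredDelegate:  " + this.enabledGssCredDelegate);
            Tr.debug(tc, "allowKrbAuthForCsiInbound:  " + this.allowKrbAuthForCsiInbound);
            Tr.debug(tc, "allowKrbAuthForCsiOutbound:  " + this.allowKrbAuthForCsiOutbound);
        }
        try {
            if (this.krb5Realm == null || this.krb5Realm.length() == 0) {
                // No explicit realm: the configuration file has to name a default one.
                String str = null;
                if (this.krb5Config != null && this.krb5Config.length() > 0) {
                    str = Krb5Utils.getDefaultRealm(this.krb5Config);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "default_realm is: " + str + " in " + this.krb5Config);
                }
                if (str == null || str.length() == 0) {
                    String msg = getMsg(resBundle, "security.admintask.missingParameter.krb5ConfigAndSecurity.SECJ7785E", new Object[]{"default_realm", this.krb5Config});
                    Tr.error(tc, msg);
                    throw new CommandValidationException(msg);
                }
            }
            if (this.krb5Keytab == null || this.krb5Keytab.length() == 0) {
                // No explicit keytab: the configuration file has to name a default one.
                String str2 = null;
                if (this.krb5Config != null && this.krb5Config.length() > 0) {
                    str2 = Krb5Utils.getDefaultKeytab(this.krb5Config);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "default_keytab_name is: " + str2 + " in " + this.krb5Config);
                }
                if (str2 == null || str2.length() == 0) {
                    String msg2 = getMsg(resBundle, "security.admintask.missingParameter.krb5ConfigAndSecurity.SECJ7785E", new Object[]{"default_keytab_name", this.krb5Config});
                    Tr.error(tc, msg2);
                    throw new CommandValidationException(msg2);
                }
            }
            // A slash would change the shape of the SPN built below, so it is rejected outright.
            if (this.serviceName != null && this.serviceName.contains("/")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The service name contains a char slash");
                }
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.invalid.serviceName", new Object[]{this.serviceName}));
            }
            if (this.serviceName != null) {
                // "${HOST}" is stored literally; presumably it is substituted per host later (verify).
                this.krb5Spn = this.serviceName + "/${HOST}";
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "krb5Spn:  " + this.krb5Spn);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.VALIDATE);
            }
        } catch (CommandValidationException e) {
            // Already the right type: rethrow as is so the original stack trace is kept instead of
            // being replaced by a copy that carries only the message.
            throw e;
        } catch (Exception e) {
            // The cause is not attached to the new exception, so record it in the trace first.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception during validation.", new Object[]{e});
            }
            // Exceptions such as NullPointerException often have no message; fall back to the
            // string form so the administrator does not get an empty validation error.
            String detail = e.getMessage();
            throw new CommandValidationException(detail != null ? detail : e.toString());
        }
    }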

    /**
     * Applies the Kerberos authentication mechanism to the configuration session once the task
     * steps have run successfully.
     *
     * <p>Sequence visible in this listing:
     * <ol>
     *   <li>warn (without failing) when the krb5 configuration or keytab file does not exist;</li>
     *   <li>run the {@code validateKrbConfig} admin command with the supplied values, falling back
     *       to the underscore-prefixed fields for anything missing;</li>
     *   <li>if SPNEGO is enabled and the krb5 config/keytab differ from the stored ones, run
     *       {@code validateSpnegoConfig};</li>
     *   <li>write the KRB5 auth mechanism attributes;</li>
     *   <li>add the Kerberos login modules and their options to the WEB_INBOUND, RMI_INBOUND and
     *       DEFAULT JAAS entries;</li>
     *   <li>add or remove krb5 in the CSI inbound and outbound supportedAuthMechList.</li>
     * </ol>
     *
     * <p>NOTE(review): this is decompiler output and does not compile as shown: {@code r27} is
     * never declared, {@code attributeList} and {@code attributeList2} are used outside the loops
     * that declare them, variables assigned only inside the first {@code try} are read after it,
     * and {@code CommandValidationException} is thrown although the method declares no checked
     * exceptions. Read the control flow as an approximation of the original.
     */
    protected void afterStepsExecuted() {
        ConfigService configService;
        Session configSession;
        ObjectName objectName;
        CommandMgr commandMgr;
        CommandResult commandResult;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "afterStepsExecuted");
        }
        super.afterStepsExecuted();
        // z: Krb5LoginModuleWrapper seen, z2: WSKrb5LoginModule seen, z3: PDLoginModuleWrapper seen.
        boolean z = false;
        boolean z2 = false;
        boolean z3 = false;
        TaskCommandResultImpl taskCommandResult = getTaskCommandResult();
        // Nothing to do when an earlier step already failed.
        if (!taskCommandResult.isSuccessful()) {
            // The exit trace is guarded by isDebugEnabled() here, while the entry trace above and
            // the exit trace at the end of the method use isEntryEnabled().
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, "afterStepsExecuted");
                return;
            }
            return;
        }
        // A missing krb5 configuration or keytab file only adds a warning; processing continues.
        if (this.krb5Config != null && this.krb5Config.length() != 0 && !new File(this.krb5Config).exists()) {
            String msg = getMsg(resBundle, "security.admintask.fileNotExist", new Object[]{this.krb5Config});
            Tr.warning(tc, msg);
            taskCommandResult.addWarnings(msg);
        }
        if (this.krb5Keytab != null && this.krb5Keytab.length() != 0 && !new File(this.krb5Keytab).exists()) {
            String msg2 = getMsg(resBundle, "security.admintask.fileNotExist", new Object[]{this.krb5Keytab});
            Tr.warning(tc, msg2);
            taskCommandResult.addWarnings(msg2);
        }
        try {
            configService = ConfigServiceFactory.getConfigService();
            configSession = getConfigSession();
            // First object matching the cell-level Security configuration.
            objectName = configService.resolve(configSession, "Cell=:Security=")[0];
            ObjectName objectName2 = (ObjectName) configService.getAttribute(configSession, objectName, "activeUserRegistry");
            // str = server id, str2 = server password; both are read only when the active registry
            // is flagged to use the registry server id. The password stays in a local String and is
            // handed to validateKrbConfig below; no trace call in this method prints it.
            String str = null;
            String str2 = null;
            if (((Boolean) configService.getAttribute(configSession, objectName2, UserRegistryConfig.USE_REGISTRY_SERVER_ID, false)).booleanValue()) {
                str = (String) configService.getAttribute(configSession, objectName2, UserRegistryConfig.SERVER_ID, false);
                str2 = (String) configService.getAttribute(configSession, objectName2, UserRegistryConfig.SERVER_PASSWORD, false);
            }
            commandMgr = CommandMgr.getCommandMgr();
            String hostName = AdminHelper.getInstance().getHostName();
            AdminCommand createCommand = commandMgr.createCommand("validateKrbConfig");
            createCommand.setParameter("checkConfigOnly", false);
            createCommand.setParameter("validateKrbRealm", true);
            createCommand.setParameter("useGlobalSecurityConfig", false);
            // If any single input is missing, load the fallbacks. getKrbConfigInThisSession() is not
            // visible here; presumably it fills the underscore-prefixed fields (verify).
            if (str == null || str.length() == 0 || str2 == null || str2.length() == 0 || this.serviceName == null || this.serviceName.length() == 0 || this.krb5Config == null || this.krb5Config.length() == 0 || this.krb5Keytab == null || this.krb5Keytab.length() == 0 || this.krb5Realm == null || this.krb5Realm.length() == 0) {
                getKrbConfigInThisSession(configSession, configService, objectName);
            }
            // For each parameter: use the supplied value when non-empty, otherwise the fallback field.
            if (str == null || str.length() <= 0) {
                createCommand.setParameter(UserRegistryConfig.SERVER_ID, this._serverId);
            } else {
                createCommand.setParameter(UserRegistryConfig.SERVER_ID, str);
            }
            if (str2 == null || str2.length() <= 0) {
                createCommand.setParameter("serverIdPassword", this._serverIdPassword);
            } else {
                createCommand.setParameter("serverIdPassword", str2);
            }
            // The SPN validated here uses this host's real name, whereas the SPN stored further down
            // is this.krb5Spn, which validate() builds with the literal "${HOST}".
            if (this.serviceName == null || this.serviceName.length() <= 0) {
                createCommand.setParameter(AuthMechanismConfig.KRB5_SPN, this._krb5Spn);
            } else {
                createCommand.setParameter(AuthMechanismConfig.KRB5_SPN, this.serviceName + "/" + hostName);
            }
            if (this.krb5Config == null || this.krb5Config.length() <= 0) {
                createCommand.setParameter("krb5Config", this._krb5Config);
            } else {
                createCommand.setParameter("krb5Config", this.krb5Config);
            }
            if (this.krb5Keytab == null || this.krb5Keytab.length() <= 0) {
                createCommand.setParameter("krb5Keytab", this._krb5Keytab);
            } else {
                createCommand.setParameter("krb5Keytab", this.krb5Keytab);
            }
            if (this.krb5Realm == null || this.krb5Realm.length() <= 0) {
                createCommand.setParameter("krb5Realm", this._krb5Realm);
            } else {
                createCommand.setParameter("krb5Realm", this.krb5Realm);
            }
            createCommand.setConfigSession(configSession);
            createCommand.execute();
            commandResult = createCommand.getCommandResult();
        } catch (CommandValidationException e) {
            // Failures are reported through FFDC and recorded on the task result rather than thrown.
            FFDCFilter.processException((Throwable) e, "com.ibm.ws.security.auth.kerberos.admintask.CreateKrbAuthMechanism.afterStepsExecuted", "580", (Object) this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Command validation exception occurred.", new Object[]{e});
            }
            taskCommandResult.setException(new CommandException(e, e.getMessage()));
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.kerberos.admintask.CreateKrbAuthMechanism.afterStepsExecuted", "586", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred.", new Object[]{e2});
            }
            taskCommandResult.setException(new CommandException(e2, e2.getMessage()));
        }
        // NOTE(review): as listed, control reaches this point after either catch block even though
        // commandResult, configSession, configService, objectName and commandMgr are assigned only
        // inside the try. In the original, everything below most likely sat inside that try; verify
        // against the bytecode before relying on the ordering.
        if (!commandResult.isSuccessful()) {
            Throwable exception = commandResult.getException();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Validating Kerberos configuration failed", new Object[]{exception});
            }
            Tr.error(tc, "Validating Kerberos configuration failed", new Object[]{exception.getMessage()});
            throw new CommandValidationException(exception.getMessage());
        }
        // Re-validate SPNEGO only when it is enabled and the new krb5 config/keytab differ from the
        // stored Kerberos settings.
        ObjectName authMechObj = Krb5Utils.getAuthMechObj(configSession, configService, objectName, AuthMechanismConfig.TYPE_SPNEGO);
        if ((authMechObj != null ? ((Boolean) configService.getAttribute(configSession, authMechObj, "enabled", false)).booleanValue() : false) && !krb5ConfigEquals(configSession, configService, objectName, this.krb5Config, this.krb5Keytab)) {
            AdminCommand createCommand2 = commandMgr.createCommand("validateSpnegoConfig");
            createCommand2.setParameter("krb5Config", this.krb5Config);
            createCommand2.setParameter("krb5Keytab", this.krb5Keytab);
            createCommand2.setConfigSession(configSession);
            createCommand2.execute();
            CommandResult commandResult2 = createCommand2.getCommandResult();
            if (!commandResult2.isSuccessful()) {
                Throwable exception2 = commandResult2.getException();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Validating SPNEGO Web auth configuration with the new Kerberos configuration failed", new Object[]{exception2});
                }
                Tr.error(tc, "Validating SPNEGO Web auth with the new Kerberos configuration failed", new Object[]{exception2.getMessage()});
                throw new CommandValidationException(exception2.getMessage());
            }
        }
        // r27 has no declaration in this listing (decompiler artifact); it is used as an AttributeList.
        r27 = new AttributeList();
        ObjectName authMechObj2 = Krb5Utils.getAuthMechObj(configSession, configService, objectName, AuthMechanismConfig.TYPE_KERBEROS);
        if (authMechObj2 == null) {
            // No Kerberos mechanism object yet: create one (helper not visible in this listing).
            authMechObj2 = createDefaultKrb5AuthMechObj(configSession, configService, objectName);
        } else {
            boolean propertyBool = SecurityObjectLocator.getSecurityConfig("security").getPropertyBool("com.ibm.websphere.security.krb.enabled");
            // NOTE(review): the "disabled" trace is emitted whenever debug is on, whatever
            // propertyBool is, so it cannot be used to tell whether Kerberos is actually disabled.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Kerberos authentication mechanism is disabled in this release");
            }
            // Only an existing mechanism object is made the active mechanism, and only when the
            // krb.enabled property is true.
            if (propertyBool) {
                r27.add(new Attribute("activeAuthMechanism", authMechObj2));
                configService.setAttributes(configSession, objectName, r27);
            }
        }
        // Reuse the list for the attributes of the Kerberos mechanism object itself.
        r27.clear();
        r27.add(new Attribute(AuthMechanismConfig.OID, KRB5MechOID.value));
        r27.add(new Attribute(AuthMechanismConfig.AUTH_CONTEXT_IMPL_CLASS, "com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl"));
        r27.add(new Attribute(AuthMechanismConfig.AUTH_CONFIG, "system.KRB5"));
        r27.add(new Attribute(AuthMechanismConfig.SIMPLE_AUTH_CONFIG, "system.KRB5"));
        r27.add(new Attribute(AuthMechanismConfig.AUTH_VALIDATION_CONFIG, "system.KRB5"));
        // The raw inputs are stored, not the fallbacks: a null realm, config, keytab or SPN is
        // written as null even if validateKrbConfig was run with a fallback value.
        r27.add(new Attribute("krb5Realm", this.krb5Realm));
        r27.add(new Attribute("krb5Config", this.krb5Config));
        r27.add(new Attribute("krb5Keytab", this.krb5Keytab));
        r27.add(new Attribute(AuthMechanismConfig.KRB5_SPN, this.krb5Spn));
        r27.add(new Attribute("trimUserName", this.trimUserName));
        r27.add(new Attribute("enabledGssCredDelegate", this.enabledGssCredDelegate));
        boolean propertyBool2 = SecurityObjectLocator.getSecurityConfig("security").getPropertyBool("com.ibm.websphere.security.krb.enabled");
        // Same unconditional "disabled" trace as above (see the NOTE there).
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Kerberos authentication mechanism is disabled in this release");
        }
        // "configured" mirrors the krb.enabled property.
        if (propertyBool2) {
            r27.add(new Attribute("configured", true));
        } else {
            r27.add(new Attribute("configured", false));
        }
        configService.setAttributes(configSession, authMechObj2, r27);
        // With the property off, the attributes are still saved, but the JAAS and CSI changes below
        // are skipped and the caller gets a success result plus a warning.
        if (!propertyBool2) {
            taskCommandResult.setResult(new Boolean(true));
            taskCommandResult.addWarnings("Kerberos authentication mechanism is disabled in this release");
            return;
        }
        // Pass 1: make sure the Kerberos login modules are present in the three JAAS entries.
        ObjectName[] queryConfigObjects = configService.queryConfigObjects(configSession, (ObjectName) null, ConfigServiceHelper.createObjectName((ConfigDataId) null, "JAASConfigurationEntry"), (QueryExp) null);
        for (int i = 0; i < queryConfigObjects.length; i++) {
            Object attribute = configService.getAttribute(configSession, queryConfigObjects[i], "alias");
            if (attribute != null && (attribute.toString().equals("WEB_INBOUND") || attribute.toString().equals("RMI_INBOUND") || attribute.toString().equals("DEFAULT"))) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "JAASConfigurationEntries: " + queryConfigObjects[i]);
                }
                for (Attribute attribute2 : configService.getAttributes(configSession, queryConfigObjects[i], (String[]) null, true)) {
                    if (attribute2.getName().equals("loginModules")) {
                        for (AttributeList attributeList : (List) attribute2.getValue()) {
                            ObjectName[] queryConfigObjects2 = configService.queryConfigObjects(configSession, (ObjectName) null, ConfigServiceHelper.createObjectName(attributeList), (QueryExp) null);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "loginModuleObjs: " + queryConfigObjects2);
                            }
                            if (queryConfigObjects2 != null && queryConfigObjects2.length != 0) {
                                Object attribute3 = configService.getAttribute(configSession, queryConfigObjects2[0], "moduleClassName");
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "moduleClassName: " + attribute3.toString());
                                }
                                if (krb5LoginModuleWrapper.equals(attribute3.toString())) {
                                    z = true;
                                }
                                if (wsKrb5LoginModule.equals(attribute3.toString())) {
                                    z2 = true;
                                }
                                if (pdLoginModuleWrapper.equals(attribute3.toString())) {
                                    z3 = true;
                                }
                            }
                        }
                        // NOTE(review): z, z2 and z3 are declared once per call and never reset, so as
                        // listed a module found in one alias also suppresses the insert for the aliases
                        // visited afterwards. attributeList is also out of scope here (decompiler artifact).
                        if (!z) {
                            // Wrapper goes to the front of the login module list.
                            attributeList.clear();
                            attributeList.add(new Attribute("moduleClassName", krb5LoginModuleWrapper));
                            attributeList.add(new Attribute("authenticationStrategy", "REQUIRED"));
                            configService.addElement(configSession, queryConfigObjects[i], "loginModules", attributeList, 0);
                        }
                        if (!z2) {
                            attributeList.clear();
                            attributeList.add(new Attribute("moduleClassName", wsKrb5LoginModule));
                            attributeList.add(new Attribute("authenticationStrategy", "REQUIRED"));
                            // Index 2 when the PD login module wrapper was seen, otherwise index 1.
                            if (z3) {
                                configService.addElement(configSession, queryConfigObjects[i], "loginModules", attributeList, 2);
                            } else {
                                configService.addElement(configSession, queryConfigObjects[i], "loginModules", attributeList, 1);
                            }
                        }
                    }
                }
            }
        }
        // Pass 2: re-query the entries and attach options to the wrapper module. This runs only when
        // z is still false, i.e. when pass 1 never found a wrapper that was already configured.
        ObjectName[] queryConfigObjects3 = configService.queryConfigObjects(configSession, (ObjectName) null, ConfigServiceHelper.createObjectName((ConfigDataId) null, "JAASConfigurationEntry"), (QueryExp) null);
        if (!z) {
            for (int i2 = 0; i2 < queryConfigObjects3.length; i2++) {
                String str3 = (String) configService.getAttribute(configSession, queryConfigObjects3[i2], "alias");
                if (str3 != null && (str3.equals("WEB_INBOUND") || str3.equals("RMI_INBOUND") || str3.equals("DEFAULT"))) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "alias: " + str3);
                    }
                    for (Attribute attribute4 : configService.getAttributes(configSession, queryConfigObjects3[i2], (String[]) null, true)) {
                        if (attribute4.getName().equals("loginModules")) {
                            for (AttributeList attributeList2 : (List) attribute4.getValue()) {
                                ObjectName[] queryConfigObjects4 = configService.queryConfigObjects(configSession, (ObjectName) null, ConfigServiceHelper.createObjectName(attributeList2), (QueryExp) null);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "jaasLoginModules: " + queryConfigObjects4);
                                }
                                if (queryConfigObjects4 != null && queryConfigObjects4.length != 0) {
                                    String str4 = (String) configService.getAttribute(configSession, queryConfigObjects4[0], "moduleClassName");
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "moduleClassName: " + str4.toString());
                                    }
                                    if (krb5LoginModuleWrapper.equals(str4)) {
                                        // Seven options, each appended (index -1) as name/value with
                                        // required=false. What each option does is defined by the login
                                        // module, not by this class; by name, forwardable/renewable/noAddress
                                        // look like ticket properties (confirm in the module's documentation
                                        // before changing them).
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "storeSharedStateCredentials"));
                                        attributeList2.add(new Attribute("value", "true"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "refreshKrb5Config"));
                                        attributeList2.add(new Attribute("value", "true"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "credsType"));
                                        attributeList2.add(new Attribute("value", "both"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "tryFirstPass"));
                                        attributeList2.add(new Attribute("value", "true"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "renewable"));
                                        attributeList2.add(new Attribute("value", "true"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "forwardable"));
                                        attributeList2.add(new Attribute("value", "true"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                        attributeList2.clear();
                                        attributeList2.add(new Attribute("name", "noAddress"));
                                        attributeList2.add(new Attribute("value", "true"));
                                        attributeList2.add(new Attribute("required", false));
                                        configService.addElement(configSession, queryConfigObjects4[0], "options", attributeList2, -1);
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        // CSI inbound: str5 = current supportedAuthMechList of the MessageLayer, z4 = it mentions krb5.
        String str5 = null;
        boolean z4 = false;
        // attributeList2 is out of scope here (decompiler artifact).
        attributeList2.clear();
        ObjectName objectName3 = configService.queryConfigObjects(configSession, objectName, ConfigServiceHelper.createObjectName((AttributeList) configService.getAttribute(configSession, objectName, "CSI")), (QueryExp) null)[0];
        ArrayList arrayList = (ArrayList) ConfigServiceHelper.getAttributeValue((AttributeList) configService.getAttribute(configSession, objectName3, CSIv2ConfigData.CLAIMS), "layers");
        for (int i3 = 0; i3 < arrayList.size(); i3++) {
            AttributeList attributeList3 = (AttributeList) arrayList.get(i3);
            if (((String) ConfigServiceHelper.getAttributeValue(attributeList3, "_Websphere_Config_Data_Type")).equals("MessageLayer")) {
                str5 = (String) ConfigServiceHelper.getAttributeValue(attributeList3, CSIv2LayerConfig.SUPPORTED_AUTH_MECH_LIST);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CSI inbound, supportedAuthMechList: " + str5);
        }
        // The list is lower-cased and searched by substring; the value of
        // AuthenticationTarget.KRB5String is not shown here (presumably "krb5").
        if (str5 != null && str5.length() != 0) {
            str5 = str5.toLowerCase();
            if (str5.contains(AuthenticationTarget.KRB5String)) {
                z4 = true;
            }
        }
        String str6 = str5;
        // NOTE(review): three edge cases in this branch, all visible from the code:
        //  - removal only matches the literal "krb5|", so a list where krb5 is the last or only entry
        //    keeps krb5 even though allowKrbAuthForCsiInbound is false (the disable request is
        //    silently ineffective);
        //  - when no list was found (str5 == null) and krb5 is allowed, the concatenation yields
        //    "krb5|null"; an empty list yields "krb5|";
        //  - allowKrbAuthForCsiInbound is unboxed without a null check.
        if (z4) {
            if (!this.allowKrbAuthForCsiInbound.booleanValue()) {
                str6 = str5.replace("krb5|", "");
            }
        } else if (this.allowKrbAuthForCsiInbound.booleanValue()) {
            str6 = "krb5|" + str5;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CSI inbound, update supportedAuthMechList: " + str6);
        }
        if (str6 != null) {
            // The list is upper-cased again before it is handed to configureCSIInbound.
            AdminCommand createCommand3 = commandMgr.createCommand("configureCSIInbound");
            createCommand3.setParameter(CSIv2LayerConfig.SUPPORTED_AUTH_MECH_LIST, str6.toUpperCase());
            createCommand3.setConfigSession(configSession);
            createCommand3.execute();
            CommandResult commandResult3 = createCommand3.getCommandResult();
            if (!commandResult3.isSuccessful()) {
                Throwable exception3 = commandResult3.getException();
                // The messages say "Error getting", but the failure reported here is from the
                // configureCSIInbound update.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error getting supportedAuthMechList for CSI inbound.", new Object[]{exception3});
                }
                Tr.error(tc, "Error getting supportedAuthMechList for CSI inbound", new Object[]{exception3.getMessage()});
                throw new CommandValidationException(exception3.getMessage());
            }
        }
        // CSI outbound: same procedure on the PERFORMS layers, driven by allowKrbAuthForCsiOutbound.
        String str7 = null;
        boolean z5 = false;
        ArrayList arrayList2 = (ArrayList) ConfigServiceHelper.getAttributeValue((AttributeList) configService.getAttribute(configSession, objectName3, CSIv2ConfigData.PERFORMS), "layers");
        for (int i4 = 0; i4 < arrayList2.size(); i4++) {
            AttributeList attributeList4 = (AttributeList) arrayList2.get(i4);
            if (((String) ConfigServiceHelper.getAttributeValue(attributeList4, "_Websphere_Config_Data_Type")).equals("MessageLayer")) {
                str7 = (String) ConfigServiceHelper.getAttributeValue(attributeList4, CSIv2LayerConfig.SUPPORTED_AUTH_MECH_LIST);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CSI outbound, supportedAuthMechList " + str7);
        }
        if (str7 != null && str7.length() != 0) {
            str7 = str7.toLowerCase();
            if (str7.contains(AuthenticationTarget.KRB5String)) {
                z5 = true;
            }
        }
        String str8 = str7;
        // NOTE(review): same edge cases as the inbound branch: "krb5" without a trailing "|" is not
        // removed, a null list becomes "krb5|null", and the Boolean is unboxed without a null check.
        if (z5) {
            if (!this.allowKrbAuthForCsiOutbound.booleanValue()) {
                str8 = str7.replace("krb5|", "");
            }
        } else if (this.allowKrbAuthForCsiOutbound.booleanValue()) {
            str8 = "krb5|" + str7;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CSI outbound, update supportedAuthMechList " + str8);
        }
        if (str8 != null) {
            AdminCommand createCommand4 = commandMgr.createCommand("configureCSIOutbound");
            createCommand4.setParameter(CSIv2LayerConfig.SUPPORTED_AUTH_MECH_LIST, str8.toUpperCase());
            createCommand4.setConfigSession(configSession);
            createCommand4.execute();
            CommandResult commandResult4 = createCommand4.getCommandResult();
            if (!commandResult4.isSuccessful()) {
                Throwable exception4 = commandResult4.getException();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error getting supportedAuthMechList for CSI outbound.", new Object[]{exception4});
                }
                Tr.error(tc, "Error getting supportedAuthMechList for CSI outbound", new Object[]{exception4.getMessage()});
                throw new CommandValidationException(exception4.getMessage());
            }
        }
        // All steps applied: report success to the command framework.
        taskCommandResult.setResult(new Boolean(true));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "afterStepsExecuted");
        }
    }

    /**
     * Reports whether the Kerberos auth mechanism already stored in the configuration uses the
     * same krb5 config file and keytab as the values supplied.
     *
     * <p>The stored mechanism is looked up with {@code Krb5Utils.getAuthMechObj}. If none is
     * found the result is {@code false}. Otherwise the stored {@code krb5Config} must be
     * non-empty and equal to {@code str}, and the keytabs must either both be unset (null or
     * empty) or both be set and equal.
     *
     * <p>NOTE(review): both comparisons use {@code equalsIgnoreCase}. On a case-sensitive file
     * system, two paths that differ only in case name different files yet are reported as the
     * same configuration here. Confirm this is intended before relying on the result to skip a
     * reconfiguration.
     *
     * @param session the configuration session to read from
     * @param configService the config service used to read the stored attributes
     * @param objectName the configuration object the auth mechanism is looked up under
     * @param str the krb5 config value to compare against the stored one
     * @param str2 the krb5 keytab value to compare against the stored one; may be null or empty
     * @return {@code true} if the stored config and keytab match the supplied values
     * @throws Exception if the lookup or an attribute read fails
     */
    public boolean krb5ConfigEquals(Session session, ConfigService configService, ObjectName objectName, String str, String str2) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "krb5ConfigEquals");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "krb5Config: " + str);
            Tr.debug(tc, "krb5Keytab: " + str2);
        }
        boolean matches = false;
        ObjectName krbMech = Krb5Utils.getAuthMechObj(session, configService, objectName, AuthMechanismConfig.TYPE_KERBEROS);
        if (krbMech != null) {
            String storedConfig = (String) configService.getAttribute(session, krbMech, "krb5Config", false);
            String storedKeytab = (String) configService.getAttribute(session, krbMech, "krb5Keytab", false);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "existing krb5Config: " + storedConfig);
                Tr.debug(tc, "existing krb5Keytab: " + storedKeytab);
            }
            // The stored config must be set; an unset stored config never matches.
            boolean sameConfig = storedConfig != null && storedConfig.length() != 0 && storedConfig.equalsIgnoreCase(str);
            if (sameConfig) {
                boolean storedKeytabUnset = storedKeytab == null || storedKeytab.length() == 0;
                boolean givenKeytabUnset = str2 == null || str2.length() == 0;
                boolean bothUnset = storedKeytabUnset && givenKeytabUnset;
                boolean bothEqual = storedKeytab != null && str2 != null && storedKeytab.equalsIgnoreCase(str2);
                matches = bothUnset || bothEqual;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "krb5ConfigEquals " + matches);
        }
        return matches;
    }

    /**
     * Creates a Kerberos auth mechanism config object under {@code objectName} with default
     * attribute values.
     *
     * <p>The object is created with the Kerberos mechanism OID, the
     * {@code Krb5WSSecurityContextImpl} context class and {@code system.KRB5} for the three
     * auth-config attributes. {@code krb5Realm}, {@code krb5Config} and {@code krb5Keytab} are
     * created with {@code null} values, so the returned mechanism carries no realm, config file
     * or keytab until something else sets them.
     *
     * <p>An {@code InvalidAttributeNameException} from the config service is not propagated: it
     * is traced at debug level only and the method returns {@code null}. Callers must
     * null-check the result, because with debug trace off the failure leaves no record here.
     *
     * @param session the configuration session the object is created in
     * @param configService the config service used to create the object
     * @param objectName the parent configuration object
     * @return the created auth mechanism object, or {@code null} if an
     *     {@code InvalidAttributeNameException} was caught
     * @throws Exception if the config service fails in any other way
     */
    public static ObjectName createDefaultKrb5AuthMechObj(Session session, ConfigService configService, ObjectName objectName) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createDefaultKrb5AuthMechObj");
        }
        final String krb5AuthConfig = "system.KRB5";
        AttributeList defaults = new AttributeList();
        defaults.add(new Attribute(AuthMechanismConfig.OID, KRB5MechOID.value));
        defaults.add(new Attribute(AuthMechanismConfig.AUTH_CONTEXT_IMPL_CLASS, "com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl"));
        defaults.add(new Attribute(AuthMechanismConfig.AUTH_CONFIG, krb5AuthConfig));
        defaults.add(new Attribute(AuthMechanismConfig.SIMPLE_AUTH_CONFIG, krb5AuthConfig));
        defaults.add(new Attribute(AuthMechanismConfig.AUTH_VALIDATION_CONFIG, krb5AuthConfig));
        // Realm, config file and keytab are deliberately left unset at creation time.
        String[] unsetAttributes = {"krb5Realm", "krb5Config", "krb5Keytab"};
        for (String attributeName : unsetAttributes) {
            defaults.add(new Attribute(attributeName, null));
        }

        ObjectName created = null;
        try {
            created = configService.createConfigData(session, objectName, "authMechanisms", AuthMechanismConfig.TYPE_KERBEROS, defaults);
        } catch (InvalidAttributeNameException e) {
            // Best-effort: the failure is visible only in debug trace and as a null return.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "createDefaultKrb5AuthMechObj caught an unexpected exception.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createDefaultKrb5AuthMechObj " + created);
        }
        return created;
    }

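    /**
     * Loads the Kerberos and user-registry settings visible in {@code session} into this
     * command's fields.
     *
     * <p>From the Kerberos auth mechanism (if one exists) it reads {@code krb5Config}, and only
     * when that is non-empty also {@code krb5Keytab} and {@code krb5Realm}, substituting the
     * values returned by {@code Krb5Utils.getDefaultKeytab} / {@code getDefaultRealm} when the
     * stored ones are null or empty. The SPN is read whether or not a config file is set. From
     * the active user registry (if any) it reads the use-registry-server-id flag, the server id
     * and the server password.
     *
     * <p>Failures are not propagated: every exception is sent to FFDC and traced at debug
     * level, and the method returns normally. Fields assigned before the failure keep their new
     * values and the rest keep whatever they held, so callers cannot assume a consistent set of
     * values after this call.
     *
     * <p>The server password is kept in a {@code String} field and is never written to trace;
     * the debug output records only whether one is present.
     *
     * @param session the configuration session to read from
     * @param configService the config service used to read the attributes
     * @param objectName the configuration object holding the auth mechanisms and the
     *     {@code activeUserRegistry} attribute
     */
    public void getKrbConfigInThisSession(Session session, ConfigService configService, ObjectName objectName) {
        if (tc.isEntryEnabled()) {
            // Method entry: the original emitted Tr.exit here, which left the trace with two
            // exit records and no entry record for this method.
            Tr.entry(tc, "getKrbConfigInThisSession");
        }
        try {
            ObjectName authMechObj = Krb5Utils.getAuthMechObj(session, configService, objectName, AuthMechanismConfig.TYPE_KERBEROS);
            if (authMechObj != null) {
                this._krb5Config = (String) configService.getAttribute(session, authMechObj, "krb5Config", false);
                // Keytab and realm are only resolved when a krb5 config file is configured,
                // because their defaults are derived from that file.
                if (this._krb5Config != null && this._krb5Config.length() > 0) {
                    this._krb5Keytab = (String) configService.getAttribute(session, authMechObj, "krb5Keytab", false);
                    if (this._krb5Keytab == null || this._krb5Keytab.length() == 0) {
                        this._krb5Keytab = Krb5Utils.getDefaultKeytab(this._krb5Config);
                    }
                    this._krb5Realm = (String) configService.getAttribute(session, authMechObj, "krb5Realm", false);
                    if (this._krb5Realm == null || this._krb5Realm.length() == 0) {
                        this._krb5Realm = Krb5Utils.getDefaultRealm(this._krb5Config);
                    }
                }
                this._krb5Spn = ConfigUtils.expandHost((String) configService.getAttribute(session, authMechObj, AuthMechanismConfig.KRB5_SPN, false), null);
            }
            ObjectName objectName2 = (ObjectName) configService.getAttribute(session, objectName, "activeUserRegistry");
            if (objectName2 != null) {
                // NOTE(review): a null attribute value makes this unboxing throw a
                // NullPointerException, which the generic catch below absorbs; the server id
                // and password are then never read.
                this._useRegServerId = ((Boolean) configService.getAttribute(session, objectName2, UserRegistryConfig.USE_REGISTRY_SERVER_ID, false)).booleanValue();
                this._serverId = (String) configService.getAttribute(session, objectName2, UserRegistryConfig.SERVER_ID, false);
                this._serverIdPassword = (String) configService.getAttribute(session, objectName2, UserRegistryConfig.SERVER_PASSWORD, false);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "_krb5Config: " + this._krb5Config);
                Tr.debug(tc, "_krb5Keytab: " + this._krb5Keytab);
                Tr.debug(tc, "_krb5Realm: " + this._krb5Realm);
                Tr.debug(tc, "_useRegServerId: " + this._useRegServerId);
                Tr.debug(tc, "_serverId: " + this._serverId);
                // Trace presence only; the password value must never reach the trace log.
                Tr.debug(tc, "_serverIdPassword: " + (this._serverIdPassword == null ? "null" : "*****"));
            }
        } catch (CommandValidationException e) {
            // NOTE(review): the FFDC source id names afterStepsExecuted although this is
            // getKrbConfigInThisSession; left unchanged in case the id is tracked elsewhere.
            FFDCFilter.processException((Throwable) e, "com.ibm.ws.security.auth.kerberos.admintask.CreateKrbAuthMechanism.afterStepsExecuted", "794", (Object) this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Command validation exception occurred.", new Object[]{e});
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.kerberos.admintask.CreateKrbAuthMechanism.afterStepsExecuted", "799", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred.", new Object[]{e2});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKrbConfigInThisSession");
        }
    }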
}
