为 SSL 创建定制密钥管理器
您可以在任何管理范围中创建定制密钥管理器配置并使新的密钥管理器与安全套接字层 (SSL) 配置相关联。
开始之前
关于此任务
过程
结果
示例
开发定制密钥管理器以便选择定制安全套接字层密钥。 以下示例是样本定制密钥管理器。如果已配置的别名是使用别名属性 com.ibm.ssl.keyStoreClientAlias 或 com.ibm.ssl.keyStoreServerAlias 设置的(这取决于密钥管理器使用哪一端连接),那么此简单密钥管理器将返回该别名。如果未设置这些属性,那么密钥管理器将推迟到由 JSSE 缺省 IbmX509 密钥管理器来选择别名。
在构建定制密钥管理器并将其打包后,可在纯客户机的 ssl.client.props 文件中配置它,或者通过使用管理控制台中的 SSLConfiguration KeyManager 链接来配置它。有关密钥管理器的更多信息,请参阅密钥管理器对 X.509 证书标识的控制。
因为对于任何指定的安全套接字层 (SSL) 配置,一次只能配置一个密钥管理器,所以配置定制密钥管理器之后,缺省 IbmX509 密钥管理器在服务器端执行的证书选择将不再自动生效。此时由密钥管理器的所有者负责确保:在调用 chooseClientAlias 或 chooseServerAlias 时,返回的别名与所提供 SSL 配置中选择的别名一致。为此,请在 setSSLConfig 传入的属性中查找 com.ibm.ssl.keyStoreClientAlias 和 com.ibm.ssl.keyStoreServerAlias SSL 属性,并在返回之前确认该别名确实存在于密钥库中;若不存在,应退回到缺省密钥管理器的选择,而不是返回一个无法解析出私钥的别名。
注: 此示例仅用于说明,不受支持;在生产环境中使用之前,请自行审查并测试。
package com.ibm.test;
import java.security.cert.X509Certificate;
import com.ibm.wsspi.ssl.KeyManagerExtendedInfo;
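public final class CustomKeyManager
    implements javax.net.ssl.X509KeyManager, com.ibm.wsspi.ssl.KeyManagerExtendedInfo
{
    /** SSL configuration property naming the alias to present when acting as a client. */
    private static final String CLIENT_ALIAS_PROP = "com.ibm.ssl.keyStoreClientAlias";
    /** SSL configuration property naming the alias to present when acting as a server. */
    private static final String SERVER_ALIAS_PROP = "com.ibm.ssl.keyStoreServerAlias";

    private java.util.Properties props = null;
    private java.security.KeyStore ks = null;
    private javax.net.ssl.X509KeyManager km = null;
    private java.util.Properties sslConfig = null;
    private String clientAlias = null;
    private String serverAlias = null;
    // Slot numbers are recorded for hardware keystores but are not consulted by this sample.
    private int clientslotnum = 0;
    private int serverslotnum = 0;

    /** Creates an unconfigured key manager; the runtime injects its collaborators via the setters. */
    public CustomKeyManager()
    {
    }

    /**
     * Called by the WebSphere Application Server runtime to set the custom properties.
     *
     * @param customProps custom properties configured for this key manager (may be null)
     */
    public void setCustomProperties(java.util.Properties customProps)
    {
        props = customProps;
    }

    private java.util.Properties getCustomProperties()
    {
        return props;
    }

    /**
     * Called by the WebSphere Application Server runtime to set the SSL configuration
     * properties used for this connection.
     * <p>
     * If no alias has been set explicitly through the alias setters, the aliases named by
     * {@code com.ibm.ssl.keyStoreClientAlias} and {@code com.ibm.ssl.keyStoreServerAlias}
     * in this configuration are adopted. An explicitly set alias always wins.
     *
     * @param config properties of the SSL configuration (may be null)
     */
    public void setSSLConfig(java.util.Properties config)
    {
        sslConfig = config;
        if (config == null)
        {
            return;
        }
        if (isBlank(clientAlias))
        {
            clientAlias = trimToNull(config.getProperty(CLIENT_ALIAS_PROP));
        }
        if (isBlank(serverAlias))
        {
            serverAlias = trimToNull(config.getProperty(SERVER_ALIAS_PROP));
        }
    }

    private java.util.Properties getSSLConfig()
    {
        return sslConfig;
    }

    /**
     * Called by the WebSphere Application Server runtime to set the default X509KeyManager
     * created by the IbmX509 KeyManagerFactory from the keystore of this SSL configuration.
     * All alias enumeration, private-key and certificate-chain lookups are delegated to it.
     *
     * @param defaultX509KeyManager the default IbmX509 key manager
     */
    public void setDefaultX509KeyManager(javax.net.ssl.X509KeyManager defaultX509KeyManager)
    {
        km = defaultX509KeyManager;
    }

    public javax.net.ssl.X509KeyManager getDefaultX509KeyManager()
    {
        return km;
    }

    /**
     * Called by the WebSphere Application Server runtime to set the SSL keystore used for
     * this connection. It is only used here to validate aliases passed to
     * {@link #setClientAlias(String, int)} and {@link #setServerAlias(String, int)}.
     *
     * @param keyStore the keystore currently configured
     */
    public void setKeyStore(java.security.KeyStore keyStore)
    {
        ks = keyStore;
    }

    public java.security.KeyStore getKeyStore()
    {
        return ks;
    }

    /**
     * Sets the server alias without validating it against the keystore; the alias is still
     * checked against the default key manager's server aliases before it is returned.
     *
     * @param alias the server alias to use, or null/empty to defer to the default key manager
     */
    public void setKeyStoreServerAlias(String alias)
    {
        serverAlias = alias;
    }

    private String getKeyStoreServerAlias()
    {
        return serverAlias;
    }

    /**
     * Sets the client alias without validating it against the keystore; the alias is still
     * checked against the default key manager's client aliases before it is returned.
     *
     * @param alias the client alias to use, or null/empty to defer to the default key manager
     */
    public void setKeyStoreClientAlias(String alias)
    {
        clientAlias = alias;
    }

    private String getKeyStoreClientAlias()
    {
        return clientAlias;
    }

    /**
     * Sets the client alias and slot (if necessary) after verifying the alias exists in the
     * configured keystore.
     *
     * @param alias   the client alias to use
     * @param slotnum the slot to use (for hardware keystores)
     * @throws IllegalStateException    if no keystore has been set yet
     * @throws IllegalArgumentException if the alias is null or not present in the keystore
     * @throws Exception                if the keystore cannot be queried
     */
    public void setClientAlias(String alias, int slotnum) throws Exception
    {
        requireKeyStoreAlias("Client", alias);
        this.clientAlias = alias;
        this.clientslotnum = slotnum;
    }

    /**
     * Sets the server alias and slot (if necessary) after verifying the alias exists in the
     * configured keystore.
     *
     * @param alias   the server alias to use
     * @param slotnum the slot to use (for hardware keystores)
     * @throws IllegalStateException    if no keystore has been set yet
     * @throws IllegalArgumentException if the alias is null or not present in the keystore
     * @throws Exception                if the keystore cannot be queried
     */
    public void setServerAlias(String alias, int slotnum) throws Exception
    {
        requireKeyStoreAlias("Server", alias);
        this.serverAlias = alias;
        this.serverslotnum = slotnum;
    }

    /**
     * Called by the JSSE runtime when an alias is needed for a client connection that
     * requires a client certificate.
     * <p>
     * The configured client alias is returned only if the default key manager lists it as a
     * usable client alias for one of the requested key types; otherwise the choice is
     * delegated to the default key manager so that a non-resolvable alias is never returned.
     *
     * @param keyType key algorithm names acceptable to the peer (may be null or empty)
     * @param issuers acceptable certificate issuers, or null for any
     * @param socket  the socket being negotiated (not always present)
     * @return the alias to present, or null if no suitable key is available
     * @throws IllegalStateException if the default key manager has not been set
     */
    @Override
    public String chooseClientAlias(String[] keyType, java.security.Principal[] issuers,
                                    java.net.Socket socket)
    {
        requireDefaultKeyManager();
        if (!isBlank(clientAlias) && keyType != null)
        {
            for (int i = 0; i < keyType.length; i++)
            {
                String match = findAlias(clientAlias, km.getClientAliases(keyType[i], issuers));
                if (match != null)
                {
                    return match;
                }
            }
        }
        // Configured alias absent or not usable for these key types: let the default decide.
        // The result is passed through unchanged so that the alias it resolves remains valid
        // for getPrivateKey()/getCertificateChain() on case-sensitive keystores.
        return km.chooseClientAlias(keyType, issuers, socket);
    }

    /**
     * Called by the JSSE runtime when an alias is needed for a server connection to provide
     * the server identity.
     * <p>
     * The configured server alias is returned only if the default key manager lists it as a
     * usable server alias for the requested key type; otherwise the choice is delegated to
     * the default key manager.
     *
     * @param keyType key algorithm name
     * @param issuers acceptable certificate issuers, or null for any
     * @param socket  the socket being negotiated (not always present)
     * @return the alias to present, or null if no suitable key is available
     * @throws IllegalStateException if the default key manager has not been set
     */
    @Override
    public String chooseServerAlias(String keyType, java.security.Principal[] issuers,
                                    java.net.Socket socket)
    {
        requireDefaultKeyManager();
        if (!isBlank(serverAlias))
        {
            String match = findAlias(serverAlias, km.getServerAliases(keyType, issuers));
            if (match != null)
            {
                return match;
            }
        }
        // Configured alias absent or not usable: let the default decide (see chooseClientAlias).
        return km.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getClientAliases(String keyType, java.security.Principal[] issuers)
    {
        return km.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, java.security.Principal[] issuers)
    {
        return km.getServerAliases(keyType, issuers);
    }

    @Override
    public java.security.PrivateKey getPrivateKey(String s)
    {
        return km.getPrivateKey(s);
    }

    @Override
    public java.security.cert.X509Certificate[] getCertificateChain(String s)
    {
        return km.getCertificateChain(s);
    }

    public javax.net.ssl.X509KeyManager getX509KeyManager()
    {
        return km;
    }

    /**
     * Returns the keystore's own spelling of {@code wanted} if it appears in {@code candidates}
     * (compared case-insensitively, matching the original sample), else null. Returning the
     * candidate rather than the configured spelling keeps later key lookups resolvable.
     */
    private static String findAlias(String wanted, String[] candidates)
    {
        if (candidates == null)
        {
            return null;
        }
        for (int i = 0; i < candidates.length; i++)
        {
            if (wanted.equalsIgnoreCase(candidates[i]))
            {
                return candidates[i];
            }
        }
        return null;
    }

    /** Fails fast with a clear message instead of a NullPointerException deep in the handshake. */
    private void requireDefaultKeyManager()
    {
        if (km == null)
        {
            throw new IllegalStateException("Default X509KeyManager has not been set.");
        }
    }

    /** Verifies that {@code alias} is present in the configured keystore. */
    private void requireKeyStoreAlias(String role, String alias) throws java.security.KeyStoreException
    {
        if (ks == null)
        {
            throw new IllegalStateException(role + " alias cannot be validated: no KeyStore has been set.");
        }
        if (alias == null || !ks.containsAlias(alias))
        {
            throw new IllegalArgumentException(role + " alias " + alias + " not found in keystore.");
        }
    }

    private static boolean isBlank(String s)
    {
        return s == null || s.trim().length() == 0;
    }

    private static String trimToNull(String s)
    {
        if (s == null)
        {
            return null;
        }
        String t = s.trim();
        return t.length() == 0 ? null : t;
    }
}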