Author: shawkins
Date: 2010-09-15 13:07:54 -0400 (Wed, 15 Sep 2010)
New Revision: 2578
Modified:
branches/7.1.x/build/kits/adminshell/connection.properties
branches/7.1.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html
branches/7.1.x/client/src/main/java/org/teiid/net/socket/SocketUtil.java
branches/7.1.x/client/src/main/resources/teiid-client-settings.properties
branches/7.1.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
branches/7.1.x/documentation/client-developers-guide/src/main/docbook/en-US/content/ssl.xml
branches/7.1.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
branches/7.1.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
Log:
TEIID-1260 changing the admin connection to use anonymous ssl by default.
Modified: branches/7.1.x/build/kits/adminshell/connection.properties
===================================================================
--- branches/7.1.x/build/kits/adminshell/connection.properties 2010-09-15 16:32:34 UTC
(rev 2577)
+++ branches/7.1.x/build/kits/adminshell/connection.properties 2010-09-15 17:07:54 UTC
(rev 2578)
@@ -2,6 +2,6 @@
jdbc.password=teiid
jdbc.url=jdbc:teiid:admin@mm://localhost:31000;
-admin.url=mm://localhost:31443
+admin.url=mms://localhost:31443
admin.user=admin
admin.password=admin
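Review bot: The new `mms://` admin URL is only meaningful when the server's AdminSslConfiguration mode is `enabled`, and with the `anonymous` authentication mode shipped in this commit the admin password is encrypted in transit but the server is never authenticated. Users of the kit cannot tell that from the properties file, so a comment above the URL would help: `# mms = SSL; the shipped server uses anonymous SSL (no server certificate is verified) - see the Admin Guide to move to 1-way or 2-way`. The jdbc.url on the line above still uses `mm://`, which matches the JDBC transport's `login` default in teiid-jboss-beans.xml.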
Modified: branches/7.1.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
---
branches/7.1.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2010-09-15
16:32:34 UTC (rev 2577)
+++
branches/7.1.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2010-09-15
17:07:54 UTC (rev 2578)
@@ -123,7 +123,14 @@
</bean>
<bean name="JdbcSslConfiguration"
class="org.teiid.transport.SSLConfiguration">
- <property name="sslEnabled">false</property>
+ <!-- can be one of disabled, login, or enabled
+ disabled = no transport or message level security will be used
+ login = only the login traffic will be encrypted at a message level
+ using 128 bit AES with an ephemerial DH key exchange.
+ No other config values are needed in this mode
+ enabled = traffic will be secured using this configuration
+ -->
+ <property name="mode">login</property>
<property name="keystoreFilename">cert.keystore</property>
<property name="keystorePassword">passwd</property>
<property name="keystoreType">JKS</property>
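Review bot: The value `login` on the new mode property does not match the constant it is meant to select: SSLConfiguration.java in this commit defines `LOGIN = "logIn"` (hunk @@ -40) and `isClientEncryptionEnabled()` compares with the case-sensitive `LOGIN.equals(mode)` (hunk @@ -94). With the shipped configuration both `isClientEncryptionEnabled()` and `isSslEnabled()` would return false, so the JDBC transport would effectively run as `disabled` despite the comment promising encrypted login traffic. The fix belongs in the Java constant, `public static final String LOGIN = "login"; //$NON-NLS-1$`, or in a case-insensitive comparison; the same `login` value is used in the security.xml example. The comment text also misspells ephemeral as "ephemerial" here and in the AdminSslConfiguration hunk.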
@@ -133,7 +140,6 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">1-way</property>
- <property name="clientEncryptionEnabled">true</property>
</bean>
<!-- Admin Socket connection settings (SSL see below) -->
@@ -151,7 +157,14 @@
</bean>
<bean name="AdminSslConfiguration"
class="org.teiid.transport.SSLConfiguration">
- <property name="sslEnabled">false</property>
+ <!-- can be one of disabled, login, or enabled
+ disabled = no transport or message level security will be used
+ login = only the login traffic will be encrypted at a message level
+ using 128 bit AES with an ephemerial DH key exchange.
+ No other config values are needed in this mode
+ enabled = traffic will be secured using this configuration
+ -->
+ <property name="mode">enabled</property>
<property name="keystoreFilename">cert.keystore</property>
<property name="keystorePassword">passwd</property>
<property name="keystoreType">JKS</property>
@@ -161,7 +174,6 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">anonymous</property>
- <property name="clientEncryptionEnabled">true</property>
</bean>
<!-- JDBC Socket connection properties (SSL see below) -->
@@ -179,7 +191,11 @@
</bean>
<bean name="OdbcSslConfiguration"
class="org.teiid.transport.SSLConfiguration">
- <property name="sslEnabled">false</property>
+ <!-- can be one of disabled or enabled
+ disabled = no transport or message level security will be used
+ enabled = traffic will be secured using this configuration
+ -->
+ <property name="mode">disabled</property>
<property name="keystoreFilename">cert.keystore</property>
<property name="keystorePassword">passwd</property>
<property name="keystoreType">JKS</property>
@@ -189,7 +205,6 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">1-way</property>
- <property name="clientEncryptionEnabled">true</property>
</bean>
<!-- teiid's default security domain, replace this with your own if needs to
be any other JAAS domain -->
Modified: branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html
===================================================================
--- branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html 2010-09-15 16:32:34
UTC (rev 2577)
+++ branches/7.1.x/build/kits/jboss-container/teiid-releasenotes.html 2010-09-15 17:07:54
UTC (rev 2578)
@@ -78,6 +78,10 @@
<h4>from 7.1</h4>
<ul>
+ <li>Teiid clients now allow the usage of anonymous SSL by default.
+ This changes allows the admin port (default 31443) to use anonymous SSL by default,
rather than just securing logon traffic.
+ Admin clients should therefore use the mms protocol instead of mm. This will encrypt
all admin traffic and ensure that any passwords in configuration files will
+ be encrypted in transit. See the Admin Guide to upgrade from anonymous SSL to 1-way
or 2-way authentication.
<li>Apache CXF is now expected to be used as the web services stack provider
through JBossWS-CXF. See the Admin Guide for instructions on
installing CXF for use with Teiid's Salesforce and web service connectors. The WS
Resource Adapter's -ds.xml files should no longer use
WSSecurityConfigURL and WSSecurityConfigName, rather they should be ConfigFile and
ConfigName respectively. The property values should no longer
Modified: branches/7.1.x/client/src/main/java/org/teiid/net/socket/SocketUtil.java
===================================================================
--- branches/7.1.x/client/src/main/java/org/teiid/net/socket/SocketUtil.java 2010-09-15
16:32:34 UTC (rev 2577)
+++ branches/7.1.x/client/src/main/java/org/teiid/net/socket/SocketUtil.java 2010-09-15
17:07:54 UTC (rev 2578)
@@ -43,6 +43,7 @@
import javax.net.ssl.TrustManagerFactory;
import org.teiid.core.util.Assertion;
+import org.teiid.core.util.PropertiesUtils;
import org.teiid.jdbc.JDBCPlugin;
@@ -61,14 +62,12 @@
static final String KEYSTORE_TYPE = "org.teiid.ssl.keyStoreType";
//$NON-NLS-1$
static final String KEYSTORE_PASSWORD = "org.teiid.ssl.keyStorePassword";
//$NON-NLS-1$
static final String KEYSTORE_FILENAME = "org.teiid.ssl.keyStore";
//$NON-NLS-1$
+ public static final String ALLOW_ANON = "org.teiid.ssl.allowAnon";
//$NON-NLS-1$
- static final String DEFAULT_KEYSTORE_PROTOCOL = "SSLv3"; //$NON-NLS-1$
static final String DEFAULT_KEYSTORE_TYPE = "JKS"; //$NON-NLS-1$
- public static final String NONE = "none"; //$NON-NLS-1$
-
public static final String ANON_CIPHER_SUITE =
"TLS_DH_anon_WITH_AES_128_CBC_SHA"; //$NON-NLS-1$
- public static final String ANON_PROTOCOL = "TLS"; //$NON-NLS-1$
+ public static final String DEFAULT_PROTOCOL = "TLSv1"; //$NON-NLS-1$
public static class SSLSocketFactory {
private boolean isAnon;
@@ -93,23 +92,20 @@
String keystore = props.getProperty(KEYSTORE_FILENAME);
String keystorePassword = props.getProperty(KEYSTORE_PASSWORD);
String keystoreType = props.getProperty(KEYSTORE_TYPE, DEFAULT_KEYSTORE_TYPE);
- String keystoreProtocol = props.getProperty(PROTOCOL, DEFAULT_KEYSTORE_PROTOCOL);
+ String keystoreProtocol = props.getProperty(PROTOCOL, DEFAULT_PROTOCOL);
String keystoreAlgorithm = props.getProperty(KEYSTORE_ALGORITHM);
String truststore = props.getProperty(TRUSTSTORE_FILENAME, keystore);
String truststorePassword = props.getProperty(TRUSTSTORE_PASSWORD,
keystorePassword);
- boolean anon = NONE.equalsIgnoreCase(truststore);
+ boolean anon = PropertiesUtils.getBooleanProperty(props, ALLOW_ANON, true);
SSLContext result = null;
- // 0) anon
// 1) keystore != null = 2 way SSL (can define a separate truststore too)
// 2) truststore != null = 1 way SSL (here we can define custom properties for
truststore; useful when
// client like a appserver have to define multiple certs without importing
// all the certificates into one single certificate
// 3) else = javax properties; this is default way to define the SSL anywhere.
- if (anon) {
- result = getAnonSSLContext();
- } else if (keystore != null) {
+ if (keystore != null) {
// 2 way SSL
result = getClientSSLContext(keystore, keystorePassword, truststore,
truststorePassword, keystoreAlgorithm, keystoreType, keystoreProtocol);
} else if(truststore != null) {
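Review bot: `anon` now defaults to true for every client, including one that configures a truststore for 1-way or 2-way SSL, because the default passed to `getBooleanProperty` is a constant `true` rather than something derived from the keystore/truststore settings. If that flag later enables the TLS_DH_anon suite on the client socket (the consumer of `anon` and the `isAnon` field are outside this hunk), a client that was configured to verify a server certificate will also complete a handshake with a peer that presents none, which removes the server authentication the truststore was meant to provide. A safer default only allows anonymous when no trust material is configured: `boolean anon = PropertiesUtils.getBooleanProperty(props, ALLOW_ANON, keystore == null && truststore == null);`. The same unconditional default is repeated in teiid-client-settings.properties and in the ssl.xml guide excerpt; the enclosing method starts before and ends after this hunk.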
@@ -149,7 +145,7 @@
}
public static SSLContext getAnonSSLContext() throws IOException,
GeneralSecurityException {
- return getSSLContext(null, null, null, null, null, null, ANON_PROTOCOL);
+ return getSSLContext(null, null, null, null, null, null, DEFAULT_PROTOCOL);
}
public static SSLContext getSSLContext(String keystore,
Modified: branches/7.1.x/client/src/main/resources/teiid-client-settings.properties
===================================================================
--- branches/7.1.x/client/src/main/resources/teiid-client-settings.properties 2010-09-15
16:32:34 UTC (rev 2577)
+++ branches/7.1.x/client/src/main/resources/teiid-client-settings.properties 2010-09-15
17:07:54 UTC (rev 2578)
@@ -44,9 +44,6 @@
# authentication that requires trust not provided
# by the system defaults.
#
-# Set to NONE for anonymous authentication using
-# the TLS_DH_anon_WITH_AES_128_CBC_SHA cipher suite
-#
#org.teiid.ssl.trustStore=
@@ -57,11 +54,19 @@
#org.teiid.ssl.trustStorePassword=
#
-# The cipher protocol, defaults to SSLv3
+# The cipher protocol, defaults to TLSv1
#
-org.teiid.ssl.protocol=SSLv3
+org.teiid.ssl.protocol=TLSv1
+#
+# Whether to allow anonymous SSL
+# (the TLS_DH_anon_WITH_AES_128_CBC_SHA cipher suite)
+# defaults to true
+#
+
+org.teiid.ssl.allowAnon=true
+
########################################
# Misc Socket Configuration
########################################
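Review bot: The new comment for `org.teiid.ssl.allowAnon` states the default but not its consequence, and since the setting is on by default this is the place a user will look before deciding to keep it. I would extend the comment with `# Anonymous SSL encrypts traffic but does not authenticate the server;` and `# set to false when a trustStore is configured so that an unauthenticated peer is rejected`. Separately, the copy of this file in the client developer guide (ssl.xml hunk in this commit) still shows `org.teiid.ssl.protocol=SSLv3` and "defaults to SSLv3" while this file and SocketUtil now default to TLSv1.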
Modified:
branches/7.1.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
---
branches/7.1.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2010-09-15
16:32:34 UTC (rev 2577)
+++
branches/7.1.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2010-09-15
17:07:54 UTC (rev 2578)
@@ -74,7 +74,7 @@
successfully or unsuccessfully authenticates the
user.
</para>
- <para>If no domain can authenticate the user, the logon
+ <para>If no domain can authenticate the user, the login
attempt will fail.
Details of the failed attempt including invalid users, which
domains were consulted, etc. will be in the server log with appropriate
@@ -102,19 +102,20 @@
</section>
- <section id="connfigure_server">
+ <section id="ssl_config">
<title>Configuring SSL</title>
<para>The Teiid's configuration file
<code><jboss-install>/server/<profile>/deploy/teiid/teiid-jboss-beans.xml</code>,
- contains the properties to configure SSL.</para>
+ contains the properties to configure SSL per socket transport.</para>
<itemizedlist>
- <para>There are two separate connection profiles:</para>
- <listitem><para>JDBC Connection - The
<code>JdbcSslConfiguration</code> bean configuration defines
this.</para></listitem>
- <listitem><para>Admin Connection - The
<code>AdminSslConfiguration</code> bean configuration defines
this.</para></listitem>
+ <para>There are three socket transports, each with it's own SSL
configuration:</para>
+ <listitem><para>JDBC Connections - uses the
<code>JdbcSslConfiguration</code> bean configuration. Defaults to only
encrypt login traffic, none of the other properties are
used.</para></listitem>
+ <listitem><para>Admin Connections - uses the
<code>AdminSslConfiguration</code> bean configuration. Defaults to encrypting
all traffic with anonymous SSL, none of the other properties are
used.</para></listitem>
+ <listitem><para>ODBC Connections - uses the
<code>OdbcSslConfiguration</code> bean configuration. Defaults to no
SSL.</para></listitem>
</itemizedlist>
<example><title>Example Configuration</title>
<programlisting><![CDATA[<bean name="JdbcSslConfiguration"
class="org.teiid.transport.SSLConfiguration">
- <property name="sslEnabled">false</property>
+ <property name="mode">login</property>
<property name="keystoreFilename">cert.keystore</property>
<property name="keystorePassword">passwd</property>
<property name="keystoreType">JKS</property>
@@ -124,27 +125,50 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">1-way</property>
- <property name="clientEncryptionEnabled">true</property>
</bean>]]></programlisting>
</example>
- <orderedlist>
+ <itemizedlist>
<title>Properties</title>
- <listitem><para>sslEnabled - true|false, SSL usage either turned
ON or OFF </para></listitem>
- <listitem><para>sslProtocol- Type of SSL protocol to be used.
Default is SSLv3</para></listitem>
+ <listitem><para>mode - diabled|login|enabled, disabled = no
transport or message level security will be used.
+ login = only the login traffic will be encrypted at a message level using 128
bit AES with an ephemerial DH key exchange. No other config values are needed in this
mode.
+ enabled = traffic will be secured using the other configuration
properties.</para></listitem>
+ <listitem><para>sslProtocol- Type of SSL protocol to be used.
Default is TLSv1</para></listitem>
<listitem><para>keystoreType - Keystore type created by the
keytool. Default "JKS" is used.</para></listitem>
- <listitem><para>authenticationMode - anonymous|1-way|2-way, Type
of SSL mode, see
- above about different <link linkend="ssl_modes">SSL
modes</link> available.</para></listitem>
+ <listitem><para>authenticationMode - anonymous|1-way|2-way, Type
of <link linkend="ssl_aut">SSL Authentication
Mode</link>.</para></listitem>
<listitem><para>keymanagementAlgorithm - Type of key algorithm
used. Default
is based upon the VM, e.g. "SunX509"</para></listitem>
<listitem><para>keystoreFilename - The file name of the keystore,
which contains the
- private key of the Server. This must be available in the classpath of Teiid
Server</para></listitem>
+ private key of the Server. This must be available in the classpath of Teiid
Server.</para></listitem>
<listitem><para>keystorePassword - password for the
keystore.</para></listitem>
<listitem><para>truststoreFilename - if
"authenticationMode" is chosen
as "2-way", then this property must be provided. This is the
truststore that contains the
public key for the client. Depending upon how you created the keystore and
truststores,
this may be same file as defined under "keystoreFilename"
property.</para></listitem>
<listitem><para>truststorePassword - password for the truststore.
</para></listitem>
- </orderedlist>
-
+ </itemizedlist>
+ <section id="ssl_auth">
+ <title>SSL Authentication Modes</title>
+ <para>SSL supports multiple authentication modes. In most secure intranet
environments, anonymous is suitable to just bulk encrypt traffic without the need
+ to setup SSL certificates.
+ </para>
+ <itemizedlist>
+ <listitem><para><emphasis>anonymous</emphasis> - no
certificates are exchanged, settings are not needed for the keystore and truststore
properties.
+ Client must have <code>org.teiid.ssl.allowAnon</code> set to true
(the default) to connect to an anonymous server.
+ </para></listitem>
+ <listitem><para><emphasis>1-way</emphasis> - the server
will present a certificate, which is obtained from the keystore related properties.
+ The client should have a truststore configured to accept the server certificate.
+ </para></listitem>
+ <listitem><para><emphasis>2-way</emphasis> - the server
will present a certificate, which is obtained from the keystore related properties.
+ The client should have a truststore configured to accept the server certificate.
The client is also expected to present a certificate, which is obtained from its
+ keystore. The client certificate should be accepted by the trust store
configured by the truststore related properties.
+ </para></listitem>
+ </itemizedlist>
+ </section>
+ <section id="encryption_strength">
+ <title>Encryption Strength</title>
+ <para>Both anonymous SSL and login only encryption are configured to use
128 bit AES encryption.
+ 1-way and 2-way SSL allow for cipher suite negotiation based upon the default
cipher suites supported by the respective Java platforms of the client and server.
+ </para>
+ </section>
</section>
</chapter>
\ No newline at end of file
Modified:
branches/7.1.x/documentation/client-developers-guide/src/main/docbook/en-US/content/ssl.xml
===================================================================
---
branches/7.1.x/documentation/client-developers-guide/src/main/docbook/en-US/content/ssl.xml 2010-09-15
16:32:34 UTC (rev 2577)
+++
branches/7.1.x/documentation/client-developers-guide/src/main/docbook/en-US/content/ssl.xml 2010-09-15
17:07:54 UTC (rev 2578)
@@ -149,9 +149,6 @@
# authentication that requires trust not provided
# by the system defaults.
#
-# Set to NONE for anonymous authentication using
-# the TLS_DH_anon_WITH_AES_128_CBC_SHA cipher suite
-#
#org.teiid.ssl.trustStore=
@@ -165,7 +162,15 @@
# The cipher protocol, defaults to SSLv3
#
-org.teiid.ssl.protocol=SSLv3]]></programlisting>
+org.teiid.ssl.protocol=SSLv3
+
+#
+# Whether to allow anonymous SSL
+# (the TLS_DH_anon_WITH_AES_128_CBC_SHA cipher suite)
+# defaults to true
+#
+
+org.teiid.ssl.allowAnon=true]]></programlisting>
<example>
<title>1-way SSL</title>
Modified: branches/7.1.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
===================================================================
---
branches/7.1.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2010-09-15
16:32:34 UTC (rev 2577)
+++
branches/7.1.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2010-09-15
17:07:54 UTC (rev 2578)
@@ -40,15 +40,18 @@
public static final String ONEWAY = "1-way"; //$NON-NLS-1$ - one way is the
default
public static final String TWOWAY = "2-way"; //$NON-NLS-1$
public static final String ANONYMOUS = "anonymous"; //$NON-NLS-1$
+
+ public static final String LOGIN = "logIn"; //$NON-NLS-1$
+ public static final String DISABLED = "disabled"; //$NON-NLS-1$
+ public static final String ENABLED = "enabled"; //$NON-NLS-1$
- private static final String DEFAULT_SSL_PROTOCOL = "SSLv3"; //$NON-NLS-1$
private static final String DEFAULT_KEYSTORE_TYPE = "JKS"; //$NON-NLS-1$
/*
* External SSL resource settings
*/
- private boolean sslEnabled = false;
- private String sslProtocol = DEFAULT_SSL_PROTOCOL;
+ private String mode = LOGIN;
+ private String sslProtocol = SocketUtil.DEFAULT_PROTOCOL;
private String keyManagerFactoryAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
private String keyStoreType = DEFAULT_KEYSTORE_TYPE;
private String keyStoreFileName;
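Review bot: The three new mode constants carry no Javadoc, so the only description of what `LOGIN`, `DISABLED` and `ENABLED` mean lives in an XML comment in teiid-jboss-beans.xml that readers of this class will not see. Each constant should get a one-line Javadoc mirroring that comment: `/** Only login traffic is encrypted at the message level; the keystore/truststore properties are ignored. */` for `LOGIN`, `/** No transport or message level security. */` for `DISABLED`, and `/** All traffic is secured by SSL using the keystore/truststore properties below. */` for `ENABLED`. The `mode` field should likewise note that it is compared literally against these constants.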
@@ -57,11 +60,6 @@
private String trustStorePassword = ""; //$NON-NLS-1$
private String authenticationMode = ONEWAY;
- /*
- * Client encryption property. This may belong somewhere else
- */
- boolean clientEncryptionEnabled = true;
-
public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
if (!isSslEnabled()) {
return null;
@@ -94,18 +92,22 @@
return result;
}
- public boolean isSslEnabled() {
- return this.sslEnabled;
- }
-
public boolean isClientEncryptionEnabled() {
- return this.clientEncryptionEnabled;
+ return LOGIN.equals(mode);
}
- public void setSslEnabled(boolean value) {
- this.sslEnabled = value;
+ public boolean isSslEnabled() {
+ return ENABLED.equals(mode);
}
+ public String getMode() {
+ return mode;
+ }
+
+ public void setMode(String mode) {
+ this.mode = mode;
+ }
+
public void setKeystoreFilename(String value) {
this.keyStoreFileName = value;
}
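Review bot: `setMode` accepts any string, and an unrecognized value makes both `isClientEncryptionEnabled()` and `isSslEnabled()` return false, so a typo in the bean configuration silently yields the least secure mode rather than a deployment error. The setter should reject unknown values: `if (!DISABLED.equals(mode) && !LOGIN.equals(mode) && !ENABLED.equals(mode)) {` / `throw new IllegalArgumentException("unknown SSL mode: " + mode); //$NON-NLS-1$` / `}` before the assignment. That also makes the fail-open behaviour of a mismatched constant value visible at startup instead of at the first unencrypted login.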
@@ -138,7 +140,4 @@
this.authenticationMode = value;
}
- public void setClientEncryptionEnabled(boolean value) {
- this.clientEncryptionEnabled = value;
- }
}
Modified: branches/7.1.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
===================================================================
---
branches/7.1.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java 2010-09-15
16:32:34 UTC (rev 2577)
+++
branches/7.1.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java 2010-09-15
17:07:54 UTC (rev 2578)
@@ -138,7 +138,7 @@
@Test public void testConnectWithoutClientEncryption() throws Exception {
SSLConfiguration config = new SSLConfiguration();
- config.setClientEncryptionEnabled(false);
+ config.setMode(SSLConfiguration.DISABLED);
SocketServerConnection conn = helpEstablishConnection(false, config, new
Properties());
assertTrue(conn.selectServerInstance().getCryptor() instanceof NullCryptor);
conn.close();
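Review bot: The tests only exercise `DISABLED` and `ENABLED` through the constants; nothing establishes a connection with the `login` value that the shipped teiid-jboss-beans.xml actually uses, so a mismatch between the configured string and the `LOGIN` constant would not be caught. A companion to `testConnectWithoutClientEncryption` that uses the literal value and asserts the cryptor is not a `NullCryptor` closes that gap.

```java
@Test public void testConnectWithLoginEncryption() throws Exception {
    SSLConfiguration config = new SSLConfiguration();
    config.setMode("login"); // the value shipped in teiid-jboss-beans.xml, deliberately not the constant
    SocketServerConnection conn = helpEstablishConnection(false, config, new Properties());
    assertFalse(conn.selectServerInstance().getCryptor() instanceof NullCryptor);
    conn.close();
}
```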
@@ -204,10 +204,9 @@
@Test public void testAnonSSLConnect() throws Exception {
SSLConfiguration config = new SSLConfiguration();
- config.setSslEnabled(true);
+ config.setMode(SSLConfiguration.ENABLED);
config.setAuthenticationMode(SSLConfiguration.ANONYMOUS);
Properties p = new Properties();
- p.setProperty(SocketUtil.TRUSTSTORE_FILENAME, SocketUtil.NONE);
helpEstablishConnection(true, config, p);
SocketServerConnection conn = helpEstablishConnection(true, config, p);
conn.close();
@@ -215,9 +214,10 @@
@Test(expected=CommunicationException.class) public void
testNonSSLConnectWithSSLServer() throws Exception {
SSLConfiguration config = new SSLConfiguration();
- config.setSslEnabled(true);
+ config.setMode(SSLConfiguration.ENABLED);
config.setAuthenticationMode(SSLConfiguration.ANONYMOUS);
Properties p = new Properties();
+ p.setProperty(SocketUtil.ALLOW_ANON, Boolean.FALSE.toString());
helpEstablishConnection(true, config, p);
}