com.entrust.toolkit.x509.directory

Class LDAPSConfig

java.lang.Object

com.entrust.toolkit.x509.directory.LDAPSConfig

public class LDAPSConfig
extends java.lang.Object

This class is used by the JNDIDirectory to store LDAPS Configuration parameters. The parameters that can be set are the following:

• SSLEnabled - Used to determine if an SSL connection should be used for this connection. The default setting is false indicating SSL for this directory is not enabled. If a JNDIDirectory is initialized with an LDAPS URL, this setting will automatically be enabled.
• TrustCerts - Setting allows Trusted Certificates (CA or End Entity to be added or removed). These certificates are used to determined whether the SSL server should be trusted by configuring the LDAPSTrustManager for the default EntrustSSLSocketFactory. If a custom SSLSocketFactory has been specified, these certificates will not be used.

Note:The certificates are stored in a static memory cache. This means every certificate added or removed through this class will be added/removed for every subsequent LDAPS connection made with a JNDIDirectory instance.

• AllowLDAPSReferrals - Setting used to determine whether LDAPS referrals are allowed. It is possible to have a plain LDAP connection get an LDAPS referral. If this setting is set to false it will not attempt to use LDAPS to follow the referral. This setting is set to true by default.
• SSLSocketFactory - Setting allows a custom SSLSocketFactory to be passed in as a parameter. The Toolkit will make sure the String passed in can be instantiated, and is an instance of an SSLSocketFactory.

Example usage:

 User user = new User();
 X509Certificate[] certificates = {new X509Certificate(new FileInputStream(trustedcert))};
 JNDIDirectory directory = new JNDIDirectory(myldapshost.com,636);
 LDAPSConfig config = new LDAPSConfig(true);
 config.setTrustCerts(certificates);
 Directory.setLDAPSConfig (config);
 user.setConnections(directory, null);
 .
 .
 user.login(CredentialReader,SecureStringBuffer);
 

Note: It is possible to have SSL Disabled for this directory, but still allow LDAPS Referrals. In this case the LDAPSConfig may be configured with the trusted certificates of any directory which may be referred. If a referred directory using LDAPS is attached to the JNDIDirectory object then the trusted certificates required for LDAPS to succeeded will already be configured. However, if AllowLDAPSReferral is set to false, LDAPS will not be attempted for any referrals.

Since:

7.2 Patch

Constructor Summary

Constructors

Constructor and Description
LDAPSConfig() The default constructor.
LDAPSConfig(boolean enabled) Constructor which allows SSL to be enabled or disabled for this directory.

Method Summary

Methods

Modifier and Type	Method and Description
void	addTrustCerts(java.security.cert.X509Certificate[] trustcerts) Adds the X509Certificates that are trusted for this SSL configuration.
boolean	getAllowLDAPSReferrals()
JNDIDirectory	getJNDIDirectory()
boolean	getSSLEnabled()
java.lang.String	getSSLSocketFactory()
java.security.cert.X509Certificate[]	getTrustCerts() Return the array of certificates that were added for this instance of LDAPSConfig.
LDAPSTrustStoreSingleton	getTrustStoreSingleton() Return the LDAPSTrustStoreSingleton object that contains the list of all certificates that will be used by the EntrustSSLSocketFactory.
void	removeTrustCert(java.security.cert.X509Certificate trustcert) Removes an X509Certificate from the list of trusted certificates.
void	setAllowLDAPSReferrals(boolean referrals) Set whether LDAPS referrals should be used.
void	setSSLEnabled(boolean SSL) Sets whether SSL should be enabled.
void	setSSLSocketFactory(java.lang.String SocketFactoryName) Sets the name of a custom SSLSocketfactory that will be used to create the SSLSocket of LDAP.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

LDAPSConfig

public LDAPSConfig()

The default constructor. The following default parameters are set:

• SSLEnabled - false
• TrustCerts - null
• AllowLDAPSReferrals - true
• SSLSocketFactory - com.entrust.toolkit.x509.directory.EntrustSSLSocketFactory

Since:

7.2 patch

LDAPSConfig

public LDAPSConfig(boolean enabled)

Constructor which allows SSL to be enabled or disabled for this directory. The other parameters are set to the following defaults:

• TrustCerts - null
• AllowLDAPSReferrals - true
• SSLSocketFactory - com.entrust.toolkit.x509.directory.EntrustSSLSocketFactory

Parameters:

enabled - sets whether SSL is enabled or disabled.

Since:

7.2 patch

Method Detail

setSSLEnabled

public void setSSLEnabled(boolean SSL)

Sets whether SSL should be enabled. True indicates that SSL should be enabled. False indicates it should not be used.

Parameters:

SSL - true indicates SSL enabled, false SSL disabled

getSSLEnabled

public boolean getSSLEnabled()

Returns:

true if SSL is enabled, false if SSL is not enabled

addTrustCerts

public void addTrustCerts(java.security.cert.X509Certificate[] trustcerts)

Adds the X509Certificates that are trusted for this SSL configuration. These certificates can either be trusted roots, or trusted End Entity certificates.

Note: Because JNDI creates an instance of an SSLSocketFactory using the static getDefault() method, all trusted certificates must be available from a static location. This method places the certificates in LDAPSTrustStoreSingleton (as well as a local instance). This means every certificate added through this method will be trusted for every subsequent LDAPS connection made with a JNDIDirectory instance.

Parameters:

trustcerts -

See Also:

LDAPSTrustStoreSingleton

removeTrustCert

public void removeTrustCert(java.security.cert.X509Certificate trustcert)

Removes an X509Certificate from the list of trusted certificates. These certificates can either be trusted roots, or trusted End Entity certificates.

Note: Because JNDI creates an instance of an SSLSocketFactory using the static getDefault() method, all trusted certificates must be available from a static location. This method removes the certificate from LDAPSTrustStoreSingleton (as well as a local instance). This means every certificate removed through this method will be removed for every existing LDAPS connection made with a JNDIDirectory instance.

Parameters:

trustcert - the trusted certificate that should be removed

getTrustCerts

public java.security.cert.X509Certificate[] getTrustCerts()

Return the array of certificates that were added for this instance of LDAPSConfig. The type of certificate returned is a X509Certificate. This method will never return null.

Returns:

certificates added for this instance of LDAPSConfig.

getTrustStoreSingleton

public LDAPSTrustStoreSingleton getTrustStoreSingleton()

Return the LDAPSTrustStoreSingleton object that contains the list of all certificates that will be used by the EntrustSSLSocketFactory. When a trust cert is added or removed using addTrustCerts(X509Certificate[]) or removeTrustCert(X509Certificate), it is automatically added or removed from the LDAPSTrustStoreSingleton as well.

This method is provided to allow precise control over the Trusted certificates which are used to setup the SSLConection.

Note: The LDAPSTrustStoreSingleton can be returned from any context by calling:

 LDAPSTrustStoreSingleton.getLDAPSTrustStoreSingleton();
 

Returns:

LDAPSTrustStoreSingleton

getJNDIDirectory

public JNDIDirectory getJNDIDirectory()

Returns:

the JNDIDirectory associated with this configuration or null if no directory is associated with this configuration.

setAllowLDAPSReferrals

public void setAllowLDAPSReferrals(boolean referrals)

Set whether LDAPS referrals should be used. If value is set to true, it is allowed. If set to false it is not allowed. The default setting is true.

Parameters:

referrals - true indicates LDAPS referrals allowed, false indicates they are not allowed.

getAllowLDAPSReferrals

public boolean getAllowLDAPSReferrals()

Returns:

true if LDAPS referrals allowed, false if they are not allowed. The default setting is true.

setSSLSocketFactory

public void setSSLSocketFactory(java.lang.String SocketFactoryName)
                         throws java.lang.ClassNotFoundException

Sets the name of a custom SSLSocketfactory that will be used to create the SSLSocket of LDAP. The classloader will be invoked to try and load the class. If the class cannot be found, a ClassNotFound exception will be thrown.

Note: The static SSLSocketFactory.getDefault() method will be used to create the socket, so any data such as certificates or keys used to initialize the SSLContext must be referenced from a static context.

Parameters:

String - SocketFactoryName the fully qualified

Throws:

java.lang.ClassNotFoundException

getSSLSocketFactory

public java.lang.String getSSLSocketFactory()

Returns:

The name of the SocketFactory used to secure the connection