eu.xtreemos.xosd.security.rca.server
Class RCAServer

java.lang.Object
  extended by eu.xtreemos.system.eventmachine.stage.AbstractStage
      extended by eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
          extended by eu.xtreemos.system.eventmachine.stage.Abstract2wayStage
              extended by eu.xtreemos.xosd.security.rca.server.RCAServer
All Implemented Interfaces:
eu.xtreemos.system.eventmachine.queue.IEventHandler, eu.xtreemos.system.eventmachine.stage.IStage

public class RCAServer
extends eu.xtreemos.system.eventmachine.stage.Abstract2wayStage

The service implementing the Resource Certification Authority server. The main purpose of the service is to sign the resource's identity certificate public key, and provide a signed attribute certificate to the resource. The service implements the RCA server and the RCA database that keeps the collections of the registered resources. A typical sequence of usage is as follows:

The attribute certificate currently contains the following attributes: The VO attribute certificate also contains the ID of the VO the resource is certified to belong to. The configuration file RCAServerConfig.conf provides a way to configure the type of the attribute certificate (set attributeType to "V2" for an attribute certificate, or to "V3" for attributes stored in extensions), the location of the trust store, the organisation details that form a part of the distinguished name (DN) of the issuer, etc.

Author:
matej.artac@xlab.si

Nested Class Summary
 class RCAServer.RCAServerStorage
 
Field Summary
protected  CRCAServerConfig config
protected  boolean isConfiguredCorrectly
          If certificates are missing, then the server is not configured correctly.
(package private) static org.apache.log4j.Logger logger
protected  ResourceRegistration resourceRegistration
          The keeper of the resource registration collections.
protected  RCAServerProcessor serverProcessor
          The implementation of the RCA server's main routines.
 
Fields inherited from class eu.xtreemos.system.eventmachine.stage.Abstract2wayStage
context, counter, curContext, sink
 
Fields inherited from class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
queue
 
Fields inherited from class eu.xtreemos.system.eventmachine.stage.AbstractStage
handlerChain, handlerGroup, handlerThreads, name, running, serviceListeners
 
Constructor Summary
RCAServer()
 
Method Summary
 java.lang.Integer applyForRegistration(ResourceDescriptorRecord resource)
          Put the resource on the list of resources that can be registered, but need to wait for an authorised administrator to confirm the registration using the confirmRegistration call before the resource can have its certificates signed by the RCA.
 java.lang.Integer confirmRegistration(ResourceID id)
          Confirm the registration of a resource that has previously been applied for the registration using applyForRegistration.
 java.lang.String getHandledEventType()
 java.util.ArrayList<ResourceDescriptorRecord> getPendingResources()
          Returns a list of resource descriptions describing the resources listed in the RCA DB as pending for registration.
 java.util.ArrayList<ResourceDescriptorRecord> getRegisteredResources()
          Returns a list of resource descriptions describing the resources listed in the RCA DB as registered.
 java.lang.Integer getResourceStatus(ResourceID id)
          Retrieves the current status of the resource according to the RCA DB.
 void handleEvent(java.lang.Object event)
 void init()
 java.lang.Integer notifyVOMembershipChange(ResourceID id, java.lang.String vo, java.lang.Boolean addition)
          Manipulates the resource's membership of a VO.
 java.lang.Integer processClientCertificateDeletion(java.lang.Integer result)
 java.lang.Integer processClientCertificateDeletionFailure(java.lang.Exception ex)
 java.lang.Integer processMachineCertForNodeNotification(java.security.cert.X509Certificate cert)
          Continues the execution of notifyVOMembershipChange once the certificate has been received from the client.
 java.lang.Integer processMachineCertForNodeNotificationFailed(java.lang.Exception ex)
 RCASignedResponse requestCertificate(ResourceID id, org.bouncycastle.jce.PKCS10CertificationRequest certRequest)
          Serves the client's request for signing the certificate.
 RCASignedResponse requestVOCertificate(ResourceID id, java.security.cert.X509Certificate certificate, java.lang.String vo)
 ResourceDescriptorRecord unregisterResource(ResourceID id)
          Remove the resource from the list of registered resources.
 
Methods inherited from class eu.xtreemos.system.eventmachine.stage.Abstract2wayStage
getContext, removeContext, SendException, SendException, SendException, SendReply, SendReply, SendReply, setSink
 
Methods inherited from class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
dequeue, getSource
 
Methods inherited from class eu.xtreemos.system.eventmachine.stage.AbstractStage
addHandler, addHandler, addServiceListener, getName, getShortName, getThreadCount, notifyServiceInitialised, notifyServiceStarted, notifyServiceStopped, processEvent, removeHandler, removeServiceListener, setThreadCount, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

static org.apache.log4j.Logger logger

config

protected CRCAServerConfig config

isConfiguredCorrectly

protected boolean isConfiguredCorrectly
If certificates are missing, then the server is not configured correctly.


resourceRegistration

protected ResourceRegistration resourceRegistration
The keeper of the resource registration collections. This is effectively the RCA DB.


serverProcessor

protected RCAServerProcessor serverProcessor
The implementation of the RCA server's main routines.

Constructor Detail

RCAServer

public RCAServer()
Method Detail

getRegisteredResources

public java.util.ArrayList<ResourceDescriptorRecord> getRegisteredResources()
Returns a list of resource descriptions describing the resources listed in the RCA DB as registered.

Returns:
A collection of resource descriptors of resources registered with the RCA.

getPendingResources

public java.util.ArrayList<ResourceDescriptorRecord> getPendingResources()
Returns a list of resource descriptions describing the resources listed in the RCA DB as pending for registration.

Returns:
A collection of resource descriptors of resources applied for registration with the RCA.

applyForRegistration

public java.lang.Integer applyForRegistration(ResourceDescriptorRecord resource)
Put the resource on the list of resources that can be registered, but need to wait for an authorised administrator to confirm the registration using the confirmRegistration call before the resource can have its certificates signed by the RCA. If the resource is already on any of the lists, then its entry is replaced with the new value, thus updating the application or the registration.

Parameters:
resource - The descriptor of the resource applying for the registration.
Returns:
0 if the call was successful.

confirmRegistration

public java.lang.Integer confirmRegistration(ResourceID id)
Confirm the registration of a resource that has previously been applied for the registration using applyForRegistration. After this call, the RCA will sign certificates for the registered resource (requestCertificate).

Parameters:
id - The id of the resource record signifying the resource to be confirmed for the registration.
Returns:
0 if the call was successful.

unregisterResource

public ResourceDescriptorRecord unregisterResource(ResourceID id)
Remove the resource from the list of registered resources. Once the resource has been unregistered, it cannot have the machine certificates signed by the RCA.

Parameters:
id - The id of the resource record signifying the resource to be removed from the list of registered resources.
Returns:
0 if the call was successful.

requestCertificate

public RCASignedResponse requestCertificate(ResourceID id,
                                            org.bouncycastle.jce.PKCS10CertificationRequest certRequest)
                                     throws java.lang.IllegalArgumentException,
                                            java.security.InvalidKeyException,
                                            java.security.SignatureException,
                                            java.lang.Exception
Serves the client's request for signing the certificate. The method retrieves the data on the resource from the RCA DB, and uses the descriptor and the data in the config file to set up the attributes of the certificates that will be returned signed. The resource has to be a member of the registered resources, i.e. successful calls to applyForRegistration and confirmRegistration have to precede this call.

Parameters:
id - The id of the resource that requests the certificate signature.
certRequest - The certificate signature request.
Returns:
The signed certificates: identity certificate, attribute certificate, the type of which depends on the configuration.
Throws:
java.lang.IllegalArgumentException - Thrown when the certificate request is invalid.
java.security.InvalidKeyException
java.security.SignatureException
java.lang.Exception

requestVOCertificate

public RCASignedResponse requestVOCertificate(ResourceID id,
                                              java.security.cert.X509Certificate certificate,
                                              java.lang.String vo)
                                       throws java.lang.IllegalArgumentException,
                                              java.security.InvalidKeyException,
                                              java.security.SignatureException,
                                              BadResourceException,
                                              java.lang.Exception
Throws:
java.lang.IllegalArgumentException
java.security.InvalidKeyException
java.security.SignatureException
BadResourceException
java.lang.Exception

getResourceStatus

public java.lang.Integer getResourceStatus(ResourceID id)
Retrieves the current status of the resource according to the RCA DB.

Parameters:
id - The identifier of the resource to check the status of.
Returns:
The status of the resource.

notifyVOMembershipChange

public java.lang.Integer notifyVOMembershipChange(ResourceID id,
                                                  java.lang.String vo,
                                                  java.lang.Boolean addition)
                                           throws ResourceNotRegisteredException
Manipulates the resource's membership of a VO. The method can set and unset the VO which the resource belongs to. The resource has to be on the registered resources list.

Parameters:
id - The identifier of the resource whose VO membership is being set.
vo - The VO to set the membership in.
addition - If true, the membership will be set, and if false, the VO will be removed from the list of VOs the resource is a member of.
Returns:
0 if the call was successful.
Throws:
ResourceNotRegisteredException - If the resource is not on the list of the registered resources.
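The registration workflow documented above (applyForRegistration, confirmRegistration, unregisterResource, getResourceStatus, notifyVOMembershipChange and requestCertificate) as a small Python model added here; it is not XtreemOS code, the status codes other than 0 are assumed, and an HMAC stands in for the X.509 signature the real RCA produces. The point it shows is that the RCA only signs for, or changes VO membership of, a resource an administrator has confirmed.

```python
"""Constructed model of the RCA DB registration state machine (not XtreemOS code)."""
import hashlib
import hmac
import json

PENDING, REGISTERED, UNKNOWN = 1, 0, -1   # assumed status codes; 0 = success/registered


class ResourceNotRegisteredException(Exception):
    """Raised when a registered-only operation is attempted on an unregistered resource."""


class RCADatabase:
    def __init__(self, server_key: bytes):
        self._key = server_key        # stands in for the RCA's signing key
        self.pending = {}             # resource id -> descriptor (applied, not yet confirmed)
        self.registered = {}          # resource id -> descriptor (confirmed by an administrator)
        self.vo_membership = {}       # resource id -> set of VO ids

    def apply_for_registration(self, rid, descriptor):
        # An existing entry on either list is replaced, updating the application/registration.
        target = self.registered if rid in self.registered else self.pending
        target[rid] = dict(descriptor)
        return 0

    def confirm_registration(self, rid):
        # Administrator step: move the resource from pending to registered.
        if rid not in self.pending:
            return 1                  # assumed non-zero failure code
        self.registered[rid] = self.pending.pop(rid)
        self.vo_membership.setdefault(rid, set())
        return 0

    def unregister_resource(self, rid):
        # Once removed, no further certificates are signed for the resource.
        self.vo_membership.pop(rid, None)
        return self.registered.pop(rid, None)

    def get_resource_status(self, rid):
        if rid in self.registered:
            return REGISTERED
        return PENDING if rid in self.pending else UNKNOWN

    def notify_vo_membership_change(self, rid, vo, addition):
        if rid not in self.registered:
            raise ResourceNotRegisteredException(rid)
        (self.vo_membership[rid].add if addition else self.vo_membership[rid].discard)(vo)
        return 0

    def request_certificate(self, rid, csr_public_key):
        # Gate: apply AND confirm must both have happened before anything is signed.
        if rid not in self.registered:
            raise ResourceNotRegisteredException(rid)
        attrs = {"resource": rid, "vos": sorted(self.vo_membership[rid]),
                 "public_key": csr_public_key, **self.registered[rid]}
        payload = json.dumps(attrs, sort_keys=True).encode()
        return {"attributes": attrs,
                "signature": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}
```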

processClientCertificateDeletion

public java.lang.Integer processClientCertificateDeletion(java.lang.Integer result)

processClientCertificateDeletionFailure

public java.lang.Integer processClientCertificateDeletionFailure(java.lang.Exception ex)

processMachineCertForNodeNotification

public java.lang.Integer processMachineCertForNodeNotification(java.security.cert.X509Certificate cert)
Continues the execution of notifyVOMembershipChange once the certificate has been received from the client.

Parameters:
cert - The client's certificate.
Returns:
Throws:
java.lang.Exception
BadResourceException
java.security.SignatureException
java.lang.IllegalArgumentException
java.security.InvalidKeyException

processMachineCertForNodeNotificationFailed

public java.lang.Integer processMachineCertForNodeNotificationFailed(java.lang.Exception ex)

init

public void init()
Specified by:
init in interface eu.xtreemos.system.eventmachine.stage.IStage
Overrides:
init in class eu.xtreemos.system.eventmachine.stage.AbstractStage

getHandledEventType

public java.lang.String getHandledEventType()
Specified by:
getHandledEventType in class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage

handleEvent

public void handleEvent(java.lang.Object event)
                 throws java.lang.Exception
Specified by:
handleEvent in interface eu.xtreemos.system.eventmachine.queue.IEventHandler
Specified by:
handleEvent in class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
Throws:
java.lang.Exception