rev 10350 : 8048050: Agent NullPointerException when rmi.port in use
Reviewed-by: jbachorik, dfuchs

   1 /*
   2  * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.management.jmxremote;
  27 
  28 import java.io.BufferedInputStream;
  29 import java.io.File;
  30 import java.io.FileInputStream;
  31 import java.io.IOException;
  32 import java.io.InputStream;
  33 import java.lang.management.ManagementFactory;
  34 import java.net.InetAddress;
  35 import java.net.MalformedURLException;
  36 import java.net.UnknownHostException;
  37 import java.rmi.NoSuchObjectException;
  38 import java.rmi.Remote;
  39 import java.rmi.RemoteException;
  40 import java.rmi.registry.Registry;
  41 import java.rmi.server.RMIClientSocketFactory;
  42 import java.rmi.server.RMIServerSocketFactory;
  43 import java.rmi.server.RemoteObject;
  44 import java.rmi.server.UnicastRemoteObject;
  45 import java.security.KeyStore;
  46 import java.security.Principal;
  47 import java.util.HashMap;
  48 import java.util.HashSet;
  49 import java.util.Iterator;
  50 import java.util.Map;
  51 import java.util.Properties;
  52 import java.util.Set;
  53 import java.util.StringTokenizer;
  54 
  55 import javax.management.MBeanServer;
  56 import javax.management.remote.JMXAuthenticator;
  57 import javax.management.remote.JMXConnectorServer;
  58 import javax.management.remote.JMXConnectorServerFactory;
  59 import javax.management.remote.JMXServiceURL;
  60 import javax.management.remote.rmi.RMIConnectorServer;
  61 import javax.net.ssl.KeyManagerFactory;
  62 import javax.net.ssl.SSLContext;
  63 import javax.net.ssl.TrustManagerFactory;
  64 import javax.rmi.ssl.SslRMIClientSocketFactory;
  65 import javax.rmi.ssl.SslRMIServerSocketFactory;
  66 import javax.security.auth.Subject;
  67 
  68 import com.sun.jmx.remote.internal.RMIExporter;
  69 import com.sun.jmx.remote.security.JMXPluggableAuthenticator;
  70 import com.sun.jmx.remote.util.ClassLogger;
  71 
  72 import sun.management.Agent;
  73 import sun.management.AgentConfigurationError;
  74 import static sun.management.AgentConfigurationError.*;
  75 import sun.management.ConnectorAddressLink;
  76 import sun.management.FileSystem;
  77 import sun.rmi.server.UnicastRef;
  78 import sun.rmi.server.UnicastServerRef;
  79 import sun.rmi.server.UnicastServerRef2;
  80 
  81 /**
  82  * This class initializes and starts the RMIConnectorServer for JSR 163
  83  * JMX Monitoring.
  84  **/
  85 public final class ConnectorBootstrap {
  86 
  87     /**
  88      * Default values for JMX configuration properties.
  89      **/
  90     public static interface DefaultValues {
  91 
  92         public static final String PORT = "0";
  93         public static final String CONFIG_FILE_NAME = "management.properties";
  94         public static final String USE_SSL = "true";
  95         public static final String USE_LOCAL_ONLY = "true";
  96         public static final String USE_REGISTRY_SSL = "false";
  97         public static final String USE_AUTHENTICATION = "true";
  98         public static final String PASSWORD_FILE_NAME = "jmxremote.password";
  99         public static final String ACCESS_FILE_NAME = "jmxremote.access";
 100         public static final String SSL_NEED_CLIENT_AUTH = "false";
 101     }
 102 
 103     /**
 104      * Names of JMX configuration properties.
 105      **/
 106     public static interface PropertyNames {
 107 
 108         public static final String PORT =
 109                 "com.sun.management.jmxremote.port";
 110         public static final String RMI_PORT =
 111                 "com.sun.management.jmxremote.rmi.port";
 112         public static final String CONFIG_FILE_NAME =
 113                 "com.sun.management.config.file";
 114         public static final String USE_LOCAL_ONLY =
 115                 "com.sun.management.jmxremote.local.only";
 116         public static final String USE_SSL =
 117                 "com.sun.management.jmxremote.ssl";
 118         public static final String USE_REGISTRY_SSL =
 119                 "com.sun.management.jmxremote.registry.ssl";
 120         public static final String USE_AUTHENTICATION =
 121                 "com.sun.management.jmxremote.authenticate";
 122         public static final String PASSWORD_FILE_NAME =
 123                 "com.sun.management.jmxremote.password.file";
 124         public static final String ACCESS_FILE_NAME =
 125                 "com.sun.management.jmxremote.access.file";
 126         public static final String LOGIN_CONFIG_NAME =
 127                 "com.sun.management.jmxremote.login.config";
 128         public static final String SSL_ENABLED_CIPHER_SUITES =
 129                 "com.sun.management.jmxremote.ssl.enabled.cipher.suites";
 130         public static final String SSL_ENABLED_PROTOCOLS =
 131                 "com.sun.management.jmxremote.ssl.enabled.protocols";
 132         public static final String SSL_NEED_CLIENT_AUTH =
 133                 "com.sun.management.jmxremote.ssl.need.client.auth";
 134         public static final String SSL_CONFIG_FILE_NAME =
 135                 "com.sun.management.jmxremote.ssl.config.file";
 136     }
 137 
 138     /**
 139      * JMXConnectorServer associated data.
 140      */
 141     private static class JMXConnectorServerData {
 142 
 143         public JMXConnectorServerData(
 144                 JMXConnectorServer jmxConnectorServer,
 145                 JMXServiceURL jmxRemoteURL) {
 146             this.jmxConnectorServer = jmxConnectorServer;
 147             this.jmxRemoteURL = jmxRemoteURL;
 148         }
 149         JMXConnectorServer jmxConnectorServer;
 150         JMXServiceURL jmxRemoteURL;
 151     }
 152 
 153     /**
 154      * <p>Prevents our RMI server objects from keeping the JVM alive.</p>
 155      *
 156      * <p>We use a private interface in Sun's JMX Remote API implementation
 157      * that allows us to specify how to export RMI objects.  We do so using
 158      * UnicastServerRef, a class in Sun's RMI implementation.  This is all
 159      * non-portable, of course, so this is only valid because we are inside
 160      * Sun's JRE.</p>
 161      *
 162      * <p>Objects are exported using {@link
 163      * UnicastServerRef#exportObject(Remote, Object, boolean)}.  The
 164      * boolean parameter is called <code>permanent</code> and means
 165      * both that the object is not eligible for Distributed Garbage
 166      * Collection, and that its continued existence will not prevent
 167      * the JVM from exiting.  It is the latter semantics we want (we
 168      * already have the former because of the way the JMX Remote API
 169      * works).  Hence the somewhat misleading name of this class.</p>
 170      */
 171     private static class PermanentExporter implements RMIExporter {
 172 
 173         public Remote exportObject(Remote obj,
 174                 int port,
 175                 RMIClientSocketFactory csf,
 176                 RMIServerSocketFactory ssf)
 177                 throws RemoteException {
 178 
 179             synchronized (this) {
 180                 if (firstExported == null) {
 181                     firstExported = obj;
 182                 }
 183             }
 184 
 185             final UnicastServerRef ref;
 186             if (csf == null && ssf == null) {
 187                 ref = new UnicastServerRef(port);
 188             } else {
 189                 ref = new UnicastServerRef2(port, csf, ssf);
 190             }
 191             return ref.exportObject(obj, null, true);
 192         }
 193 
 194         // Nothing special to be done for this case
 195         public boolean unexportObject(Remote obj, boolean force)
 196                 throws NoSuchObjectException {
 197             return UnicastRemoteObject.unexportObject(obj, force);
 198         }
 199         Remote firstExported;
 200     }
 201 
 202     /**
 203      * This JMXAuthenticator wraps the JMXPluggableAuthenticator and verifies
 204      * that at least one of the principal names contained in the authenticated
 205      * Subject is present in the access file.
 206      */
 207     private static class AccessFileCheckerAuthenticator
 208             implements JMXAuthenticator {
 209 
 210         public AccessFileCheckerAuthenticator(Map<String, Object> env) throws IOException {
 211             environment = env;
 212             accessFile = (String) env.get("jmx.remote.x.access.file");
 213             properties = propertiesFromFile(accessFile);
 214         }
 215 
 216         public Subject authenticate(Object credentials) {
 217             final JMXAuthenticator authenticator =
 218                     new JMXPluggableAuthenticator(environment);
 219             final Subject subject = authenticator.authenticate(credentials);
 220             checkAccessFileEntries(subject);
 221             return subject;
 222         }
 223 
 224         private void checkAccessFileEntries(Subject subject) {
 225             if (subject == null) {
 226                 throw new SecurityException(
 227                         "Access denied! No matching entries found in " +
 228                         "the access file [" + accessFile + "] as the " +
 229                         "authenticated Subject is null");
 230             }
 231             final Set<Principal> principals = subject.getPrincipals();
 232             for (Principal p1: principals) {
 233                 if (properties.containsKey(p1.getName())) {
 234                     return;
 235                 }
 236             }
 237 
 238             final Set<String> principalsStr = new HashSet<>();
 239             for (Principal p2: principals) {
 240                 principalsStr.add(p2.getName());
 241             }
 242             throw new SecurityException(
 243                     "Access denied! No entries found in the access file [" +
 244                     accessFile + "] for any of the authenticated identities " +
 245                     principalsStr);
 246         }
 247 
 248         private static Properties propertiesFromFile(String fname)
 249                 throws IOException {
 250             Properties p = new Properties();
 251             if (fname == null) {
 252                 return p;
 253             }
 254             try (FileInputStream fin = new FileInputStream(fname)) {
 255                 p.load(fin);
 256             }
 257             return p;
 258         }
 259         private final Map<String, Object> environment;
 260         private final Properties properties;
 261         private final String accessFile;
 262     }
 263 
 264     // The variable below is here to support stop functionality
 265     // It would be overriten if you call startRemoteCommectionServer second
 266     // time. It's OK for now as logic in Agent.java forbids mutiple agents
 267     private static Registry registry = null;
 268 
 269     public static void unexportRegistry() {
 270         // Remove the entry from registry
 271         try {
 272             if (registry != null) {
 273                 UnicastRemoteObject.unexportObject(registry, true);
 274                 registry = null;
 275             }
 276         } catch(NoSuchObjectException ex) {
 277             // This exception can appears only if we attempt
 278             // to unexportRegistry second time. So it's safe
 279             // to ignore it without additional messages.
 280         }
 281     }
 282 
 283      /**
 284       * Initializes and starts the JMX Connector Server.
 285       * If the com.sun.management.jmxremote.port property is not defined,
 286       * simply return. Otherwise, attempts to load the config file, and
 287       * then calls {@link #startRemoteConnectorServer
 288       *                            (java.lang.String, java.util.Properties)}.
 289       *
 290       * This method is used by some jtreg tests.
 291       **/
 292       public static synchronized JMXConnectorServer initialize() {
 293 
 294          // Load a new management properties
 295          final Properties props = Agent.loadManagementProperties();
 296          if (props == null) {
 297               return null;
 298          }
 299 
 300          final String portStr = props.getProperty(PropertyNames.PORT);
 301          return startRemoteConnectorServer(portStr, props);
 302      }
 303 
 304     /**
 305      * This method is used by some jtreg tests.
 306      *
 307      * @see #startRemoteConnectorServer
 308      *             (String portStr, Properties props)
 309      */
 310     public static synchronized JMXConnectorServer initialize(String portStr, Properties props)  {
 311          return startRemoteConnectorServer(portStr, props);
 312     }
 313 
 314     /**
 315      * Initializes and starts a JMX Connector Server for remote
 316      * monitoring and management.
 317      **/
 318     public static synchronized JMXConnectorServer startRemoteConnectorServer(String portStr, Properties props) {
 319 
 320         // Get port number
 321         final int port;
 322         try {
 323             port = Integer.parseInt(portStr);
 324         } catch (NumberFormatException x) {
 325             throw new AgentConfigurationError(INVALID_JMXREMOTE_PORT, x, portStr);
 326         }
 327         if (port < 0) {
 328             throw new AgentConfigurationError(INVALID_JMXREMOTE_PORT, portStr);
 329         }
 330 
 331         // User can specify a port to be used to export rmi object,
 332         // in order to simplify firewall rules
 333         // if port is not specified random one will be allocated.
 334         int rmiPort = 0;
 335         String rmiPortStr = props.getProperty(PropertyNames.RMI_PORT);
 336         try {
 337             if (rmiPortStr != null) {
 338                rmiPort = Integer.parseInt(rmiPortStr);
 339             }
 340         } catch (NumberFormatException x) {
 341             throw new AgentConfigurationError(INVALID_JMXREMOTE_RMI_PORT, x, rmiPortStr);
 342         }
 343         if (rmiPort < 0) {
 344             throw new AgentConfigurationError(INVALID_JMXREMOTE_RMI_PORT, rmiPortStr);
 345         }
 346 
 347         // Do we use authentication?
 348         final String useAuthenticationStr =
 349                 props.getProperty(PropertyNames.USE_AUTHENTICATION,
 350                 DefaultValues.USE_AUTHENTICATION);
 351         final boolean useAuthentication =
 352                 Boolean.valueOf(useAuthenticationStr).booleanValue();
 353 
 354         // Do we use SSL?
 355         final String useSslStr =
 356                 props.getProperty(PropertyNames.USE_SSL,
 357                 DefaultValues.USE_SSL);
 358         final boolean useSsl =
 359                 Boolean.valueOf(useSslStr).booleanValue();
 360 
 361         // Do we use RMI Registry SSL?
 362         final String useRegistrySslStr =
 363                 props.getProperty(PropertyNames.USE_REGISTRY_SSL,
 364                 DefaultValues.USE_REGISTRY_SSL);
 365         final boolean useRegistrySsl =
 366                 Boolean.valueOf(useRegistrySslStr).booleanValue();
 367 
 368         final String enabledCipherSuites =
 369                 props.getProperty(PropertyNames.SSL_ENABLED_CIPHER_SUITES);
 370         String enabledCipherSuitesList[] = null;
 371         if (enabledCipherSuites != null) {
 372             StringTokenizer st = new StringTokenizer(enabledCipherSuites, ",");
 373             int tokens = st.countTokens();
 374             enabledCipherSuitesList = new String[tokens];
 375             for (int i = 0; i < tokens; i++) {
 376                 enabledCipherSuitesList[i] = st.nextToken();
 377             }
 378         }
 379 
 380         final String enabledProtocols =
 381                 props.getProperty(PropertyNames.SSL_ENABLED_PROTOCOLS);
 382         String enabledProtocolsList[] = null;
 383         if (enabledProtocols != null) {
 384             StringTokenizer st = new StringTokenizer(enabledProtocols, ",");
 385             int tokens = st.countTokens();
 386             enabledProtocolsList = new String[tokens];
 387             for (int i = 0; i < tokens; i++) {
 388                 enabledProtocolsList[i] = st.nextToken();
 389             }
 390         }
 391 
 392         final String sslNeedClientAuthStr =
 393                 props.getProperty(PropertyNames.SSL_NEED_CLIENT_AUTH,
 394                 DefaultValues.SSL_NEED_CLIENT_AUTH);
 395         final boolean sslNeedClientAuth =
 396                 Boolean.valueOf(sslNeedClientAuthStr).booleanValue();
 397 
 398         // Read SSL config file name
 399         final String sslConfigFileName =
 400                 props.getProperty(PropertyNames.SSL_CONFIG_FILE_NAME);
 401 
 402         String loginConfigName = null;
 403         String passwordFileName = null;
 404         String accessFileName = null;
 405 
 406         // Initialize settings when authentication is active
 407         if (useAuthentication) {
 408 
 409             // Get non-default login configuration
 410             loginConfigName =
 411                     props.getProperty(PropertyNames.LOGIN_CONFIG_NAME);
 412 
 413             if (loginConfigName == null) {
 414                 // Get password file
 415                 passwordFileName =
 416                         props.getProperty(PropertyNames.PASSWORD_FILE_NAME,
 417                         getDefaultFileName(DefaultValues.PASSWORD_FILE_NAME));
 418                 checkPasswordFile(passwordFileName);
 419             }
 420 
 421             // Get access file
 422             accessFileName = props.getProperty(PropertyNames.ACCESS_FILE_NAME,
 423                     getDefaultFileName(DefaultValues.ACCESS_FILE_NAME));
 424             checkAccessFile(accessFileName);
 425         }
 426 
 427         if (log.debugOn()) {
 428             log.debug("startRemoteConnectorServer",
 429                     Agent.getText("jmxremote.ConnectorBootstrap.starting") +
 430                     "\n\t" + PropertyNames.PORT + "=" + port +
 431                     "\n\t" + PropertyNames.RMI_PORT + "=" + rmiPort +
 432                     "\n\t" + PropertyNames.USE_SSL + "=" + useSsl +
 433                     "\n\t" + PropertyNames.USE_REGISTRY_SSL + "=" + useRegistrySsl +
 434                     "\n\t" + PropertyNames.SSL_CONFIG_FILE_NAME + "=" + sslConfigFileName +
 435                     "\n\t" + PropertyNames.SSL_ENABLED_CIPHER_SUITES + "=" +
 436                     enabledCipherSuites +
 437                     "\n\t" + PropertyNames.SSL_ENABLED_PROTOCOLS + "=" +
 438                     enabledProtocols +
 439                     "\n\t" + PropertyNames.SSL_NEED_CLIENT_AUTH + "=" +
 440                     sslNeedClientAuth +
 441                     "\n\t" + PropertyNames.USE_AUTHENTICATION + "=" +
 442                     useAuthentication +
 443                     (useAuthentication ? (loginConfigName == null ? ("\n\t" + PropertyNames.PASSWORD_FILE_NAME + "=" +
 444                     passwordFileName) : ("\n\t" + PropertyNames.LOGIN_CONFIG_NAME + "=" +
 445                     loginConfigName)) : "\n\t" +
 446                     Agent.getText("jmxremote.ConnectorBootstrap.noAuthentication")) +
 447                     (useAuthentication ? ("\n\t" + PropertyNames.ACCESS_FILE_NAME + "=" +
 448                     accessFileName) : "") +
 449                     "");
 450         }
 451 
 452         final MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
 453         JMXConnectorServer cs = null;
 454         JMXServiceURL url = null;
 455         try {
 456             final JMXConnectorServerData data = exportMBeanServer(
 457                     mbs, port, rmiPort, useSsl, useRegistrySsl,
 458                     sslConfigFileName, enabledCipherSuitesList,
 459                     enabledProtocolsList, sslNeedClientAuth,
 460                     useAuthentication, loginConfigName,
 461                     passwordFileName, accessFileName);
 462             cs = data.jmxConnectorServer;
 463             url = data.jmxRemoteURL;
 464             log.config("startRemoteConnectorServer",
 465                     Agent.getText("jmxremote.ConnectorBootstrap.ready",
 466                     url.toString()));
 467         } catch (Exception e) {
 468             throw new AgentConfigurationError(AGENT_EXCEPTION, e, e.toString());
 469         }
 470         try {
 471             // Export remote connector address and associated configuration
 472             // properties to the instrumentation buffer.
 473             Map<String, String> properties = new HashMap<>();
 474             properties.put("remoteAddress", url.toString());
 475             properties.put("authenticate", useAuthenticationStr);
 476             properties.put("ssl", useSslStr);
 477             properties.put("sslRegistry", useRegistrySslStr);
 478             properties.put("sslNeedClientAuth", sslNeedClientAuthStr);
 479             ConnectorAddressLink.exportRemote(properties);
 480         } catch (Exception e) {
 481             // Remote connector server started but unable to export remote
 482             // connector address and associated configuration properties to
 483             // the instrumentation buffer - non-fatal error.
 484             log.debug("startRemoteConnectorServer", e);
 485         }
 486         return cs;
 487     }
 488 
 489     /*
 490      * Creates and starts a RMI Connector Server for "local" monitoring
 491      * and management.
 492      */
 493     public static JMXConnectorServer startLocalConnectorServer() {
 494         // Ensure cryptographically strong random number generater used
 495         // to choose the object number - see java.rmi.server.ObjID
 496         System.setProperty("java.rmi.server.randomIDs", "true");
 497 
 498         // This RMI server should not keep the VM alive
 499         Map<String, Object> env = new HashMap<>();
 500         env.put(RMIExporter.EXPORTER_ATTRIBUTE, new PermanentExporter());
 501 
 502         // The local connector server need only be available via the
 503         // loopback connection.
 504         String localhost = "localhost";
 505         InetAddress lh = null;
 506         try {
 507             lh = InetAddress.getByName(localhost);
 508             localhost = lh.getHostAddress();
 509         } catch (UnknownHostException x) {
 510         }
 511 
 512         // localhost unknown or (somehow) didn't resolve to
 513         // a loopback address.
 514         if (lh == null || !lh.isLoopbackAddress()) {
 515             localhost = "127.0.0.1";
 516         }
 517 
 518         MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
 519         try {
 520             JMXServiceURL url = new JMXServiceURL("rmi", localhost, 0);
 521             // Do we accept connections from local interfaces only?
 522             Properties props = Agent.getManagementProperties();
 523             if (props ==  null) {
 524                 props = new Properties();
 525             }
 526             String useLocalOnlyStr = props.getProperty(
 527                     PropertyNames.USE_LOCAL_ONLY, DefaultValues.USE_LOCAL_ONLY);
 528             boolean useLocalOnly = Boolean.valueOf(useLocalOnlyStr).booleanValue();
 529             if (useLocalOnly) {
 530                 env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE,
 531                         new LocalRMIServerSocketFactory());
 532             }
 533             JMXConnectorServer server =
 534                     JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
 535             server.start();
 536             return server;
 537         } catch (Exception e) {
 538             throw new AgentConfigurationError(AGENT_EXCEPTION, e, e.toString());
 539         }
 540     }
 541 
 542     private static void checkPasswordFile(String passwordFileName) {
 543         if (passwordFileName == null || passwordFileName.length() == 0) {
 544             throw new AgentConfigurationError(PASSWORD_FILE_NOT_SET);
 545         }
 546         File file = new File(passwordFileName);
 547         if (!file.exists()) {
 548             throw new AgentConfigurationError(PASSWORD_FILE_NOT_FOUND, passwordFileName);
 549         }
 550 
 551         if (!file.canRead()) {
 552             throw new AgentConfigurationError(PASSWORD_FILE_NOT_READABLE, passwordFileName);
 553         }
 554 
 555         FileSystem fs = FileSystem.open();
 556         try {
 557             if (fs.supportsFileSecurity(file)) {
 558                 if (!fs.isAccessUserOnly(file)) {
 559                     final String msg = Agent.getText("jmxremote.ConnectorBootstrap.password.readonly",
 560                             passwordFileName);
 561                     log.config("startRemoteConnectorServer", msg);
 562                     throw new AgentConfigurationError(PASSWORD_FILE_ACCESS_NOT_RESTRICTED,
 563                             passwordFileName);
 564                 }
 565             }
 566         } catch (IOException e) {
 567             throw new AgentConfigurationError(PASSWORD_FILE_READ_FAILED,
 568                     e, passwordFileName);
 569         }
 570     }
 571 
 572     private static void checkAccessFile(String accessFileName) {
 573         if (accessFileName == null || accessFileName.length() == 0) {
 574             throw new AgentConfigurationError(ACCESS_FILE_NOT_SET);
 575         }
 576         File file = new File(accessFileName);
 577         if (!file.exists()) {
 578             throw new AgentConfigurationError(ACCESS_FILE_NOT_FOUND, accessFileName);
 579         }
 580 
 581         if (!file.canRead()) {
 582             throw new AgentConfigurationError(ACCESS_FILE_NOT_READABLE, accessFileName);
 583         }
 584     }
 585 
 586     private static void checkRestrictedFile(String restrictedFileName) {
 587         if (restrictedFileName == null || restrictedFileName.length() == 0) {
 588             throw new AgentConfigurationError(FILE_NOT_SET);
 589         }
 590         File file = new File(restrictedFileName);
 591         if (!file.exists()) {
 592             throw new AgentConfigurationError(FILE_NOT_FOUND, restrictedFileName);
 593         }
 594         if (!file.canRead()) {
 595             throw new AgentConfigurationError(FILE_NOT_READABLE, restrictedFileName);
 596         }
 597         FileSystem fs = FileSystem.open();
 598         try {
 599             if (fs.supportsFileSecurity(file)) {
 600                 if (!fs.isAccessUserOnly(file)) {
 601                     final String msg = Agent.getText(
 602                             "jmxremote.ConnectorBootstrap.file.readonly",
 603                             restrictedFileName);
 604                     log.config("startRemoteConnectorServer", msg);
 605                     throw new AgentConfigurationError(
 606                             FILE_ACCESS_NOT_RESTRICTED, restrictedFileName);
 607                 }
 608             }
 609         } catch (IOException e) {
 610             throw new AgentConfigurationError(
 611                     FILE_READ_FAILED, e, restrictedFileName);
 612         }
 613     }
 614 
 615     /**
 616      * Compute the full path name for a default file.
 617      * @param basename basename (with extension) of the default file.
 618      * @return ${JRE}/lib/management/${basename}
 619      **/
 620     private static String getDefaultFileName(String basename) {
 621         final String fileSeparator = File.separator;
 622         return System.getProperty("java.home") + fileSeparator + "lib" +
 623                 fileSeparator + "management" + fileSeparator +
 624                 basename;
 625     }
 626 
 627     private static SslRMIServerSocketFactory createSslRMIServerSocketFactory(
 628             String sslConfigFileName,
 629             String[] enabledCipherSuites,
 630             String[] enabledProtocols,
 631             boolean sslNeedClientAuth) {
 632         if (sslConfigFileName == null) {
 633             return new SslRMIServerSocketFactory(
 634                     enabledCipherSuites,
 635                     enabledProtocols,
 636                     sslNeedClientAuth);
 637         } else {
 638             checkRestrictedFile(sslConfigFileName);
 639             try {
 640                 // Load the SSL keystore properties from the config file
 641                 Properties p = new Properties();
 642                 try (InputStream in = new FileInputStream(sslConfigFileName)) {
 643                     BufferedInputStream bin = new BufferedInputStream(in);
 644                     p.load(bin);
 645                 }
 646                 String keyStore =
 647                         p.getProperty("javax.net.ssl.keyStore");
 648                 String keyStorePassword =
 649                         p.getProperty("javax.net.ssl.keyStorePassword", "");
 650                 String trustStore =
 651                         p.getProperty("javax.net.ssl.trustStore");
 652                 String trustStorePassword =
 653                         p.getProperty("javax.net.ssl.trustStorePassword", "");
 654 
 655                 char[] keyStorePasswd = null;
 656                 if (keyStorePassword.length() != 0) {
 657                     keyStorePasswd = keyStorePassword.toCharArray();
 658                 }
 659 
 660                 char[] trustStorePasswd = null;
 661                 if (trustStorePassword.length() != 0) {
 662                     trustStorePasswd = trustStorePassword.toCharArray();
 663                 }
 664 
 665                 KeyStore ks = null;
 666                 if (keyStore != null) {
 667                     ks = KeyStore.getInstance(KeyStore.getDefaultType());
 668                     try (FileInputStream ksfis = new FileInputStream(keyStore)) {
 669                         ks.load(ksfis, keyStorePasswd);
 670                     }
 671                 }
 672                 KeyManagerFactory kmf = KeyManagerFactory.getInstance(
 673                         KeyManagerFactory.getDefaultAlgorithm());
 674                 kmf.init(ks, keyStorePasswd);
 675 
 676                 KeyStore ts = null;
 677                 if (trustStore != null) {
 678                     ts = KeyStore.getInstance(KeyStore.getDefaultType());
 679                     try (FileInputStream tsfis = new FileInputStream(trustStore)) {
 680                         ts.load(tsfis, trustStorePasswd);
 681                     }
 682                 }
 683                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(
 684                         TrustManagerFactory.getDefaultAlgorithm());
 685                 tmf.init(ts);
 686 
 687                 SSLContext ctx = SSLContext.getInstance("SSL");
 688                 ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
 689 
 690                 return new SslRMIServerSocketFactory(
 691                         ctx,
 692                         enabledCipherSuites,
 693                         enabledProtocols,
 694                         sslNeedClientAuth);
 695             } catch (Exception e) {
 696                 throw new AgentConfigurationError(AGENT_EXCEPTION, e, e.toString());
 697             }
 698         }
 699     }
 700 
 701     private static JMXConnectorServerData exportMBeanServer(
 702             MBeanServer mbs,
 703             int port,
 704             int rmiPort,
 705             boolean useSsl,
 706             boolean useRegistrySsl,
 707             String sslConfigFileName,
 708             String[] enabledCipherSuites,
 709             String[] enabledProtocols,
 710             boolean sslNeedClientAuth,
 711             boolean useAuthentication,
 712             String loginConfigName,
 713             String passwordFileName,
 714             String accessFileName)
 715             throws IOException, MalformedURLException {
 716 
 717         /* Make sure we use non-guessable RMI object IDs.  Otherwise
 718          * attackers could hijack open connections by guessing their
 719          * IDs.  */
 720         System.setProperty("java.rmi.server.randomIDs", "true");
 721 
 722         JMXServiceURL url = new JMXServiceURL("rmi", null, rmiPort);
 723 
 724         Map<String, Object> env = new HashMap<>();
 725 
 726         PermanentExporter exporter = new PermanentExporter();
 727 
 728         env.put(RMIExporter.EXPORTER_ATTRIBUTE, exporter);
 729 
 730         if (useAuthentication) {
 731             if (loginConfigName != null) {
 732                 env.put("jmx.remote.x.login.config", loginConfigName);
 733             }
 734             if (passwordFileName != null) {
 735                 env.put("jmx.remote.x.password.file", passwordFileName);
 736             }
 737 
 738             env.put("jmx.remote.x.access.file", accessFileName);
 739 
 740             if (env.get("jmx.remote.x.password.file") != null ||
 741                     env.get("jmx.remote.x.login.config") != null) {
 742                 env.put(JMXConnectorServer.AUTHENTICATOR,
 743                         new AccessFileCheckerAuthenticator(env));
 744             }
 745         }
 746 
 747         RMIClientSocketFactory csf = null;
 748         RMIServerSocketFactory ssf = null;
 749 
 750         if (useSsl || useRegistrySsl) {
 751             csf = new SslRMIClientSocketFactory();
 752             ssf = createSslRMIServerSocketFactory(
 753                     sslConfigFileName, enabledCipherSuites,
 754                     enabledProtocols, sslNeedClientAuth);
 755         }
 756 
 757         if (useSsl) {
 758             env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,
 759                     csf);
 760             env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE,
 761                     ssf);
 762         }
 763 
 764         JMXConnectorServer connServer = null;
 765         try {
 766             connServer =
 767                     JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
 768             connServer.start();
 769         } catch (IOException e) {
 770             if (connServer == null) {
 771                 throw new AgentConfigurationError(CONNECTOR_SERVER_IO_ERROR,
 772                         e, url.toString());
 773             } else {
 774                 throw new AgentConfigurationError(CONNECTOR_SERVER_IO_ERROR,
 775                         e, connServer.getAddress().toString());
 776             }
 777         }
 778 
 779         if (useRegistrySsl) {
 780             registry =
 781                     new SingleEntryRegistry(port, csf, ssf,
 782                     "jmxrmi", exporter.firstExported);
 783         } else {
 784             registry =
 785                     new SingleEntryRegistry(port,
 786                     "jmxrmi", exporter.firstExported);
 787         }
 788 
 789 
 790         int registryPort =
 791             ((UnicastRef) ((RemoteObject) registry).getRef()).getLiveRef().getPort();
 792         String jmxUrlStr =  String.format("service:jmx:rmi:///jndi/rmi://%s:%d/jmxrmi",
 793                                            url.getHost(), registryPort);
 794         JMXServiceURL remoteURL = new JMXServiceURL(jmxUrlStr);
 795 
 796         /* Our exporter remembers the first object it was asked to
 797         export, which will be an RMIServerImpl appropriate for
 798         publication in our special registry.  We could
 799         alternatively have constructed the RMIServerImpl explicitly
 800         and then constructed an RMIConnectorServer passing it as a
 801         parameter, but that's quite a bit more verbose and pulls in
 802         lots of knowledge of the RMI connector.  */
 803 
 804         return new JMXConnectorServerData(connServer, remoteURL);
 805     }
 806 
 807     /**
 808      * This class cannot be instantiated.
 809      **/
 810     private ConnectorBootstrap() {
 811     }
 812 
 813     private static final ClassLogger log =
 814         new ClassLogger(ConnectorBootstrap.class.getPackage().getName(),
 815                         "ConnectorBootstrap");
 816 }
--- EOF ---