CLOUDSTACK-5880: Communication between management server and hyper-v agent 
should be secure.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/823abe6a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/823abe6a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/823abe6a

Branch: refs/heads/rbac
Commit: 823abe6a2389371116c189069bb26ed41f62f467
Parents: fcd21eb
Author: Anshul Gangwar <anshul.gang...@citrix.com>
Authored: Fri Jan 10 17:18:35 2014 +0530
Committer: Devdeep Singh <devd...@gmail.com>
Committed: Thu Jan 16 14:48:28 2014 +0530

----------------------------------------------------------------------
 .../ServerResource/AgentShell/AgentService.cs   |  2 +-
 .../resource/HypervDirectConnectResource.java   | 47 ++++++++++++++++++--
 2 files changed, 45 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/823abe6a/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/AgentService.cs
----------------------------------------------------------------------
diff --git 
a/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/AgentService.cs 
b/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/AgentService.cs
index e187097..9d66a5c 100644
--- 
a/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/AgentService.cs
+++ 
b/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/AgentService.cs
@@ -47,7 +47,7 @@ namespace CloudStack.Plugin.AgentShell
             logger.Info("Starting CloudStack agent");
             InitializeComponent();
 
-            UriBuilder baseUri = new UriBuilder("http", 
AgentSettings.Default.private_ip_address, AgentSettings.Default.port);
+            UriBuilder baseUri = new UriBuilder("https", 
AgentSettings.Default.private_ip_address, AgentSettings.Default.port);
 
             var config = new HttpSelfHostConfiguration(baseUri.Uri);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/823abe6a/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java
----------------------------------------------------------------------
diff --git 
a/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java
 
b/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java
index 72a5921..519f457 100644
--- 
a/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java
+++ 
b/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java
@@ -25,6 +25,12 @@ import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.channels.SocketChannel;
 import java.rmi.RemoteException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -40,8 +46,15 @@ import org.apache.http.HttpStatus;
 import org.apache.http.client.ClientProtocolException;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ClientConnectionManager;
+import org.apache.http.conn.scheme.Scheme;
+import org.apache.http.conn.scheme.SchemeRegistry;
+import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.conn.ssl.TrustStrategy;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.impl.conn.BasicClientConnectionManager;
 import org.apache.http.util.EntityUtils;
 import org.apache.log4j.Logger;
 
@@ -302,7 +315,9 @@ public class HypervDirectConnectResource extends 
ServerResourceBase implements S
         URI agentUri = null;
         try {
             String cmdName = StartupCommand.class.getName();
-            agentUri = new URI("http", null, _agentIp, _port, 
"/api/HypervResource/" + cmdName, null, null);
+            agentUri =
+                    new URI("https", null, _agentIp, _port,
+                            "/api/HypervResource/" + cmdName, null, null);
         } catch (URISyntaxException e) {
             // TODO add proper logging
             String errMsg = "Could not generate URI for Hyper-V agent";
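Review bot: The `new URI("https", null, _agentIp, _port, "/api/HypervResource/" + cmdName, null, null)` expression is now written out twice, here and in the hunk at `@@ -339,7 +354,9 @@`, so the scheme and path prefix have to be kept in sync by hand. A small private helper, `private URI agentUri(String cmdName) throws URISyntaxException { return new URI("https", null, _agentIp, _port, "/api/HypervResource/" + cmdName, null, null); }`, used from both places would leave one definition of how the agent is addressed. Both enclosing methods start and end outside their hunks.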
@@ -339,7 +354,9 @@ public class HypervDirectConnectResource extends 
ServerResourceBase implements S
         Answer answer = null;
         try {
             String cmdName = cmd.getClass().getName();
-            agentUri = new URI("http", null, _agentIp, _port, 
"/api/HypervResource/" + cmdName, null, null);
+            agentUri =
+                    new URI("https", null, _agentIp, _port,
+                            "/api/HypervResource/" + cmdName, null, null);
         } catch (URISyntaxException e) {
             // TODO add proper logging
             String errMsg = "Could not generate URI for Hyper-V agent";
@@ -1665,7 +1682,31 @@ public class HypervDirectConnectResource extends 
ServerResourceBase implements S
         s_logger.debug("POST request to" + agentUri.toString() + " with 
contents" + jsonCmd);
 
         // Create request
-        HttpClient httpClient = new DefaultHttpClient();
+        HttpClient httpClient = null;
+        TrustStrategy easyStrategy = new TrustStrategy() {
+            @Override
+            public boolean isTrusted(X509Certificate[] chain, String authType)
+                    throws CertificateException {
+                return true;
+            }
+        };
+
+        try {
+            SSLSocketFactory sf = new SSLSocketFactory(easyStrategy, new 
AllowAllHostnameVerifier());
+            SchemeRegistry registry = new SchemeRegistry();
+            registry.register(new Scheme("https", DEFAULT_AGENT_PORT, sf));
+            ClientConnectionManager ccm = new 
BasicClientConnectionManager(registry);
+            httpClient = new DefaultHttpClient(ccm);
+        } catch (KeyManagementException e) {
+            s_logger.error("failed to initialize http client " + 
e.getMessage());
+        } catch (UnrecoverableKeyException e) {
+            s_logger.error("failed to initialize http client " + 
e.getMessage());
+        } catch (NoSuchAlgorithmException e) {
+            s_logger.error("failed to initialize http client " + 
e.getMessage());
+        } catch (KeyStoreException e) {
+            s_logger.error("failed to initialize http client " + 
e.getMessage());
+        }
+
         String result = null;
 
         // TODO: are there timeout settings and worker thread settings to 
tweak?
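Review bot: The `TrustStrategy` that returns `true` for every chain, combined with `AllowAllHostnameVerifier`, means the new https transport never authenticates the agent: any endpoint answering on `_agentIp:_port` with any certificate is accepted, so the connection is encrypted but not authenticated and a machine-in-the-middle between management server and host is not prevented. Build the `SSLSocketFactory` from a trust store that holds the agent's certificate and keep hostname verification on (the peer is addressed by IP, so the agent certificate needs a matching IP SAN; if that cannot be guaranteed, a trust store containing only the agent's own certificate is the minimum), which adds `IOException`/`CertificateException` from loading the store to the error handling. The four identical catch blocks also log only `e.getMessage()`, losing the stack trace, and leave `httpClient` null, which the code after the hunk will presumably dereference; log `e` itself and stop the request rather than continuing with a null client. The enclosing method starts and ends outside the hunk, and the `https` URIs introduced in the two earlier hunks rely on this trust setup.

```java
        // Create request
        HttpClient httpClient = null;
        try {
            // Trust only the certificate(s) in the agent trust store; a blanket
            // TrustStrategy plus AllowAllHostnameVerifier would accept any peer.
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            InputStream in = new FileInputStream(agentTrustStorePath); // PLACEHOLDER: path/password come from configuration
            try {
                trustStore.load(in, agentTrustStorePassword);         // PLACEHOLDER
            } finally {
                in.close();
            }
            SSLSocketFactory sf = new SSLSocketFactory(trustStore);
            sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("https", DEFAULT_AGENT_PORT, sf));
            httpClient = new DefaultHttpClient(new BasicClientConnectionManager(registry));
        } catch (GeneralSecurityException e) {
            s_logger.error("failed to initialize http client for " + agentUri, e);
            // TODO: report the failure to the caller instead of continuing with a null client
            //       (the method's return type is outside this hunk)
        } catch (IOException e) {
            s_logger.error("failed to load agent trust store for " + agentUri, e);
            // TODO: same as above
        }
        // … unchanged: String result = null; and the POST below …
```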
