Merge pull request #45 from MatthiasBechtold/master

Added configuration for SSL keystores

Author: AndrewJSchofield

Dockerfile

@@ -11,7 +11,7 @@ COPY --chown=esuser:esgroup --from=builder /opt/kafka/libs/ /opt/kafka/libs/
 COPY --chown=esuser:esgroup --from=builder /opt/kafka/config/connect-distributed.properties /opt/kafka/config/
 COPY --chown=esuser:esgroup --from=builder /opt/kafka/config/connect-log4j.properties /opt/kafka/config/
 RUN mkdir /opt/kafka/logs && chown esuser:esgroup /opt/kafka/logs
-COPY --chown=esuser:esgroup target/kafka-connect-mq-source-1.1.1-jar-with-dependencies.jar /opt/kafka/libs/
+COPY --chown=esuser:esgroup target/kafka-connect-mq-source-1.2.0-SNAPSHOT-jar-with-dependencies.jar /opt/kafka/libs/
 
 WORKDIR /opt/kafka
 

README.md

@@ -213,24 +213,28 @@ For troubleshooting, or to better understand the handshake performed by the IBM
 ## Configuration
 The configuration options for the Kafka Connect source connector for IBM MQ are as follows:
 
-| Name                         | Description                                                 | Type    | Default       | Valid values                                            |
-| ---------------------------- | ----------------------------------------------------------- | ------- | ------------- | ------------------------------------------------------- |
-| mq.queue.manager             | The name of the MQ queue manager                            | string  |               | MQ queue manager name                                   |
-| mq.connection.mode           | The connection mode - bindings or client                    | string  | client        | client, bindings                                        |
-| mq.connection.name.list      | List of connection names for queue manager                  | string  |               | host(port)[,host(port),...]                             |
-| mq.channel.name              | The name of the server-connection channel                   | string  |               | MQ channel name                                         |
-| mq.queue                     | The name of the source MQ queue                             | string  |               | MQ queue name                                           |
-| mq.user.name                 | The user name for authenticating with the queue manager     | string  |               | User name                                               |
-| mq.password                  | The password for authenticating with the queue manager      | string  |               | Password                                                |
-| mq.ccdt.url                  | The URL for the CCDT file containing MQ connection details  | string  |               | URL for obtaining a CCDT file                           |
-| mq.record.builder            | The class used to build the Kafka Connect record            | string  |               | Class implementing RecordBuilder                        |
-| mq.message.body.jms          | Whether to interpret the message body as a JMS message type | boolean | false         |                                                         |
-| mq.record.builder.key.header | The JMS message header to use as the Kafka record key       | string  |               | JMSMessageID, JMSCorrelationID, JMSCorrelationIDAsBytes, JMSDestination |
-| mq.ssl.cipher.suite          | The name of the cipher suite for TLS (SSL) connection       | string  |               | Blank or valid cipher suite                             |
-| mq.ssl.peer.name             | The distinguished name pattern of the TLS (SSL) peer        | string  |               | Blank or DN pattern                                     |
-| mq.batch.size                | The maximum number of messages in a batch (unit of work)    | integer | 250           | 1 or greater                                            |
-| mq.message.mqmd.read         | Whether to enable reading of all MQMD fields                | boolean | false         |                                                         |
-| topic                        | The name of the target Kafka topic                          | string  |               | Topic name                                              |
+| Name                         | Description                                                            | Type    | Default        | Valid values                                            |
+| ---------------------------- | ---------------------------------------------------------------------- | ------- | -------------- | ------------------------------------------------------- |
+| mq.queue.manager             | The name of the MQ queue manager                                       | string  |                | MQ queue manager name                                   |
+| mq.connection.mode           | The connection mode - bindings or client                               | string  | client         | client, bindings                                        |
+| mq.connection.name.list      | List of connection names for queue manager                             | string  |                | host(port)[,host(port),...]                             |
+| mq.channel.name              | The name of the server-connection channel                              | string  |                | MQ channel name                                         |
+| mq.queue                     | The name of the source MQ queue                                        | string  |                | MQ queue name                                           |
+| mq.user.name                 | The user name for authenticating with the queue manager                | string  |                | User name                                               |
+| mq.password                  | The password for authenticating with the queue manager                 | string  |                | Password                                                |
+| mq.ccdt.url                  | The URL for the CCDT file containing MQ connection details             | string  |                | URL for obtaining a CCDT file                           |
+| mq.record.builder            | The class used to build the Kafka Connect record                       | string  |                | Class implementing RecordBuilder                        |
+| mq.message.body.jms          | Whether to interpret the message body as a JMS message type            | boolean | false          |                                                         |
+| mq.record.builder.key.header | The JMS message header to use as the Kafka record key                  | string  |                | JMSMessageID, JMSCorrelationID, JMSCorrelationIDAsBytes, JMSDestination |
+| mq.ssl.cipher.suite          | The name of the cipher suite for TLS (SSL) connection                  | string  |                | Blank or valid cipher suite                             |
+| mq.ssl.peer.name             | The distinguished name pattern of the TLS (SSL) peer                   | string  |                | Blank or DN pattern                                     |
+| mq.ssl.keystore.location     | The path to the JKS keystore to use for SSL (TLS) connections          | string  | JVM keystore   | Local path to a JKS file                                |
+| mq.ssl.keystore.password     | The password of the JKS keystore to use for SSL (TLS) connections      | string  |                |                                                         |
+| mq.ssl.truststore.location   | The path to the JKS truststore to use for SSL (TLS) connections        | string  | JVM truststore | Local path to a JKS file                                |
+| mq.ssl.truststore.password   | The password of the JKS truststore to use for SSL (TLS) connections    | string  |                |                                                         |
+| mq.batch.size                | The maximum number of messages in a batch (unit of work)               | integer | 250            | 1 or greater                                            |
+| mq.message.mqmd.read         | Whether to enable reading of all MQMD fields                           | boolean | false          |                                                         |
+| topic                        | The name of the target Kafka topic                                     | string  |                | Topic name                                              |
 
 ### Using a CCDT file
 Some of the connection details for MQ can be provided in a [CCDT file](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.con.doc/q016730_.htm) by setting `mq.ccdt.url` in the MQ source connector configuration file. If using a CCDT file the `mq.connection.name.list` and `mq.channel.name` configuration options are not required.

pom.xml

@@ -20,7 +20,7 @@
   <groupId>com.ibm.eventstreams.connect</groupId>
   <artifactId>kafka-connect-mq-source</artifactId>
   <packaging>jar</packaging>
-  <version>1.1.1</version>
+  <version>1.2.0-SNAPSHOT</version>
   <name>kafka-connect-mq-source</name>
     <organization>
     <name>IBM Corporation</name>

src/main/java/com/ibm/eventstreams/connect/mqsource/JMSReader.java

@@ -22,8 +22,13 @@
 import com.ibm.mq.jms.*;
 import com.ibm.msg.client.wmq.WMQConstants;
 
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.*;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
 
@@ -32,6 +37,9 @@
 import javax.jms.JMSException;
 import javax.jms.JMSRuntimeException;
 import javax.jms.Message;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 
 import org.apache.kafka.connect.errors.ConnectException;
 import org.apache.kafka.connect.errors.RetriableException;
@@ -96,6 +104,10 @@ public void configure(Map<String, String> props) {
         String mdr = props.get(MQSourceConnector.CONFIG_NAME_MQ_MESSAGE_MQMD_READ);
         String sslCipherSuite = props.get(MQSourceConnector.CONFIG_NAME_MQ_SSL_CIPHER_SUITE);
         String sslPeerName = props.get(MQSourceConnector.CONFIG_NAME_MQ_SSL_PEER_NAME);
+        String sslKeystoreLocation = props.get(MQSourceConnector.CONFIG_NAME_MQ_SSL_KEYSTORE_LOCATION);
+        String sslKeystorePassword = props.get(MQSourceConnector.CONFIG_NAME_MQ_SSL_KEYSTORE_PASSWORD);
+        String sslTruststoreLocation = props.get(MQSourceConnector.CONFIG_NAME_MQ_SSL_TRUSTSTORE_LOCATION);
+        String sslTruststorePassword = props.get(MQSourceConnector.CONFIG_NAME_MQ_SSL_TRUSTSTORE_PASSWORD);
         String topic = props.get(MQSourceConnector.CONFIG_NAME_TOPIC);
 
         int transportType = WMQConstants.WMQ_CM_CLIENT;
@@ -142,6 +154,11 @@ else if (connectionMode.equals(MQSourceConnector.CONFIG_VALUE_MQ_CONNECTION_MODE
                         mqConnFactory.setSSLPeerName(sslPeerName);
                     }
                 }
+
+                if (sslKeystoreLocation != null || sslTruststoreLocation != null) {
+                    final SSLContext sslContext = buildSslContext(sslKeystoreLocation, sslKeystorePassword, sslTruststoreLocation, sslTruststorePassword);
+                    mqConnFactory.setSSLSocketFactory(sslContext.getSocketFactory());
+                }
             }
 
             queue = new MQQueue(queueName);
@@ -464,4 +481,45 @@ else if (t instanceof JMSException) {
 
         return new ConnectException(exc);
     }
+
+    private SSLContext buildSslContext(String sslKeystoreLocation, String sslKeystorePassword, String sslTruststoreLocation, String sslTruststorePassword) {
+        log.trace("[{}] Entry {}.buildSslContext", Thread.currentThread().getId(), this.getClass().getName());
+
+        try {
+            final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+
+            if (sslKeystoreLocation != null) {
+                kmf.init(loadKeyStore(sslKeystoreLocation, sslKeystorePassword), sslKeystorePassword.toCharArray());
+            }
+
+            if (sslTruststoreLocation != null) {
+                tmf.init(loadKeyStore(sslTruststoreLocation, sslTruststorePassword));
+            }
+
+            final SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
+
+            log.trace("[{}]  Exit {}.buildSslContext, retval={}", Thread.currentThread().getId(), this.getClass().getName(), sslContext);
+            return sslContext;
+
+        } catch (GeneralSecurityException e) {
+            throw new ConnectException("Error creating SSLContext", e);
+        }
+    }
+
+    private KeyStore loadKeyStore(String location, String password) throws GeneralSecurityException {
+        log.trace("[{}] Entry {}.loadKeyStore", Thread.currentThread().getId(), this.getClass().getName());
+
+        try (final InputStream ksStr = new FileInputStream(location)) {
+            final KeyStore ks = KeyStore.getInstance("JKS");
+            ks.load(ksStr, password.toCharArray());
+
+            log.trace("[{}]  Exit {}.loadKeyStore, retval={}", Thread.currentThread().getId(), this.getClass().getName(), ks);
+            return ks;
+
+        } catch (IOException e) {
+            throw new ConnectException("Error reading keystore " + location, e);
+        }
+    }
 }

src/main/java/com/ibm/eventstreams/connect/mqsource/MQSourceConnector.java

@@ -93,6 +93,22 @@ public class MQSourceConnector extends SourceConnector {
     public static final String CONFIG_DOCUMENTATION_MQ_SSL_PEER_NAME = "The distinguished name pattern of the TLS (SSL) peer.";
     public static final String CONFIG_DISPLAY_MQ_SSL_PEER_NAME = "SSL peer name";
 
+    public static final String CONFIG_NAME_MQ_SSL_KEYSTORE_LOCATION = "mq.ssl.keystore.location";
+    public static final String CONFIG_DOCUMENTATION_MQ_SSL_KEYSTORE_LOCATION = "The path to the JKS keystore to use for the TLS (SSL) connection.";
+    public static final String CONFIG_DISPLAY_MQ_SSL_KEYSTORE_LOCATION = "SSL keystore location";
+
+    public static final String CONFIG_NAME_MQ_SSL_KEYSTORE_PASSWORD = "mq.ssl.keystore.password";
+    public static final String CONFIG_DOCUMENTATION_MQ_SSL_KEYSTORE_PASSWORD = "The password of the JKS keystore to use for the TLS (SSL) connection.";
+    public static final String CONFIG_DISPLAY_MQ_SSL_KEYSTORE_PASSWORD = "SSL keystore password";
+
+    public static final String CONFIG_NAME_MQ_SSL_TRUSTSTORE_LOCATION = "mq.ssl.truststore.location";
+    public static final String CONFIG_DOCUMENTATION_MQ_SSL_TRUSTSTORE_LOCATION = "The path to the JKS truststore to use for the TLS (SSL) connection.";
+    public static final String CONFIG_DISPLAY_MQ_SSL_TRUSTSTORE_LOCATION = "SSL truststore location";
+
+    public static final String CONFIG_NAME_MQ_SSL_TRUSTSTORE_PASSWORD = "mq.ssl.truststore.password";
+    public static final String CONFIG_DOCUMENTATION_MQ_SSL_TRUSTSTORE_PASSWORD = "The password of the JKS truststore to use for the TLS (SSL) connection.";
+    public static final String CONFIG_DISPLAY_MQ_SSL_TRUSTSTORE_PASSWORD = "SSL truststore password";
+
     public static final String CONFIG_NAME_MQ_BATCH_SIZE = "mq.batch.size";
     public static final String CONFIG_DOCUMENTATION_MQ_BATCH_SIZE = "The maximum number of messages in a batch. A batch uses a single unit of work.";
     public static final String CONFIG_DISPLAY_MQ_BATCH_SIZE = "Batch size";
@@ -107,7 +123,7 @@ public class MQSourceConnector extends SourceConnector {
     public static final String CONFIG_DOCUMENTATION_TOPIC = "The name of the target Kafka topic.";
     public static final String CONFIG_DISPLAY_TOPIC = "Target Kafka topic";
 
-    public static String VERSION = "1.1.1";
+    public static String VERSION = "1.2.0-SNAPSHOT";
 
     private Map<String, String> configProps;
 
@@ -240,15 +256,31 @@ public class MQSourceConnector extends SourceConnector {
                       CONFIG_DOCUMENTATION_MQ_SSL_PEER_NAME, CONFIG_GROUP_MQ, 13, Width.MEDIUM,
                       CONFIG_DISPLAY_MQ_SSL_PEER_NAME);
 
+        config.define(CONFIG_NAME_MQ_SSL_KEYSTORE_LOCATION, Type.STRING, null, Importance.MEDIUM,
+                      CONFIG_DOCUMENTATION_MQ_SSL_KEYSTORE_LOCATION, CONFIG_GROUP_MQ, 14, Width.MEDIUM,
+                      CONFIG_DISPLAY_MQ_SSL_KEYSTORE_LOCATION);
+
+        config.define(CONFIG_NAME_MQ_SSL_KEYSTORE_PASSWORD, Type.PASSWORD, null, Importance.MEDIUM,
+                      CONFIG_DOCUMENTATION_MQ_SSL_KEYSTORE_PASSWORD, CONFIG_GROUP_MQ, 15, Width.MEDIUM,
+                      CONFIG_DISPLAY_MQ_SSL_KEYSTORE_PASSWORD);
+
+        config.define(CONFIG_NAME_MQ_SSL_TRUSTSTORE_LOCATION, Type.STRING, null, Importance.MEDIUM,
+                      CONFIG_DOCUMENTATION_MQ_SSL_TRUSTSTORE_LOCATION, CONFIG_GROUP_MQ, 16, Width.MEDIUM,
+                      CONFIG_DISPLAY_MQ_SSL_TRUSTSTORE_LOCATION);
+
+        config.define(CONFIG_NAME_MQ_SSL_TRUSTSTORE_PASSWORD, Type.PASSWORD, null, Importance.MEDIUM,
+                      CONFIG_DOCUMENTATION_MQ_SSL_TRUSTSTORE_PASSWORD, CONFIG_GROUP_MQ, 17, Width.MEDIUM,
+                      CONFIG_DISPLAY_MQ_SSL_TRUSTSTORE_PASSWORD);
+
         config.define(CONFIG_NAME_MQ_BATCH_SIZE, Type.INT, CONFIG_VALUE_MQ_BATCH_SIZE_DEFAULT,
                       ConfigDef.Range.atLeast(CONFIG_VALUE_MQ_BATCH_SIZE_MINIMUM), Importance.LOW,
-                      CONFIG_DOCUMENTATION_MQ_BATCH_SIZE, CONFIG_GROUP_MQ, 14, Width.MEDIUM,
+                      CONFIG_DOCUMENTATION_MQ_BATCH_SIZE, CONFIG_GROUP_MQ, 18, Width.MEDIUM,
                       CONFIG_DISPLAY_MQ_BATCH_SIZE);
 
         config.define(CONFIG_NAME_MQ_MESSAGE_MQMD_READ, Type.BOOLEAN, Boolean.FALSE, Importance.LOW,
-                      CONFIG_DOCUMENTATION_MQ_MESSAGE_MQMD_READ, CONFIG_GROUP_MQ, 15, Width.SHORT,
+                      CONFIG_DOCUMENTATION_MQ_MESSAGE_MQMD_READ, CONFIG_GROUP_MQ, 19, Width.SHORT,
                       CONFIG_DISPLAY_MQ_MESSAGE_MQMD_READ);
-                  
+
         config.define(CONFIG_NAME_TOPIC, Type.STRING, ConfigDef.NO_DEFAULT_VALUE, Importance.HIGH,
                       CONFIG_DOCUMENTATION_TOPIC, null, 0, Width.MEDIUM,
                       CONFIG_DISPLAY_TOPIC);