CertificateStoreManager should be a proper module.

1f4d6288 · Guus der Kinderen · 953b85af · 1f4d6288 · 1f4d6288 · 1f4d6288
Commit 1f4d6288 authored Nov 28, 2015 by Guus der Kinderen
18 changed files
--- a/src/conf/modules.xml
+++ b/src/conf/modules.xml
@@ -28,7 +28,8 @@
  <module interface="org.jivesoftware.openfire.OfflineMessageStrategy" implementation="org.jivesoftware.openfire.OfflineMessageStrategy" />
  <module interface="org.jivesoftware.openfire.OfflineMessageStore" implementation="org.jivesoftware.openfire.OfflineMessageStore" />
  <module interface="org.jivesoftware.openfire.vcard.VCardManager" implementation="org.jivesoftware.openfire.vcard.VCardManager" />
+  <module interface="org.jivesoftware.openfire.keystore.CertificateStoreManager"" implementation="org.jivesoftware.openfire.keystore.CertificateStoreManager" />
  <!--  Standard Modules -->  
  <module interface="org.jivesoftware.openfire.handler.IQBindHandler" implementation="org.jivesoftware.openfire.handler.IQBindHandler" />
  <module interface="org.jivesoftware.openfire.handler.IQSessionEstablishmentHandler" implementation="org.jivesoftware.openfire.handler.IQSessionEstablishmentHandler" />

--- a/src/java/org/jivesoftware/openfire/XMPPServer.java
+++ b/src/java/org/jivesoftware/openfire/XMPPServer.java
@@ -373,13 +373,22 @@ public class XMPPServer {
            // Set default SASL SCRAM-SHA-1 iteration count
            JiveGlobals.setProperty("sasl.scram-sha-1.iteration-count", Integer.toString(ScramUtils.DEFAULT_ITERATION_COUNT));
-            // Update certificates (if required)
+            // Check if keystore (that out-of-the-box is a fallback for all keystores) already has certificates for current domain.
+            CertificateStoreManager certificateStoreManager = null; // Will be a module after finishing setup.
            try {
-                // Check if keystore (that out-of-the-box is a fallback for all keystores) already has certificates for current domain.
+                certificateStoreManager = new CertificateStoreManager();
-                final IdentityStore storeConfig = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_C2S );
+                certificateStoreManager.initialize( this );
-                storeConfig.ensureDomainCertificates( "DSA", "RSA" );
+                certificateStoreManager.start();
+                final IdentityStore identityStore = certificateStoreManager.getIdentityStore( ConnectionType.SOCKET_C2S );
+                identityStore.ensureDomainCertificates( "DSA", "RSA" );
            } catch (Exception e) {
                logger.error("Error generating self-signed certificates", e);
+            } finally {
+                if (certificateStoreManager != null)
+                {
+                    certificateStoreManager.stop();
+                    certificateStoreManager.destroy();
+                }
            }
            // Initialize list of admins now (before we restart Jetty)
@@ -1408,6 +1417,16 @@ public class XMPPServer {
        return (InternalComponentManager) modules.get(InternalComponentManager.class.getName());
    }
+    /**
+     * Returns the <code>CertificateStoreManager</code> registered with this server. The
+     * <code>CertificateStoreManager</code> was registered with the server as a module while starting up
+     * the server.
+     *
+     * @return the <code>CertificateStoreManager</code> registered with this server.
+     */
+    public CertificateStoreManager getCertificateStoreManager() {
+        return (CertificateStoreManager) modules.get( CertificateStoreManager.class.getName() );
+    }
    /**
     * Returns the locator to use to find sessions hosted in other cluster nodes. When not running
     * in a cluster a <tt>null</tt> value is returned.

--- a/src/java/org/jivesoftware/openfire/clearspace/SSLProtocolSocketFactory.java
+++ b/src/java/org/jivesoftware/openfire/clearspace/SSLProtocolSocketFactory.java
@@ -35,6 +35,7 @@ import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpClientError;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.CertificateStoreManager;
 import org.jivesoftware.openfire.spi.ConnectionType;
 import org.slf4j.Logger;
@@ -70,7 +71,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
                            new ClearspaceX509TrustManager(
                                    host,
                                    manager.getProperties(),
-                                    CertificateStoreManager.getTrustStore( ConnectionType.SOCKET_S2S ).getStore() )
+                                    XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( ConnectionType.SOCKET_S2S ).getStore() )
                    },
                    null);
            return context;

--- a/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java
+++ b/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java
@@ -141,7 +141,7 @@ public class AdminConsolePlugin implements Plugin {
        // Create a connector for https traffic if it's enabled.
        sslEnabled = false;
        try {
-            final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( ConnectionType.WEBADMIN );
+            final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.WEBADMIN );
            if (adminSecurePort > 0 )
            {
                if ( identityStore.getAllCertificates().isEmpty() )

--- a/src/java/org/jivesoftware/openfire/http/HttpBindManager.java
+++ b/src/java/org/jivesoftware/openfire/http/HttpBindManager.java
@@ -248,7 +248,7 @@ public final class HttpBindManager {
    private void createSSLConnector(int securePort, int bindThreads) {
        httpsConnector = null;
        try {
-            final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( ConnectionType.BOSH_C2S );
+            final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.BOSH_C2S );
            if (securePort > 0 && identityStore.getStore().aliases().hasMoreElements() ) {
                if ( !identityStore.containsDomainCertificate( "RSA" ) ) {

--- a/src/java/org/jivesoftware/openfire/keystore/CertificateStoreManager.java
+++ b/src/java/org/jivesoftware/openfire/keystore/CertificateStoreManager.java
 package org.jivesoftware.openfire.keystore;
 import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.container.BasicModule;
 import org.jivesoftware.openfire.spi.ConnectionListener;
 import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
 import org.jivesoftware.openfire.spi.ConnectionType;
@@ -19,7 +20,7 @@ import java.util.concurrent.ConcurrentMap;
 */
 // TODO Code duplication should be reduced.
 // TODO Allow changing the store type.
-public class CertificateStoreManager
+public class CertificateStoreManager extends BasicModule
 {
    private final static Logger Log = LoggerFactory.getLogger( CertificateStoreManager.class );
@@ -28,17 +29,16 @@ public class CertificateStoreManager
    private final ConcurrentMap<CertificateStoreConfiguration, IdentityStore>  identityStores      = new ConcurrentHashMap<>();
    private final ConcurrentMap<CertificateStoreConfiguration, TrustStore>     trustStores         = new ConcurrentHashMap<>();
-    private static CertificateStoreManager INSTANCE;
+    public CertificateStoreManager( )
+    {
-    static synchronized CertificateStoreManager getInstance( ) {
+        super( "Certificate Store Manager" );
-        if (INSTANCE == null) {
-            INSTANCE = new CertificateStoreManager();
-        }
-        return INSTANCE;
    }
-    private CertificateStoreManager( )
+    @Override
+    public synchronized void initialize( XMPPServer server )
    {
+        super.initialize( server );
        for ( ConnectionType type : ConnectionType.values() )
        {
            try
@@ -73,21 +73,29 @@ public class CertificateStoreManager
        }
    }
-    public static IdentityStore getIdentityStore( ConnectionType type )
+    @Override
+    public synchronized void destroy()
    {
-        final CertificateStoreManager manager = getInstance();
+        typeToIdentityStore.clear();
-        final CertificateStoreConfiguration configuration = manager.typeToIdentityStore.get( type );
+        typeToTrustStore.clear();
-        return manager.identityStores.get( configuration );
+        identityStores.clear();
+        trustStores.clear();
+        super.destroy();
    }
-    public static TrustStore getTrustStore( ConnectionType type )
+    public IdentityStore getIdentityStore( ConnectionType type )
    {
-        final CertificateStoreManager manager = getInstance();
+        final CertificateStoreConfiguration configuration = typeToIdentityStore.get( type );
-        final CertificateStoreConfiguration configuration = manager.typeToTrustStore.get( type );
+        return identityStores.get( configuration );
-        return manager.trustStores.get( configuration );
    }
-    public static void replaceIdentityStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
+    public TrustStore getTrustStore( ConnectionType type )
+    {
+        final CertificateStoreConfiguration configuration = typeToTrustStore.get( type );
+        return trustStores.get( configuration );
+    }
+    public void replaceIdentityStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
    {
        if ( type == null)
        {
@@ -98,27 +106,25 @@ public class CertificateStoreManager
            throw new IllegalArgumentException( "Argument 'configuration' cannot be null." );
        }
-        final CertificateStoreManager manager = getInstance();
+        final CertificateStoreConfiguration oldConfig = typeToIdentityStore.get( type ); // can be null if persisted properties are invalid
-        final CertificateStoreConfiguration oldConfig = manager.typeToIdentityStore.get( type ); // can be null if persisted properties are invalid
        if ( oldConfig == null || !oldConfig.equals( configuration ) )
        {
            // If the new store is not already being used by any other type, it'll need to be registered.
-            if ( !manager.identityStores.containsKey( configuration ) )
+            if ( !identityStores.containsKey( configuration ) )
            {
                // This constructor can throw an exception. If it does, the state of the manager should not have already changed.
                final IdentityStore store = new IdentityStore( configuration, true );
-                manager.identityStores.put( configuration, store );
+                identityStores.put( configuration, store );
            }
-            manager.typeToIdentityStore.put( type, configuration );
+            typeToIdentityStore.put( type, configuration );
            // If the old store is not used by any other type, it can be shut down.
-            if ( oldConfig != null && !manager.typeToIdentityStore.containsValue( oldConfig ) )
+            if ( oldConfig != null && !typeToIdentityStore.containsValue( oldConfig ) )
            {
-                manager.identityStores.remove( oldConfig );
+                identityStores.remove( oldConfig );
            }
            // Update all connection listeners that were using the old configuration.
@@ -137,7 +143,7 @@ public class CertificateStoreManager
        JiveGlobals.setProperty( type.getPrefix() + "keypass", new String( configuration.getPassword() ) );
    }
-    public static void replaceTrustStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
+    public void replaceTrustStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
    {
        if ( type == null)
        {
@@ -148,27 +154,25 @@ public class CertificateStoreManager
            throw new IllegalArgumentException( "Argument 'configuration' cannot be null." );
        }
-        final CertificateStoreManager manager = getInstance();
+        final CertificateStoreConfiguration oldConfig = typeToTrustStore.get( type ); // can be null if persisted properties are invalid
-        final CertificateStoreConfiguration oldConfig = manager.typeToTrustStore.get( type ); // can be null if persisted properties are invalid
        if ( oldConfig == null || !oldConfig.equals( configuration ) )
        {
            // If the new store is not already being used by any other type, it'll need to be registered.
-            if ( !manager.trustStores.containsKey( configuration ) )
+            if ( !trustStores.containsKey( configuration ) )
            {
                // This constructor can throw an exception. If it does, the state of the manager should not have already changed.
                final TrustStore store = new TrustStore( configuration, true );
-                manager.trustStores.put( configuration, store );
+                trustStores.put( configuration, store );
            }
-            manager.typeToTrustStore.put( type, configuration );
+            typeToTrustStore.put( type, configuration );
            // If the old store is not used by any other type, it can be shut down.
-            if ( oldConfig != null && !manager.typeToTrustStore.containsValue( oldConfig ) )
+            if ( oldConfig != null && !typeToTrustStore.containsValue( oldConfig ) )
            {
-                manager.trustStores.remove( oldConfig );
+                trustStores.remove( oldConfig );
            }
            // Update all connection listeners that were using the old configuration.
@@ -188,7 +192,7 @@ public class CertificateStoreManager
        JiveGlobals.setProperty( type.getPrefix() + "trustpass", new String( configuration.getPassword() )  );
    }
-    public static CertificateStoreConfiguration getIdentityStoreConfiguration( ConnectionType type ) throws IOException
+    public CertificateStoreConfiguration getIdentityStoreConfiguration( ConnectionType type ) throws IOException
    {
        // Getting individual properties might use fallbacks. It is assumed (but not asserted) that each property value
        // is obtained from the same connectionType (which is either the argument to this method, or one of its
@@ -201,7 +205,7 @@ public class CertificateStoreManager
        return new CertificateStoreConfiguration( keyStoreType, file, password.toCharArray() );
    }
-    public static CertificateStoreConfiguration getTrustStoreConfiguration( ConnectionType type ) throws IOException
+    public CertificateStoreConfiguration getTrustStoreConfiguration( ConnectionType type ) throws IOException
    {
        // Getting individual properties might use fallbacks. It is assumed (but not asserted) that each property value
        // is obtained from the same connectionType (which is either the argument to this method, or one of its

--- a/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
+++ b/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
@@ -656,9 +656,10 @@ public class SASLAuthentication {
    }
    public static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S) {
+        final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
        final ConnectionType connectionType = isS2S ? ConnectionType.SOCKET_S2S : ConnectionType.SOCKET_C2S;
-        final KeyStore keyStore   = CertificateStoreManager.getIdentityStore( connectionType ).getStore();
+        final KeyStore keyStore   = certificateStoreManager.getIdentityStore( connectionType ).getStore();
-        final KeyStore trustStore = CertificateStoreManager.getTrustStore( connectionType ).getStore();
+        final KeyStore trustStore = certificateStoreManager.getTrustStore( connectionType ).getStore();
        final X509Certificate trusted = CertificateManager.getEndEntityCertificate( chain, keyStore, trustStore );
        if (trusted != null) {
            return verifyCertificate(trusted, hostname);

--- a/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
@@ -34,6 +34,7 @@ import org.dom4j.io.XMPPPacketReader;
 import org.jivesoftware.openfire.Connection;
 import org.jivesoftware.openfire.SessionManager;
 import org.jivesoftware.openfire.StreamID;
+import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.keystore.CertificateStoreManager;
 import org.jivesoftware.openfire.net.SASLAuthentication;
@@ -153,7 +154,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
 	                            Connection.TLSPolicy.required;
 	            boolean hasCertificates = false;
 	            try {
-	                hasCertificates = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_S2S ).getStore().size() > 0;
+	                hasCertificates = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore().size() > 0;
 	            }
 	            catch (Exception e) {
 	                Log.error(e.getMessage(), e);
@@ -374,7 +375,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
        	usingSelfSigned = true;
        } else {
        	try {
-                final KeyStore keyStore = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_S2S ).getStore();
+                final KeyStore keyStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore();
 				usingSelfSigned = CertificateManager.isSelfSignedCertificate(keyStore, (X509Certificate) chain[0]);
 			} catch (KeyStoreException ex) {
 				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);

--- a/src/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java
+++ b/src/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java
@@ -3,6 +3,7 @@ package org.jivesoftware.openfire.spi;
 import org.apache.mina.filter.ssl.SslFilter;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.jivesoftware.openfire.Connection;
+import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -375,8 +376,9 @@ public class ConnectionConfiguration
        this.cipherSuitesEnabled = Collections.unmodifiableSet( suitesEnabled );
        this.cipherSuitesDisabled = Collections.unmodifiableSet( cipherSuitesDisabled );
-        this.identityStore = CertificateStoreManager.getIdentityStore( type );
+        final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
-        this.trustStore = CertificateStoreManager.getTrustStore( type );
+        this.identityStore = certificateStoreManager.getIdentityStore( type );
+        this.trustStore = certificateStoreManager.getTrustStore( type );
        this.Log = LoggerFactory.getLogger( this.getClass().getName() + "["+port+"-"+type+"]" );
    }

--- a/src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java
+++ b/src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java
@@ -85,6 +85,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
            Log.warn( "Unable to resolve bind address: ", e );
        }
+        final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
        // client-to-server
        clientListener = new ConnectionListener(
                ConnectionType.SOCKET_C2S,
@@ -96,8 +98,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                ConnectionSettings.Client.TLS_POLICY,
                ConnectionSettings.Client.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
        );
        clientSslListener = new ConnectionListener(
                ConnectionType.SOCKET_C2S,
@@ -109,8 +111,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                Connection.TLSPolicy.legacyMode.name(), // force legacy mode
                ConnectionSettings.Client.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
        );
        // BOSH / HTTP-bind
        boshListener = new ConnectionListener(
@@ -123,8 +125,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                Connection.TLSPolicy.disabled.name(), // StartTLS over HTTP? Should use boshSslListener instead.
                HttpBindManager.HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
        );
        boshSslListener = new ConnectionListener(
                ConnectionType.BOSH_C2S,
@@ -136,8 +138,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                Connection.TLSPolicy.legacyMode.name(),
                HttpBindManager.HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
        );
        // server-to-server (federation)
        serverListener = new ConnectionListener(
@@ -150,8 +152,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                ConnectionSettings.Server.TLS_POLICY,
                ConnectionSettings.Server.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_S2S ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_S2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_S2S )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_S2S )
        );
        // external components (XEP 0114)
        componentListener = new ConnectionListener(
@@ -164,8 +166,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                ConnectionSettings.Component.TLS_POLICY,
                ConnectionSettings.Component.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
        );
        componentSslListener = new ConnectionListener(
                ConnectionType.COMPONENT,
@@ -177,8 +179,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                Connection.TLSPolicy.legacyMode.name(), // force legacy mode
                ConnectionSettings.Component.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
        );
        // Multiplexers (our propertietary connection manager implementation)
@@ -192,8 +194,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                ConnectionSettings.Multiplex.TLS_POLICY,
                ConnectionSettings.Multiplex.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
        );
        connectionManagerSslListener = new ConnectionListener(
                ConnectionType.CONNECTION_MANAGER,
@@ -205,23 +207,23 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                Connection.TLSPolicy.legacyMode.name(), // force legacy mode
                ConnectionSettings.Multiplex.AUTH_PER_CLIENTCERT_POLICY,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
        );
        // Admin console (the Openfire web-admin) // TODO these use the XML properties instead of normal properties!
        webAdminListener = new ConnectionListener(
-            ConnectionType.WEBADMIN,
+                ConnectionType.WEBADMIN,
-            "adminConsole.port",
+                "adminConsole.port",
-            9090,
+                9090,
-            null,
+                null,
-            "adminConsole.serverThreads",
+                "adminConsole.serverThreads",
-            null,
+                null,
-            Connection.TLSPolicy.disabled.name(), // StartTLS over HTTP? Should use webAdminSslListener instead.
+                Connection.TLSPolicy.disabled.name(), // StartTLS over HTTP? Should use webAdminSslListener instead.
-            null,
+                null,
-            bindAddress,
+                bindAddress,
-            CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
-            CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
        );
        webAdminSslListener = new ConnectionListener(
@@ -234,8 +236,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                Connection.TLSPolicy.legacyMode.name(),
                null,
                bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
        );
    }

--- a/src/resources/jar/admin-sidebar.xml
+++ b/src/resources/jar/admin-sidebar.xml
@@ -141,28 +141,99 @@
                  url="security-certificate-store-management.jsp"
                  description="Manage Openfire Certificate stores">
-            <!--&lt;!&ndash; Certificate key stores ("Openfire Certificates") &ndash;&gt;-->
+                <sidebar id="sidebar-certificate-store-socket-c2s" name="${sidebar.client-connections-settings}">
+                    <item id="sidebar-certificate-store-SOCKET_C2S-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=SOCKET_C2S"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+                    <item id="sidebar-certificate-store-SOCKET_C2S-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=SOCKET_C2S"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+                </sidebar>
+                <sidebar id="sidebar-certificate-store-socket-s2s" name="${sidebar.server2server-settings}">
+                    <item id="sidebar-certificate-store-SOCKET_S2S-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=SOCKET_S2S"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+                    <item id="sidebar-certificate-store-SOCKET_S2S-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=SOCKET_S2S"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+                </sidebar>
+                <sidebar id="sidebar-certificate-store-bosh-c2s" name="${sidebar.http-bind}">
+                    <item id="sidebar-certificate-store-BOSH_C2S-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=BOSH_C2S"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+                    <item id="sidebar-certificate-store-BOSH_C2S-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=BOSH_C2S"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+                </sidebar>
+                <sidebar id="sidebar-certificate-store-component" name="${sidebar.external-components-settings}">
+                    <item id="sidebar-certificate-store-COMPONENT-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=COMPONENT"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+                    <item id="sidebar-certificate-store-COMPONENT-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=COMPONENT"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+                </sidebar>
+                <sidebar id="sidebar-certificate-store-connection-manager" name="${sidebar.connection-managers-settings}">
+                    <item id="sidebar-certificate-store-CONNECTION_MANAGER-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=CONNECTION_MANAGER"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+                    <item id="sidebar-certificate-store-CONNECTION_MANAGER-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=CONNECTION_MANAGER"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+                </sidebar>
+                <sidebar id="sidebar-certificate-store-webadmin" name="${admin.console}">
+                    <item id="sidebar-certificate-store-WEBADMIN-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=WEBADMIN"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+                    <item id="sidebar-certificate-store-WEBADMIN-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=WEBADMIN"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+                </sidebar>
+                <!--&lt;!&ndash; Certificate key stores ("Openfire Certificates") &ndash;&gt;-->
            <!--<item id="sidebar-certificates-keys" name="${sidebar.sidebar-certificates-keys}"-->
                    <!--url="security-keystore.jsp">-->
-                <sidebar id="sidebar-certificates-keys-submenu" name="${sidebar.sidebar-certificates-keys-submenu}">
+                <!--<sidebar id="sidebar-certificates-keys-submenu" name="${sidebar.sidebar-certificates-keys-submenu}">-->
-                    <!-- Socket Server Certificates -->
+                    <!--&lt;!&ndash; Socket Server Certificates &ndash;&gt;-->
-                    <item id="security-keystore-socket" name="${sidebar.security-keystore-socket}"
+                    <!--<item id="security-keystore-socket" name="${sidebar.security-keystore-socket}"-->
-                          url="security-keystore.jsp?connectivityType=socket"
+                          <!--url="security-keystore.jsp?connectivityType=socket"-->
-                          description="${sidebar.security-keystore-socket.descr}"/>
+                          <!--description="${sidebar.security-keystore-socket.descr}"/>-->
-                    <!-- BOSH Server Certificates -->
+                    <!--&lt;!&ndash; BOSH Server Certificates &ndash;&gt;-->
-                    <item id="security-keystore-bosh" name="${sidebar.security-keystore-bosh}"
+                    <!--<item id="security-keystore-bosh" name="${sidebar.security-keystore-bosh}"-->
-                          url="security-keystore.jsp?connectivityType=bosh"
+                          <!--url="security-keystore.jsp?connectivityType=bosh"-->
-                          description="${sidebar.security-keystore-bosh.descr}"/>
+                          <!--description="${sidebar.security-keystore-bosh.descr}"/>-->
-                    <!-- Administrative Server Certificates -->
+                    <!--&lt;!&ndash; Administrative Server Certificates &ndash;&gt;-->
-                    <item id="security-keystore-administrative" name="${sidebar.security-keystore-administrative}"
+                    <!--<item id="security-keystore-administrative" name="${sidebar.security-keystore-administrative}"-->
-                          url="security-keystore.jsp?connectivityType=administrative"
+                          <!--url="security-keystore.jsp?connectivityType=administrative"-->
-                          description="${sidebar.security-keystore-administrative.descr}"/>
+                          <!--description="${sidebar.security-keystore-administrative.descr}"/>-->
-                </sidebar>
+                <!--</sidebar>-->
            </item>

--- a/src/web/import-keystore-certificate.jsp
+++ b/src/web/import-keystore-certificate.jsp
 <%@ page errorPage="error.jsp" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
@@ -42,7 +41,7 @@
        }
        if (errors.isEmpty()) {
            try {
-                final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( storeConnectionType );
+                final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( storeConnectionType );
                // Create an alias for the signed certificate
                String domain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();

--- a/src/web/import-truststore-certificate.jsp
+++ b/src/web/import-truststore-certificate.jsp
 <%@ page errorPage="error.jsp"%>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager"%>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -33,7 +33,7 @@
    if (save && errors.isEmpty())
    {
-        final TrustStore trustStoreConfig = CertificateStoreManager.getTrustStore( storeConnectionType );
+        final TrustStore trustStoreConfig = XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( storeConnectionType );
        if (alias == null || "".equals(alias))
        {

--- a/src/web/index.jsp
+++ b/src/web/index.jsp
@@ -32,7 +32,6 @@
 <%@ page import="org.jivesoftware.openfire.container.AdminConsolePlugin" %>
 <%@ page import="org.jivesoftware.openfire.filetransfer.proxy.FileTransferProxy" %>
 <%@ page import="org.jivesoftware.openfire.http.HttpBindManager" %>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
@@ -243,7 +242,7 @@
                    <fmt:message key="index.server_name" />
                </td>
                <td class="c2">
-                    <% final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_C2S ); %>
+                    <% final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_C2S ); %>
                    <% try { %>
                    <% if (!identityStore.containsDomainCertificate( "RSA" )) {%>
                    <img src="images/warning-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="index.certificate-warning" />" title="<fmt:message key="index.certificate-warning" />">&nbsp;

--- a/src/web/security-certificate-details.jsp
+++ b/src/web/security-certificate-details.jsp
@@ -9,6 +9,7 @@
 <%@ page import="java.security.cert.X509Certificate" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -43,11 +44,12 @@
    {
        try
        {
+            final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
            final CertificateStore store;
            if (isTrustStore) {
-                store = CertificateStoreManager.getTrustStore( storeConnectionType );
+                store = certificateStoreManager.getTrustStore( storeConnectionType );
            } else {
-                store = CertificateStoreManager.getIdentityStore( storeConnectionType );
+                store = certificateStoreManager.getIdentityStore( storeConnectionType );
            }
            // Get the certificate

--- a/src/web/security-certificate-store-management.jsp
+++ b/src/web/security-certificate-store-management.jsp
 <%@ page errorPage="error.jsp"%>
->
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
-<%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="java.util.HashMap" %>
+<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
+<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
-<%  webManager.init( request, response, session, application, out );
+<jsp:useBean id="now" class="java.util.Date"/>
+<%  webManager.init(request, response, session, application, out );
-    // Read parameters
-    final boolean save                       = request.getParameter("save") != null;
-    // TODO actually save something!
-    // Pre-update property values
    final Map<String, String> errors = new HashMap<>();
    pageContext.setAttribute( "errors", errors );
+    pageContext.setAttribute( "connectionTypes", ConnectionType.values() );
+    pageContext.setAttribute( "certificateStoreManager", XMPPServer.getInstance().getCertificateStoreManager());
 %>
 <html>
 <head>
    <title>Certificate Stores</title>
    <meta name="pageID" content="security-certificate-store-management"/>
 </head>
-<>
 <c:forEach var="err" items="${errors}">
    <admin:infobox type="error">
-        <c:if test="${not empty err.value}">
+        <c:choose>
-            <fmt:message key="admin.error"/>: <c:out value="${err.value}"/>
+            <!--Use the template below for specific error messages. -->
-        </c:if>
+            <c:when test="${err.key eq 'template'}">
-        (<c:out value="${err.key}"/>)
+                An unexpected error occurred.
+            </c:when>
+            <c:otherwise>
+                <c:if test="${not empty err.value}">
+                    <fmt:message key="admin.error"/>: <c:out value="${err.value}"/>
+                </c:if>
+                (<c:out value="${err.key}"/>)
+            </c:otherwise>
+        </c:choose>
    </admin:infobox>
 </c:forEach>
-<c:if test="${param.success}">
-    <admin:infobox type="success">Settings Updated Successfully</admin:infobox>
-</c:if>
-<c:if test="${param.noChange}">
-    <admin:infobox type="info">The provided settings were no different than before. Nothing changed.</admin:infobox>
-</c:if>
 <p>
    Certificates are used (through TLS and SSL protocols) to establish secure connections between servers and clients.
    When a secured connection is being created, parties can retrieve a certificate from the other party and (amongst
@@ -66,46 +64,37 @@
 <p>
    This section of the admin panel is dedicated to management of the various key and trust stores that act as
    repositories for sets of security certificates. By default, a small set of stores is re-used for various purposes,
-    but Openfire allows you to configure a distinct set of stores for each type. To do so, please change the store
+    but Openfire allows you to configure a distinct set of stores for each connection type.
-    locations below.
 </p>
-<form action="security-certificate-store-management.jsp" method="post">
+<c:forEach items="${connectionTypes}" var="connectionType">
-    <div class="jive-contentBoxHeader">
+    <c:set var="trustStore" value="${certificateStoreManager.
-        Regular XMPP connection Stores
+    <admin:contentBox title="XMPP Client Connection Stores">
-    </div>
-    <div class="jive-contentBox">
-        <p>
-            These stores are used for regular, TCP-based XMPP communication. Three stores are provided: one identity store
-            and two trust stores. One of the trust stores applies to server-to-server federation. The other trust store
-            applies to the optional client-based mutual authentication feature in Openfire.
-        </p>
        <p>
-            Openfire ships with an empty client trust store, as in typical environments, certificate-based authentication of
+            These stores are used for regular, TCP-based client-to-server XMPP communication. Two stores are provided:
-            clients is not required.
+            one identity store and a trust store. Openfire ships with an empty client trust store, as in typical
+            environments, certificate-based authentication of clients is not required.
        </p>
        <table cellpadding="0" cellspacing="0" border="0">
            <tbody>
-                <tr>
+            <tr>
-                    <td><label for="loc-key-socket">Identity Store:</label></td>
+                <td><label for="loc-key-socket">Identity Store:</label></td>
-                    <td><input id="loc-key-socket" name="loc-key-socket" type="text" size="40" value="${locKeySocket}"/></td>
+                <td><input id="loc-key-socket" name="loc-key-socket" type="text" size="40" value="${locKeySocket}"/></td>
-                    <td><a href="security-keystore.jsp?storeConnectionType=SOCKETBASED_IDENTITYSTORE">Manage Store Contents</a></td>
+                <td><a href="security-keystore.jsp?connectionType=${connectionType}">Manage Store Contents</a></td>
-                </tr>
+            </tr>
-                <tr>
+            <tr>
-                    <td><label for="loc-trust-socket-s2s">Server Trust Store:</label></td>
+                <td><label for="loc-trust-socket-c2s">Trust Store:</label></td>
-                    <td><input id="loc-trust-socket-s2s" name="loc-trust-socket-s2s" type="text" size="40" value="${locTrustSocketS2S}"/></td>
+                <td><input id="loc-trust-socket-c2s" name="loc-trust-socket-c2s" type="text" size="40" value="${locTrustSocketC2S}"/></td>
-                    <td><a href="security-truststore.jsp?storeConnectionType=SOCKETBASED_S2S_TRUSTSTORE">Manage Store Contents</a></td>
+                <td><a href="security-truststore.jsp?storeConnectionType=${connectionType}">Manage Store Contents</a></td>
-                </tr>
+            </tr>
-                <tr>
-                    <td><label for="loc-trust-socket-c2s">Client Trust Store:</label></td>
-                    <td><input id="loc-trust-socket-c2s" name="loc-trust-socket-c2s" type="text" size="40" value="${locTrustSocketC2S}"/></td>
-                    <td><a href="security-truststore.jsp?storeConnectionType=SOCKETBASED_C2S_TRUSTSTORE">Manage Store Contents</a></td>
-                </tr>
            </tbody>
        </table>
-    </div>
+    </admin:contentBox>
+</c:forEach>
    <div class="jive-contentBoxHeader">
        BOSH (HTTP Binding) connection Stores
@@ -188,8 +177,8 @@
        </table>
    </div>
-    <!-- TODO enable me <input type="submit" name="save" value="<fmt:message key="global.save_settings" />"> -->
 </form>
+-->
 </body>
 </html>
--- a/src/web/security-keystore.jsp
+++ b/src/web/security-keystore.jsp
@@ -2,7 +2,6 @@
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.container.AdminConsolePlugin" %>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
@@ -15,26 +14,27 @@
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
 <jsp:useBean id="now" class="java.util.Date"/>
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"/>
 <% webManager.init(request, response, session, application, out); %>
 <% // Get parameters:
-    final boolean generate        = ParamUtils.getBooleanParameter(request, "generate");
+    final boolean generate          = ParamUtils.getBooleanParameter(request, "generate");
-    final boolean delete          = ParamUtils.getBooleanParameter(request, "delete");
+    final boolean delete            = ParamUtils.getBooleanParameter(request, "delete");
-    final boolean importReply     = ParamUtils.getBooleanParameter(request, "importReply");
+    final boolean importReply       = ParamUtils.getBooleanParameter(request, "importReply");
-    final String alias            = ParamUtils.getParameter( request, "alias" );
+    final String alias              = ParamUtils.getParameter( request, "alias" );
-    final String storePurposeText = ParamUtils.getParameter( request, "storeConnectionType" );
+    final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
-    final Map<String, String> errors = new HashMap<String, String>();
+    final Map<String, String> errors = new HashMap<>();
-    ConnectionType storeConnectionType = null;
+    ConnectionType connectionType = null;
    IdentityStore identityStore = null;
    try
    {
-        storeConnectionType = ConnectionType.valueOf( storePurposeText );
+        connectionType = ConnectionType.valueOf( connectionTypeText );
-        identityStore = CertificateStoreManager.getIdentityStore( storeConnectionType );
+        identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( connectionType );
        if ( identityStore == null )
        {
            errors.put( "identityStore", "Unable to get an instance." );
@@ -42,15 +42,15 @@
    }
    catch (RuntimeException ex)
    {
-        errors.put( "storeConnectionType", ex.getMessage() );
+        errors.put( "connectionType", ex.getMessage() );
    }
    if ( errors.isEmpty() )
    {
-        pageContext.setAttribute( "storeConnectionType", storeConnectionType );
+        pageContext.setAttribute( "connectionType", connectionType );
        pageContext.setAttribute( "identityStore", identityStore );
-        final Set<ConnectionType> sameStoreConnectionTypes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( storeConnectionType );
+        final Set<ConnectionType> sameStoreConnectionTypes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( connectionType );
        pageContext.setAttribute( "sameStoreConnectionTypes", sameStoreConnectionTypes );
        final Map<String, X509Certificate> certificates = identityStore.getAllCertificates();
@@ -72,8 +72,8 @@
                    identityStore.delete( alias );
                    // Log the event
-                    webManager.logEvent( "deleted SSL cert from " + storePurposeText + " with alias " + alias, null );
+                    webManager.logEvent( "deleted SSL cert from " + connectionType + " with alias " + alias, null );
-                    response.sendRedirect( "security-keystore.jsp?storeConnectionType=" + storePurposeText + "&deletesuccess=true" );
+                    response.sendRedirect( "security-keystore.jsp?connectionType=" + connectionType+ "&deletesuccess=true" );
                    return;
                }
                catch ( Exception e )
@@ -141,13 +141,13 @@
 <html>
    <head>
        <title><fmt:message key="ssl.certificates.keystore.title"/></title>
-        <meta name="pageID" content="security-keystore"/>
+        <meta name="subPageID" content="sidebar-certificate-store-${fn:toLowerCase(connectionType)}-identity-store"/>
    </head>
    <body>
        <c:if test="${restartNeeded}">
            <admin:infobox type="warning">
                <fmt:message key="ssl.certificates.keystore.restart_server">
-                    <fmt:param value="<a href='server-restart.jsp?page=security-keystore.jsp&storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='server-restart.jsp?page=security-keystore.jsp&connectionType=${connectionType}'>"/>
                    <fmt:param value="</a>"/>
                </fmt:message>
            </admin:infobox>
@@ -175,9 +175,9 @@
        <c:if test="${not validDSACert or not validRSACert}">
            <admin:infobox type="warning">
                <fmt:message key="ssl.certificates.keystore.no_installed">
-                    <fmt:param value="<a href='security-keystore.jsp?generate=true&storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='security-keystore.jsp?generate=true&connectionType=${connectionType}'>"/>
                    <fmt:param value="</a>"/>
-                    <fmt:param value="<a href='import-keystore-certificate.jsp?storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
                    <fmt:param value="</a>"/>
                </fmt:message>
            </admin:infobox>
@@ -200,7 +200,7 @@
        <p>
            <fmt:message key="ssl.certificates.keystore.info">
-                <fmt:param value="<a href='import-keystore-certificate.jsp?storeConnectionType=${storeConnectionType}'>"/>
+                <fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
                <fmt:param value="</a>"/>
            </fmt:message>
        </p>
@@ -274,7 +274,7 @@
                            %>
                            <tr valign="top">
                                <td>
-                                    <a href="security-certificate-details.jsp?storeConnectionType=${storeConnectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
+                                    <a href="security-certificate-details.jsp?connectionType=${connectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
                                        <c:forEach items="${identities}" var="currentItem" varStatus="stat">
                                            <c:out value="${stat.first ? '' : ','} ${currentItem}"/>
                                        </c:forEach>
@@ -326,7 +326,7 @@
                                    <c:out value="${certificate.publicKey.algorithm}"/>
                                </td>
                                <td width="1" align="center">
-                                    <a href="security-keystore.jsp?alias=${alias}&storeConnectionType=${storeConnectionType}&delete=true"
+                                    <a href="security-keystore.jsp?alias=${alias}&connectionType=${connectionType}&delete=true"
                                       title="<fmt:message key="global.click_delete"/>"
                                       onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                            ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

--- a/src/web/security-truststore.jsp
+++ b/src/web/security-truststore.jsp
 <%@ page errorPage="error.jsp"%>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager"%>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
@@ -8,6 +7,7 @@
 <%@ page import="java.util.Map" %>
 <%@ page import="java.util.Set" %>
 <%@ page import="java.security.cert.X509Certificate" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -20,29 +20,29 @@
    final boolean delete          = ParamUtils.getBooleanParameter( request, "delete" );
    final String alias            = ParamUtils.getParameter( request, "alias" );
-    final String storePurposeText = ParamUtils.getParameter(request, "storeConnectionType");
+    final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
    final Map<String, String> errors = new HashMap<>();
-    ConnectionType storeConnectionType = null;
+    ConnectionType connectionType = null;
    TrustStore trustStore = null;
    try
    {
-        storeConnectionType = ConnectionType.valueOf( storePurposeText );
+        connectionType = ConnectionType.valueOf( connectionTypeText );
-        trustStore = CertificateStoreManager.getTrustStore( storeConnectionType );
+        trustStore = XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( connectionType );
        if ( trustStore == null )
        {
            errors.put( "trustStore", "Unable to get an instance." );
        }
    }
-    catch (RuntimeException ex)
+    catch ( RuntimeException ex )
    {
-        errors.put( "storeConnectionType", ex.getMessage() );
+        errors.put( "connectionType", ex.getMessage() );
    }
    if ( errors.isEmpty() )
    {
-        pageContext.setAttribute( "storeConnectionType", storeConnectionType );
+        pageContext.setAttribute( "connectionType", connectionType );
        pageContext.setAttribute( "trustStore", trustStore );
        final Set<ConnectionType> sameStoreConnectionTypes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( storeConnectionType );
@@ -64,8 +64,8 @@
                    trustStore.delete( alias );
                    // Log the event
-                    webManager.logEvent( "deleted SSL cert from " + storePurposeText + " with alias " + alias, null );
+                    webManager.logEvent( "deleted SSL cert from " + connectionType + " with alias " + alias, null );
-                    response.sendRedirect( "security-truststore.jsp?storeConnectionType=" + storePurposeText + "&deletesuccess=true" );
+                    response.sendRedirect( "security-keystore.jsp?connectionType=" + connectionType+ "&deletesuccess=true" );
                    return;
                }
                catch ( Exception e )
@@ -81,7 +81,7 @@
 <html>
    <head>
-        <title><fmt:message key="certificate-management.connectionType.${storeConnectionType}.title"/></title>
+        <title><fmt:message key="certificate-management.connectionType.${connectionType}.title"/></title>
        <meta name="pageID" content="security-truststore"/>
        <style>
            .info-header {
@@ -133,9 +133,9 @@
            <admin:infobox type="success"><fmt:message key="ssl.certificates.added_updated"/></admin:infobox>
        </c:if>
-        <c:if test="${storeConnectionType != null}">
+        <c:if test="${connectionType != null}">
            <p>
-                <fmt:message key="certificate-management.connectionType.${storeConnectionType}.description"/>
+                <fmt:message key="certificate-management.connectionType.${connectionType}.description"/>
            </p>
            <table border="0" width="100%">
@@ -177,7 +177,7 @@
            <p>
                <fmt:message key="ssl.certificates.truststore.link-to-import">
-                    <fmt:param value="<a href='import-truststore-certificate.jsp?storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='import-truststore-certificate.jsp?connectionType=${connectionType}'>"/>
                    <fmt:param value="</a>"/>
                </fmt:message>
            </p>
@@ -230,7 +230,7 @@
                                <tr valign="top">
                                    <td>
-                                        <a href="security-certificate-details.jsp?storeConnectionType=${storeConnectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
+                                        <a href="security-certificate-details.jsp?connectionType=${connectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
                                            <c:choose>
                                                <c:when test="${empty fn:trim(organization)}">
                                                    <c:out value="${commonname}"/>
@@ -264,7 +264,7 @@
                                        <c:out value="${certificate.publicKey.algorithm}"/>
                                    </td>
                                    <td width="1" align="center">
-                                        <a href="security-truststore.jsp?storeConnectionType=${storeConnectionType}&alias=${alias}&delete=true"
+                                        <a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true"
                                           title="<fmt:message key="global.click_delete"/>"
                                           onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                                ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>