2 Replies Latest reply on Jan 20, 2011 1:03 PM by peterj

Enable Security

alan854 Jan 20, 2011 1:05 PM

Hello JBossCommunity,

I'm using jboss-as-distribution-6.0.0.20100429-M3 + WS (axis 1.4)

I have to provide a secure way to transmit data from client to server. I've read that SSL with mutual authentication is a good way to provide it. But, if any body has a better sugestion on how to do it, let me know.

I'm trying to configure mutual authentication with BaseCertLoginModule

over SSL, but I'm getting the following errors:

**************************************************************************************

error at server side

17:19:26,812 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] Handshake failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:523) [:1.6]

at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:355) [:1.6]

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789) [:1.6]

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120) [:1.6]

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147) [:1.6]

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131) [:1.6]

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:186)

at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:1143)

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)

at java.lang.Thread.run(Thread.java:619) [:1.6.0_20]

error at client side

java.net.SocketException: Software caused connection abort: socket write error

**************************************************************************************

Here follows my configuration files

script to generate the keys

**************************************************************************************

set SERVER_DN="CN=server, OU=X, O=Y, L=Z, S=XY, C=YZ"

set CLIENT_DN="CN=client, OU=X, O=Y, L=Z, S=XY, C=YZ"

set KSDEFAULTS=-storepass changeit -storetype JKS

set KEYINFO=-keyalg RSA

keytool -genkey -dname %SERVER_DN% %KSDEFAULTS% -keystore server.ks %KEYINFO% -keypass changeit

keytool -export -file temp$.cer %KSDEFAULTS% -keystore server.ks

keytool -import -file temp$.cer %KSDEFAULTS% -keystore client.ts -alias serverkey -noprompt

keytool -genkey -dname %CLIENT_DN% %KSDEFAULTS% -keystore client.ks %KEYINFO% -keypass changeit

keytool -export -file temp$.cer %KSDEFAULTS% -keystore client.ks

keytool -import -file temp$.cer %KSDEFAULTS% -keystore server.ts -alias clientkey -noprompt

**************************************************************************************

file:${jboss.server.home.dir}/conf/server.ks

**************************************************************************************

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey

Creation date: 17/01/2011

Entry type: PrivateKeyEntry

Certificate chain length: 1

Certificate[1]:

Owner: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

Issuer: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

Serial number: 4d34949e

Valid from: Mon Jan 17 17:12:30 BRST 2011 until: Sun Apr 17 16:12:30 BRT 2011

Certificate fingerprints:

MD5: 5A:56:DD:D8:5B:9E:94:55:77:7E:70:D3:AE:E5:0B:C5

SHA1: 14:B3:95:33:E7:D2:F3:BB:94:DA:E9:1C:38:8A:9F:03:1B:35:4E:8C

Signature algorithm name: SHA1withRSA

Version: 3

**************************************************************************************

file/${jboss.server.home.dir}/conf/server.ts

**************************************************************************************

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: clientkey

Creation date: 17/01/2011

Entry type: trustedCertEntry

Owner: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

Issuer: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

Serial number: 4d34949f

Valid from: Mon Jan 17 17:12:31 BRST 2011 until: Sun Apr 17 16:12:31 BRT 2011

Certificate fingerprints:

MD5: B2:C1:C8:9A:BB:84:F0:79:03:68:91:89:20:EC:85:CF

SHA1: C5:BC:7A:7D:E6:0E:5E:D4:1F:D9:BC:56:D3:91:20:A3:25:09:B2:2A

Signature algorithm name: SHA1withRSA

Version: 3

**************************************************************************************

file:c:/client.ks

**************************************************************************************

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey

Creation date: 17/01/2011

Entry type: PrivateKeyEntry

Certificate chain length: 1

Certificate[1]:

Owner: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

Issuer: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

Serial number: 4d3469a5

Valid from: Mon Jan 17 14:09:09 BRST 2011 until: Sun Apr 17 13:09:09 BRT 2011

Certificate fingerprints:

MD5: 91:57:82:07:38:34:C5:1F:AB:5C:0D:51:65:DB:5B:B0

SHA1: 7D:12:14:E1:75:78:E3:79:1B:62:B6:A3:17:A9:FA:11:51:A7:69:06

Signature algorithm name: SHA1withRSA

Version: 3

**************************************************************************************

file:c:/client.ts

**************************************************************************************

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: serverkey

Creation date: 17/01/2011

Entry type: trustedCertEntry

Owner: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

Issuer: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

Serial number: 4d3469a4

Valid from: Mon Jan 17 14:09:08 BRST 2011 until: Sun Apr 17 13:09:08 BRT 2011

Certificate fingerprints:

MD5: 99:9F:51:27:BA:40:C1:91:14:B6:1B:36:EB:39:4F:57

SHA1: 7A:98:0E:B5:99:2A:4A:41:6D:CC:D3:90:4D:AB:3A:93:81:87:AE:B8

Signature algorithm name: SHA1withRSA

Version: 3

**************************************************************************************

file:${jboss.server.home.dir}/deploy/interligation-service.xml

**************************************************************************************

<attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.ts</attribute>

<attribute name="KeyStorePass">changeit</attribute>

<depends>jboss.security:service=JaasSecurityManager</depends>

</mbean>

</server>

**************************************************************************************

file:${jboss.server.home.dir}/deploy/jbossweb.sar/server.xml

**************************************************************************************

...

...

<Connector protocol="HTTP/1.1" port="10101" address="${jboss.bind.address}"

maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="2"

maxSpareThreads="75" enableLookups="false" redirectPort="8443"

acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"

compression="on" compressionMinSize="1" noCompressionUserAgents="gozilla, traviata"

compressableMimeType="text/html,text/xml"/>

<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"

address="${jboss.bind.address}" scheme="https" secure="true"

clientAuth="false"

keystoreFile="${jboss.server.home.dir}/conf/server.ks" keystorePass="changeit"

truststoreFile="${jboss.server.home.dir}/conf/server.ts"

sslProtocol="TLS"/>

...

</Service name="jboss.web">

...

</Server>

**************************************************************************************

file:${jboss.server.home.dir}/conf/login-config.xml

**************************************************************************************

...

<application-policy name="interligation-domain">

<login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">

<module-option name="password-stacking">useFirstPass</module-option>

<module-option name="securityDomain">java:/jaas/interligation-domain</module-option>

</login-module>

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

<module-option name="password-stacking">useFirstPass</module-option>

<module-option name="usersProperties">props/interligation-users.properties</module-option>

<module-option name="rolesProperties">props/interligation-roles.properties</module-option>

</login-module>

</authentication>

</application-policy>

...

</policy>

**************************************************************************************

file:${jboss.server.home.dir}/conf/props/interligation-users.properties

**************************************************************************************

CN\=server,\ OU\=X,\ O\=Y,\ L\=Z,\ ST\=XY,\ C\=YZ=JBossAdmin

admin=JBossAdmin

**************************************************************************************

file:${jboss.server.home.dir}/conf/props/interligation-roles.properties

**************************************************************************************

admin=JBossAdmin,HttpInvoker

**************************************************************************************

file:$webapp/WebContent/web.xml

**************************************************************************************

<web-app>

...

<security-constraint>

<web-resource-collection>

<web-resource-name>HtmlAdaptor</web-resource-name>

<description>An example security config that only allows users with

the role JBossAdmin to access the HTML JMX console web

application </description>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>JBossAdmin</role-name>

</auth-constraint>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint>

</security-constraint>

<login-config>

<auth-method>BASIC</auth-method>

<realm-name>JBoss JMX Console</realm-name>

</login-config>

<security-role>

<role-name>JBossAdmin</role-name>

</security-role>

...

</web-app>

**************************************************************************************

file:$webapp/WebContent/jboss-web.xml

**************************************************************************************

<jboss-web>

...

<security-domain>java:/jaas/interligation-domain</security-domain>

...

</jboss-web>

**************************************************************************************

file:$clientapp/client-config.wsdd

**************************************************************************************

<deployment

name="commonsHTTPConfig"

xmlns="http://xml.apache.org/axis/wsdd/"

xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

...

...

</handler>

...

</globalConfiguration>

</deployment>

**************************************************************************************

Thanks for your attention,

Alan

1. Re: Enable Security

alan854 Jan 20, 2011 1:05 PM (in response to alan854)

Hello again!!!
I was passing wrong port to server, than connector was redirecting to http instead of https.
But now I'm getting this following error:

server side:
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545289296 sessioncount 0
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545289296 sessioncount 0
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
15:41:39,765 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /datacenter/services/InterligationServiceController
15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[HtmlAdaptor]' against POST /services/InterligationServiceController --> true
15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[HtmlAdaptor]' against POST /services/InterligationServiceController --> true
15:41:39,765 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase]   Redirecting to https://127.0.0.1:8443/datacenter/services/InterligationServiceController
15:41:39,781 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed hasUserDataPermission() test
15:41:49,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545309296 sessioncount 0
15:41:49,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
15:41:49,812 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass
15:41:49,968 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.firstpass] Local XARecoveryModule - first pass
15:41:59,968 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_6] - TORecoveryModule - second pass
15:41:59,968 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.secondpass] Local XARecoveryModule - second pass

client-side:
(302)Moved Temporarily

Thanks for advice,
Alan
Actions
2. Enable Security

peterj Jan 20, 2011 1:03 PM (in response to alan854)

Please stop yelling!
Actions

Go to original post