Version 3

    Mutual Authentication on JBoss 7.2.0.Final


    These are steps that will get you to the point where JBoss 7.2.0.Final is set up with mutual authentication.


    OpenSSL Steps to Generate Server Certificate and Client Certificate Files

    1. Create the key pair for the CA:


    openssl genrsa -out ca.key 1024


    2. Create the root certificate:


    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt


    3. Generate a key pair for the server (the demoCA directory, index.txt and serial file are the layout that the openssl ca command used in steps 5 and 8 expects by default):


    mkdir -p demoCA/newcerts

    touch demoCA/index.txt

    echo '01' > demoCA/serial

    openssl genrsa -out localhost.key 2048

    4. Create the CSR for the web server:


    openssl req -new -key localhost.key -out localhost.csr


    5. Sign it with the CA:


    openssl ca -keyfile ca.key -cert ca.crt -out localhost.crt -policy policy_anything -infiles localhost.csr

    6. On the client, create the key pair for the client:


    openssl genrsa -out client.key 2048


    7. On the client, create a CSR:


    openssl req -new -key client.key -out client.csr


    8. On the server, our CA will sign the request:


    openssl ca -keyfile ca.key -cert ca.crt -out client.crt -policy policy_anything -infiles client.csr

    9. Verify that you have 2 new PEM files in demoCA/newcerts, one for each certificate the CA signed.


    10. Create a PKCS#12 file (which combines the certificate with its private key) for the server:


    openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name aliasname


    11. Create a PKCS#12 file (which combines the certificate with its private key) for the client:


    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name aliasname
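    The OpenSSL steps above, as an added example that is not part of the original page: a POSIX shell script that runs steps 1 through 11 non-interactively (-subj and -batch instead of prompts, plus a minimal CA config written inline so openssl ca does not depend on the system openssl.cnf) and then checks that each issued certificate chains to ca.crt. The subject names, the export password and the ca.cnf contents are assumptions, not from the page.

```shell
# Added example: the OpenSSL steps 1-11 above run non-interactively in the current
# (scratch) directory, with a minimal CA config written inline so `openssl ca`
# does not depend on the system openssl.cnf. Names and passwords are placeholders.
set -eu; P12PASS=changeit   # export password for the .p12 files (placeholder)
write_ca_config() {
  mkdir -p demoCA/newcerts; : > demoCA/index.txt; echo 01 > demoCA/serial  # step 3 layout
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = leaf_ext
[ policy_anything ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
make_ca() {   # steps 1-2: CA key and self-signed root (2048-bit, not the 1024 in the text)
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=Demo Root CA" -config ca.cnf
}
issue_cert() {   # steps 3-8 generalised: issue_cert <file-prefix> <common-name>
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$2" -config ca.cnf
  openssl ca -batch -config ca.cnf -keyfile ca.key -cert ca.crt -notext -out "$1.crt" -infiles "$1.csr"
}
make_p12() {   # steps 10-11: bundle cert + key under the alias keytool imports later
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$1.p12" -name aliasname -passout "pass:$P12PASS"
}
verify_chain() { openssl verify -CAfile ca.crt "$1.crt" >/dev/null; }  # cert chains to ca.crt
generate_all() {
  write_ca_config; make_ca
  issue_cert localhost localhost; issue_cert client client
  make_p12 localhost; make_p12 client
  verify_chain localhost && verify_chain client   # step 9's two files are now in demoCA/newcerts
}
```

    Run it in an empty directory. If keytool later refuses the .p12 produced by OpenSSL 3, re-export it with the -legacy option of openssl pkcs12, which falls back to the older PKCS#12 encryption that every keytool understands.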


    Java Keystore Steps

    1. Run the keytool to create the keystore JKS file with the server PKCS#12 file we created in step 10:


    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore localhost.p12 -srcstoretype PKCS12 -alias aliasname


    2. Run the keytool to create the trust store file from the CA certificate (the server uses this store to validate client certificates signed by that CA):


    keytool -import -keystore cacerts.jks -storepass changeit -alias aliasname -file ca.crt


    JBoss 7.2.0.Final Steps

    (Steps assume you are using the standalone setup; adapt the paths for a domain setup if applicable.)

    1. Copy both JKS keystore files from the previous steps into $JBOSS_HOME/standalone/configuration
    2. Edit $JBOSS_HOME/standalone/standalone.xml

         In subsystem urn:jboss:domain:web:1.4, add:

         <connector name="https" protocol="HTTP/1.1" scheme="https"
                    socket-binding="https" secure="true">
             <ssl name="https" key-alias="aliasname" password="changeit"
                  certificate-key-file="../standalone/configuration/keystore.jks"
                  ca-certificate-file="../standalone/configuration/cacerts.jks"
                  verify-client="true" />
         </connector>

         The relative paths are resolved against the directory JBoss is started from, so they assume the usual start from $JBOSS_HOME/bin; the password is the keystore password set with keytool above.

    Test it

    1. Restart the JBoss service.
    2. Try https://localhost:8443/ - you should get no access, because you have not yet installed a client certificate.
    3. Install the client.p12 file you generated earlier into your browser.
    4. Repeat the test; it should now work.
