1 2 3 4 Previous Next 55 Replies Latest reply: Apr 23, 2013 1:11 PM by guillaume cornet Go to original post RSS
  • 45. Re: HTTPS on JBoss AS 7 - truststore configuration
    Chris Lott Newbie

    I'm answering my own question here : )  First a summary of my requirements for using JBoss AS 7.1.1.Final: (1) Server accepts https connections with self-signed certificate; (2) Webapp requires client to present a self-signed user certificate; and (3) webapp Java code obtains the authenticated user name.  This forum thread answers items 1 and 2 pretty well; I finally got all the errors out of my configurations and item 3 started working. 

     

    I'm using only Java Keystore (JKS) format in my server-side files; this is just how they were provided to me. I'm not exactly a crypto file expert so I'm trying to get this right.  The keystore.jks file has the self-signed server certificate and associated key.  The truststore.jks file has the certificates for the authorities that signed the client certificates that the browser will present to the server; it does not have the client certificate.   (Separately I imported user-cert.p12 files to the browser, but that's a different story.)

     

    I still don't quite understand why the server certificate keystore and user certificate truststore must be provided both to the "jsse" element *and* again to the "ssl" element.  I don't like this duplication, maybe there's a good reason, or maybe it's an issue that will be fixed some day.

     

    Anyhow here are portions of my config files, I hope I included everything relevant.  First the server files, then the webapp files.

     

    standalone.xml part 1

     

    <security-domain name="RequireCertificateDomain">
    <authentication>
    <login-module code="CertificateRoles" flag="required">
    <module-option name="securityDomain" value="RequireCertificateDomain"/>
    <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
    <module-option name="usersProperties" 
            value="file:/home/jboss-as-7.1.1.Final/standalone/configuration/my-users.properties"/>
    <module-option name="rolesProperties" 
            value="file:/home/jboss-as-7.1.1.Final/standalone/configuration/my-roles.properties"/>
    </login-module>
    </authentication>
    <jsse keystore-password="changeit" 
          keystore-url="file:/home/jboss-as-7.1.1.Final/standalone/configuration/localhost.jks" 
           truststore-password="changeit" 
           truststore-url="file:/home/jboss-as-7.1.1.Final/standalone/configuration/truststore.jks"/>
    </security-domain>
    

     

    standalone.xml part 2

     

    <subsystem xmlns="urn:jboss:domain:web:1.1"
                default-virtual-server="default-host" native="false">
                <connector name="http" protocol="HTTP/1.1" scheme="http"
                    socket-binding="http" />
                <connector name="https" protocol="HTTP/1.1" scheme="https"
                    socket-binding="https" secure="true">
                    <ssl password="changeit"
                        certificate-key-file="/home/jboss-as-7.1.1.Final/standalone/configuration/localhost.jks"
                        verify-client="want"
                        ca-certificate-file="/home/jboss-as-7.1.1.Final/standalone/configuration/truststore.jks" />
                </connector>
                <virtual-server name="default-host"
                    enable-welcome-root="true">
                    <alias name="localhost" />
                    <alias name="example.com" />
                </virtual-server>
    </subsystem>
    

     

    my-users.properties which actually has *no* valid entries, just comments

     

    # my-users.properties
    #
    # The format of this realm is as follows: -
    # username=HEX( MD5( username ':' realm ':' password))
    #
    # However, no user-password list should be required since a cert is used
    #
    #admin=2a0923285184943425d1f53ddd58ec7a
    

     

    my-roles.properties which has the string from a client certificate; must escape the spaces and equal signs

     

    # my-roles.properties
    
    # The format of this file is as follows: -
    # username=role1,role2,role3
    
    EMAILADDRESS\=user@googlegroups.com,\ CN\=Organization\ Test\ User\ tester,\ OU\=org\ testing,\ O\=Organization,\ L\=Hyattsville,\ ST\=Maryland,\ C\=US=role1
    

     

    That's all the server configuration.  On to the webapp.

     

    jboss-web.xml goes in WEB-INF:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- This file indicates that our webapp uses a security domain defined in the JBoss config file standalone.xml -->
    <jboss-web>
    <context-root>webapp</context-root>
    <security-domain>RequireCertificateDomain</security-domain>
    </jboss-web>
    

     

    web.xml also in WEB-INF:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
        <!-- This deployment descriptor specifies client authentication via a certificate. 
            I could not find the annotations that accomplish the same task. -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>our web app</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <!-- Any role is acceptable; some day might have to constraint it -->
                <role-name>*</role-name>
            </auth-constraint>
            <user-data-constraint>
                <!-- Require HTTPS access -->
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <!-- Require the client to present a certificate -->
            <auth-method>CLIENT-CERT</auth-method>
        </login-config>
        <security-role>
            <!-- Any role is acceptable; some day might have to constraint it -->
            <role-name>*</role-name>
        </security-role>
    </web-app>
    

     

    Finally code within the webapp to retrieve the user name, which comes directly from the client certificate.  It is a long string with embedded spaces and such.

     

    package foo;
    
    import javax.ws.rs.core.Response;
    import javax.ws.rs.core.SecurityContext;
    import javax.ws.rs.core.UriInfo;
    
    @Consumes("application/x-www-form-urlencoded")
        public Response doPost(@Context UriInfo uriInfo,
                @Context SecurityContext securityContext,
                @FormParam("paramName") final String paramName) {
    
                String user = securityContext.getUserPrincipal().getName();
        }   
    

     


    I hope this helps someone.  Please note I'm not an expert in these things, I'd love to hear if I can improve this, thanks.

  • 46. Re: HTTPS on JBoss AS 7 - truststore configuration
    Alberto Flores Newbie

    Hi Chris,

     

    I didn't do any duplication of SSL configuration as you mentioned, however I used Spring security to help me with the certificate extraction.  Also, I was looking for 2-way SSL. Really, there was nothing to it, but my understanding is that what I did was for 2-way SSL configuration for webapps, so web service will need to have their own configuration as JBOSS seems to be following this modular approach to everything. I kept everything within the JBoss web module.

     

    I wrote a entry about this in my blog describing what I did (it has a sample standalone.xml file). If you are interested, you can find it here:

     

    http://alberto-flores.blogspot.com/2012/06/2-way-ssl-in-jboss-711.html

     

    Hope this helps anyone.

  • 47. Re: HTTPS on JBoss AS 7 - truststore configuration
    lagavulin Newbie

    I've also set up 2-way SSL on a standalone JBoss but wanted to test this out using the JBoss management console ... so what I would like to see happening is that my personal request (which I get to choose from a dropdown in Firefox) is somehow mapped to the admin user in JBoss....

     

    Does anybody know how this can be done and how?  (see below for my standalone.xml file)

     

    Is it me, or have there been substantial refactorings in the security part of JBoss...there are a bunch of classes that are no longer part of JBoss 7.1.1 that were initially part of the 7 release....mostly classes that have to do with role and user mapping, etc... Refactorings are of course A Good Thing since they lead to Better Code, unfortunately however the documentation seems to lag behind (e.g. org.jboss.as.security.auth package nowhere to be found, and also the xml schema's underlying the standalone.xml have changed, e.g. under server-identities, ssl, the keystore element doesn't support the key-alias or alias property anymore that I have found referenced in AS7 documentation.

     

    I understand that these things are hard to keep in sync, but a special effort for the security documentation would be a great idea since it is not the most trivial aspect of the server. Just saying...doesn't make it less of a great app server.

     

    ###########################

    Standalone.xml  for JBoss 7.1.1.Final running on Windows XP: 

     

    The security-domain "RequireCertificateDomain" is all good and so and I can understand how to configure this in a web.xml of an application, but I would like to log on to the admin console using my client certificate.... 

     

    <?xml version='1.0' encoding='UTF-8'?>
    
    
    <server xmlns="urn:jboss:domain:1.2">
    
    
        <extensions>
            <extension module="org.jboss.as.clustering.infinispan"/>
            <extension module="org.jboss.as.configadmin"/>
            <extension module="org.jboss.as.connector"/>
            <extension module="org.jboss.as.deployment-scanner"/>
            <extension module="org.jboss.as.ee"/>
            <extension module="org.jboss.as.ejb3"/>
            <extension module="org.jboss.as.jaxrs"/>
            <extension module="org.jboss.as.jdr"/>
            <extension module="org.jboss.as.jmx"/>
            <extension module="org.jboss.as.jpa"/>
            <extension module="org.jboss.as.logging"/>
            <extension module="org.jboss.as.mail"/>
            <extension module="org.jboss.as.naming"/>
            <extension module="org.jboss.as.osgi"/>
            <extension module="org.jboss.as.pojo"/>
            <extension module="org.jboss.as.remoting"/>
            <extension module="org.jboss.as.sar"/>
            <extension module="org.jboss.as.security"/>
            <extension module="org.jboss.as.threads"/>
            <extension module="org.jboss.as.transactions"/>
            <extension module="org.jboss.as.web"/>
            <extension module="org.jboss.as.webservices"/>
            <extension module="org.jboss.as.weld"/>
        </extensions>
    
    
        <management>
            <security-realms>
                <security-realm name="ManagementRealm">
                    <authentication>
                        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                    </authentication>
                </security-realm>
                <security-realm name="ManagementRealmForHttps">
                                            <server-identities>
                                                      <ssl>
                                                                <keystore path="osp_server.jks" relative-to="jboss.server.config.dir" password="xxxxxxxx" />
                                                      </ssl>
                                            </server-identities>
                    <authentication>
                        <truststore path="server.truststore" relative-to="jboss.server.config.dir" password="xxxxxxxx" />
                    </authentication>
                </security-realm>
                <security-realm name="ApplicationRealm">
                    <authentication>
                        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                    </authentication>
                </security-realm>
            </security-realms>
            <management-interfaces>
                <native-interface security-realm="ManagementRealm">
                    <socket-binding native="management-native"/>
                </native-interface>
                <http-interface security-realm="ManagementRealmForHttps">
                    <socket-binding https="management-https"/>
                </http-interface>
            </management-interfaces>
        </management>
    
    
        <profile>
            <subsystem xmlns="urn:jboss:domain:logging:1.1">
                <console-handler name="CONSOLE">
                    <level name="INFO"/>
                    <formatter>
                        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                    </formatter>
                </console-handler>
                <periodic-rotating-file-handler name="FILE">
                    <formatter>
                        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                    </formatter>
                    <file relative-to="jboss.server.log.dir" path="server.log"/>
                    <suffix value=".yyyy-MM-dd"/>
                    <append value="true"/>
                </periodic-rotating-file-handler>
                <logger category="com.arjuna">
                    <level name="WARN"/>
                </logger>
                <logger category="org.apache.tomcat.util.modeler">
                    <level name="WARN"/>
                </logger>
                <logger category="sun.rmi">
                    <level name="WARN"/>
                </logger>
                <logger category="jacorb">
                    <level name="WARN"/>
                </logger>
                <logger category="org.jboss.as.auth">
                    <level name="DEBUG"/>
                </logger>
                <logger category="org.jboss.as.web">
                    <level name="DEBUG"/>
                </logger>
                <logger category="org.jboss.as.domain">
                    <level name="DEBUG"/>
                </logger>
                <logger category="org.jboss.as.security">
                    <level name="DEBUG"/>
                </logger>
                <logger category="jacorb.config">
                    <level name="ERROR"/>
                </logger>
                <root-logger>
                    <level name="INFO"/>
                    <handlers>
                        <handler name="CONSOLE"/>
                        <handler name="FILE"/>
                    </handlers>
                </root-logger>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:configadmin:1.0"/>
            <subsystem xmlns="urn:jboss:domain:datasources:1.0">
                <datasources>
                    <!--datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
                        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
                        <driver>h2</driver>
                        <security>
                            <user-name>sa</user-name>
                            <password>sa</password>
                        </security>
                    </datasource-->
                    <drivers>
                        <driver name="h2" module="com.h2database.h2">
                            <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                        </driver>
                    </drivers>
                </datasources>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
                <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:ee:1.0"/>
            <subsystem xmlns="urn:jboss:domain:ejb3:1.2">
                <session-bean>
                    <stateless>
                        <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
                    </stateless>
                    <stateful default-access-timeout="5000" cache-ref="simple"/>
                    <singleton default-access-timeout="5000"/>
                </session-bean>
                <pools>
                    <bean-instance-pools>
                        <strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
                        <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
                    </bean-instance-pools>
                </pools>
                <caches>
                    <cache name="simple" aliases="NoPassivationCache"/>
                    <cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>
                </caches>
                <passivation-stores>
                    <file-passivation-store name="file"/>
                </passivation-stores>
                <async thread-pool-name="default"/>
                <timer-service thread-pool-name="default">
                    <data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>
                </timer-service>
                <remote connector-ref="remoting-connector" thread-pool-name="default"/>
                <thread-pools>
                    <thread-pool name="default">
                        <max-threads count="10"/>
                        <keepalive-time time="100" unit="milliseconds"/>
                    </thread-pool>
                </thread-pools>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="hibernate">
                <cache-container name="hibernate" default-cache="local-query">
                    <local-cache name="entity">
                        <transaction mode="NON_XA"/>
                        <eviction strategy="LRU" max-entries="10000"/>
                        <expiration max-idle="100000"/>
                    </local-cache>
                    <local-cache name="local-query">
                        <transaction mode="NONE"/>
                        <eviction strategy="LRU" max-entries="10000"/>
                        <expiration max-idle="100000"/>
                    </local-cache>
                    <local-cache name="timestamps">
                        <transaction mode="NONE"/>
                        <eviction strategy="NONE"/>
                    </local-cache>
                </cache-container>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
            <subsystem xmlns="urn:jboss:domain:jca:1.1">
                <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
                <bean-validation enabled="true"/>
                <default-workmanager>
                    <short-running-threads>
                        <core-threads count="50"/>
                        <queue-length count="50"/>
                        <max-threads count="50"/>
                        <keepalive-time time="10" unit="seconds"/>
                    </short-running-threads>
                    <long-running-threads>
                        <core-threads count="50"/>
                        <queue-length count="50"/>
                        <max-threads count="50"/>
                        <keepalive-time time="10" unit="seconds"/>
                    </long-running-threads>
                </default-workmanager>
                <cached-connection-manager/>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:jdr:1.0"/>
            <subsystem xmlns="urn:jboss:domain:jmx:1.1">
                <show-model value="true"/>
                <remoting-connector/>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:jpa:1.0">
                <jpa default-datasource=""/>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:mail:1.0">
                <mail-session jndi-name="java:jboss/mail/Default">
                    <smtp-server outbound-socket-binding-ref="mail-smtp"/>
                </mail-session>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:naming:1.1"/>
            <subsystem xmlns="urn:jboss:domain:osgi:1.2" activation="lazy">
                <properties>
                    <property name="org.osgi.framework.startlevel.beginning">
                        1
                    </property>
                </properties>
                <capabilities>
                    <capability name="javax.servlet.api:v25"/>
                    <capability name="javax.transaction.api"/>
                    <capability name="org.apache.felix.log" startlevel="1"/>
                    <capability name="org.jboss.osgi.logging" startlevel="1"/>
                    <capability name="org.apache.felix.configadmin" startlevel="1"/>
                    <capability name="org.jboss.as.osgi.configadmin" startlevel="1"/>
                </capabilities>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:pojo:1.0"/>
            <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>
            <subsystem xmlns="urn:jboss:domain:sar:1.0"/>
            <subsystem xmlns="urn:jboss:domain:security:1.1">
                <security-domains>
                    <security-domain name="other" cache-type="default">
                        <authentication>
                            <login-module code="Remoting" flag="optional">
                                <module-option name="password-stacking" value="useFirstPass"/>
                            </login-module>
                            <login-module code="RealmUsersRoles" flag="required">
                                <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                <module-option name="realm" value="ApplicationRealm"/>
                                <module-option name="password-stacking" value="useFirstPass"/>
                            </login-module>
                        </authentication>
                    </security-domain>
                    <security-domain name="jboss-web-policy" cache-type="default">
                        <authorization>
                            <policy-module code="Delegating" flag="required"/>
                        </authorization>
                    </security-domain>
                    <security-domain name="jboss-ejb-policy" cache-type="default">
                        <authorization>
                            <policy-module code="Delegating" flag="required"/>
                        </authorization>
                    </security-domain>
                                            <security-domain name="RequireCertificateDomain">
                                                      <authentication>
                                                                <login-module code="CertificateRoles" flag="required">
                                                                          <module-option name="securityDomain" value="RequireCertificateDomain"/>
                                                                          <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                                                                          <module-option name="usersProperties" value="${jboss.server.config.dir}/certusers.properties"/>
                                                                          <module-option name="rolesProperties" value="${jboss.server.config.dir}/certroles.properties"/>
                                                                </login-module>
                                                      </authentication>
                                                      <jsse 
                                                                keystore-password="xxxxxxx" 
                                                                keystore-url="file:///D|/jboss-as-7.1.1.Final/standalone/configuration/osp_server.jks" 
                                                                truststore-password="xxxxxxxx" 
                                                                truststore-url="file:///D|/jboss-as-7.1.1.Final/standalone/configuration/server.truststore"/>
                                            </security-domain> <!-- wanted to use  ${jboss.server.config.dir} in the url attributes above, but it didn't evaluate the expression!!!!! :-( -->
                </security-domains>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
            <subsystem xmlns="urn:jboss:domain:transactions:1.1">
                <core-environment>
                    <process-id>
                        <uuid/>
                    </process-id>
                </core-environment>
                <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
                <coordinator-environment default-timeout="300"/>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
                <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
                                            <ssl 
                                                      name="ssl" 
                                                      key-alias="osp" 
                                                      password="xxxxxxxx" 
                                                      certificate-key-file="${jboss.server.config.dir}/osp_server.jks" 
                                                      ca-certificate-file="${jboss.server.config.dir}/server.truststore"
                                                      verify-client="true"/>
                </connector>
                <virtual-server name="default-host" enable-welcome-root="true">
                    <alias name="localhost"/>
                    <alias name="example.com"/>
                </virtual-server>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:webservices:1.1">
                <modify-wsdl-address>true</modify-wsdl-address>
                <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
                <endpoint-config name="Standard-Endpoint-Config"/>
                <endpoint-config name="Recording-Endpoint-Config">
                    <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
                        <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
                    </pre-handler-chain>
                </endpoint-config>
            </subsystem>
            <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
        </profile>
    
    
        <interfaces>
            <interface name="management">
                <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
            </interface>
            <interface name="public">
                <inet-address value="${jboss.bind.address:127.0.0.1}"/>
            </interface>
            <interface name="unsecure">
                <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
            </interface>
        </interfaces>
    
    
        <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
            <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
            <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
            <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
            <socket-binding name="ajp" port="8009"/>
            <socket-binding name="http" port="8080"/>
            <socket-binding name="https" port="8443"/>
            <socket-binding name="osgi-http" interface="management" port="8090"/>
            <socket-binding name="remoting" port="4447"/>
            <socket-binding name="txn-recovery-environment" port="4712"/>
            <socket-binding name="txn-status-manager" port="4713"/>
            <outbound-socket-binding name="mail-smtp">
                <remote-destination host="localhost" port="25"/>
            </outbound-socket-binding>
        </socket-binding-group>
    
    
    </server>
    
    
  • 48. Re: HTTPS on JBoss AS 7 - truststore configuration
    guillaume cornet Newbie

    Hi Chris,

     

    I still don't quite understand why the server certificate keystore and user certificate truststore must be provided both to the "jsse" element *and* again to the "ssl" element.  I don't like this duplication, maybe there's a good reason, or maybe it's an issue that will be fixed some day.

     

    In client-certificate authentication, ssl truststore configuration and jsse truststore configuration are not duplicated configuration. Here are more details.

     

    SSL element

    SSL truststore is used by the HTTP connector.

    It must contains the certificates of some certificate authorities.

    In order to be 'authorized', a client must select a client certificate and this client certificate must have been signed by one of the CA which was imported in your trustore.

     

    security-domain's JSSE element

    JSSE element's datas are used by security-domain's login-module 'org.jboss.security.auth.spi.BaseCertLoginModule' and 'org.jboss.security.auth.spi.CertRolesLoginModule'.

     

    The BaseCertLoginModule is a login-module which can perform additionnal certificate verifications, based on the client certificate which is presented to the server and the JSSE element configuration.

    • When you don't declare any 'verifier', the BaseCertLoginModule will try to find the client certificate in the JSSE truststore. The JSSE truststore should contains all 'authorized' client certificates, and the alias in the truststore of such a client certificate must be the subject DN of the client certificate. If the client certificate is not in the truststore, the client is not authorized to access to the application ; The error message displayed on the browser will not be a SSL-related error message but a 401/403 HTTP response code ;
    • If this behavior doesn't fit your need, you can create your own 'verifier' (which will implements your own certificate verification logic) and declare it through the 'verifier' module-option ;
    • 'AnyCertVerifier' is an out-of-the-box verifier, which ...  don't do any additionnal verification ! When using the 'AnyCertVerifier', you don't have to declare the JSSE element (because the AnyCertVerifier don't need it) ;

     

    The CertRolesLoginModule extends BaseCertLoginModule.

    It implements exactly the same logic + it assign roles, based on roles association described in properties's files.

     

     

    So :

    • When you are using the AnyCertVerifier, the JSSE element is not necessary ;
    • The trustore defined in the SSL element should have a different content than the truststore defined in the JSSE element ;
  • 49. Re: HTTPS on JBoss AS 7 - truststore configuration
    guillaume cornet Newbie

    In order to configure client-certificate, you must also declare a trustore in the ssl element. Just add the follwing attributes :

    • ca-certificate-file : contains the full path of the truststore :
      • Your truststore should contain the certificate of the certificate authorities you sign client certificates with ;
      • Note that your trustore must have the same storepass than the keystore ;
    • truststore-type : should contains either JKS or PKCS12, regarding the storetype of your truststore ;

     

     

    Here is a full sample :

    <connector name="https-cert" protocol="HTTP/1.1" scheme="https" socket-binding="https-cert" secure="true">
       <ssl name="https-cert"
         key-alias="https"
         password="mypassword"
         certificate-key-file="${jboss.server.config.dir}/keystore.jks"
         keystore-type="JKS"
         verify-client="true"
         ca-certificate-file="${jboss.server.config.dir}/truststore.jks"
         truststore-type="JKS"/>
    </connector>
    
  • 50. Re: HTTPS on JBoss AS 7 - truststore configuration
    Leonardo Devai Newbie

    Well, after struggling for a while to get JAX-WS @WebService CLIENT-CERT authentication working, this post helped me a lot in getting it done, specially to Chris!

     

    After debugging CertRolesLoginModule I noticed that the username used by the client was the DNAME, and it had to match the ALIAS of the client's certificate on the server's truststore!

    That was the trick for me, after I imported the client certificate do the keystore with the correct alias I got it working.

     

    Since this is quite not trivial on AS7 yet, but I know things are getting way better on 7.2, I don't know if this is the appropriate place but I'll post everything I did to get it working nicely, a part of it is pretty much the same as Chris', but here it goes:

     

    JBoss 7.1.1.Final

     

    Added jbossws-api-1.0.0.GA.jar to the classpath of my project for development

     

    Plain 3.0 web.xml

     

    @WebService(name = "TestService", targetNamespace = "http://ws.test.org/")
    @Stateless
    @SecurityDomain("test-domain")
    @RolesAllowed("test")
    @WebContext(contextRoot = "/ws/TestService", urlPattern = "/*", authMethod = "CLIENT-CERT", transportGuarantee = "CONFIDENTIAL", secureWSDLAccess = false)
    public class TestService implements ITestService {
              public String test(String protocol) {
                        return "Payload <" + protocol + ">";
              }
    }
    

     

     

     

    standalone.xml

    <system-properties>
              <property name="javax.net.ssl.trustStore" value="/path/to/localhost.jks"/>
              <property name="javax.net.ssl.trustStorePassword" value="abc123"/>
    </system-properties>
    
    ...
    
    <security-domain name="test-domain" cache-type="default">
              <authentication>
                        <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
                                  <module-option name="securityDomain" value="test-domain"/>
                                  <module-option name="rolesProperties" value="/path/to/ws-roles.properties"/>
                        </login-module>
              </authentication>
              <jsse keystore-password="abc123" keystore-type="jks" keystore-url="/path/to/server.jks" truststore-password="abc123" truststore-type="jks" truststore-url="/path/to/server.jks" client-auth="true"/>
    </security-domain>
    
    ...
    
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
              <ssl name="ssl" key-alias="localhost" password="abc123" certificate-key-file="/path/to/localhost.jks" protocol="TLSv1, SSLv2Hello" verify-client="false"/>
    </connector>
    

     

     

     

    ws-roles.properties

    CN\=client,\ OU\=client,\ O\=client,\ L\=Brazil=test

     

     

    Server & Client Keystore

     

    keytool -genkeypair -alias localhost -keyalg RSA -keystore localhost.jks -storepass abc123 -keysize 2048 -dname "CN=localhost, OU=localhost, O=localhost, L=Brazil"

    keytool -export -alias localhost -keystore localhost.jks -storepass abc123 -file localhost.crt

    keytool -genkeypair -alias client -keyalg RSA -keystore client.jks -storepass abc123 -keysize 2048 -dname "CN=client, OU=client, O=client, L=Brazil"

    keytool -export -alias client -keystore client.jks -storepass abc123 -file client.crt

    keytool -keystore localhost.jks -storepass abc123 -import -file client.crt -alias "CN=client, OU=client, O=client, L=Brazil"

    keytool -keystore client.jks -storepass abc123 -import -file localhost.crt -alias localhost

    keytool -list -v -keystore localhost.jks -storepass abc123

    keytool -list -v -keystore client.jks -storepass abc123

     

     

    Client Code


    System.setProperty("javax.net.ssl.keyStore", "/path/to/client.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "abc123");
    System.setProperty("javax.net.ssl.trustStore", "/path/to/client.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "abc123");
    TestService svc = new TestServiceService().getPort(TestService.class);
    String result = svc.test("input");
    

     

     

     

     

    Hope it helps someone as well

  • 51. Re: HTTPS on JBoss AS 7 - truststore configuration
    Jure Jesenicnik Newbie

    Hi guys.

     

    I'm having issues with the client-cert authentication also.

     

    I was able to set up the ssl properly and I even managed to get the browser to ask mi for a certificate upon accessing the webapp. But when I select the certificate I want to authenticate with, I get the SSL error.

     

    Chrome says:

    Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

     

     

    FF:

    An error occurred during a connection to localhost:8443.

     

    Peer reports it experienced an internal error.

     

    (Error code: ssl_error_internal_error_alert)

     

     

    This happens even with the AnyCertVerifier. Now, if i get the things properly, this verifier shoul let you through even without the additional <jsse setup. I tried all sorts od stuff with/without the jsse, keystore/truststore only, verifier / no verifier, but no luck.

     

    Here's my current security-domain:

     

    <security-domain name="require-certificate" cache-type="default">
         <authentication>
              <login-module code="Certificate" flag="required">
                   <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
              </login-module>
         </authentication>
         <jsse       keystore-url="${jboss.server.base.dir}/ssl/cert/tomcatServerCert.p12"
                        keystore-type="PKCS12"
                        keystore-password="abc123"
                        truststore-url="${jboss.server.base.dir}/ssl/cert/ca_truststore.p12" 
                        truststore-type="PKCS12"
                        truststore-password="abc123"
                        client-auth="true"
         />
    </security-domain>
    

    Keystore contains the user cert and truststore the ca.

     

    And my ssl config:

     

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl         password="abc123" 
                   certificate-key-file="${jboss.server.base.dir}/ssl/cert/tomcatServerCert.p12" 
                   verify-client="false" 
                   ca-certificate-file="${jboss.server.base.dir}/ssl/cert/ca_truststore.p12" 
                   keystore-type="PKCS12"/>
    </connector>
    

     

    The "tomcatServerCert.p12" is the one that I have imported into the browser. I do get asked for the cert, so I guess the app is configured properly (I followd previous posts).

    I am using the 7.1.3.Final, I tried the same config on 7.1.1.Final also and the results were the same.

     

    I also tried following the steps that Leonardo provided, but still no luck. There are also some thing not qute clear regarding the last post, so I would be gratefull, if you coud clear this up Leonardo.

     

    truststore-url="/path/to/server.jks"

     

    What keystore is this? There is no server.jks step in the Keytool steps.

     

    also:

    verify-client="false"

     

    in the ssl section? Shouldn't this be set to true if you want the client-cert auth to fire up.

     

    I was also unable to import the *.crt files in the browser (chrome). The wizzard seemed to complete without any problems, but the cert is nowhere to be seen. I'm kinda lost.

     

    Is there aby way to get more feedback from the server to see why and where it fails. I really need some help here.

  • 52. Re: HTTPS on JBoss AS 7 - truststore configuration
    Tomaz Cerar Master

    I think you should start a new thread.

     

    but in short.

     

    main problem is that you dont have truststore configured properly.

    This can happen quickly when you use self-signed certs.

     

    In combination with client-cert this is quite hard to configure right.

     

    If ssl works up to the point where client cert auth is needed, then your truststore is missing CA certificate that was used to sign your client cert.

    also use verify-client="true" if you need this always, no need for security domain unless you need it for something else.

     

     

    --

    tomaz

  • 53. Re: HTTPS on JBoss AS 7 - truststore configuration
    guillaume cornet Newbie

    @jure

     

     

    "SSL protocol error" are related to your connector's configuration, and not to security-domain's configuration.

    So, to solve your error, you have to focus on the connector's configuration, and we will see the security-domain configuration later.

     

    For a general purpose, here are samples connector's configuration which perform client-cert authentication :

     

    1/ in this sample, we are using JKS for the truststore and PKCS12 for the keystore :

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl name="https"
         key-alias="https"
         password="12345678"
         certificate-key-file="${jboss.server.config.dir}/server.p12"
         keystore-type="PKCS12"
         verify-client="true"
         ca-certificate-file="${jboss.server.config.dir}/truststore.jks"
         truststore-type="JKS"/>
    </connector>
    

     

    2/ in this sample, we are using only JKS:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

      <ssl name="https"

         key-alias="https"

         password="12345678"

         certificate-key-file="${jboss.server.config.dir}/server.jks"

         keystore-type="JKS"

         verify-client="true"

         ca-certificate-file="${jboss.server.config.dir}/truststore.jks"

         truststore-type="JKS"/>

    </connector>

     

     

    Now, let's see your problems.

    1/ "The 'tomcatServerCert.p12' is the one that I have imported into the browser"

    => NO NO NO NO !!

    The client certificate is not necessary for the connector's configuration.

     

    The server's keystore (certificate-key-file) should contain the private key + certificate of the SERVER.

    The p12 file you give to your client contains the private key + certificate of the CLIENT.

    That's differents files !

     

    To solve your problem, you have to create a server's private key + a (selfsigned) certificate using the keytool -genkey command.

    Then, you will have to set the "certificate-key-file" attribute of the connector with the resulting keystore's path.

     

     

    2/ "I do get asked for the cert, so I guess the app is configured properly"

    I don't think so...

    you set verify-client to true and that's all...

     

     

    3/ You were right : you have to set the "verify-client" attribute of the connector to "true" to enable client-cert.

     

     

    4/ "I was also unable to import the *.crt"

    In order to "perform client-cert auth", you have to give each client a dedicated private key + the corresponding certificate, and to import this into the client's browser.

    Typically, .p12 files are used (because PKCS12 have the ability to store keys + cert).

     

    In order to "trust a server", you can import the server's certificate into your browser.

    Typically, .crt or .cer files are used.

  • 54. Re: HTTPS on JBoss AS 7 - truststore configuration
    Fanzhen Meng Newbie

    Here is my configurations in jboss7.1.1 final:

     

    standlone.xml

     

    <security-domain name="MySecurityDomain" cache-type="default">

                        <authentication>

                            <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">

                                <module-option name="securityDomain" value="java:/jaas/MySecurityDomain"/>

                                <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

                            </login-module>

                        </authentication>

                    </security-domain>


     

    .............................

     

       <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

                    <ssl name="jbossweb-ssl" password="123456" certificate-key-file="/home/fanzhen/Downloads/t420/keys/serverkey.pem" verify-client="require" certificate-file="/home/fanzhen/Downloads/t420/certs/server.cer" ca-certificate-file="/home/fanzhen/Downloads/t420/certs/ca.cer" keystore-type="PKCS12" truststore-type="PKCS12"/>

     

    and web.xml


    <security-constraint>

                        <web-resource-collection>

                                  <web-resource-name>MySecurityDomain</web-resource-name>

                                  <url-pattern>/*</url-pattern>

                                  <http-method>GET</http-method>

                                  <http-method>POST</http-method>

                                  <http-method>PUT</http-method>

                                  <http-method>DELETE</http-method>

                        </web-resource-collection>

                        <auth-constraint>

                                  <role-name>*</role-name>

                        </auth-constraint>

                        <user-data-constraint>

                                  <transport-guarantee>INTEGRAL</transport-guarantee>

                        </user-data-constraint>

              </security-constraint>

              <login-config>

                        <auth-method>CLIENT-CERT</auth-method>

                        <realm-name>MySecurityDomain</realm-name>

              </login-config>

              <security-role>

                        <role-name>*</role-name>

              </security-role>

     

    and jboss-web.xml

     

    <?xml version="1.0" encoding="UTF-8"?>

    <jboss-web>

       <security-domain>java:/jaas/MySecurityDomain</security-domain>

    </jboss-web>

     

     

     

    in this way I can get client cert in my code by :

     




    X509Certificate[] certs = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

     

     

    My question is :

     

    I don't want to use seacurity domain , with 


    <login-config>

      <auth-method>CLIENT-CERT</auth-method>

      <realm-name>MySecurityDomain</realm-name>

      </login-config>


     

    just want to get client cert in in my code !!!!

     

    I try to remove the security configuration  and use the below code ,

    <security-constraint>

                        <web-resource-collection>

                                  <web-resource-name>MySecurityDomain</web-resource-name>

                                  <url-pattern>/*</url-pattern>

                                  <http-method>GET</http-method>

                                  <http-method>POST</http-method>

                                  <http-method>PUT</http-method>

                                  <http-method>DELETE</http-method>

                        </web-resource-collection>

                        <auth-constraint>

                                  <role-name>*</role-name>

                        </auth-constraint>

                        <user-data-constraint>

                                  <transport-guarantee>INTEGRAL</transport-guarantee>

                        </user-data-constraint>

              </security-constraint>

     

    I always get null   by   (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");  crazy !!!!!

     

     

    is there another way which I do not use login-config !!!!

     

    ps :I am using openssl

  • 55. Re: HTTPS on JBoss AS 7 - truststore configuration
    guillaume cornet Newbie

    @Fanzhen Meng

     

     

    You previously said "I always get null   by   (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");  crazy !!!!!"

    => the easyest way to retrieve the client-cetificate is to use this "(X509Certificate)request.getUserPrincipal()".

    Note that BaseCertLoginModule and CertRolesLoginModules will register the X509Certificate as the principal.

1 2 3 4 Previous Next