0 Replies Latest reply on Mar 23, 2014 1:09 PM by slopez01

    Picketlink and Mutual Authentication using SSL

    slopez01
    slopez01 Mar 23, 2014 1:09 PM

      I've been working with PicketLink for a while now and have username/password working correctly.  The project I'm working on requires that we use certificates for machine to machine communication.  An article on the internet showed that to use SSL authentication that you configure the WS-Trust client as follows.

       

      WSTrustClient trustClient = new WSTrustClient("PicketLinkSTS","PicketLinkSTS", "https://localhost:8443/picketlink-sts/PicketLinkSTS",new SecurityInfo(null, (String)null));

       

      When I configure the settings this way I get a null pointer error because the picket link code has a check for verifying that both of these fields are not null and have a length greater than 0.

       

      So I tried the following:

       

      WSTrustClient trustClient = new WSTrustClient("PicketLinkSTS", "PicketLinkSTS", "https://localhost:8443/picketlink-sts/PicketLinkSTS", new SecurityInfo("a", "a"}));

       

      The call goes through and fails on authentication as expected.  Below are the configuration options for the certificates:

       

      System.getProperties().put("javax.net.ssl.keyStore","c:\\projects\\jks2\\KEYSTORE.p12");

      System.getProperties().put("javax.net.ssl.keyStorePassword","password");

      System.getProperties().put("javax.net.ssl.keyStoreType","PKCS12");

                     

      System.getProperties().put("javax.net.ssl.trustStore", "c:\\projects\\jks2\\csg_trust.jks");

      System.getProperties().put("javax.net.ssl.trustStorePassword", "password");

       

      I also set the SSL debug switch to show all communications.

       

      When I run this using the SSL cert configuration on JBoss from a standalone client, the JBoss side of the SSL communication indicates that the client is not sending it's certificates, it states that the certificate chain is null.

       

      To investigate further, I created a simple servlet.  Set the same parameters of CLIENT-CERT and JBoss encryption in the server.xml file.  I am able to retrieve and verify the user using this process.  It works as expected.

       

      This leads me to believe that the WSTrustClient is changing information/configuration for the communication.

       

      My preference is to use WSTrustClient.  I'm fairly certain that I can generate code from the wsdl and the schema that's used but I'd rather use something that already exists.

       

      Any suggestions greatly appreciated.  Thanks in advance.

       

      Version Information:

       

      PicketLink 2.1.8

      JBoss soa-p 5.3.1

      Java version 7

      CXF version 2.7.10

      • 388 Views
      • Tags: