Version 5

    How to set up a demo with client certificates with mod_jk and JBoss authentication.

     

    On RHEL4 you have to use CA from the openssl rpm; CA is the certificate authority management tool of openssl.

     

    1 - Create a new CA:

        /usr/share/ssl/misc/CA -newca

     

    2 - Create a new request:

        /usr/share/ssl/misc/CA -newreq

        (that creates a file named newreq.pem)

     

    3 - Separate the request and the private key:

        Put the private key in key.pem and leave only the request in newreq.pem

     

    4 - Sign the request using the CA you created in step 1:

     

        /usr/share/ssl/misc/CA -signreq

     

        (that creates a file named newcert.pem)

    5 - openssl pkcs12 -export -inkey key.pem -in newcert.pem -out test.p12

        test.p12 can be imported in the browser.

     

    6 - Import the client certificate (test.p12) in the browser.

     

    7 - Apache httpd has to know the CA created in step 1, otherwise it will not accept the client certificate.

        Add the CA certificate (demoCA/cacert.pem) to $APACHE_HOME/.../ca-bundle.crt

        or add in httpd.conf:

     

        SSLCACertificateFile $PATH_TO/demoCA/cacert.pem
        SSLVerifyClient require
        SSLOptions +StdEnvVars +ExportCertData

    8 - Configure mod_jk to forward the client certificate to Tomcat.

        In httpd.conf use:

     

        JkExtractSSL on
        JkOptions     +ForwardKeySize

    9 - Add the client certificate (its public key) to the JBoss AS keystore, for example:

     

        keytool -import -alias jfclere -keystore ./server/default/conf/localhost.keystore -file $PATH_TO/newcert.pem

     

    10 - Check the Owner (the subject DN) of the imported entry:

     

        keytool -v -list -alias jfclere -keystore ./server/default/conf/localhost.keystore

     

        EMAILADDRESS=support@jboss.com, CN=support, OU=Jboss, O=Redhat, L=Neuchatel, ST=Neuchatel, C=CH

     

    11 - Create an entry like the following in server/default/conf/props/jmx-console-roles.properties (the DN from step 10 is the key, the role is the value; '=' and spaces in the key are backslash-escaped):

     

    EMAILADDRESS\=support@jboss.com,\ CN\=support,\ OU\=Jboss,\ O\=Redhat,\ L\=Neuchatel,\ ST\=Neuchatel,\ C\=CH=JBossAdmin

     

    12 - For the rest follow BaseCertLoginModule.

     

    Notes:

     

    If you want to use openssl certificate files with keytool, remember that the text (comments) before the certificate disturbs keytool; otherwise you will get the error message:

     

    keytool error: java.lang.Exception: Input not an X.509 certificate
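Two small helpers for steps 10 and 11 and for the keytool note above, as an added example that is not part of the original page: one turns the Owner line printed by keytool into the escaped key expected in jmx-console-roles.properties, the other keeps only the PEM block of a newcert.pem so keytool does not choke on the text dump that "CA -signreq" writes before it. The sample Owner line reuses the DN from this page; the sample certificate file is constructed and its base64 body is not a real certificate.

```python
import re

# Constructed sample: the Owner line as "keytool -v -list" prints it (DN from this page).
SAMPLE_OWNER = ("Owner: EMAILADDRESS=support@jboss.com, CN=support, OU=Jboss, "
                "O=Redhat, L=Neuchatel, ST=Neuchatel, C=CH")

# Constructed sample: a newcert.pem with the human-readable dump openssl puts in
# front of the PEM block. The base64 body is a placeholder, not a real certificate.
SAMPLE_NEWCERT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: C=CH, ST=Neuchatel, O=Redhat, CN=Demo CA
-----BEGIN CERTIFICATE-----
MIIBszCCARwCAQEwDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UEAxMHRGVtbyBDQQ==
-----END CERTIFICATE-----
"""


def escape_properties_key(key: str) -> str:
    """Escape a string for the key position of a Java .properties file.

    In a key, '=', ':' and whitespace terminate the key unless escaped, and a
    backslash must itself be doubled. That is why the DN in
    jmx-console-roles.properties is written with '\\=' and '\\ '.
    """
    out = []
    for ch in key:
        if ch == "\\":
            out.append("\\\\")
        elif ch in "=: ":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dn_to_roles_entry(owner_line: str, role: str) -> str:
    """Build the roles.properties line '<escaped DN>=<role>' from keytool's Owner line."""
    dn = owner_line.split("Owner:", 1)[-1].strip()
    return f"{escape_properties_key(dn)}={role}"


def extract_pem_certificate(text: str) -> str:
    """Return only the first PEM certificate block, dropping any text around it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return m.group(0)
```

Write the output of extract_pem_certificate back to a file before running "keytool -import -file" on it.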

     

    To use a self signed certificate for Apache httpd do the following:

     

    CA.pl -newcert (creates 2 files: newcert.pem and newkey.pem).

     

    Use in httpd.conf:

     

    SSLCertificateKeyFile newkey.pem
    SSLCertificateFile newcert.pem

     

    Example of a minimal entry for ssl in httpd.conf:

     

    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    
    Listen 8443
    SSLPassPhraseDialog  builtin
    <VirtualHost _default_:8443>
    SSLEngine on
    SSLCertificateKeyFile _path_to_key/newkey.pem
    SSLCertificateFile _path_to_cert/newcert.pem
    </VirtualHost>
    </IfModule>