How to set up a demo with client certificates, using mod_jk and JBoss authentication.
On RHEL4 you have to use the CA script from the openssl rpm; CA is the certificate
authority management tool of openssl.
1 - Create a new CA:
/usr/share/ssl/misc/CA -newca
2 - Create a new request:
/usr/share/ssl/misc/CA -newreq
(that creates a file named newreq.pem)
3 - Separate the request and the private key:
Put key in key.pem and request in newreq.pem
4 - Sign the request using the CA you created in step 1:
/usr/share/ssl/misc/CA -signreq
(that creates a file named newcert.pem)
5 - openssl pkcs12 -export -inkey key.pem -in newcert.pem -out test.p12
test.p12 can be imported in the browser.
6 - Import the client certificate (test.p12) in the browser.
7 - Apache httpd has to know the CA created in step 1 (otherwise it won't accept the client certificate).
Add the CA certificate (demoCA/cacert.pem) to $APACHE_HOME/.../ca-bundle.crt
or add in httpd.conf:
SSLCACertificateFile $PATH_TO/demoCA/cacert.pem
SSLVerifyClient require
SSLOptions +StdEnvVars +ExportCertData
8 - Configure mod_jk to forward the certificate to Tomcat.
In httpd.conf use:
JkExtractSSL on
JkOptions +ForwardKeySize
9 - Add the client certificate (public key) to the JBoss AS keystore, for example:
keytool -import -alias jfclere -keystore ./server/default/conf/localhost.keystore -file $PATH_TO/newcert.pem
10 - Check the Owner:
keytool -v -list -alias jfclere -keystore ./server/default/conf/localhost.keystore
EMAILADDRESS=support@jboss.com, CN=support, OU=Jboss, O=Redhat, L=Neuchatel, ST=Neuchatel, C=CH
11 - Create one entry like the following in server/default/conf/props/jmx-console-roles.properties
EMAILADDRESS\=support@jboss.com,\ CN\=support,\ OU\=Jboss,\ O\=Redhat,\ L\=Neuchatel,\ ST\=Neuchatel,\ C\=CH=JBossAdmin
12 - For the rest follow BaseCertLoginModule.
Notes:
If you want to use openssl certificate files with keytool, remember
that the comments (text) before the certificate disturb keytool; otherwise you will get the error message:
keytool error: java.lang.Exception: Input not an X.509 certificate
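Two small helpers for steps 9 to 11 and for the keytool note above, added here as an example (not part of the original howto; the function names pem_cert_only and roles_entry are my own): one strips openssl's text dump so keytool accepts the file, the other turns a subject DN into the escaped key expected in jmx-console-roles.properties.

```shell
#!/bin/sh
# Added helper script (not part of the original howto); function names are my own.

# 1) keytool rejects a PEM file that still carries openssl's text dump in front of
#    the certificate ("Input not an X.509 certificate"). Keep only the PEM block.
pem_cert_only() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# 2) Build the jmx-console-roles.properties line for a client subject DN.
#    In a Java properties file an unescaped '=' or space ends the key, so every
#    '=' and space inside the DN must be escaped with a backslash; commas are fine.
roles_entry() {
  dn=$1
  role=$2
  printf '%s=%s\n' "$(printf '%s' "$dn" | sed 's/=/\\=/g; s/ /\\ /g')" "$role"
}

# Constructed sample input: the kind of file "CA -signreq" produces, with a
# human-readable dump before the certificate. The base64 body is a dummy.
SAMPLE_PEM=$(mktemp)
cat > "$SAMPLE_PEM" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=CH, ST=Neuchatel, L=Neuchatel, O=Redhat, OU=Jboss, CN=support
-----BEGIN CERTIFICATE-----
MIIBdummyDUMMYdummyDUMMYdummyDUMMY
-----END CERTIFICATE-----
EOF

# Usage: the cleaned copy is what you pass to "keytool -import -file", and the
# Owner line printed by "keytool -v -list" is the DN to feed to roles_entry.
pem_cert_only "$SAMPLE_PEM" > "$SAMPLE_PEM.clean"
roles_entry "EMAILADDRESS=support@jboss.com, CN=support, OU=Jboss, O=Redhat, L=Neuchatel, ST=Neuchatel, C=CH" JBossAdmin
```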
To use a self-signed certificate for Apache httpd do the following:
CA.pl -newcert (creates 2 files: newcert.pem and newkey.pem).
Use in httpd.conf:
SSLCertificateKeyFile newkey.pem
SSLCertificateFile newcert.pem
Example of a minimal entry for SSL in httpd.conf:
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    Listen 8443
    SSLPassPhraseDialog builtin
    <VirtualHost _default_:8443>
        SSLEngine on
        SSLCertificateKeyFile _path_to_key/newkey.pem
        SSLCertificateFile _path_to_cert/newcert.pem
    </VirtualHost>
</IfModule>