Mutual Authentication on JBoss 7.2.0.Final
These are steps that will get you to the point where JBoss 7.2.0.Final is set up with mutual authentication.
OpenSSL Steps to Generate Server Certificate and Client Certificate Files
1. Create the key pair for the CA:
openssl genrsa -out ca.key 1024
2. Create the root certificate:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
3. Generate a keypair for the server:
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo '01' > demoCA/serial
openssl genrsa -out localhost.key 2048
4. Create the CSR for the web server:
openssl req -new -key localhost.key -out localhost.csr
5. Sign it with the CA:
openssl ca -keyfile ca.key -cert ca.crt -out localhost.crt -policy policy_anything -infiles localhost.csr
6. On the client, create the key pair for the client:
openssl genrsa -out client.key 2048
7. On the client, create a CSR:
openssl req -new -key client.key -out client.csr
8. On the server, our CA will sign the request:
openssl ca -keyfile ca.key -cert ca.crt -out client.crt -policy policy_anything -infiles client.csr
9. Verify that you now have two new .pem files in demoCA/newcerts.
10. Create a PKCS#12 file (which bundles the certificate with its private key) for the server:
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name aliasname
11. Create a PKCS#12 file (which bundles the certificate with its private key) for the client:
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name aliasname
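The eleven OpenSSL steps above, as an added, non-interactive example (not part of the original post) that also carries out the check a deployment depends on: the client certificate must chain to our CA, and a certificate from any other issuer must not, which is exactly what verify-client="true" later enforces against the trust store. It signs with openssl x509 -req and -CA/-CAkey instead of openssl ca, so no demoCA/ directory is needed, uses 2048-bit keys throughout (the post uses 1024 for the CA), and the subject names, the "changeit" password and the scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the original post's commands): builds the same CA, server
# and client material as steps 1-11 in a scratch directory, non-interactively,
# then verifies the resulting chains. Signing uses `openssl x509 -req` with
# -CA/-CAkey (a swap for `openssl ca`, so no demoCA/ layout is required).
# Subject names, the "changeit" password and directory names are placeholders.
set -e

# gen_mtls_material DIR : create ca.crt, localhost.crt/.p12, client.crt/.p12 in DIR
gen_mtls_material() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # Steps 1-2: CA key pair and self-signed root certificate (10 years)
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
            -subj "/CN=Example Demo CA" 2>/dev/null
        # Steps 3-5: server key, CSR, and a certificate signed by our CA
        openssl genrsa -out localhost.key 2048 2>/dev/null
        openssl req -new -key localhost.key -out localhost.csr \
            -subj "/CN=localhost" 2>/dev/null
        openssl x509 -req -days 365 -in localhost.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out localhost.crt 2>/dev/null
        # Steps 6-8: client key, CSR, and a certificate signed by our CA
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -key client.key -out client.csr \
            -subj "/CN=demo-client" 2>/dev/null
        openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out client.crt 2>/dev/null
        # Steps 10-11: PKCS#12 bundles (certificate + private key) for keytool / browser
        openssl pkcs12 -export -in localhost.crt -inkey localhost.key \
            -out localhost.p12 -name aliasname -passout pass:changeit
        openssl pkcs12 -export -in client.crt -inkey client.key \
            -out client.p12 -name aliasname -passout pass:changeit
    )
}

# chains_to_ca CA_CRT CERT : exit 0 if CERT was issued under CA_CRT, non-zero otherwise.
# This is the decision the server makes about a presented client certificate.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_rogue_cert DIR : a self-signed certificate from an unrelated issuer,
# standing in for a client whose certificate our CA never signed.
make_rogue_cert() {
    openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
        -keyout "$1/rogue.key" -out "$1/rogue.crt" \
        -subj "/CN=rogue-client" 2>/dev/null
}
```

Once JBoss is running with the connector configured, the same chain check can be exercised end to end with openssl s_client -connect localhost:8443 -cert client.crt -key client.key -CAfile ca.crt: the handshake completes only when the presented client certificate validates against the CA in cacerts.jks.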
Java Keystore Steps
1. Run keytool to create the JKS keystore from the server PKCS#12 file created in step 10:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore localhost.p12 -srcstoretype PKCS12 -alias aliasname
2. Run keytool to create the trust store by importing the CA certificate:
keytool -import -keystore cacerts.jks -storepass changeit -alias aliasname -file ca.crt
JBoss 7.2.0.Final Steps
(These steps assume a standalone setup; adjust them for domain mode if applicable.)
- Copy both JKS keystore files from the previous steps into $JBOSS_HOME/standalone/conf
- Edit $JBOSS_HOME/standalone/standalone.xml
In the subsystem urn:jboss:domain:web:1.4, add:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https"
         key-alias="aliasname"
         password="changeit"
         certificate-key-file="../standalone/configuration/keystore.jks"
         ca-certificate-file="../standalone/configuration/cacerts.jks"
         verify-client="true" />
</connector>
Test it
- Restart the JBoss service.
- Try https://localhost:8443/ - you should be refused, because the client certificate is not yet installed in the browser.
- Install the client.p12 file you generated earlier into your browser.
- Repeat the test; it should now work.