1 2 Previous Next 20 Replies Latest reply on Jan 18, 2005 12:33 PM by kookywon Go to original post
      • 15. Re: UsersRolesLoginModule AND CLIENT-CERT (desperately)
        kookywon

        I thought so too, so I changed to basic authentication, removed the basecertloginmodule from the login-config.xml so it was only using userroleloginmodule, and that works.

        Since userroleloginmodule works with the same user/roles properties files I don't think that's the problem. It seems to be directly related to the basecertloginmodule.

        • 16. Re: UsersRolesLoginModule AND CLIENT-CERT (desperately)
          kookywon

          Hello,

          I've got some more information. I set my log levels to debug to find the differences between the two instances and here's what I came up with.

          from my workstation (successful)

          08:51:23,125 DEBUG [JSSE14Support] Cert #0 = [
          [
           Version: V1
           Subject: CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
           Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
          
           Key: SunJSSE RSA public key:
           public exponent:
           010001
           modulus:
           c3e2f08a 900ecfb9 3703f44b 2a65201d 0a1a54c7 2b5cac75 c7461763 3792c211
           e9d62af9 9aadb282 7149556f 2520f3a3 f9f4466d 8f344820 0d0c8b15 af2d377b
           9d729a2c 8018815e b734bec0 e4960567 ce315272 88252d1c e79c72b3 ad46e26b
           4c82c81f 6a3998da b8cfbbc3 ed14d649 8dbb6d74 9b36b1be 1f48ad61 151ebcb7
           Validity: [From: Tue Nov 02 09:39:28 MST 2004,
           To: Mon Jan 31 09:39:28 MST 2005]
           Issuer: CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
           SerialNumber: [ 4187b840]
          
          ]
           Algorithm: [MD5withRSA]
           Signature:
          0000: 1D FE 8C 38 E6 1A 07 2D 53 B0 7F F8 F1 DE CF C4 ...8...-S.......
          0010: C6 02 F6 7F 6B 48 A1 A5 AF 5C 51 1C 47 37 76 01 ....kH...\Q.G7v.
          0020: 77 E5 EC 8A 97 83 64 AE 7C 48 EA BA 25 33 4A 3E w.....d..H..%3J>
          0030: 79 24 5D 00 E7 ED 73 E0 7F 29 A5 57 28 6D 52 D4 y$]...s..).W(mR.
          0040: 6C 38 6A 7E 11 94 E8 F1 B2 12 35 D8 61 78 A1 B2 l8j.......5.ax..
          0050: 44 9A 26 E7 EA 21 DC 0A BC 09 88 87 A8 9A 7E 0B D.&..!..........
          0060: A7 2C 7C FA 07 F2 6B 31 D0 95 A3 00 33 BA 16 7E .,....k1....3...
          0070: 2D 1A 2C CA 2D 79 48 50 C8 F4 FD 08 E5 80 B5 2D -.,.-yHP.......-
          
          ]
          08:51:23,156 DEBUG [BaseCertLoginModule] securityDomain=java:/jaas/ws-cert
          08:51:23,156 DEBUG [BaseCertLoginModule] found domain: org.jboss.security.plugins.JaasSecurityDomain
          08:51:23,156 DEBUG [BaseCertLoginModule] exit: initialize(Subject, CallbackHandler, Map, Map)
          08:51:23,156 DEBUG [BaseCertLoginModule] enter: login()
          08:51:23,156 DEBUG [BaseCertLoginModule] enter: getAliasAndCert()
          08:51:23,156 DEBUG [BaseCertLoginModule] exit: getAliasAndCert()
          08:51:23,156 DEBUG [BaseCertLoginModule] enter: validateCredentail(String, X509Certificate)
          08:51:23,171 DEBUG [BaseCertLoginModule]
           Supplied Credential: 4187b840
           CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
          
           Existing Credential: 4187b840
           CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
          
          08:51:23,171 DEBUG [BaseCertLoginModule] The supplied certificate matched the certificate in the keystore.
          08:51:23,171 DEBUG [BaseCertLoginModule] exit: validateCredentail(String, X509Certificate)
          08:51:23,171 DEBUG [BaseCertLoginModule] exit: login()
          08:51:23,234 DEBUG [AuthenticatorBase] Authenticated 'CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US' with type 'CLIENT-CERT'
          08:51:23,234 DEBUG [AuthenticatorBase] Calling accessControl()
          08:51:23,234 DEBUG [RealmBase] Checking roles GenericPrincipal[CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US(W,)]
          08:51:23,234 DEBUG [RealmBase] Username CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US has role W
          08:51:23,234 DEBUG [AuthenticatorBase] Successfully passed all security constraints
          


          from the linux server (unsuccessful)
          2005-01-14 08:57:53,365 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Cert #0 = [
          [
           Version: V1
           Subject: CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
           Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
          
           Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@ffffff0d
           Validity: [From: Tue Nov 02 09:39:28 MST 2004,
           To: Mon Jan 31 09:39:28 MST 2005]
           Issuer: CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
           SerialNumber: [ 4187b840]
          
          ]
           Algorithm: [MD5withRSA]
           Signature:
          0000: 1D FE 8C 38 E6 1A 07 2D 53 B0 7F F8 F1 DE CF C4 ...8...-S.......
          0010: C6 02 F6 7F 6B 48 A1 A5 AF 5C 51 1C 47 37 76 01 ....kH...\Q.G7v.
          0020: 77 E5 EC 8A 97 83 64 AE 7C 48 EA BA 25 33 4A 3E w.....d..H..%3J>
          0030: 79 24 5D 00 E7 ED 73 E0 7F 29 A5 57 28 6D 52 D4 y$]...s..).W(mR.
          0040: 6C 38 6A 7E 11 94 E8 F1 B2 12 35 D8 61 78 A1 B2 l8j.......5.ax..
          0050: 44 9A 26 E7 EA 21 DC 0A BC 09 88 87 A8 9A 7E 0B D.&..!..........
          0060: A7 2C 7C FA 07 F2 6B 31 D0 95 A3 00 33 BA 16 7E .,....k1....3...
          0070: 2D 1A 2C CA 2D 79 48 50 C8 F4 FD 08 E5 80 B5 2D -.,.-yHP.......-
          
          ]
          2005-01-14 08:57:53,387 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] securityDomain=java:/jaas/ws-cert
          2005-01-14 08:57:53,388 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] found domain: org.jboss.security.plugins.JaasSecurityDomain
          2005-01-14 08:57:53,388 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: initialize(Subject, CallbackHandler, Map, Map)
          2005-01-14 08:57:53,388 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: login()
          2005-01-14 08:57:53,388 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: getAliasAndCert()
          2005-01-14 08:57:53,390 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: getAliasAndCert()
          2005-01-14 08:57:53,390 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: validateCredentail(String, X509Certificate)
          2005-01-14 08:57:53,390 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule]
           Supplied Credential: 4187b840
           CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
          
           Existing Credential: No match for alias: CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US, we have aliases [root, az-client, jboss-server-dev, brian-client, mykey, ricardo-client, brian-client-2]
          2005-01-14 08:57:53,390 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] The supplied certificate DID NOT match the certificate in the keystore.
          2005-01-14 08:57:53,390 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: validateCredentail(String, X509Certificate)
          2005-01-14 08:57:53,390 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
          2005-01-14 08:57:53,402 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US
          2005-01-14 08:57:53,403 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          


          There are two things I see. On my workstation there is more information given in the certificate data, even though the serial number and signature match.

          Also, it looks like it's comparing the DN to the alias names. I thought it was supposed to loop through the aliases and then match the DN to the DN attached to the alias.

          Any ideas of what is going on here?

          • 17. Re: UsersRolesLoginModule AND CLIENT-CERT (desperately)
            kookywon

            Also, just to confirm that my certs match.

            From my client keystore:

            jwsdpco-client, Nov 2, 2004, keyEntry,
            Certificate fingerprint (MD5): 57:8A:30:61:23:53:C6:34:B0:0A:38:3E:56:ED:EE:98


            This is the key entry of the keystore I use to make my request with.

            from the server keystore:
            brian-client, Dec 21, 2004, trustedCertEntry,
            Certificate fingerprint (MD5): 57:8A:30:61:23:53:C6:34:B0:0A:38:3E:56:ED:EE:98
            


            The fingerprints match, so the alias (on the server) brian-client should match the certificate that I'm passing in.


            • 18. Re: UsersRolesLoginModule AND CLIENT-CERT (desperately)
              nehring

              From what I read in the JBoss docs, the alias in the keystore needs to be the x509 subject line of the cert (with escapes for spaces and delimiters). So my advice would be to modify the keystore aliases.

              • 19. Re: UsersRolesLoginModule AND CLIENT-CERT (desperately)
                starksm64

                The log clearly describes what the problem is. The principal name passed to the BaseCertLoginModule is 'CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, L=Denver, ST=CO, C=US' and there is no matching entry in the keystore with an alias matching this name. The log displays the only keystore aliases as: [root, az-client, jboss-server-dev, brian-client, mykey, ricardo-client, brian-client-2]
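
                The lookup the two replies above describe, as an added example that is not JBoss code and not part of this thread: a small model of an alias-keyed certificate check in Python. The certificates, their DER bytes and the keystore contents are constructed stand-ins (the DN, serial and alias names are copied from the log output earlier in the thread), so it runs offline; the real module works on java.security.KeyStore entries, which this does not touch. It shows the alias-keyed lookup the failing log reports, the alias scan the poster expected instead, and the re-keying under the subject DN that made the check pass.

```python
"""Model of a certificate login check keyed on keystore alias.

Added example, not JBoss code.  Certificates and the keystore are
constructed stand-ins; only the lookup semantics are being demonstrated.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_dn: str
    serial: str
    der: bytes  # constructed stand-in for the DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


# Constructed client certificate; DN and serial are those shown in the thread's log.
CLIENT_DN = ("CN=CO CSE Client, OU=Child Support Enforcement, O=State of Colorado, "
             "L=Denver, ST=CO, C=US")
CLIENT_CERT = Cert(CLIENT_DN, "4187b840", b"constructed-der-bytes-for-client-cert")

# Constructed server trust store: alias -> Cert.  Aliases mirror the failing log.
SERVER_KEYSTORE = {
    "root": Cert("CN=root", "01", b"root-cert"),
    "az-client": Cert("CN=az", "02", b"az-cert"),
    "brian-client": CLIENT_CERT,  # the right cert, but under a human-chosen alias
    "mykey": Cert("CN=server", "03", b"server-cert"),
}


def validate_credential(keystore, alias, supplied):
    """Alias-keyed check, as the failing log shows it.

    The principal name (the cert's subject DN) is used directly as the alias.
    A cert stored under any other alias is simply not found; a cert found
    under the alias must equal the supplied one in full (modelled here as
    dataclass equality, i.e. DN, serial and DER bytes).
    Returns (ok, message).
    """
    existing = keystore.get(alias)
    if existing is None:
        return False, (f"No match for alias: {alias}, we have aliases "
                       f"[{', '.join(keystore)}]")
    if existing != supplied:
        return False, f"Bad credential for alias={alias}"
    return True, "The supplied certificate matched the certificate in the keystore."


def find_alias_by_subject(keystore, supplied):
    """The lookup the original poster expected: scan every alias and match on
    the stored cert's subject DN.  Shown only to make the difference explicit;
    it is not what the alias-keyed check does."""
    for alias, cert in keystore.items():
        if cert.subject_dn == supplied.subject_dn and cert == supplied:
            return alias
    return None


def rekey_under_subject_dn(keystore, old_alias):
    """The fix that worked in the thread: store the entry under its subject DN.
    Mutates `keystore` and returns the new alias."""
    cert = keystore.pop(old_alias)
    keystore[cert.subject_dn] = cert
    return cert.subject_dn


if __name__ == "__main__":
    ks = dict(SERVER_KEYSTORE)
    print(validate_credential(ks, CLIENT_DN, CLIENT_CERT))        # no match for alias
    print(find_alias_by_subject(ks, CLIENT_CERT))                  # brian-client
    rekey_under_subject_dn(ks, "brian-client")
    print(validate_credential(ks, CLIENT_DN, CLIENT_CERT))        # matched
```

The last check worth keeping in mind: once the alias is the DN, a presented certificate with the same subject DN but different bytes still fails the whole-certificate comparison, so the DN alone is never enough to authenticate.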

                • 20. Re: UsersRolesLoginModule AND CLIENT-CERT (desperately)
                  kookywon

                  Okay, so if I change the alias to the DN it does work.

                  However, my question is why does it work on my workstation without the DN as the alias? I would prefer to use any alias I choose since the DN becomes unwieldy when I want to insert or delete keystore entries.

                  Thanks for your help.

                  brian
