SSL Configuration to support CLIENT-CERT
fabboco Jun 2, 2004 11:01 AM
Hi,
I am trying to set up the SSL protocol and CLIENT-CERT authentication, using the jboss-3.2.3 packaged with Tomcat.
This was my procedure:
1) I created the server cert:
keytool -genkey -alias taserver -keyalg RSA -keystore server.keystore
2) I created the client cert:
keytool -genkey -alias client -keyalg RSA -keystore client.keystore
3) I changed my jboss-service.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" address="${jboss.bind.address}" port="8443" scheme="https" secure="true">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" keystoreFile="${jboss.server.home.dir}/conf/server.keystore" keystorePass="pwd"
protocol="TLS"/>
</Connector>
4) I prepared a very simple application, and its web.xml contains:
.....
<user-data-constraint>
no description
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
.....
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>ssl</realm-name>
</login-config>
my jboss-web.xml contains:
<jboss-web>
<security-domain>java:/jaas/testSSL</security-domain>
</jboss-web>
my jboss.xml contains:
<security-domain>java:/jaas/testSSL</security-domain>
7) I changed my login-config.xml as follows:
<application-policy name="testSSL">
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name = "dsJndiName">java:/Documents</module-option>
<module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
<module-option name = "rolesQuery">select Role,RoleGroup from Roles where principalID=?</module-option>
</login-module>
</application-policy>
8) I changed run.conf, adding
-Djavax.net.ssl.trustStore=/usr/local/jboss-3.2.3/server/default/conf/client.keystore -Djavax.net.ssl.trustStorePassword=pwd
I use the Mozilla browser (1.4.2), in which I have my home-banking certificate, and I set the option
that the browser should ask me which certificate to use.
When I call my application, the browser shows me the server certificate, but it doesn't ask me which certificate to use, and the following error appears on the JBoss console:
16:37:37,685 INFO [JSSE14Support] SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at java.io.InputStream.read(InputStream.java:89)
at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1010)
at org.apache.coyote.Request.action(Request.java:393)
at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:793)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:137)
at org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:220)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.jboss.web.tomcat.tc4.statistics.ContainerStatsValve.invoke(ContainerStatsValve.java:76)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:65)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:577)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:781)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:549)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
at java.lang.Thread.run(Thread.java:534)
I have tried to find a solution using the forum, but nothing seems to solve the problem.
Can anyone tell me the right configuration procedure?
How can I import the certificate created with keytool into Mozilla?
Thank you in advance.
Regards
Fabrizio.
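Added example (not part of the original post, and not JBoss or Tomcat code) showing at the TLS level how a server ends up with no client certificate chain even though the client holds a certificate. It uses Go's standard library: three in-memory self-signed certificates stand in for the keytool entries (taserver, client, plus a client certificate that the server's trust store does not contain; these names and the scenario labels are constructed for the example), and one loopback handshake is run under each of three server policies. The ClientAuth field plays the role of the clientAuth switch on Tomcat's SSL socket factory, and ClientCAs the role of the trust store the server loads. The point to take away is in the third case: a TLS server advertises only the issuers in its trust store as acceptable in its CertificateRequest, so a client whose certificates match none of them sends an empty chain, and a browser that filters by that issuer list has nothing to prompt for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts on environment failures (key generation, sockets); TLS outcomes are never routed through it.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned builds an in-memory self-signed certificate for cn, standing in for one
// `keytool -genkey -alias <cn>` keystore entry. ECDSA P-256 replaces RSA only for speed.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed entry is its own trust anchor once imported into a trust store
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one handshake between an in-process client and server over loopback TCP
// (with a deadline so a misconfiguration cannot hang) and reports what the server saw.
func handshake(serverCfg, clientCfg *tls.Config) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	serverDone := make(chan struct{})
	defer close(serverDone)
	go func() { // client side: connect, handshake, stay connected until the server has finished
		raw, err := net.Dial("tcp", ln.Addr().String())
		check(err)
		defer raw.Close()
		_ = tls.Client(raw, clientCfg).Handshake() // a client-side failure surfaces as the server's error
		<-serverDone
	}()
	raw, err := ln.Accept()
	check(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(raw, serverCfg)
	if err := srv.Handshake(); err != nil {
		return "handshake failed: " + err.Error()
	}
	if certs := srv.ConnectionState().PeerCertificates; len(certs) > 0 {
		return "client cert CN=" + certs[0].Subject.CommonName
	}
	return "no client certificate"
}

// RunScenarios runs the same client keystore against three server policies and reports each outcome.
func RunScenarios() map[string]string {
	serverCert := selfSigned("taserver")            // server.keystore
	clientCert := selfSigned("client")              // client.keystore; its cert goes into the trust store
	strangerCert := selfSigned("some-other-issuer") // a client cert the trust store knows nothing about
	trustStore, browserRoots := x509.NewCertPool(), x509.NewCertPool()
	trustStore.AddCert(clientCert.Leaf)   // javax.net.ssl.trustStore on the server side
	browserRoots.AddCert(serverCert.Leaf) // what the client trusts for the server certificate
	server := func(auth tls.ClientAuthType) *tls.Config { // ClientAuth plays the role of the socket factory's clientAuth
		return &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: auth, ClientCAs: trustStore}
	}
	client := func(cert tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: browserRoots, ServerName: "localhost"}
	}
	return map[string]string{
		// Never asked for: the handshake succeeds, but there is no chain for a CLIENT-CERT check to use.
		"no-client-auth": handshake(server(tls.NoClientCert), client(clientCert)),
		// Asked for, and the client's certificate chains to the trust store: the chain arrives.
		"client-auth-trusted": handshake(server(tls.RequireAndVerifyClientCert), client(clientCert)),
		// Asked for, but the client's only certificate matches none of the advertised issuers: empty chain, rejected.
		"client-auth-untrusted": handshake(server(tls.RequireAndVerifyClientCert), client(strangerCert)),
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

Running it prints one line per scenario with what the server ended up with. Only the second scenario gives the server a chain to authenticate; the first never requests one, and the third is rejected because the client had nothing issued by an acceptable issuer to offer. Verifying the client chain against the trust store (RequireAndVerifyClientCert here) is what makes CLIENT-CERT an authentication rather than a self-declared identity.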