-
1. Re: Client Certificate Authentication
starksm64 Jun 16, 2005 1:43 PM (in response to nothingman)
See the verifier attribute of BaseCertLoginModule:
http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule
-
2. Re: Client Certificate Authentication
rpa_rio Jun 16, 2005 3:52 PM (in response to nothingman)
"nothingman" wrote:
Hi, I've read the SSL how-to http://www.jboss.org/wiki/Wiki.jsp?page=SSLSetup and it seems that, in order to do client authentication, you need to import all the clients' certificates on the server. Is it correct?
In our environment we already have user data and credentials stored in a db and we can associate the certificate to a particular user because the CN of the certificate contains the "social security number" which is stored in the db.
So in our environment the server should only verify the certificate and there is no need to store client certificates on the server.
How can I set up a login module like this?
Thanx in advance.
Where did you put your keystore? And how did you pass the "social security number" to the db? Do you have any tutorial about how this authentication is done?
Thanks for any help.
-
3. Re: Client Certificate Authentication
rpa_rio Jun 16, 2005 4:11 PM (in response to nothingman)
Have you followed the topics "2 - Client authentication" and "2 - Client authentication with self-signed server cert" to make it work as you need?
I'm in a very similar situation, because I have a webapp using a FORM authentication method and now I need to use CLIENT-CERT to perform authentication in my webservices, and I'll use something like "social security number" to obtain the username/password and then authenticate in the JAAS...
-
4. Re: Client Certificate Authentication
rpa_rio Jun 16, 2005 4:44 PM (in response to nothingman)
Can I use the same securityDomain for FORM authentication + DatabaseServerLoginModule and CLIENT-CERT + the same DatabaseServerLoginModule?
-
5. Re: Client Certificate Authentication
nothingman Jun 17, 2005 3:07 AM (in response to nothingman)
"scott.stark@jboss.org" wrote:
See the verifier attribute of BaseCertLoginModule:
http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule
Thanx, I'll try today.
--
Nothingman
-
6. Re: Client Certificate Authentication
nothingman Jun 17, 2005 3:09 AM (in response to nothingman)
"rpa_rio" wrote:
Have you followed the topics "2 - Client authentication" and "2 - Client authentication with self-signed server cert" to make it work as you need?
Yes, but I really cannot have the client certificate on the server. We already have a repository with all the user data (name, surname, uid, pwd, social security number) but we don't have the subject of the certificate in the db. We don't want to use an applet to read the smart-card and do a sort of self-provisioning. We only want to associate the cert to the user, simply extracting the social security number from the certificate subject.
-
7. Re: Client Certificate Authentication
rpa_rio Jun 17, 2005 8:57 AM (in response to nothingman)
"nothingman" wrote:
Yes, but I really cannot have the client certificate on the server. We already have a repository with all the user data (name, surname, uid, pwd, social security number) but we don't have the subject of the certificate in the db. We don't want to use an applet to read the smart-card and do a sort of self-provisioning. We only want to associate the cert to the user, simply extracting the social security number from the certificate subject.
And how do you extract this data from the certificate subject?
-
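An added example, not part of this thread and not JBoss code, of the design nothingman describes together with the extraction rpa_rio asks about: the server's truststore holds only the issuing CA, whatever chain the client presents is PKIX-validated against it, and the identifier is read out of the subject CN with the JDK's RFC 2253 parser (javax.naming.ldap.LdapName) instead of splitting the DN on commas. The map standing in for the users table, the sample subject and the assumption that the CN is exactly the social security number are all constructed for the example. In JBoss this is the kind of check a class named in the `verifier` option Scott Stark points to would perform; the module's default check compares the presented certificate with the one stored under the user's alias in the truststore, which is why each client certificate otherwise has to be imported (the situation rpa_rio reports at the end of the thread).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/*
 * Added example, not JBoss code. The truststore holds CA certificates
 * only: any certificate that chains to one of them is accepted and the
 * identifier in its subject CN is looked up in the user store.
 */
public class CertSubjectMapper {

    // Stand-in for the users table (constructed sample data): SSN -> uid.
    // A real login module would run "select uid from users where ssn = ?".
    static final Map<String, String> USERS_BY_SSN = new HashMap<String, String>();
    static {
        USERS_BY_SSN.put("123-45-6789", "mrossi");
    }

    /** First value of the given attribute type in an RFC 2253 DN, or null. */
    public static String dnAttribute(String rfc2253Dn, String type) throws Exception {
        // LdapName/Rdn undo RFC 2253 escaping, so a comma or '+' inside a
        // value is never mistaken for an attribute boundary.
        for (Rdn rdn : new LdapName(rfc2253Dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Same lookup on a certificate's subject DN. */
    public static String subjectAttribute(X509Certificate cert, String type) throws Exception {
        return dnAttribute(cert.getSubjectX500Principal().getName(X500Principal.RFC2253), type);
    }

    /**
     * PKIX-validates the presented chain against the trusted-certificate entries
     * of the truststore; throws CertPathValidatorException if it is not trusted.
     */
    public static X509Certificate verifyChain(X509Certificate[] chain, KeyStore trustStore)
            throws Exception {
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        for (X509Certificate c : chain) {
            // The validated path ends below the trust anchor; drop the anchor
            // itself if the client sent it along with its own certificate.
            if (trustStore.getCertificateAlias(c) == null) {
                path.add(c);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        // No CRL/OCSP source is wired up in this example; with the CA alone
        // deciding trust, revocation is what locks out a lost smart-card.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return chain[0];
    }

    /** Maps a presented chain to a uid, or null if the CN matches no user. */
    public static String userForCertificate(X509Certificate[] chain, KeyStore trustStore)
            throws Exception {
        X509Certificate client = verifyChain(chain, trustStore);
        String ssn = subjectAttribute(client, "CN"); // assumption: CN is the SSN itself
        return ssn == null ? null : USERS_BY_SSN.get(ssn);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            // Without files at hand, exercise the DN parsing on a constructed subject.
            String ssn = dnAttribute("CN=123-45-6789,OU=Cardholders,O=Example Corp,C=US", "CN");
            System.out.println("CN " + ssn + " -> uid " + USERS_BY_SSN.get(ssn));
            System.out.println("usage: CertSubjectMapper <truststore.jks> <storepass> <chain.pem>");
            return;
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        FileInputStream tin = new FileInputStream(args[0]);
        try { trustStore.load(tin, args[1].toCharArray()); } finally { tin.close(); }
        FileInputStream cin = new FileInputStream(args[2]);
        X509Certificate[] chain;
        try {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(cin).toArray(new X509Certificate[0]);
        } finally { cin.close(); }
        String uid = userForCertificate(chain, trustStore);
        System.out.println(uid == null ? "trusted certificate, but no user with that SSN"
                                       : "authenticated as " + uid);
    }
}
```

Run it with a JKS truststore containing the CA and a PEM file with the client's chain, or with no arguments to see the DN parsing alone. One caveat the thread does not spell out: once the CA alone decides who is trusted, anyone holding a certificate from that CA logs in as whichever user the CN maps to, so the truststore must contain only the CA(s) that actually vet identity, and revocation checking (switched off in the block) is what keeps a lost or stolen card from being usable.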
8. Re: Client Certificate Authentication
rpa_rio Jun 17, 2005 11:23 AM (in response to nothingman)
I followed the topic "2 - Client authentication", but now I'm getting an "SSL Error getting client Certs" when I try to access my webapp using Firefox.
-
9. Re: Client Certificate Authentication
rpa_rio Jun 17, 2005 11:53 AM (in response to nothingman)
I got this in STDOUT before the "SSL Error getting client Certs":
2005-06-17 12:45:01,601 INFO [STDOUT] *** Certificate chain
2005-06-17 12:45:01,601 INFO [STDOUT] ***
2005-06-17 12:45:01,601 INFO [STDOUT] %% Invalidated: [Session-1, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
2005-06-17 12:45:01,601 INFO [STDOUT] http-0.0.0.0-8443-Processor5
2005-06-17 12:45:01,601 INFO [STDOUT] , SEND TLSv1 ALERT:
2005-06-17 12:45:01,601 INFO [STDOUT] fatal,
2005-06-17 12:45:01,601 INFO [STDOUT] description = bad_certificate
2005-06-17 12:45:01,603 INFO [STDOUT] Padded plaintext before ENCRYPTION: len = 32
2005-06-17 12:45:01,603 INFO [STDOUT] :
-
10. Re: Client Certificate Authentication
rpa_rio Jun 17, 2005 1:22 PM (in response to nothingman)
I ran ReadHttpsURL2 with the arguments -Djavax.net.ssl.trustStore=nexus_client.truststore -Djavax.net.ssl.trustStorePassword=nexusx acme/ReadHttpsURL2 https://rogerio.dyndns.org:8443 and then I got the jmx-console page, but when I try to access the URL https://rogerio.dyndns.org:8443/eAIDF I'm getting a bar_certificate message.
-
11. Re: Client Certificate Authentication
rpa_rio Jun 17, 2005 1:23 PM (in response to nothingman)
Sorry, a bad_certificate message...
-
12. Re: Client Certificate Authentication
starksm64 Jun 18, 2005 8:04 AM (in response to nothingman)
Re-read http://www.jboss.org/wiki/Wiki.jsp?page=SSLSetup as it's been updated to document the additional steps required to extract the client cert private key necessary for importing into the browser.
-
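A reading of the debug output in post 9, plus an added example that is not the SSLSetup wiki's own utility. The empty `*** Certificate chain` / `***` block is the client's Certificate handshake message with nothing in it, and the fatal `bad_certificate` alert that follows is what JSSE sends when client authentication is required and the chain is empty; the same thing happens in post 10 when the Java client is run with a truststore but no keystore. Firefox only offers certificates it holds the private key for, and it imports those from PKCS#12 files, while keytool of that era had no command to write a private key out of a JKS file (newer versions can convert a whole store with `-importkeystore -deststoretype PKCS12`). The program below does the copy with the standard KeyStore API. File and alias names are arguments; it assumes the key entry is protected by the keystore password, which is what keytool uses when no separate key password is entered.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;

/*
 * Added example, not the wiki's utility. Copies one private-key entry (key
 * plus certificate chain) out of a JKS keystore into a PKCS#12 file, the
 * format browsers import as a personal certificate.
 */
public class JksToPkcs12 {

    /** Returns an in-memory PKCS#12 keystore holding just the named entry. */
    public static KeyStore toPkcs12(KeyStore jks, String alias, char[] keyPass, char[] p12Pass)
            throws Exception {
        if (!jks.isKeyEntry(alias)) {
            // A trusted-certificate entry carries no private key, so a browser
            // could never use it to answer the server's CertificateRequest.
            throw new IllegalArgumentException(alias + " is not a private-key entry");
        }
        Key key = jks.getKey(alias, keyPass);
        Certificate[] chain = jks.getCertificateChain(alias);
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start with an empty store
        p12.setKeyEntry(alias, key, p12Pass, chain);
        return p12;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: JksToPkcs12 <client.keystore> <password> <alias> <out.p12>");
            return;
        }
        // Assumption: the key entry uses the keystore password (keytool's default
        // when no separate key password is entered).
        char[] password = args[1].toCharArray();
        KeyStore jks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try { jks.load(in, password); } finally { in.close(); }

        // Older PKCS#12 providers require the key and the file to share one
        // password, so the same one is used for both.
        KeyStore p12 = toPkcs12(jks, args[2], password, password);
        FileOutputStream out = new FileOutputStream(args[3]);
        try { p12.store(out, password); } finally { out.close(); }
        System.out.println("wrote " + args[3] + "; import it under Firefox's personal certificates");
    }
}
```

After importing the .p12 file, the browser will present that certificate when the server asks for one, and the `*** Certificate chain` block in the debug log should list it instead of being empty. Treat the .p12 file as the private key it is: delete it once imported, or keep it only where the keystore itself would be kept.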
13. Re: Client Certificate Authentication
rpa_rio Jun 18, 2005 9:28 AM (in response to nothingman)
Thanks a lot!
-
14. Re: Client Certificate Authentication
rpa_rio Jun 21, 2005 10:11 AM (in response to nothingman)
"nothingman" wrote:
"rpa_rio" wrote:
Have you followed the topics "2 - Client authentication" and "2 - Client authentication with self-signed server cert" to make it work as you need?
Yes, but I really cannot have the client certificate on the server. We already have a repository with all the user data (name, surname, uid, pwd, social security number) but we don't have the subject of the certificate in the db. We don't want to use an applet to read the smart-card and do a sort of self-provisioning. We only want to associate the cert to the user, simply extracting the social security number from the certificate subject.
Now I got it working here using DatabaseCertLoginModule, but I still need to import the client certificate.