See the verifier attribute of BaseCertLoginModule:

http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule

"nothingman" wrote:
Hi, I've read the ssl how-to http://www.jboss.org/wiki/Wiki.jsp?page=SSLSetup and it seams that, in order to do client authentication, you need to import all the clients certificates on the server. Is it correct ?

In our environment we already have users data and credentials stored on a db and we can associate the certificate to a particular user because the CN of the certificate contain the "social security number" which is stored in the db.
So in our environment the server should only verify the certificate and there is no need to store client certficate on the server.
How can I set up an login module like this ?

Thanx in advance.

Have you followed the topics: "2 - Client authentication" and "2 - Client authentication with self-signed server cert" to make work as you need?
I'm in a very similar situation, because i have a webapp using a FORM authentication method and now i need to use CLIENT-CERT to perform authentication in my webservices and i'll use something like "social security number" to obtain the username/password and then authenticate in the JAAS...

Can i use the same securutyDomain for FORM authentication + DatabaseServerLoginModule and CLIENT-CERT + same DatabaseServerLoginModule?

"nothingman" wrote:

Yes but I really cannot have the client certificate on the server. We already have a repository with all the users data (name, surnamane, uid, pwd, social security number) but we don't have the subject of the certificate in the db. We don't want to use an applet to read the smart-card and do a sort-of self-provisionig. We only want to associate the cert to the user simply extracting the social security number from the certificate subject.

I followed the topic: "2 - Client authentication", but now i'm getting a "SSL Error getting client Certs" when i try to access my webapp using Firefox.

I got this in STDOUT before the "SSL Error getting client Certs":

2005-06-17 12:45:01,601 INFO [STDOUT] *** Certificate chain
2005-06-17 12:45:01,601 INFO [STDOUT] ***
2005-06-17 12:45:01,601 INFO [STDOUT] %% Invalidated: [Session-1, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
2005-06-17 12:45:01,601 INFO [STDOUT] http-0.0.0.0-8443-Processor5
2005-06-17 12:45:01,601 INFO [STDOUT] , SEND TLSv1 ALERT:
2005-06-17 12:45:01,601 INFO [STDOUT] fatal,
2005-06-17 12:45:01,601 INFO [STDOUT] description = bad_certificate
2005-06-17 12:45:01,603 INFO [STDOUT] Padded plaintext before ENCRYPTION: len = 32
2005-06-17 12:45:01,603 INFO [STDOUT] :

I run the ReadHttpsURL2 with the arguments: -Djavax.net.ssl.trustStore=nexus_client.truststore -Djavax.net.ssl.trustStorePassword=nexusx acme/ReadHttpsURL2 https://rogerio.dyndns.org:8443 and the i got the jmx-console page, but when i try to access the url https://rogerio.dyndns.org:8443/eAIDF i'm getting a bar_certificate message.

Sorry, a bad_certificate message...

Re-read the http://www.jboss.org/wiki/Wiki.jsp?page=SSLSetup as its been updated to document the additional steps required to extract the client cert private key necessary for importing into the browser.

Thanks a lot!

"nothingman" wrote:

"rpa_rio" wrote:
Have you followed the topics: "2 - Client authentication" and "2 - Client authentication with self-signed server cert" to make work as you need?

Yes but I really cannot have the client certificate on the server. We already have a repository with all the users data (name, surnamane, uid, pwd, social security number) but we don't have the subject of the certificate in the db. We don't want to use an applet to read the smart-card and do a sort-of self-provisionig. We only want to associate the cert to the user simply extracting the social security number from the certificate subject.