-
30. Re: HTTPS on JBoss AS 7 - truststore configuration
ctomc Jan 11, 2012 5:05 PM (in response to project_mercy)
Hi,
In the latest builds APR libs are bundled with the AS, so if you want to use JSE you have to delete the native libraries that are shipped with the app server.
Go to JBOSS_HOME\modules\org\jboss\as\web\main\ and delete the "lib" folder and restart; this way it won't find the APR native libs and the JSE configuration will work.
By default it tries to use APR, and if you have them on the path it won't even consider the JSE configuration...
Hope this helps,
tomaz
-
31. Re: HTTPS on JBoss AS 7 - truststore configuration
project_mercy Jan 11, 2012 5:38 PM (in response to ctomc)
Thank you for your prompt reply. This is the part I don't understand:
Hi, in latest builds APR libs are bundled with AS, so if you want to use JSE you have to delete native libraries that are shipped with app server.
I read this in an earlier post, I suspect it probably works. My concern is, if these files were included in the distribution, don't they have a use? Unfortunately I'm new to JBOSS AS. I only have the examples and the documentation. Both right now show the JKS version that doesn't work anymore. So if a change was made to include those libraries, what is the new "better" way of doing it? Where am I using JSE? Should I not be using it? Or is the answer "the libraries are incorrectly included and should be deleted on every install"? I understand that 7.1 is still in development, so clearly some hacking is expected. What I'm trying to determine is if this is a temporary kludge, or if the answer you're giving is more of a work-around to using JKS. Since I'm not set on JKS, I would rather not use a work-around if there was a valid implementation I could be using instead.
Thank you for your help,
-
32. Re: HTTPS on JBoss AS 7 - truststore configuration
ctomc Jan 12, 2012 5:09 AM (in response to project_mercy)
Hi,
My concern is, if these files were included in the distribution, don't they have a use? Unfortunately I'm new to JBOSS AS. I only have the examples and the documentation. Both right now show the JKS version that doesn't work anymore. So if a change was made to include those libraries, what is the new "better" way of doing it? Where am I using JSE? Should I not be using it? Or is the answer "the libraries are incorrectly included and should be deleted on every install"? I understand that 7.1 is still in development, so clearly some hacking is expected. What I'm trying to determine is if this is a temporary kludge, or if the answer you're giving is more of a work-around to using JKS. Since I'm not set on JKS, I would rather not use a work-around if there was a valid implementation I could be using instead.
No, it is not a mistake that the files are included in the distribution. But the guys that developed JBossWeb are firmly convinced (rightly so) that the APR extensions are better performance-wise and security-wise; that is why this is included by default.
But from my point of view SSL via APR is great when you have the app server directly serving the content without Apache in front of it. But if you need SSL just for development/testing purposes you can use JSE without any problems, but you have to enable it.
The trick is that the APR configuration is a bit more complex and you usually need a system administrator to help you with openssl and certificates.
To put it simply, use APR if JBoss is directly (no proxy or balancer in front) serving content and JBoss is the SSL endpoint. For other cases you can use JSE, but my recommendation for you would be that for production and even staging environments you need Apache HTTPD or similar in front of the app server; for development, where you need for example client certificate auth, you set up JSE as it is simple to share among developers.
But again, this is my point of view.
cheers,
tomaz
-
33. Re: HTTPS on JBoss AS 7 - truststore configuration
project_mercy Jan 12, 2012 12:40 PM (in response to ctomc)
This gives me a lot more to go on. Thank you for your extensive explanation. I'll look into the two options and see which fits my needs.
-
34. Re: HTTPS on JBoss AS 7 - truststore configuration
project_mercy Jan 17, 2012 2:36 PM (in response to project_mercy)
As an answer to myself, the simple answer to getting AS7.1 with APR working would be to generate a key and cert. If you're not using a known CA, then you can self-sign one. You will need an openssl install somewhere. The commands would be:
openssl genrsa -des3 -out newkey.pem 1024
openssl req -new -x509 -key newkey.pem -out newcert.pem -days 3650
This will ask for a password to create the key and to sign the cert. Enter data as applicable in the cert generation. This will generate a PEM formatted key file named "newkey.pem" and a cert file named "newcert.pem".
Then edit standalone.xml (if running standalone), find the "urn:jboss:domain:web:1.1" subsystem and add the following, changing the password and paths as applicable to your cert and install:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl password="changeit"
         certificate-key-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/newkey.pem"
         certificate-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/newcert.pem"/>
</connector>
For more info (or the command to do this via the CLI) you can see the man page at: https://docs.jboss.org/author/display/AS71/Native+Connectors
-
35. Re: HTTPS on JBoss AS 7 - truststore configuration
project_mercy Jan 17, 2012 9:15 PM (in response to project_mercy)
Does anyone know why, when I add verify-client="true" to
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl password="changeit"
         certificate-key-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/newkey.pem"
         certificate-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/newcert.pem"/>
</connector>
I don't get any requests for my cert in my browser?
I've tried adding CLIENT-CERT logins to web.xml/jboss-web.xml per the docs, but I just get null cert chain errors, because JBOSS doesn't seem to ask for the client's cert. I've tried it both with AS 7.0.2 and AS 7.1.0-CR1.
Extra files:
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Cert Auth</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AdminRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <role-name>AdminRole</role-name>
    </security-role>
</web-app>
jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <context-root>test</context-root>
    <security-domain>RequireCertificateDomain</security-domain>
</jboss-web>
standalone.xml
<security-domain name="RequireCertificateDomain">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="securityDomain" value="RequireCertificateDomain"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <module-option name="usersProperties" value="file:/C:/jboss-as-7.1.0.CR1b/standalone/configuration/users.properties"/>
            <module-option name="rolesProperties" value="file:/C:/jboss-as-7.1.0.CR1b/standalone/configuration/roles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="changeit" keystore-type="pkcs12"
          keystore-url="file:/C:/jboss-as-7.1.0.CR1b/standalone/configuration/newCAcert.p12"
          truststore-password="changeit" truststore-type="pkcs12"
          truststore-url="file:/C:/jboss-as-7.1.0.CR1b/standalone/configuration/newCAcert.p12"
          client-auth="true"/>
</security-domain>
-
36. Re: HTTPS on JBoss AS 7 - truststore configuration
fabrizio.benedetti Jan 18, 2012 3:54 AM (in response to project_mercy)
In order for browsers to ask for a certificate you have to meet these requisites:
1. your server must have verify-client set to "want" or "true" on the connector/ssl element
2. your server must have a security-domain (yours is fine)
3. your app must have a security constraint and a login-config set to CLIENT-CERT in web.xml (yours is fine)
4. your app must have a security-domain in jboss-web.xml (yours is fine)
5. your browser must have at least one certificate installed in the personal section (import a .p12)
6. your certificate must be released by a CA trusted in your server truststore (or a self-signed one trusted in the server truststore)
Your connector configuration is for the native connector (openssl), but your security-domain has a jsse element with Java keystores.
Try to modify your standalone.xml or domain.xml to:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="myssl"
         certificate-key-file="file://C:/jboss-as-7.1.0.CR1b/standalone/configuration/newCAcert.p12"
         keystore-type="PKCS12"
         password="changeit"
         key-alias="your_key_alias"
         ca-certificate-file="file://C:/jboss-as-7.1.0.CR1b/standalone/configuration/newCAcert.p12"
         truststore-type="PKCS12"
         verify-client="true"/>
</connector>
Then create a personal certificate (.p12), trust its public key (.cer) in newCAcert.p12 and import it (.p12) in your browser's personal certificates.
Try to connect to https://localhost:8443/yourapp
Regards
/Fabrizio
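As an added example (not code from this thread, from JBoss or from JBossWeb), the following POSIX shell script carries the openssl steps of posts 34 and 36 through end to end: it builds a small demo CA, issues a server certificate and a client certificate from it, exports the client certificate as the .p12 a browser imports into its personal section, and then uses openssl verify to check requisite 6 above, i.e. which certificates actually chain to the CA that the server truststore will hold. It also prints the subject CN of the client certificate, which is the identity the CertificateRoles login module later sees. The file names demo-ca, demo-server, demo-client and rogue, the WORKDIR variable and the 2048-bit key size are assumptions of this script, not values from the thread (post 34 used 1024-bit keys, which no current CA would issue).

```shell
#!/bin/sh
# Added example: tiny demo PKI with openssl to check the trust relations that
# the verify-client="true" connector depends on, before touching standalone.xml.
# File names (demo-ca, demo-server, demo-client, rogue) and WORKDIR are assumed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca: self-signed CA key and certificate (the role newCAcert plays above).
make_ca() {
    openssl genrsa -out "$WORKDIR/demo-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORKDIR/demo-ca.key" -out "$WORKDIR/demo-ca.pem" \
        -days 3650 -subj "/CN=Demo CA" 2>/dev/null
}

# issue_cert NAME SUBJECT: private key, CSR and certificate signed by the demo CA.
issue_cert() {
    name="$1"; subject="$2"
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
        -subj "$subject" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/demo-ca.pem" \
        -CAkey "$WORKDIR/demo-ca.key" -CAcreateserial \
        -out "$WORKDIR/$name.pem" -days 365 2>/dev/null
}

# export_p12 NAME PASSWORD: PKCS#12 bundle (key + cert) for a browser's personal certificates.
export_p12() {
    openssl pkcs12 -export -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.pem" \
        -name "$1" -out "$WORKDIR/$1.p12" -passout "pass:$2"
}

# verify_against_ca CERT: prints "ok" if CERT chains to the demo CA, "untrusted" otherwise.
# This is the check the server performs against its truststore (requisite 6).
verify_against_ca() {
    if openssl verify -CAfile "$WORKDIR/demo-ca.pem" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# cert_cn CERT: RFC 2253 subject of CERT, the identity a CLIENT-CERT login sees.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# build_demo_pki: CA, server cert for localhost, client cert for user "alice",
# plus a self-signed certificate that was NOT issued by the demo CA.
build_demo_pki() {
    make_ca
    issue_cert demo-server "/CN=localhost"
    issue_cert demo-client "/CN=alice"
    export_p12 demo-client changeit
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/rogue.key" \
        -out "$WORKDIR/rogue.pem" -days 365 -subj "/CN=rogue" 2>/dev/null
}

# demo_main: build everything and report which certificates the truststore would accept.
demo_main() {
    build_demo_pki
    echo "files in $WORKDIR"
    echo "demo-client.pem: $(verify_against_ca "$WORKDIR/demo-client.pem") ($(cert_cn "$WORKDIR/demo-client.pem"))"
    echo "rogue.pem:       $(verify_against_ca "$WORKDIR/rogue.pem") ($(cert_cn "$WORKDIR/rogue.pem"))"
}

# Run "DEMO_PKI_RUN=1 sh demo-pki.sh" to execute; sourcing the file only defines the functions.
if [ "${DEMO_PKI_RUN:-0}" = 1 ]; then
    demo_main
fi
```

Mapped onto the connector above: demo-ca.pem is what belongs in the truststore referenced by ca-certificate-file, demo-server.key and demo-server.pem are the certificate-key-file and certificate-file of the native connector (or go into the keystore of a JSE connector), and demo-client.p12 is what the browser imports. The rogue certificate shows why requisite 6 matters: it is perfectly valid on its own, but the server will refuse it because nothing in the truststore signed it.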
-
37. Re: HTTPS on JBoss AS 7 - truststore configuration
jaikiran Jan 20, 2012 10:40 PM (in response to ctomc)
Tomaz Cerar wrote:
Hi,
in latest builds APR libs are bundled with AS, so if you want to use JSE you have to delete native libraries that are shipped with app server.
go to JBOSS_HOME\modules\org\jboss\as\web\main\ and delete the "lib" folder and restart, this way it won't find apr native libs and JSE configuration will work.
I just checked with the JBossWeb team and, instead of deleting these files, the right way to switch back to JSE from OpenSSL is to set native=false in the web subsystem (standalone.xml/domain.xml): https://community.jboss.org/message/647986#647986
-
38. Re: HTTPS on JBoss AS 7 - truststore configuration
gregcharles Jan 23, 2012 7:01 PM (in response to jaikiran)
Good for you Jaikiran. I came by to amend posts that I'd seen with the "delete native library" advice with that new information, but it's nice to see you were already on top of it.
-
39. Re: HTTPS on JBoss AS 7 - truststore configuration
ctomc Jan 25, 2012 9:51 AM (in response to jaikiran)
Jaikiran,
tnx for that, I totally missed that!
-
40. Re: HTTPS on JBoss AS 7 - truststore configuration
dcraddo1 Jan 27, 2012 8:49 AM (in response to jaikiran)
I tried using native="false" in the web subsystem but it errors with "Message: JBAS014788: Unexpected attribute 'native' encountered". Has the attribute been incorporated in version 7.1.0.CR1b?
-
41. Re: HTTPS on JBoss AS 7 - truststore configuration
gregcharles Jan 30, 2012 1:44 PM (in response to dcraddo1)
For 7.1.0.CR1b, I have:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
and that's working for me.
In 7.0.x, I had:
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
Maybe you're trying to put in that native flag while the namespace definition is still 1.0?
-
42. Re: HTTPS on JBoss AS 7 - truststore configuration
dcraddo1 Jan 30, 2012 5:12 PM (in response to gregcharles)
Greg,
Thanks, that worked. I had the attribute in the connector namespace.
-
43. Re: HTTPS on JBoss AS 7 - truststore configuration
dahm Mar 13, 2012 1:52 PM (in response to guinotphil)
Hi,
I tried to gather some useful information here:
https://docs.jboss.org/author/display/AS71/SSL+setup+guide
Cheers
Markus
-
44. Re: HTTPS on JBoss AS 7 - truststore configuration
chrisinmtown Apr 20, 2012 10:51 AM (in response to dahm)
Thanks for all the posts! In large part thanks to this forum thread I have managed to get JBoss AS 7.1.1.Final doing the following. Note that I am using Java Keystore files (jks), and the server's standalone.xml file marks the urn:jboss:domain:web:1.1 element with the attribute native=false.
1. The server accepts https connections on port 8443 using a self-signed server certificate. This cert is configured in the ssl element using the certificate-key-file attribute and points to a JKS file.
2. The server accepts user-supplied client certificates in those https sessions. The truststore with the signing authority for those user certs is configured in the ssl element using the ca-certificate-file attribute and points to another JKS file.
3. My webapp requires client certificates for sessions. This is configured in the app's web.xml file. Browsers are challenged to supply a user cert. Here's the snippet of the web.xml:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
A side question: can this configuration (webapp requiring a client cert) be accomplished via annotations? Would be cool but it's not essential.
When I browse to my webapp using https on port 8443, the session is established successfully, including selection of a user certificate. Please correct me, but at this point the container seems to be handling the challenge and authentication. Note that I have no roles, no mapping of user name from the certificate to a role, nothing. I think the server will accept any client certificate that is signed using credentials cached in the server's truststore.
Here's my question. Inside my webapp (a little RESTful thing using Resteasy) I would like to obtain the user name from within the X509 certificate. What is the right way?
So far I tried this. I annotated a post method argument with "@Context HttpServletRequest servletRequest". From that object I can make this call to get an array of X509 certificates:
X509Certificate[] certificates = (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate");
I've been reading quite a bit about configuring JBoss AS 7 with security domains, about authentication modules, etc. One hint seems to be that ClientLoginModule should be used. Would this let me use the injected SecurityContext parameter in a post method? I would like that a whole lot better!
One final question: the directions seem to suggest that the trust store file with signing authorities has to be provided to the jsse element AND to the ssl element. Do I understand that correctly?
Maybe JBoss AS 7 is just so new, because most of my googling has turned up directions for versions 4 and 5.
Thanks in advance.