3 Replies Latest reply on Mar 27, 2012 12:54 PM by karink

    JBoss 7.1.1: how to enable client-cert authentication for the management interface

    karink

      Hi all,

      In the release notes of 7.1.0 the following is stated:

      • Support for client certificate authentication on both the remoting interfaces and the HTTP management interface.

       

      Also Darron has mentioned that in the following discussion https://community.jboss.org/message/723290.

       

      How is that concretely configured?

       

      I tried the following config

      <security-realm name="ManagementRealm">
          <authentication>
              <truststore path="karin.jks" relative-to="jboss.domain.config.dir" password="karin"/>
          </authentication>
      </security-realm>

      <http-interface security-realm="ManagementRealm">
          <socket interface="management" port="9990" secure-port="8888"/>
      </http-interface>

       

      JBoss AS started successfully, but I cannot invoke the domain console on port 8888 (I guess the SSL connection is not really working; it might be that my truststore is not useful). Anyway, would that actually be the correct configuration?

       

      What exactly will happen when a client tries to connect? I think it will be:

      1) the client certificate is requested

      2) the client certificate is checked to see if it is issued by the truststore CA certificate (just standard SSL client authentication)

      3) if yes, the CN from the client certificate is set as principal

       

      Thanks for your help

       

      Karin

        • 1. Re: JBoss 7.1.1: how to enable client-cert authentication for the management interface
          dlofthouse

          Your server will also want a keystore setting for the identity of the server.

          • 2. Re: JBoss 7.1.1: how to enable client-cert authentication for the management interface
            karink

            OK, yes, I changed my config accordingly.

            Now it looks like this:

             

            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl>
                        <keystore path="jboss.jks" relative-to="jboss.domain.config.dir" password="12345"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <!-- as soon as a truststore is present, client cert authentication is done automatically -->
                    <truststore path="trusted.jks" relative-to="jboss.domain.config.dir" password="12345"/>
                    <!--<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>-->
                </authentication>
            </security-realm>

             

            The SSL connection is now working fine (I can choose the correct client certificate in my browser (issued by the trusted.jks store)), but on the whole authentication is failing -> I'm redirected to page https://localhost:8888/error/index_win.html#hosts/server-instances;host=master (HTTP response code 307). I did not see any error message anywhere.

             

            Do I have to insert my user somewhere? I tried to debug it but could not find out what would be the best class (I used ClientCertAuthenticator, but somehow it never stopped there).

            • 3. Re: JBoss 7.1.1: how to enable client-cert authentication for the management interface
              karink

              Is there any news on this issue?

              -> I still do not know if I have to add the propagated user (e.g. the CN name of the client certificate) somewhere -> this would make sense
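
Steps 2 and 3 of the flow karink expects in the first post, as an added example that is not from the thread or from JBoss: a throwaway CA stands in for the entry in trusted.jks, and openssl checks whether a client certificate chains to it and reads the CN. Whether JBoss AS 7.1.1 actually maps the CN to a principal is not confirmed in this thread; all names and files here are constructed.

```shell
#!/usr/bin/env bash
# Added example. Every name below (the CAs, karin, mallory) is a constructed sample value.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <CN>: self-signed CA, standing in for the CA entry of a truststore
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client <prefix> <CN> <ca-prefix>: client certificate signed by that CA
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# Step 2: does the client certificate chain to the trusted CA?
# Matching on ": OK" avoids relying on the exit code of older openssl builds.
issued_by_trusted_ca() {
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$'
}

# Step 3: the CN a server could take as the principal name.
# The comma split is enough for these sample DNs; it does not handle escaped commas.
principal_cn() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

make_ca trusted "Test Mgmt CA"        # the CA the server trusts
make_ca other "Unrelated CA"          # a CA the server does not trust
make_client karin karin trusted
make_client mallory mallory other

for c in karin mallory; do
  if issued_by_trusted_ca "$c" trusted; then
    echo "$c: accepted, CN=$(principal_cn "$c")"
  else
    echo "$c: rejected, not issued by the trusted CA"
  fi
done
```

To run the same chain check against a real truststore, export its CA entry to PEM first with `keytool -exportcert -rfc -keystore trusted.jks -alias <alias>`.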