2 Replies Latest reply on Jun 18, 2019 11:00 AM by valsaraj007

    Wildfly - Remote EJB client-cert authentication

    xibo_flair

      Hi all,

      I'm using the latest 10.1 wildfly server for development. I'm able to look up EJBs from a remote client application by using the PLAIN mechanism (username and password) and secured by SSL.

      Is it possible to use a client certificate for authentication instead of using username and password, like the way we do in a browser by choosing a soft certification or by a CAC reader?

      Client side configuration:

      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import org.jboss.ejb.client.EJBClientConfiguration;
      import org.jboss.ejb.client.EJBClientContext;
      import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
      import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

      Properties prop = new Properties();
      prop.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

      // EJB Client Global Properties
      // (all values kept as Strings: Properties.getProperty() returns null for non-String values)
      prop.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
      prop.put("org.jboss.ejb.client.scoped.context", "true");

      // EJB Client Connection Properties
      prop.put("remote.connections", "default");
      prop.put("remote.connection.default.host", "host");
      prop.put("remote.connection.default.port", "port");
      prop.put("remote.connection.default.protocol", "https-remoting");
      prop.put("remote.connection.default.username", "userName");
      prop.put("remote.connection.default.password", "password");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_PROTOCOL", "TLSv1.2");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

      // Build the EJB client context from the properties and install it as the selector
      final EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(prop);
      final ConfigBasedEJBClientContextSelector selector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
      EJBClientContext.setSelector(selector);

      // JNDI lookup through the "ejb:" namespace
      Context context = (Context) new InitialContext(prop).lookup("ejb:");
      context.lookup(...);
      // do something

       

      The server is configured with SSL.

      <security-realm name="HttpsRealm">
          <server-identities>
              <ssl>
                  <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="***" alias="SSL" key-password="***"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="server.trustore" relative-to="jboss.server.config.dir" keystore-password="***"/>
              <local default-user="$local" skip-group-loading="true"/>
              <jaas name="login-domain"/>
          </authentication>
      </security-realm>

        • 1. Re: Wildfly - Remote EJB client-cert authentication
          xibo_flair

          I also configured the https-listener as follows:

          <https-listener name="default-https" socket-binding="https" max-post-size="32212254720" security-realm="HttpsRealm" enabled-protocols="TLSv1.2" verify-client="REQUESTED"/>

          After turning on the SSL debug, I found that the server does send the CertificateRequest before the ServerHelloDone.

          But it's expecting the KeyManager to provide the client certificate. Does it mean I need to implement the KeyManager and pass it along by setting the following property?

          remote.connection.default.connect.options.org.xnio.Options.SSL_JSSE_KEY_MANAGER_CLASSES
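The KeyManager the reply above is asking about, as an added example that is not code from the thread or from WildFly: an X509ExtendedKeyManager that answers the server's CertificateRequest with one fixed alias from a client PKCS12 keystore, plus a helper that builds an SSLContext around it. The keystore path, password and alias are placeholders; how the class or context is handed to the remoting client is not shown, since the thread does not settle it, and the certificate must chain to something in the HttpsRealm truststore for the server to accept it.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

// Answers a TLS CertificateRequest with one fixed alias from the client keystore, so the
// handshake presents that certificate and proves possession of its private key (placeholders).
public class ClientCertKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;
    public ClientCertKeyManager(X509KeyManager d, String a) { this.delegate = d; this.alias = a; }

    // SSLSocket path: pin our alias, but only if the keystore really holds a private key for it.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.getPrivateKey(alias) != null ? alias : null;
    }
    // SSLEngine path: XNIO/Remoting drives TLS through an SSLEngine, and the base class
    // returns null here, so without this override no certificate would be sent at all.
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return chooseClientAlias(keyType, issuers, null);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Builds a TLSv1.2 SSLContext whose client side answers CertificateRequest with the alias.
    public static SSLContext clientContext(String p12Path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // JDK default trust store; point it at the server CA in practice
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        KeyManager km = new ClientCertKeyManager((X509KeyManager) kmf.getKeyManagers()[0], alias);
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

With verify-client="REQUESTED" the handshake still completes when the client sends no certificate, so a KeyManager that silently returns null shows up as the server falling back to other mechanisms rather than as an error; REQUIRED makes that gap visible as a failed handshake.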

          • 2. Re: Wildfly - Remote EJB client-cert authentication
            valsaraj007

            PropertiesBasedEJBClientConfiguration is not in WildFly 16.