Regarding Mutual Authentication in Jboss 7.1.1
alif Jan 30, 2017 11:44 AM — I have configured two-way SSL in standalone.xml as below:
<connector name="https"
protocol="HTTP/1.1" scheme="https"
socket-binding="https" secure="true">
<ssl name="cm2-tls" key-alias="CM2_1845" protocol="TLSv1,TLSv1.2" password="***"
certificate-key-file="${jboss.server.config.dir}/ServerKeyStore.jks"
ca-certificate-file="${jboss.server.config.dir}/trustStore.jks" session-timeout="1800"/>
</connector>
Here ServerKeyStore.jks holds the server's public key and private key. I have imported the self-signed certificate
into ServerKeyStore.jks.
The trustStore.jks contains the client's public key.
I have deployed webServiceTest.war inside JBoss (https://remotemachine:8443).
I have written the following standalone Java client using Apache HttpClient 4.5.2 and Java 7:
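public class RestClient {
    /** Scheme, host and port that every endpoint path is appended to. */
    private static final String BASE_URL = "https://remotemachine:8443";

    /**
     * Entry point: POSTs a sample body to the test endpoint and discards the result.
     *
     * @param args ignored
     * @throws Exception declared because {@link #getCm2ApiResponseForPost} declares it
     */
    public static void main(String[] args) throws Exception {
        getCm2ApiResponseForPost("/webServiceTest/endPOintUrl", "TestJson");
    }

    /**
     * Builds a pooled HTTPS client that presents the client certificate from
     * ClientKeyStore.jks (mutual TLS) and validates the server against the
     * explicitly loaded serverTrustStore.jks.
     *
     * @return a client the caller owns and must close
     * @throws Exception if a keystore cannot be read, its password is wrong, or the
     *         SSL context cannot be initialised
     */
    public static CloseableHttpClient createHttpsClientwithssL() throws Exception {
        final String KEY_STORE_PATH = "C:\\Personal\\ClientKeyStore.jks";
        final String KEY_STORE_PASSWORD = "***";
        final String TRUST_STORE_PATH = "C:\\Personal\\serverTrustStore.jks";
        final String TRUST_STORE_PASSWORD = "***";

        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
        pool.setMaxTotal(200);
        pool.setDefaultMaxPerRoute(20);

        // Client identity: the private key and certificate chain the server will ask
        // for once verify-client is enabled. The stream is closed after loading.
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream keystoreInput = new FileInputStream(KEY_STORE_PATH)) {
            keystore.load(keystoreInput, KEY_STORE_PASSWORD.toCharArray());
        }
        System.out.println("Keystore has " + keystore.size() + " keys");

        // Trust anchors for the server certificate, loaded explicitly rather than
        // relying on the cacerts shipped with the JVM.
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream truststoreInput = new FileInputStream(TRUST_STORE_PATH)) {
            truststore.load(truststoreInput, TRUST_STORE_PASSWORD.toCharArray());
        }

        // Trust exactly what is in the truststore (null strategy). The previous
        // TrustSelfSignedStrategy additionally accepted *any* self-signed server
        // certificate, so the server half of the mutual authentication was not really
        // verified; with the server's own certificate imported into the truststore
        // the strategy is unnecessary.
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(truststore, null)
                .loadKeyMaterial(keystore, KEY_STORE_PASSWORD.toCharArray())
                .build();
        System.err.println(sslContext.getProtocol());

        return HttpClients.custom()
                .setConnectionManager(pool)
                .setSSLContext(sslContext)
                .build();
    }

    /**
     * POSTs {@code requestJson} to {@code BASE_URL + cm2Endpoint} and parses the
     * response body as a JSON array.
     *
     * @param cm2Endpoint path appended to the server base URL, e.g. "/webServiceTest/endPOintUrl"
     * @param requestJson request body, sent UTF-8 encoded as application/json
     * @return the parsed array, or {@code null} if the request failed or the response
     *         had no body; failures are printed, not propagated
     * @throws Exception kept for source compatibility; every failure is caught below
     */
    public static JSONArray getCm2ApiResponseForPost(String cm2Endpoint, String requestJson) throws Exception {
        JSONArray jsonArray = null;
        // try-with-resources closes the client (and its pool) on every exit path; the
        // original never closed it or the response stream.
        try (CloseableHttpClient client = createHttpsClientwithssL()) {
            // Explicit charset: the single-argument constructor encodes as ISO-8859-1,
            // which corrupts any non-Latin characters in the JSON.
            StringEntity stringEntity = new StringEntity(requestJson, "UTF-8");
            stringEntity.setContentType("application/json");

            HttpPost post = new HttpPost(BASE_URL + cm2Endpoint);
            post.setEntity(stringEntity);

            HttpResponse response = client.execute(post);
            HttpEntity entity = response.getEntity();
            if (entity != null) {
                // The original never read the body, so jsonArray was always null.
                String jsonResponseString = readBody(entity);
                // NOTE(review): parser is not declared in this listing; assumed to be a
                // JSON parser field declared elsewhere in the class — confirm.
                jsonArray = (JSONArray) parser.parse(jsonResponseString);
            }
        } catch (SSLHandshakeException e) {
            // "Received fatal alert: bad_certificate" here is an alert sent by the
            // server after it inspected our certificate, i.e. the server's truststore
            // did not accept the client chain; the local key material loaded fine.
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return jsonArray;
    }

    /**
     * Reads the whole entity as UTF-8 text and closes its stream.
     *
     * @param entity response entity with content
     * @return the decoded body
     * @throws java.io.IOException if the stream cannot be read
     */
    private static String readBody(HttpEntity entity) throws java.io.IOException {
        java.io.ByteArrayOutputStream buf = new java.io.ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        try (InputStream inStream = entity.getContent()) {
            int n;
            while ((n = inStream.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        }
        return buf.toString("UTF-8");
    }
}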
Everything is working fine. I am able to get a response from https://remotemachine:8443.
But if I enable verify-client="true" in the JBoss standalone.xml:
<connector name="https"
protocol="HTTP/1.1" scheme="https"
socket-binding="https" secure="true">
<ssl name="cm2-tls" key-alias="CM2_1845"
password="***" certificate-key-file="${jboss.server.config.dir}/ServerKeyStore.jks"
ca-certificate-file="${jboss.server.config.dir}/trustStore.jks" session-timeout="1800" verify-client="true"
/>
I get the following exception:
- javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate
at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at
sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at
httpClient.RestClient.getCm2ApiResponseForPost(RestClient.java:113)
at
httpClient.RestClient.main(RestClient.java:30)
Please help me to resolve the problem.
I need verify-client enabled in standalone.xml for mutual authentication.