1 Reply Latest reply on Mar 16, 2018 10:15 PM by armahdi

    mutual Authentication PBOX00052: Supplied credential did not match existing credential for alias

    armahdi

      WildFly 10, Spring Boot application.

      I have created a server.keystore and then a client.keystore with a client.crt, which I used to create client.truststore.

      The server.keystore with alias devmyserverkey:

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -genkey -alias devmyserverkey -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore myserver.keystore -validity 730 -storepass samepassword -dname "CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country" -keypass samepassword 

      The client.keystore with alias devclientkey:

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool  -genkey -keystore client.keystore -storepass samepassword  -keyalg RSA -keysize 2048 -storetype pkcs12  -alias devclientkey -dname "CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country" 

      Then the client crt with alias devclientkey:

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -exportcert -keystore client.keystore  -storetype pkcs12 -storepass samepassword  -keypass samepassword  -file client.crt -alias devclientkey 

      Then the client truststore:

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -import -file client.crt -keystore client.truststore 

      Then the PKCS12 keystore:

       /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -importkeystore -srckeystore client.keystore -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass samepassword 

      The client.truststore and server.keystore are in the configuration directory on my WildFly instance, and when I try to access my application I get the following:

      2018-03-16 08:23:18,177 TRACE [org.jboss.security] (default task-28) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@3e1567dc, cache entry: null
      2018-03-16 08:23:18,177 TRACE [org.jboss.security] (default task-28) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@3e1567dc
      2018-03-16 08:23:18,178 TRACE [org.jboss.security] (default task-28) PBOX00221: Begin getAppConfigurationEntry(mygenwebservicessecurity), size: 6
      2018-03-16 08:23:18,179 TRACE [org.jboss.security] (default task-28) PBOX00224: End getAppConfigurationEntry(mygenwebservicessecurity), AuthInfo: AppConfigurationEntry[]: [0] LoginModule Class: org.jboss.security.auth.spi.BaseCertLoginModule ControlFlag: LoginModuleControlFlag: required Options: name=securityDomain, value=mygenwebservicessecurity

      2018-03-16 08:23:18,181 TRACE [org.jboss.security] (default task-28) PBOX00236: Begin initialize method
      2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00245: Found security domain: org.jboss.security.JBossJSSESecurityDomain
      2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00239: End initialize method
      2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00240: Begin login method
      2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00240: Begin login method
      2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00252: Begin getAliasAndCert method
      2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00253: Found certificate, serial number: 13e04227, subject DN: CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
      2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00255: End getAliasAndCert method
      2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00256: Begin validateCredential method
      2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28)
        PBOX00056: Supplied credential: 13e04227
        CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country

        PBOX00057: Existing credential: PBOX00058: No match for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country, existing aliases: [mykey]

      2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28) PBOX00260: End validateCredential method, result: false
      2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28) PBOX00244: Begin abort method, overall result: false
      2018-03-16 08:23:18,201 DEBUG [org.jboss.security] (default task-28) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00052: Supplied credential did not match existing credential for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
        at org.jboss.security.auth.spi.BaseCertLoginModule.login(BaseCertLoginModule.java:231)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)

        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

      I do not see any difference between the two. The only difference I see is the alias mykey. That is a default alias, but where is this coming from, as I have supplied the alias myself for both?

      This is what I added in the standalone.xml:

      <security-realm name="SSLRealm">
        <server-identities>
          <ssl>
            <keystore path="myserver.keystore" relative-to="jboss.server.config.dir" keystore-password="samepassword" alias="devmyserverkey" key-password="samepassword"/>
          </ssl>
        </server-identities>
        <authentication>
          <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="samepassword"/>
          <local default-user="$local" skip-group-loading="true"/>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
      </security-realms>

      <subsystem xmlns="urn:jboss:domain:remoting:3.0">
        <endpoint/>
        <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        <http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="SSLRealm"/>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
          <security-domain name="mygenwebservicessecurity" cache-type="default">
            <authentication>
              <login-module code="Certificate" flag="required">
                <module-option name="securityDomain" value="mygenwebservicessecurity"/>
                <!--module-option name="rolesProperties" value="file:${jboss.server.config.dir}/user_roles.properties"/>
                <module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/default_roles.properties"/-->
              </login-module>
            </authentication>
            <jsse keystore-password="samepassword" keystore-url="file:/myserver_opt/wildfly10_javatest/mlws/configuration/myserver.keystore" truststore-password="samepassword" truststore-url="file:/myserver_opt/wildfly10_javatest/mlws/configuration/client.truststore" client-auth="true"/>
          </security-domain>
        </security-domains>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:undertow:3.0">
        <buffer-cache name="default"/>
        <server name="default-server">
          <http-listener name="defaultHTTP" socket-binding="http" redirect-socket="https"/>
          <https-listener name="default" enabled-protocols="TLSv1.2" verify-client="REQUIRED" security-realm="SSLRealm" socket-binding="https"/>
          <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <access-log predicate="not equals[%a, %A]" suffix=".log" prefix="access" pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; %D %T"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
          </host>
        </server>

      After adding the above to my standalone.xml, when I try to access my application through HTTP it also comes back as Forbidden, but the above exception is the one that comes with HTTPS and doesn't make sense.

      I also tried removing all alias references, made all the certs again and checked with:

      keytool -list -v -keystore (truststore / PKCS12 store / server.keystore / client.keystore)

      They all have the same alias mykey.

      I even looked into the code for the class throwing the error; it seems that the alias coming down to this class is not 'mykey' but the DN definition/Subject.

      I was following quickstart/helloworld-client-ssl at 10.x · wildfly/quickstart · GitHub to set up the mutual authentication in WildFly.
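The PBOX00058 line above already contains the whole diagnosis: with no verifier configured, BaseCertLoginModule looks the presented certificate up in the truststore under an alias equal to its subject DN, while the truststore import in the post ran keytool -import without -alias, so the cert was stored under keytool's default alias mykey. The helper below is an added example, not code from the post or from WildFly/PicketBox; it parses those trace lines (sample trimmed from the post) and derives the keytool import that stores the cert under the alias the module will look up. The file names client.crt and client.truststore are taken from the post.

```python
import re

# Constructed sample: the two relevant trace lines from the post above, with the
# timestamp, level and thread prefix trimmed off.
SAMPLE_TRACE = """\
PBOX00253: Found certificate, serial number: 13e04227, subject DN: CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
PBOX00058: No match for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country, existing aliases: [mykey]
"""

CERT_RE = re.compile(r"PBOX00253: Found certificate, serial number: (?P<serial>[0-9a-fA-F]+), "
                     r"subject DN: (?P<dn>.+)$")
NOMATCH_RE = re.compile(r"PBOX00058: No match for alias (?P<alias>.+), "
                        r"existing aliases: \[(?P<aliases>[^\]]*)\]")
KEYTOOL_DEFAULT_ALIAS = "mykey"  # alias keytool -import assigns when -alias is omitted


def parse_trace(text):
    """Extract the presented cert (serial, subject DN), the alias the login module
    looked up, and the aliases actually present in the truststore."""
    serial = dn = lookup = None
    existing = []
    for line in text.splitlines():
        m = CERT_RE.search(line)
        if m:
            serial, dn = m.group("serial"), m.group("dn").strip()
        m = NOMATCH_RE.search(line)
        if m:
            lookup = m.group("alias").strip()
            existing = [a.strip() for a in m.group("aliases").split(",") if a.strip()]
    return {"serial": serial, "subject_dn": dn, "lookup_alias": lookup, "existing": existing}


def diagnose(text, truststore="client.truststore", cert_file="client.crt"):
    """Explain a PBOX00052/PBOX00058 failure and build the keytool import that
    stores the client cert under the alias BaseCertLoginModule will look up."""
    info = parse_trace(text)
    if info["lookup_alias"] is None:
        return {"mismatch": False, "reason": None, "fix": None, **info}
    # Java keystore aliases are case-insensitive, so compare case-folded.
    present = [a.lower() for a in info["existing"]]
    if info["lookup_alias"].lower() in present:
        return {"mismatch": False, "reason": None, "fix": None, **info}
    reason = "truststore holds no entry named after the subject DN (the lookup key)"
    if KEYTOOL_DEFAULT_ALIAS in present:
        reason += "; entry 'mykey' means the cert was imported without -alias"
    fix = (f"keytool -importcert -file {cert_file} -keystore {truststore} "
           f"-alias \"{info['lookup_alias']}\"")
    return {"mismatch": True, "reason": reason, "fix": fix, **info}
```

Importing under the DN alias keeps the truststore comparison in the login module intact; the AnyCertVerifier workaround in the reply below skips that comparison and accepts whatever certificate the TLS layer admitted.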

        • 1. Re: mutual Authentication PBOX00052: Supplied credential did not match existing credential for alias
          armahdi

          I solved the issue by adding:

          <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

          This made the certs validate perfectly.

          Now I am getting an issue where, after the validate ends with true, it states:

          2018-03-17 00:00:35,678 TRACE [org.jboss.security] (default task-11) PBOX00201: End isValid, result = true

          2018-03-17 00:00:35,718 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null

          2018-03-17 00:00:40,238 TRACE [org.jboss.security] (default task-13) PBOX00354: Setting security roles ThreadLocal: null

          So I looked into SecurityRolesAssociation.java in PicketBox, which was the only place this is fired, and it was not able to load security roles. I supplied the roles.properties and it did not work because the rolesProperties option is not available in that. So I changed my security domain to:

          <login-module code="CertificateRoles" flag="required">

          This took the roles.properties.

          It did solve the issue but the message still comes again after it has given me the results back from my backend :/ So not sure. At least my app is working.

          Ahh success is so surreal.