4 Replies Latest reply on Jan 18, 2019 3:49 AM by leenam

    TLS and Client Cert Authentication

    leenam Newbie

      Our application is a Java webservice which was deployed on JBoss Enterprise Application Platform - Version 6.2.0.GA on our existing servers.

      On the new AWS servers we deployed our application on WildFly 14.0.1.Final. 

       

      We are trying to

      • Enforce SSL/TLS mutual authentication.
      • Configure certificate login module, which authenticates clients based on certificates and  authorizes roles using a property file which maintains the roles

       

      We are able to access WSDL and see the server certificate. But when we try to call our webservice, we are getting errors like

      1. There was an error connecting to https://abc.com/Service
      2. Cannot establish connection to https://abc.com/Service because it cannot be trusted
      3. Sometimes we are getting 403 Forbidden error.

       

      Please find the cli scripts below.

      Could you please guide me in configuring CLIENT_CERT authentication module.

       

       

      ****************** CLI commands

      # Start batching commands

      batch

      # Set logging to Debug Level

      /subsystem=logging/root-logger=ROOT:write-attribute(name="level", value="DEBUG")

       

       

      # Add WSDL attributes to webservices subsystem

      ./subsystem=webservices/:write-attribute(name=modify-wsdl-address,value=true)

      ./subsystem=webservices/:write-attribute(name=wsdl-host,value=abc.amazonaws.com)

      ./subsystem=webservices/:write-attribute(name=wsdl-secure-port,value=443)

       

       

      # Add the keystores, key manager, trust manager and ssl context configuration in the elytron subsystem

      ./subsystem=elytron/key-store=asSecurityTrustStore:add(path=ASCertAuth.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})

      ./subsystem=elytron/key-store=asKeyStore:add(path=as-dev.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})

      ./subsystem=elytron/key-store=asTrustStore:add(path=cacert.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})

      ./subsystem=elytron/key-manager=asKeyManager:add(algorithm=SunX509,key-store=asKeyStore,credential-reference={clear-text=changeit})

      ./subsystem=elytron/trust-manager=asTrustManager:add(key-store=asTrustStore)

      ./subsystem=elytron/server-ssl-context=asSSLContext:add(key-manager=asKeyManager,trust-manager=asTrustManager,protocols=[TLSv1.2],need-client-auth=true)

       

       

      # Remove the reference to the legacy security realm and update the https-listener to use the ssl-context configured above

      ./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)

      ./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=asSSLContext)

      #./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=socket-binding,value=https)

       

       

      # Add a keystore realm that relies on the truststore to authenticate requests

      ./subsystem=elytron/key-store-realm=asTrustStoreRealm:add(key-store=asSecurityTrustStore)

       

       

      #./subsystem=elytron/filesystem-realm=asRolesRealm:add(path=/opt/wildfly/standalone/configuration/ASCertAuth-users.properties)

      #./subsystem=elytron/properties-realm=asPropertiesRealm:add(users-properties={relative-to=jboss.server.config.dir, path=as-users.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=jboss.server.config.dir, path=as-roles.properties})

       

       

      ./subsystem=elytron/security-domain=as-cert-sec-domain:add(realms=[{realm=asTrustStoreRealm}], default-realm=asTrustStoreRealm, permission-mapper=default-permission-mapper)

      ./subsystem=elytron/constant-realm-mapper=asTrustStoreRealm:add(realm-name=asTrustStoreRealm)

      ./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)

       

       

      ./subsystem=elytron/http-authentication-factory=client-cert-digest:add(http-server-mechanism-factory=global, security-domain=as-cert-sec-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=asTrustStoreRealm, pre-realm-principal-transformer=x500-decoder}, {mechanism-name=DIGEST, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])

       

      ./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=elytron, security-domain=as-cert-sec-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=asTrustStoreRealm, pre-realm-principal-transformer=x500-decoder}, {mechanism-name=DIGEST, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])

       

       

      ./subsystem=elytron/server-ssl-context=localhost:add(key-manager=asKeyManager, trust-manager=asTrustManager, security-domain=as-cert-sec-domain, authentication-optional=false, need-client-auth=true)

       

       

      # Run the batch commands

      run-batch

      # Reload the server configuration

      reload

        • 1. Re: TLS and Client Cert Authentication
          Martin Choma Master

          Couple of notes:

          * when you are using Elytron you are not using certificate login module. Certificate login module is legacy picketbox solution.

          * Not sure how to to set ssl context for webservices. Maybe just setting ssl context for Undertow is enough  - that is how you do.

               * Configure Authentication with Certificates WildFly Elytron Security - Latest WildFly Documentation - Project Documentation Editor

          * wsdl is exposed on 443 port but undertow on https socket-binding - does it match

          * 403 typically means role is missing - that could suggest your authentication passed but role is missing

          • 2. Re: TLS and Client Cert Authentication
            leenam Newbie

            Hi Martin,

             

            Thanks so much for your response.

            When I try to deploy our application, below error is thrown

             

             

            {

              "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.as-cert-sec-domain"],

              "WFLYCTL0180: Services with missing/unavailable dependencies" => [

                "jboss.ws.endpoint.\"AS-WS.war\".\"com.ge.corporate.as.v3.CertificateService\" is missing [jboss.security.security-domain.as-cert-sec-domain]",

                "jboss.ws.endpoint.\"AS-WS.war\".\"com.ge.corporate.as.v2.CertificateService\" is missing [jboss.security.security-domain.as-cert-sec-domain]"

              ]

            }

             

             

            Jboss-web.xml contains security domain “as-cert-sec-domain”

             

            Please find the configure-ssl.cli.

            How do we configure security domain for a SOAP web service and avoid the error above?

             

            ******************

            # Start batching commands

            batch

             

            # Set logging to Debug Level

            /subsystem=logging/root-logger=ROOT:write-attribute(name="level", value="DEBUG")

             

            # Add WSDL attributes to webservices subsystem

            ./subsystem=webservices/:write-attribute(name=modify-wsdl-address,value=true)

            ./subsystem=webservices/:write-attribute(name=wsdl-host,value=abc.com)

            ./subsystem=webservices/:write-attribute(name=wsdl-secure-port,value=443)

             

            # Add the keystores, key manager, trust manager and ssl context configuration in the elytron subsystem

            ./subsystem=elytron/key-store=asClientsTrustStore:add(path=asDevClientsTruststore.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})

            ./subsystem=elytron/key-store=asKeyStore:add(path=ccas-dev.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})

            ./subsystem=elytron/key-store=asTrustStore:add(path=cacert.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})

            ./subsystem=elytron/key-manager=asKeyManager:add(algorithm=SunX509,key-store=asKeyStore,credential-reference={clear-text=changeit})

            ./subsystem=elytron/trust-manager=asTrustManager:add(key-store=asTrustStore)

            ./subsystem=elytron/server-ssl-context=asSSLContext:add(key-manager=asKeyManager,trust-manager=asTrustManager,need-client-auth=true)

             

            # Change the undertow subsystem configuration to use the ssl context configured above for https

            ./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)

            ./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=asSSLContext)

            ./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=socket-binding,value=https)

             

            # Add a keystore realm that relies on the truststore to authenticate requests

            ./subsystem=elytron/key-store-realm=asTrustStoreRealm:add(key-store=asClientsTrustStore)

             

            # Add a principal decoder to select the CN attribute from the certificate presented by the client

            #./subsystem=elytron/x500-attribute-principal-decoder=asDecoder:add(attribute-name=CN)

            ./subsystem=elytron/x500-attribute-principal-decoder=asDecoder:add(oid="2.5.4.3",maximum-segments=1)

            ./subsystem=elytron/constant-role-mapper=constantClientCertRole:add(roles=[request,search])

            ./subsystem=elytron/security-domain=asTrustSecurityDomain:add(realms=[{realm=asTrustStoreRealm}],default-realm=asTrustStoreRealm,permission-mapper=default-permission-mapper,principal-decoder=asDecoder,role-mapper=constantClientCertRole)

             

            ./subsystem=elytron/http-authentication-factory=as-http-authentication:add(http-server-mechanism-factory=global,security-domain=asTrustSecurityDomain,mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=asCertSecurityDomain}]}])

             

            ./subsystem=undertow/application-security-domain=asCertSecurityDomain:add(http-authentication-factory=as-http-authentication)

            ./subsystem=undertow/application-security-domain=as-cert-sec-domain:add(http-authentication-factory=as-http-authentication)

            ./subsystem=ejb3/application-security-domain=as-cert-sec-domain:add(security-domain=asTrustSecurityDomain)

             

             

            # Update Server SSL context

            ./subsystem=elytron/server-ssl-context=asSSLContext:write-attribute(name=security-domain,value=asTrustSecurityDomain)

             

            # Run the batch commands

            run-batch

             

            # Reload the server configuration

            reload

            • 3. Re: TLS and Client Cert Authentication
              Martin Choma Master

              Something (com.ge.corporate.as.v3.CertificateService) is still referencing legacy security domain as-cert-sec-domain.

               

              It shouldnt be Undertow nor EJB, as they have configured application-security-domain=as-cert-sec-domain

              • 4. Re: TLS and Client Cert Authentication
                leenam Newbie

                Martin,

                 

                CertificateService is a SOAP webservice for which as-cert-sec-domain should be configured.

                How do we configure security domain for a web service?

                 

                Thanks for all your help.