2 Replies Latest reply on Jan 20, 2011 1:03 PM by Peter Johnson

    Enable Security

    Alan Prado Newbie

      Hello JBossCommunity,

       

      I'm using jboss-as-distribution-6.0.0.20100429-M3 + WS (axis 1.4)

      I have to provide a secure way to transmit data from client to server. I've read that SSL with mutual authentication is a good way to provide it. But, if anybody has a better suggestion on how to do it, let me know.

      I'm trying to configure mutual authentication with BaseCertLoginModule over SSL, but I'm getting the following errors:

       

       

      **************************************************************************************

      error at server side

      17:19:26,812 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] Handshake failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

                at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:523) [:1.6]

                at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:355) [:1.6]

                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789) [:1.6]

                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120) [:1.6]

                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147) [:1.6]

                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131) [:1.6]

                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:186)

                at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:1143)

                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)

                at java.lang.Thread.run(Thread.java:619) [:1.6.0_20]

       

       

      error at client side

      java.net.SocketException: Software caused connection abort: socket write error

      **************************************************************************************

       

      Here follow my configuration files

       

      script to generate the keys

      **************************************************************************************

      set SERVER_DN="CN=server, OU=X, O=Y, L=Z, S=XY, C=YZ"

      set CLIENT_DN="CN=client, OU=X, O=Y, L=Z, S=XY, C=YZ"

      set KSDEFAULTS=-storepass changeit -storetype JKS

      set KEYINFO=-keyalg RSA

      keytool -genkey -dname %SERVER_DN% %KSDEFAULTS% -keystore server.ks %KEYINFO% -keypass changeit

      keytool -export -file temp$.cer %KSDEFAULTS% -keystore server.ks

      keytool -import -file temp$.cer %KSDEFAULTS% -keystore client.ts -alias serverkey -noprompt

      keytool -genkey -dname %CLIENT_DN% %KSDEFAULTS% -keystore client.ks %KEYINFO% -keypass changeit

      keytool -export -file temp$.cer %KSDEFAULTS% -keystore client.ks

      keytool -import -file temp$.cer %KSDEFAULTS% -keystore server.ts -alias clientkey -noprompt

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/conf/server.ks

      **************************************************************************************

      Keystore type: JKS

      Keystore provider: SUN

       

       

      Your keystore contains 1 entry

       

       

      Alias name: mykey

      Creation date: 17/01/2011

      Entry type: PrivateKeyEntry

      Certificate chain length: 1

      Certificate[1]:

      Owner: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Issuer: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Serial number: 4d34949e

      Valid from: Mon Jan 17 17:12:30 BRST 2011 until: Sun Apr 17 16:12:30 BRT 2011

      Certificate fingerprints:

               MD5:  5A:56:DD:D8:5B:9E:94:55:77:7E:70:D3:AE:E5:0B:C5

               SHA1: 14:B3:95:33:E7:D2:F3:BB:94:DA:E9:1C:38:8A:9F:03:1B:35:4E:8C

               Signature algorithm name: SHA1withRSA

               Version: 3

       

       

       

       

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/conf/server.ts

      **************************************************************************************

      Keystore type: JKS

      Keystore provider: SUN

       

       

      Your keystore contains 1 entry

       

       

      Alias name: clientkey

      Creation date: 17/01/2011

      Entry type: trustedCertEntry

       

       

      Owner: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Issuer: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Serial number: 4d34949f

      Valid from: Mon Jan 17 17:12:31 BRST 2011 until: Sun Apr 17 16:12:31 BRT 2011

      Certificate fingerprints:

               MD5:  B2:C1:C8:9A:BB:84:F0:79:03:68:91:89:20:EC:85:CF

               SHA1: C5:BC:7A:7D:E6:0E:5E:D4:1F:D9:BC:56:D3:91:20:A3:25:09:B2:2A

               Signature algorithm name: SHA1withRSA

               Version: 3

       

       

       

       

      **************************************************************************************

       

       

      file:c:/client.ks

      **************************************************************************************

      Keystore type: JKS

      Keystore provider: SUN

       

       

      Your keystore contains 1 entry

       

       

      Alias name: mykey

      Creation date: 17/01/2011

      Entry type: PrivateKeyEntry

      Certificate chain length: 1

      Certificate[1]:

      Owner: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Issuer: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Serial number: 4d3469a5

      Valid from: Mon Jan 17 14:09:09 BRST 2011 until: Sun Apr 17 13:09:09 BRT 2011

      Certificate fingerprints:

               MD5:  91:57:82:07:38:34:C5:1F:AB:5C:0D:51:65:DB:5B:B0

               SHA1: 7D:12:14:E1:75:78:E3:79:1B:62:B6:A3:17:A9:FA:11:51:A7:69:06

               Signature algorithm name: SHA1withRSA

               Version: 3

       

       

       

       

      **************************************************************************************

       

       

      file:c:/client.ts

      **************************************************************************************

      Keystore type: JKS

      Keystore provider: SUN

       

       

      Your keystore contains 1 entry

       

       

      Alias name: serverkey

      Creation date: 17/01/2011

      Entry type: trustedCertEntry

       

       

      Owner: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Issuer: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ

      Serial number: 4d3469a4

      Valid from: Mon Jan 17 14:09:08 BRST 2011 until: Sun Apr 17 13:09:08 BRT 2011

      Certificate fingerprints:

               MD5:  99:9F:51:27:BA:40:C1:91:14:B6:1B:36:EB:39:4F:57

               SHA1: 7A:98:0E:B5:99:2A:4A:41:6D:CC:D3:90:4D:AB:3A:93:81:87:AE:B8

               Signature algorithm name: SHA1withRSA

               Version: 3

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/deploy/interligation-service.xml

      **************************************************************************************

      <server>

                <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain">

                          <constructor><arg type="java.lang.String" value="interligation-domain"/></constructor>

                          <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.ts</attribute>

                          <attribute name="KeyStorePass">changeit</attribute>

                          <depends>jboss.security:service=JaasSecurityManager</depends>

                </mbean>

      </server>

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/deploy/jbossweb.sar/server.xml

      **************************************************************************************

      <Server>

      ...

        <Service name="jboss.web">

        ...

                <Connector protocol="HTTP/1.1" port="10101" address="${jboss.bind.address}"

                   maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="2"

                   maxSpareThreads="75" enableLookups="false" redirectPort="8443"

                   acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"

                   compression="on" compressionMinSize="1" noCompressionUserAgents="gozilla, traviata"

                   compressableMimeType="text/html,text/xml"/>

                <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"

                   address="${jboss.bind.address}" scheme="https" secure="true"

                   clientAuth="false"

                 keystoreFile="${jboss.server.home.dir}/conf/server.ks" keystorePass="changeit"

                 truststoreFile="${jboss.server.home.dir}/conf/server.ts"

                 sslProtocol="TLS"/>

        ...

        </Service>

      ...

      </Server>

       

       

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/conf/login-config.xml

      **************************************************************************************

      <policy>

      ...

        <application-policy name="interligation-domain">

          <authentication>

              <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">

                  <module-option name="password-stacking">useFirstPass</module-option>

                  <module-option name="securityDomain">java:/jaas/interligation-domain</module-option>

              </login-module>

              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

                  <module-option name="password-stacking">useFirstPass</module-option>

                  <module-option name="usersProperties">props/interligation-users.properties</module-option>

                  <module-option name="rolesProperties">props/interligation-roles.properties</module-option>

              </login-module>

          </authentication>

        </application-policy>

      ...

      </policy>

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/conf/props/interligation-users.properties

      **************************************************************************************

      CN\=server,\ OU\=X,\ O\=Y,\ L\=Z,\ ST\=XY,\ C\=YZ=JBossAdmin

      admin=JBossAdmin

      **************************************************************************************

       

       

      file:${jboss.server.home.dir}/conf/props/interligation-roles.properties

      **************************************************************************************

      admin=JBossAdmin,HttpInvoker

      **************************************************************************************

       

       

      file:$webapp/WebContent/web.xml

      **************************************************************************************

      <web-app>

        ...

        <security-constraint>

           <web-resource-collection>

              <web-resource-name>HtmlAdaptor</web-resource-name>

              <description>An example security config that only allows users with

                      the role JBossAdmin to access the HTML JMX console web

                      application </description>

              <url-pattern>/*</url-pattern>

           </web-resource-collection>

           <auth-constraint>

              <role-name>JBossAdmin</role-name>

           </auth-constraint>

           <user-data-constraint>

                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>

                   </user-data-constraint>

        </security-constraint>

        <login-config>

           <auth-method>BASIC</auth-method>

           <realm-name>JBoss JMX Console</realm-name>

        </login-config>

        <security-role>

           <role-name>JBossAdmin</role-name>

        </security-role>

        ...

      </web-app>

      **************************************************************************************

       

       

      file:$webapp/WebContent/jboss-web.xml

      **************************************************************************************

      <jboss-web>

      ...

        <security-domain>java:/jaas/interligation-domain</security-domain>

      ...

      </jboss-web>

      **************************************************************************************

       

       

      file:$clientapp/client-config.wsdd

      **************************************************************************************

      <deployment

          name="commonsHTTPConfig"

          xmlns="http://xml.apache.org/axis/wsdd/"

          xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

      ...

         <globalConfiguration>

         ...

                  <handler type="java:org.apache.axis.handlers.JAXRPCHandler">

                            <parameter name="keyStore" value="c:/client.ks"/>

                            <parameter name="keyStoreType" value="JKS"/>

                            <parameter name="keyStorePassword" value="changeit"/>

                            <parameter name="trustStore" value="c:/client.ts"/>

                            <parameter name="trustStoreType" value="JKS"/>

                  </handler>

         ...

         </globalConfiguration>

      </deployment>

      **************************************************************************************

      Thanks for your attention,

      Alan

        • 1. Re: Enable Security
          Alan Prado Newbie

          Hello again!!!
          I was passing the wrong port to the server, then the connector was redirecting to http instead of https.

          But now I'm getting the following error:


          server side:

          15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545289296 sessioncount 0

          15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0

          15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545289296 sessioncount 0

          15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0

          15:41:39,765 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /datacenter/services/InterligationServiceController

          15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[HtmlAdaptor]' against POST /services/InterligationServiceController --> true

          15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[HtmlAdaptor]' against POST /services/InterligationServiceController --> true

          15:41:39,765 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()

          15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase]   Redirecting to https://127.0.0.1:8443/datacenter/services/InterligationServiceController

          15:41:39,781 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed hasUserDataPermission() test

          15:41:49,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545309296 sessioncount 0

          15:41:49,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0

          15:41:49,812 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass

          15:41:49,968 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.firstpass] Local XARecoveryModule - first pass

          15:41:59,968 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_6] - TORecoveryModule - second pass

          15:41:59,968 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.secondpass] Local XARecoveryModule - second pass

           

          client-side:

          (302)Moved Temporarily

           

          Thanks for advice,
          Alan
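
As an added illustration (not part of the thread and not JBoss code), this Python sketch reads trimmed, well-formed copies of the connector and web.xml settings posted above and predicts what a SOAP POST meets on each port: a handshake failure when the URL scheme and the connector disagree, the 302 seen in reply 1 when a CONFIDENTIAL resource is reached over plain HTTP, and server-only TLS as long as neither `clientAuth` nor `CLIENT-CERT` makes the server request a client certificate. The function names and sample strings are constructed for this example, and web.xml is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed: trimmed, well-formed copies of the settings posted in the thread.
SERVER_XML = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="10101" redirectPort="8443"/>
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""
WEB_XML = """<web-app>
  <security-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def connectors(server_xml):
    """Map port -> Connector attributes."""
    return {int(c.get("port")): c.attrib for c in ET.fromstring(server_xml).iter("Connector")}

def client_cert_requested(server_xml, web_xml, tls_port):
    """True if the server ever asks the client for a certificate on tls_port."""
    conn = connectors(server_xml)[tls_port]
    # clientAuth true/want requests the certificate during the handshake;
    # CLIENT-CERT makes the container request it for the protected resource.
    at_handshake = conn.get("clientAuth", "false").lower() in ("true", "want")
    method = ET.fromstring(web_xml).findtext("login-config/auth-method", "").strip()
    return at_handshake or method == "CLIENT-CERT"

def predict(endpoint, server_xml, web_xml):
    """Predict what a POST to `endpoint` runs into, from the config alone."""
    url = urlparse(endpoint)
    port = url.port or (443 if url.scheme == "https" else 80)
    conn = connectors(server_xml).get(port)
    if conn is None:
        return "no connector on this port"
    tls = conn.get("SSLEnabled", "false").lower() == "true"
    if tls != (url.scheme == "https"):
        # e.g. plain HTTP sent to 8443: "Unrecognized SSL message, plaintext connection?"
        return "handshake failure: scheme does not match connector"
    guarantee = ET.fromstring(web_xml).findtext(
        "security-constraint/user-data-constraint/transport-guarantee", "NONE").strip()
    if not tls and guarantee in ("CONFIDENTIAL", "INTEGRAL"):
        return "302 redirect to port %s" % conn.get("redirectPort", "443")
    if not client_cert_requested(server_xml, web_xml, port):
        return "TLS, server-authenticated only"
    return "mutual TLS"
```

With the posted settings, an `https://` URL on port 8443 comes back as server-authenticated only, so BaseCertLoginModule never receives a certificate to check.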

          • 2. Enable Security
            Peter Johnson Master

            Please stop yelling!