2 Replies Latest reply on Oct 25, 2012 4:36 PM by hlkandrew

    JBoss7.1.1Final  JAAS CertificateRoles

    hlkandrew Newbie

      Hi all,

       

      I had read from here on setting up the Jboss+SSL+JAAS but I have yet to make a complete transaction from EJBClient (with client certificate) to the server. I'm not sure where I should continue...should I extend the CertificateRoles's LoginModule to capture the cert? I can't find a way for CertificateRole modules to capture the cert and pass the principal to the server?

      The SSL connection between the client and the server works fine.

       

      The error I got in the client

       

       

      13/08/2012 6:06:34 PM org.jboss.ejb.client.EJBClient <clinit>

      INFO: JBoss EJB Client version 1.0.5.Final

      13/08/2012 6:06:34 PM org.xnio.Xnio <clinit>

      INFO: XNIO Version 3.0.3.GA

      13/08/2012 6:06:34 PM org.xnio.nio.NioXnio <clinit>

      INFO: XNIO NIO Implementation Version 3.0.3.GA

      13/08/2012 6:06:34 PM org.jboss.remoting3.EndpointImpl <clinit>

      INFO: JBoss Remoting version 3.2.3.GA

      13/08/2012 6:06:38 PM org.jboss.remoting3.remote.RemoteConnection handleException

      ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      13/08/2012 6:06:38 PM org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector setupEJBReceivers

      WARN: Could not register a EJB receiver for connection to remote://localhost:4447

      java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

          at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)

          at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:121)

          at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.<init>(ConfigBasedEJBClientContextSelector.java:78)

          at org.jboss.ejb.client.EJBClientContext.<clinit>(EJBClientContext.java:77)

          at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:120)

          at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:104)

          at $Proxy0.getNextCommand(Unknown Source)

          at net.healthlink.keymgr.command.client.RemoteEJBClient.queryBy(RemoteEJBClient.java:80)

          at net.healthlink.keymgr.command.client.RemoteEJBClient.run(RemoteEJBClient.java:98)

          at net.healthlink.keymgr.command.client.ClientHandler.main(ClientHandler.java:48)

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:315)

          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)

          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

          at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:180)

          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

          at org.xnio.nio.NioHandle.run(NioHandle.java:90)

          at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)

          at ...asynchronous invocation...(Unknown Source)

          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)

          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)

          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)

          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)

          at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:119)

          ... 8 more

      13/08/2012 6:06:41 PM org.jboss.remoting3.remote.RemoteConnection handleException

      ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      java.lang.IllegalStateException: No EJBReceiver available for node name hlk-andrewl

          at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiver(EJBClientContext.java:613)

          at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiverContext(EJBClientContext.java:648)

          at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:48)

          at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181)

          at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:136)

          at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:121)

          at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:104)

          at $Proxy0.getNextCommand(Unknown Source)

          at net.healthlink.keymgr.command.client.RemoteEJBClient.queryBy(RemoteEJBClient.java:80)

          at net.healthlink.keymgr.command.client.RemoteEJBClient.run(RemoteEJBClient.java:98)

          at net.healthlink.keymgr.command.client.ClientHandler.main(ClientHandler.java:48)

      trx rollback..trx status:0

      13/08/2012 6:06:45 PM org.jboss.remoting3.remote.RemoteConnection handleException

      ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      java.lang.IllegalStateException: No EJBReceiver available for node name hlk-andrewl

          at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiver(EJBClientContext.java:613)

          at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiverContext(EJBClientContext.java:648)

          at org.jboss.ejb.client.EJBClientUserTransactionContext$UserTransactionImpl.rollback(EJBClientUserTransactionContext.java:155)

          at net.healthlink.keymgr.command.client.RemoteEJBClient.run(RemoteEJBClient.java:145)

          at net.healthlink.keymgr.command.client.ClientHandler.main(ClientHandler.java:48)

      trx rollback failed:No EJBReceiver available for node name hlk-andrewl

       

       

      I have setup the client as followed;

       

      endpoint.name=client-endpoint

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true

      remote.connections=command

       

      remote.connection.command.host=localhost

      remote.connection.command.port = 4447

      remote.connection.command.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

      remote.connection.command.connect.options.org.xnio.Options.SSL_STARTTLS=true

      remote.connection.command.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

      remote.connection.command.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

      remote.connection.command.username=appuser

      remote.connection.command.password=apppassword

       

      and the client runs with client's keystore and truststore.

       

       

       

       

      The standalone.xml

       

      <security-domain name="my-security-domain" cache-type="default">

                          <authentication>

                              <login-module code="Remoting" flag="optional">

                                  <module-option name="password-stacking" value="useFirstPass"/>

                              </login-module>

                              <login-module code="CertificateRoles" flag="required">

                                  <module-option name="securityDomain" value="my-security-domain"/>

                                  <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

                                  <module-option name="rolesProperties" value="file:/E:/Programs/jboss-as-7.1.1.Final/standalone/configuration/cert-roles.properties"/>

                                  <module-option name="password-stacking" value="useFirstPass"/>

                              </login-module>

                          </authentication>

                          <jsse keystore-password="1" keystore-url="file:/E:/Programs/jboss-as-7.1.1.Final/standalone/configuration/server.jks" truststore-password="1" truststore-url="file:/E:/Programs/jboss-as-7.1.1.Final/standalone/configuration/server.truststore"/>

                      </security-domain>

       

      The cert-roles.properties contains the DN of the user

      ST\=Auckland,\ O\=HLK,\ OU\=Dev,\ CN\=000001=approle

       

      where the approle is declared in the EJB's method

      @RolesAllowed(value = {"approle"})

      public Command findName(String id)

       

       

      Are there some settings I miss out? Hope someone out there knows the answer!

       

      Thanks

      Andrew