1 Reply Latest reply on Oct 17, 2013 11:08 AM by carlos.camargo

    Configuring outbound client cert SSL for Secure Web Service Call

    avinashr

      I am trying to call a secure web service from an application hosted on JBoss and need to install/configure the certificate provided to me by the web service owner. No matter what configuration I have tried, the certificate does not get passed in the request to the web service. I am trying this on application server AS 7.1.1. Please help.

       

      I put the server-identities section into my ApplicationRealm and specified the keystore where the certificate was imported. Not sure what else needs to be done. Do I need to specify an outbound socket binding? Do I need to configure subsystem xmlns="urn:jboss:domain:web:1.1"? Are HTTP connectors only for incoming requests?

       

      Below is my standalone.xml:

       

      <?xml version='1.0' encoding='UTF-8'?>
      <server xmlns="urn:jboss:domain:1.2">
          <extensions>
              <extension module="org.jboss.as.clustering.infinispan"/>
              <extension module="org.jboss.as.configadmin"/>
              <extension module="org.jboss.as.connector"/>
              <extension module="org.jboss.as.deployment-scanner"/>
              <extension module="org.jboss.as.ee"/>
              <extension module="org.jboss.as.ejb3"/>
              <extension module="org.jboss.as.jaxrs"/>
              <extension module="org.jboss.as.jdr"/>
              <extension module="org.jboss.as.jmx"/>
              <extension module="org.jboss.as.jpa"/>
              <extension module="org.jboss.as.logging"/>
              <extension module="org.jboss.as.mail"/>
              <extension module="org.jboss.as.naming"/>
              <extension module="org.jboss.as.osgi"/>
              <extension module="org.jboss.as.pojo"/>
              <extension module="org.jboss.as.remoting"/>
              <extension module="org.jboss.as.sar"/>
              <extension module="org.jboss.as.security"/>
              <extension module="org.jboss.as.threads"/>
              <extension module="org.jboss.as.transactions"/>
              <extension module="org.jboss.as.web"/>
              <extension module="org.jboss.as.webservices"/>
              <extension module="org.jboss.as.weld"/>
              <extension module="org.jboss.as.messaging"/>
          </extensions>
      
          <system-properties>
              <property name="org.apache.tomcat.util.http.Parameters.MAX_COUNT" value="5000"/>
          </system-properties>
      
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <server-identities>
                          <ssl>
                              <keystore path="jboss.keystore" relative-to="jboss.server.config.dir" password="cmService"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket-binding native="management-native"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket-binding http="management-http"/>
                  </http-interface>
              </management-interfaces>
          </management>
      
          <profile>
              <subsystem xmlns="urn:jboss:domain:logging:1.1">
                  <console-handler name="CONSOLE">
                      <level name="INFO"/>
                      <formatter>
                          <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                      </formatter>
                  </console-handler>
                  <periodic-rotating-file-handler name="FILE">
                      <formatter>
                          <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                      </formatter>
                      <file relative-to="jboss.server.log.dir" path="server.log"/>
                      <suffix value=".yyyy-MM-dd"/>
                      <append value="true"/>
                  </periodic-rotating-file-handler>
                  <logger category="com.arjuna">
                      <level name="WARN"/>
                  </logger>
                  <logger category="org.apache.tomcat.util.modeler">
                      <level name="WARN"/>
                  </logger>
                  <logger category="sun.rmi">
                      <level name="WARN"/>
                  </logger>
                  <logger category="jacorb">
                      <level name="WARN"/>
                  </logger>
                  <logger category="jacorb.config">
                      <level name="ERROR"/>
                  </logger>
                  <logger category="org.jboss.as.server.deployment">
                      <level name="ERROR"/>
                  </logger>
                  <root-logger>
                      <level name="INFO"/>
                      <handlers>
                          <handler name="CONSOLE"/>
                          <handler name="FILE"/>
                      </handlers>
                  </root-logger>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:configadmin:1.0"/>
              <subsystem xmlns="urn:jboss:domain:datasources:1.0">
                  <datasources>
                      <drivers>
                          <driver name="com.mysql.jdbc" module="com.mysql.jdbc">
                              <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
                          </driver>
                          <driver name="oracle.jdbc" module="oracle.jdbc">
                              <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
                          </driver>
                          <driver name="com.microsoft.sqlserver.jdbc" module="com.microsoft.sqlserver.jdbc">
                              <xa-datasource-class>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class>
                          </driver>
                          <driver name="com.ibm.db2.jcc" module="com.ibm.db2.jcc"/>
                      </drivers>
                  </datasources>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
                  <deployment-scanner name="appian" path="${appian.home.ear}" scan-interval="5000" auto-deploy-zipped="false" auto-deploy-exploded="false" auto-deploy-xml="false" deployment-timeout="1800"/>
                  <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:ee:1.0"/>
              <subsystem xmlns="urn:jboss:domain:ejb3:1.2">
                  <mdb>
                      <resource-adapter-ref resource-adapter-name="hornetq-ra"/>
                      <bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
                  </mdb>
                  <pools>
                      <bean-instance-pools>
                          <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
                          <strict-max-pool name="UnattendedRequestPool" max-pool-size="30" instance-acquisition-timeout="15" instance-acquisition-timeout-unit="MINUTES"/>
                      </bean-instance-pools>
                  </pools>
                  <async thread-pool-name="default"/>
                  <timer-service thread-pool-name="default">
                      <data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>
                  </timer-service>
                  <remote connector-ref="remoting-connector" thread-pool-name="default"/>
                  <thread-pools>
                      <thread-pool name="default">
                          <max-threads count="10"/>
                          <keepalive-time time="100" unit="milliseconds"/>
                      </thread-pool>
                  </thread-pools>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="hibernate">
                  <cache-container name="hibernate" default-cache="local-query">
                      <local-cache name="entity">
                          <transaction mode="NON_XA"/>
                          <eviction strategy="LRU" max-entries="10000"/>
                          <expiration max-idle="100000"/>
                      </local-cache>
                      <local-cache name="local-query">
                          <transaction mode="NONE"/>
                          <eviction strategy="LRU" max-entries="10000"/>
                          <expiration max-idle="100000"/>
                      </local-cache>
                      <local-cache name="timestamps">
                          <transaction mode="NONE"/>
                          <eviction strategy="NONE"/>
                      </local-cache>
                  </cache-container>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
              <subsystem xmlns="urn:jboss:domain:jca:1.1">
                  <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
                  <bean-validation enabled="true"/>
                  <default-workmanager>
                      <short-running-threads>
                          <core-threads count="50"/>
                          <queue-length count="1024"/>
                          <max-threads count="100"/>
                          <keepalive-time time="60" unit="seconds"/>
                      </short-running-threads>
                  </default-workmanager>
                  <cached-connection-manager/>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:jdr:1.0"/>
              <subsystem xmlns="urn:jboss:domain:jmx:1.1">
                  <show-model value="true"/>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:jpa:1.0">
                  <jpa default-datasource=""/>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:mail:1.0">
                  <mail-session jndi-name="java:jboss/mail/Default">
                      <smtp-server outbound-socket-binding-ref="mail-smtp"/>
                  </mail-session>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:messaging:1.1">
                  <hornetq-server>
                      <clustered>false</clustered>
                      <persistence-enabled>true</persistence-enabled>
                      <security-domain>messaging</security-domain>
                      <cluster-user>guest</cluster-user>
                      <cluster-password>guest1</cluster-password>
                      <journal-type>NIO</journal-type>
                      <journal-file-size>102400</journal-file-size>
                      <journal-min-files>2</journal-min-files>
      
                      <connectors>
                          <netty-connector name="netty" socket-binding="messaging"/>
                          <netty-connector name="netty-throughput" socket-binding="messaging-throughput">
                              <param key="batch-delay" value="50"/>
                          </netty-connector>
                          <in-vm-connector name="in-vm" server-id="0"/>
                      </connectors>
      
                      <acceptors>
                          <netty-acceptor name="netty" socket-binding="messaging"/>
                          <netty-acceptor name="netty-throughput" socket-binding="messaging-throughput">
                              <param key="batch-delay" value="50"/>
                              <param key="direct-deliver" value="false"/>
                          </netty-acceptor>
                          <in-vm-acceptor name="in-vm" server-id="0"/>
                      </acceptors>
      
                      <broadcast-groups>
                          <broadcast-group name="appian-broadcast-group">
                              <group-address>233.252.134.134</group-address>
                              <group-port>9876</group-port>
                              <broadcast-period>5000</broadcast-period>
                              <connector-ref>
                                  netty
                              </connector-ref>
                          </broadcast-group>
                      </broadcast-groups>
      
                      <discovery-groups>
                          <discovery-group name="appian-discovery-group">
                              <group-address>233.252.134.134</group-address>
                              <group-port>9876</group-port>
                              <refresh-timeout>10000</refresh-timeout>
                          </discovery-group>
                      </discovery-groups>
      
                      <cluster-connections>
                          <cluster-connection name="appian-cluster">
                              <address>jms</address>
                              <connector-ref>netty</connector-ref>
                              <discovery-group-ref discovery-group-name="appian-discovery-group"/>
                          </cluster-connection>
                      </cluster-connections>
      
                      <security-settings>
                          <security-setting match="#">
                              <permission type="send" roles="guest"/>
                              <permission type="consume" roles="guest"/>
                          </security-setting>
                      </security-settings>
      
                      <address-settings>
                          <address-setting match="#">
                              <dead-letter-address>jms.queue.DLQ</dead-letter-address>
                              <expiry-address>jms.queue.ExpiryQueue</expiry-address>
                              <redelivery-delay>0</redelivery-delay>
                              <max-size-bytes>10485760</max-size-bytes>
                              <address-full-policy>BLOCK</address-full-policy>
                              <message-counter-history-day-limit>10</message-counter-history-day-limit>
                          </address-setting>
                      </address-settings>
      
                      <jms-connection-factories>
                          <connection-factory name="ClusteredConnectionFactory">
                              <connectors>
                                  <connector-ref connector-name="netty"/>
                              </connectors>
                              <entries>
                                  <entry name="java:/ClusteredConnectionFactory"/>
                              </entries>
                          </connection-factory>
                          <connection-factory name="jms/AppianProcessIntegrationConnectionFactory">
                              <connectors>
                                  <connector-ref connector-name="netty"/>
                              </connectors>
                              <entries>
                                  <entry name="jms/AppianProcessIntegrationConnectionFactory"/>
                                  <entry name="java:jboss/exported/jms/AppianProcessIntegrationConnectionFactory"/>
                              </entries>
                          </connection-factory>
                          <pooled-connection-factory name="hornetq-ra">
                              <transaction mode="xa"/>
                              <connectors>
                                  <connector-ref connector-name="in-vm"/>
                              </connectors>
                              <entries>
                                  <entry name="java:/JmsXA"/>
                              </entries>
                          </pooled-connection-factory>
                      </jms-connection-factories>
      
                      <jms-destinations>
                          <jms-queue name="jms/AppianProcessIntegrationQueue">
                              <entry name="jms/AppianProcessIntegrationQueue"/>
                              <entry name="java:jboss/exported/jms/AppianProcessIntegrationQueue"/>
                          </jms-queue>
                          <jms-topic name="jms/AppianTransientTopic">
                              <entry name="java:/jms/AppianTransientTopic"/>
                          </jms-topic>
                      </jms-destinations>
                  </hornetq-server>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:naming:1.1"/>
              <subsystem xmlns="urn:jboss:domain:osgi:1.2" activation="lazy">
                  <properties>
                      <property name="org.osgi.framework.startlevel.beginning">
                          1
                      </property>
                  </properties>
                  <capabilities>
                      <capability name="javax.servlet.api:v25"/>
                      <capability name="javax.transaction.api"/>
                      <capability name="org.apache.felix.log" startlevel="1"/>
                      <capability name="org.jboss.osgi.logging" startlevel="1"/>
                      <capability name="org.apache.felix.configadmin" startlevel="1"/>
                      <capability name="org.jboss.as.osgi.configadmin" startlevel="1"/>
                  </capabilities>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:pojo:1.0"/>
              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>
              <subsystem xmlns="urn:jboss:domain:sar:1.0"/>
              <subsystem xmlns="urn:jboss:domain:security:1.1">
                  <security-domains>
                      <security-domain name="messaging" cache-type="default">
                          <authentication>
                              <login-module code="RealmUsersRoles" flag="required">
                                  <module-option name="unauthenticatedIdentity" value="guest"/>
                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmUsersRoles" flag="required">
                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                  <module-option name="realm" value="ApplicationRealm"/>
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="ds-name-AppianPrimaryDS" cache-type="default">
                          <authentication>
                              <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                                  <module-option name="username" value="appian_meta"/>
                                  <module-option name="password" value="-7e265ed04220c20fd4e04e29f5589f0e"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="ds-name-AppianBusinessDS" cache-type="default">
                          <authentication>
                              <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                                  <module-option name="username" value="appian"/>
                                  <module-option name="password" value="-5ad4b9b9fcb000675e09a31f95885cc4"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="ds-name-FIN_TAX_TAXSTREAM" cache-type="default">
                          <authentication>
                              <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                                  <module-option name="username" value="tsro"/>
                                  <module-option name="password" value="2776c499833c846edf8592078de921bc"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="ds-name-FIN_TAX" cache-type="default">
                          <authentication>
                              <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                                  <module-option name="username" value="FIN_TAX"/>
                                  <module-option name="password" value="2b99e560e30716e4df8592078de921bc"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="ds-name-FIN_GFDM" cache-type="default">
                          <authentication>
                              <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                                  <module-option name="username" value="gfdm_app"/>
                                  <module-option name="password" value="1494287536f148921f0b0525519389a9"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                  </security-domains>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
              <subsystem xmlns="urn:jboss:domain:transactions:1.1">
                  <core-environment>
                      <process-id>
                          <uuid/>
                      </process-id>
                  </core-environment>
                  <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
                  <coordinator-environment default-timeout="300"/>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                  <connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp"/>
                  <virtual-server name="default-host" enable-welcome-root="true">
                      <alias name="localhost"/>
                      <alias name="example.com"/>
                  </virtual-server>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:webservices:1.1">
                  <modify-wsdl-address>true</modify-wsdl-address>
                  <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
                  <endpoint-config name="Standard-Endpoint-Config"/>
                  <endpoint-config name="Recording-Endpoint-Config">
                      <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
                          <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
                      </pre-handler-chain>
                  </endpoint-config>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
          </profile>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
              <interface name="public">
                  <inet-address value="${jboss.bind.address:0.0.0.0}"/>
              </interface>
              <interface name="unsecure">
                  <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
              </interface>
          </interfaces>
      
          <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
              <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
              <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
              <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
              <socket-binding name="ajp" port="8009"/>
              <socket-binding name="http" port="8080"/>
              <socket-binding name="https" port="8443"/>
              <socket-binding name="messaging" port="5445"/>
              <socket-binding name="messaging-throughput" port="5455"/>
              <socket-binding name="osgi-http" interface="management" port="8090"/>
              <socket-binding name="remoting" port="4447"/>
              <socket-binding name="txn-recovery-environment" port="4712"/>
              <socket-binding name="txn-status-manager" port="4713"/>
              <outbound-socket-binding name="mail-smtp">
                  <remote-destination host="localhost" port="25"/>
              </outbound-socket-binding>
          </socket-binding-group>
      
      </server>