2 Replies Latest reply on Mar 16, 2018 8:22 AM by armahdi

    Certificate-based mutual authentication

    knr

      Hi,

      I'm having difficulty configuring the JBoss Server 8.1 and the web application to accept certificate authentication.

      According to https://docs.jboss.org/author/display/WFLY8/Authentication+Modules I should configure a security-domain login module in the standalone.xml as follows:


      <security-domain name="RequireCertificateDomain">
          <authentication>
              <login-module code="Certificate" flag="required">
                  <module-option name="securityDomain" value="RequireCertificateDomain"/>
                  <module-option name="verifier" value="org.jboss.security.auth.certs.X509CertificateVerifier"/>
              </login-module>
          </authentication>
      </security-domain>

      P.S.: I also tried org.jboss.security.auth.certs.AnyCertVerifier

      In order to verify the client's credentials (mutual authentication) I configured the truststore under the <security-realm...

      <security-realm name="UndertowRealm">
          <server-identities>
              <ssl>
                  <keystore path="${project.basedir}/target/filtered-wildfly/my.keystore" keystore-password="xxx" alias="alias_name" key-password="xyy"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="${project.basedir}/target/filtered-wildfly/my.keystore" keystore-password="zha"/>
          </authentication>
      </security-realm>

      Under webapp I added a file called jboss-web.xml:

      <jboss-web>
          <security-domain>RequireCertificateDomain</security-domain>
      </jboss-web>

      and the <login-config> inside web.xml has been changed to

      <login-config>
          <auth-method>CLIENT-CERT</auth-method>
      </login-config>

      However, I'm getting various errors, among them ...

      PBOX000248: Failed to create X509CertificateVerifier: java.lang.InstantiationException: org.jboss.security.auth.certs.X509CertificateVerifier
        at java.lang.Class.newInstance(Class.java:359) [rt.jar:1.7.0_60]
        at org.jboss.security.auth.spi.BaseCertLoginModule.initialize(BaseCertLoginModule.java:148) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcc

      : Failed to validate certificate: SecurityDomain, Keystore or certificate is null

      Any experience in configuring certificate-based mutual authentication on JBoss WildFly?

      Thx for the support

        • 1. Re: Certificate-based mutual authentication
          gspadotto

          Hi,

          A bit late for your needs but - just for the record and in case someone else might face the same issue - org.jboss.security.auth.certs.X509CertificateVerifier is an interface, so you cannot instantiate it.

          Try specifying org.jboss.security.auth.certs.AnyCertVerifier

          Cheers.

          1 of 1 people found this helpful
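
Since X509CertificateVerifier is an interface and AnyCertVerifier accepts whatever certificate it is handed, a site that wants the login module itself to check the certificate needs a concrete implementation. The class below is an added example, not code from this thread or from PicketBox; the package and class name are hypothetical, and it assumes the login module passes in the security domain's truststore.

```java
package com.example.security; // hypothetical package

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.jboss.security.auth.certs.X509CertificateVerifier;

/** Hypothetical verifier: accept only certificates the truststore vouches for. */
public class TruststoreCertVerifier implements X509CertificateVerifier {

    @Override
    public boolean verify(X509Certificate cert, String alias,
                          KeyStore keystore, KeyStore truststore) {
        // Fail closed when there is nothing to verify against.
        if (cert == null || truststore == null) {
            return false;
        }
        try {
            // Reject expired or not-yet-valid certificates.
            cert.checkValidity();

            // A certificate stored in the truststore itself is trusted as-is.
            if (truststore.getCertificateAlias(cert) != null) {
                return true;
            }

            // Otherwise it must be issued by a CA certificate in the truststore.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(truststore);
            // Assumption: no CRL/OCSP source is configured, so revocation is not checked here.
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            // Expired, untrusted issuer, bad signature, empty truststore: all rejected.
            return false;
        }
    }
}
```

The login module's verifier module-option would then name this class instead of the interface.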
          • 2. Re: Certificate-based mutual authentication
            armahdi

            I had the same issue as the OP, and when I added the AnyCertVerifier my certs were validated. Just having issues with the roles and all:

            PBOX00354: Setting security roles ThreadLocal: null

            But that is related to where I need to specify my roles.properties