0 Replies Latest reply on Dec 7, 2015 5:38 PM by mailjainrahul

    Secure LDAP authentication of WEB application over SSL

    mailjainrahul

      Hi,


      We are trying to convert our WEB application deployed over Wildfly 8.2 to use the LDAP with SSL for authentication. We are using the LDAP security domain to authenticate our application to LDAP.

      We migrated our LDAP to accept the SSL authentication and below is the code I modified in wildfly to use the SSL authentication, and it is working fine in standalone mode. But when running wildfly in DC mode, I need to manually copy the certificates to all the slave wildfly servers, which is a manual and cumbersome process.


      Domain.xml

      <?xml version='1.0' encoding='UTF-8'?>
      <domain xmlns="urn:jboss:domain:2.2">
          <extensions>
          .
          </extensions>
          <system-properties>
              <property name="javax.net.ssl.trustStore" value="/opt/wildfly/domain/configuration/.ldaps.truststore"/>
              <property name="javax.net.ssl.trustStorePassword" value="xxxxxxx"/>
          </system-properties>
          <management>
      ...
                  <subsystem xmlns="urn:jboss:domain:security:1.2">
                      <security-domains>
                          <security-domain name="ldap" cache-type="default">
                              <authentication>
                                  <login-module code="Ldap" flag="required">
                                      <module-option name="java.naming.provider.url" value="ldaps://<ip>:636"/>
                                      <module-option name="java.naming.security.protocol" value="ssl"/>
                                      <module-option name="principalDNPrefix" value="uid="/>
                                      <module-option name="principalDNSuffix" value=",ou=users,dc=test,dc=com"/>
                                      <module-option name="rolesCtxDN" value="ou=groups,dc=test,dc=com"/>
                                      <module-option name="uidAttributeID" value="uniqueMember"/>
                                      <module-option name="matchOnUserDN" value="true"/>
                                      <module-option name="roleAttributeID" value="cn"/>
                                      <module-option name="roleAttributeIsDN" value="false"/>
                                  </login-module>
                              </authentication>
                          </security-domain>
                      </security-domains>
                  </subsystem>


      In the above code I need to manually copy the .ldaps.truststore file to all the slave servers.


      Can I use the JSSE module of the security domain to load the certificates on all the slave servers? If not, please suggest any way so that I don't have to copy the certificates to all the slave WF servers manually. As per security, the certificate should be stored with the DC, and if any application running on a slave WF server needs to authenticate with LDAP, it should get its certificate from the DC. Please advise.


      Thanks,

      Rahul
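As an added example (not from the post and not WildFly's own code), a small preflight check that parses the kind of domain.xml shown above and reports, for the host it runs on, whether the LDAPS wiring is complete: the javax.net.ssl.trustStore system property is set and the file is actually present, the Ldap login module uses an ldaps:// URL with java.naming.security.protocol set to ssl, and whether the truststore password sits in clear text in the configuration. The sample XML, the hostname ldap.example.test and the path_exists hook are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the domain.xml in the post; not a real file.
SAMPLE_DOMAIN_XML = """<domain xmlns="urn:jboss:domain:2.2">
  <system-properties>
    <property name="javax.net.ssl.trustStore" value="/opt/wildfly/domain/configuration/.ldaps.truststore"/>
    <property name="javax.net.ssl.trustStorePassword" value="xxxxxxx"/>
  </system-properties>
  <profiles><profile name="full">
    <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
      <security-domain name="ldap" cache-type="default"><authentication>
        <login-module code="Ldap" flag="required">
          <module-option name="java.naming.provider.url" value="ldaps://ldap.example.test:636"/>
          <module-option name="java.naming.security.protocol" value="ssl"/>
        </login-module>
      </authentication></security-domain>
    </security-domains></subsystem>
  </profile></profiles>
</domain>"""

def _local(tag):
    return tag.rsplit('}', 1)[-1]  # drop the XML namespace prefix

def audit_ldap_tls(domain_xml, path_exists=os.path.exists):
    """Return a list of problems with the LDAPS wiring; empty means OK.
    path_exists is injectable so the check can be pointed at another host."""
    root = ET.fromstring(domain_xml)
    props = {p.get('name'): p.get('value')
             for p in root.iter() if _local(p.tag) == 'property'}
    problems = []
    truststore = props.get('javax.net.ssl.trustStore')
    if not truststore:
        problems.append('no javax.net.ssl.trustStore system property')
    elif not path_exists(truststore):
        problems.append('truststore missing on this host: ' + truststore)
    if 'javax.net.ssl.trustStorePassword' in props:
        problems.append('truststore password is stored in clear text in domain.xml')
    for lm in root.iter():
        if _local(lm.tag) != 'login-module' or lm.get('code') != 'Ldap':
            continue
        opts = {o.get('name'): o.get('value')
                for o in lm if _local(o.tag) == 'module-option'}
        url = opts.get('java.naming.provider.url', '')
        if not url.lower().startswith('ldaps://'):
            problems.append('Ldap login module does not use ldaps://: ' + url)
        if opts.get('java.naming.security.protocol') != 'ssl':
            problems.append('java.naming.security.protocol is not ssl')
    return problems
```

Running audit_ldap_tls(open('domain.xml').read()) on each host controller and slave gives a per-host answer to the question above: an empty list means the truststore and LDAPS settings are in place there.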