1 Reply Latest reply on Nov 1, 2016 5:25 PM by Bo Xi

    Wildfly - Remote EJB client-cert authentication

    Bo Xi Newbie

      Hi all,


      I'm using the latest 10.1 WildFly server for development. I'm able to look up EJBs from a remote client application by using the PLAIN mechanism (username and password) and secured by SSL.

      Is it possible to use a client certificate for authentication instead of using a username and password, like the way we do in a browser by choosing a soft certificate or by using a CAC reader?


      Client side configuration:

      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import org.jboss.ejb.client.EJBClientConfiguration;
      import org.jboss.ejb.client.EJBClientContext;
      import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
      import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

      Properties prop = new Properties();
      prop.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

      // EJB Client Global Properties
      prop.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", true);
      prop.put("org.jboss.ejb.client.scoped.context", "true");

      // EJB Client Connection Properties
      prop.put("remote.connections", "default");
      prop.put("remote.connection.default.host", "host");
      prop.put("remote.connection.default.port", "port");
      prop.put("remote.connection.default.protocol", "https-remoting");
      prop.put("remote.connection.default.username", "userName");
      prop.put("remote.connection.default.password", "password");
      // TLS settings for the connection
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", true);
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_PROTOCOL", "TLSv1.2");
      // SASL policy: no anonymous login, allow PLAIN (it is wrapped in TLS), never use the local-user mechanism
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
      prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

      // Install the properties-based configuration as the EJB client context selector
      final EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(prop);
      final ConfigBasedEJBClientContextSelector selector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
      EJBClientContext.setSelector(selector);
      Context context = (Context) new InitialContext(prop).lookup("ejb:");
      context.lookup(...);
      // do something


      The server is configured with SSL.

      <security-realm name="HttpsRealm">
          <server-identities>
              <ssl>
                  <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="***" alias="SSL" key-password="***"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="server.trustore" relative-to="jboss.server.config.dir" keystore-password="***"/>
              <local default-user="$local" skip-group-loading="true"/>
              <jaas name="login-domain"/>
          </authentication>
      </security-realm>

        • 1. Re: Wildfly - Remote EJB client-cert authentication
          Bo Xi Newbie

          I also configured the https-listener as follows:

          <https-listener name="default-https" socket-binding="https" max-post-size="32212254720" security-realm="HttpsRealm" enabled-protocols="TLSv1.2" verify-client="REQUESTED"/>

          After turning on the SSL debug, I found that the server does send the CertificateRequest before the ServerHelloDone.

          But it's expecting the KeyManager to provide the client certificate. Does it mean I need to implement the KeyManager and pass it along by setting the following property?

          remote.connection.default.connect.options.org.xnio.Options.SSL_JSSE_KEY_MANAGER_CLASSES
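Two things follow from the SSL debug output above. First, `verify-client="REQUESTED"` makes Undertow send a CertificateRequest but still completes the handshake when the client answers with an empty certificate list, so a client without a configured KeyManager connects silently without a certificate; `REQUIRED` is the value that rejects such clients. Second, the JSSE client only presents a certificate if an `X509KeyManager` returns an alias for the request. The class below is an added example written for this thread, not WildFly, XNIO or EJB-client code: a client-side `X509KeyManager` that loads a PKCS12 keystore and always answers with one fixed alias. The system properties `client.keystore.path`, `client.keystore.password` and `client.keystore.alias` are hypothetical names chosen for the example, it assumes the key password equals the keystore password, and it assumes XNIO instantiates the classes named in `SSL_JSSE_KEY_MANAGER_CLASSES` through a public no-arg constructor.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Client-side X509KeyManager that answers every CertificateRequest with one
 * fixed alias from a PKCS12 keystore. Example code added for this thread, not
 * WildFly or XNIO code. It assumes the hypothetical system properties
 * client.keystore.path, client.keystore.password and client.keystore.alias,
 * that the key password equals the keystore password, and that XNIO creates
 * the class through this public no-arg constructor.
 */
public class FixedAliasClientKeyManager implements X509KeyManager {

    private final X509KeyManager delegate;
    private final String alias;

    public FixedAliasClientKeyManager() throws Exception {
        String path = System.getProperty("client.keystore.path");
        char[] password = System.getProperty("client.keystore.password", "").toCharArray();
        alias = System.getProperty("client.keystore.alias");
        if (path == null || alias == null) {
            throw new IllegalStateException("client.keystore.path and client.keystore.alias must be set");
        }

        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        // Fail at startup rather than mid-handshake if the alias has no private key.
        if (!keyStore.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private-key entry in " + path);
        }

        // Let the platform KeyManagerFactory do the key/chain handling; we only pick the alias.
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore, password);
        X509KeyManager found = null;
        for (KeyManager km : factory.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                found = (X509KeyManager) km;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509KeyManager available for " + path);
        }
        delegate = found;
    }

    // Called by JSSE on the client when the server sends CertificateRequest.
    // The issuer list the server advertised is deliberately ignored: the alias is fixed.
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return alias;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }

    // Client-only manager: never offers a server identity.
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return null;
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return null;
    }

    // Chain and private key are served by the keystore-backed delegate.
    @Override
    public X509Certificate[] getCertificateChain(String requestedAlias) {
        return delegate.getCertificateChain(requestedAlias);
    }

    @Override
    public PrivateKey getPrivateKey(String requestedAlias) {
        return delegate.getPrivateKey(requestedAlias);
    }
}
```

The class is then named in the property the reply mentions, `remote.connection.default.connect.options.org.xnio.Options.SSL_JSSE_KEY_MANAGER_CLASSES`, with its fully qualified class name as the value (how the properties-based configuration parses that value into a class list is an assumption; check it against the SSL debug output, which should then show a non-empty Certificate and a CertificateVerify message from the client). For a CAC or other smart card the keystore type would be `PKCS11` rather than a `PKCS12` file, so the private key never leaves the token. Presenting the certificate only gets the connection through the TLS layer; whether the realm then authenticates the caller by that certificate rather than by the PLAIN username and password still depends on the SASL mechanism and realm configuration on the server side.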