0 Replies Latest reply on Jan 30, 2017 11:44 AM by Fakaruddin Ali

    Regarding Mutual Authentication in Jboss 7.1.1

    Fakaruddin Ali Newbie

I have configured two-way SSL in standalone.xml as below:

      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="cm2-tls" key-alias="CM2_1845" protocol="TLSv1,TLSv1.2" password="***"
               certificate-key-file="${jboss.server.config.dir}/ServerKeyStore.jks"
               ca-certificate-file="${jboss.server.config.dir}/trustStore.jks" session-timeout="1800"/>
      </connector>

Here ServerKeyStore.jks is the container of the public key and private key. I have imported a self-signed certificate into ServerKeyStore.jks.

      The trustStore.jks contains the public key of the client.

I have deployed a webServiceTest.war inside JBoss (https://remotemachine:8443).

I have written the following standalone Java client using Apache HttpClient 4.5.2 and Java 7:

import java.io.FileInputStream;
      import java.io.InputStream;
      import java.security.KeyStore;

      import javax.net.ssl.SSLContext;
      import javax.net.ssl.SSLHandshakeException;

      import org.apache.http.HttpEntity;
      import org.apache.http.HttpResponse;
      import org.apache.http.client.methods.HttpPost;
      import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
      import org.apache.http.entity.StringEntity;
      import org.apache.http.impl.client.CloseableHttpClient;
      import org.apache.http.impl.client.HttpClients;
      import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
      import org.apache.http.ssl.SSLContextBuilder;
      import org.apache.http.util.EntityUtils;
      import org.json.simple.JSONArray;
      import org.json.simple.parser.JSONParser;

      public class RestClient {

        // Assumed: the response is parsed with json-simple, which provides the JSONArray type used here
        private static final JSONParser parser = new JSONParser();

        public static void main(String[] args) throws Exception {
          getCm2ApiResponseForPost("/webServiceTest/endPOintUrl", "TestJson");
        }

        public static CloseableHttpClient createHttpsClientwithssL() throws Exception {
          final String KEY_STORE_PATH = "C:\\Personal\\ClientKeyStore.jks";
          final String KEY_STORE_PASSWORD = "***";
          final String TRUST_STORE_PATH = "C:\\Personal\\serverTrustStore.jks";
          final String TRUST_STORE_PASSWORD = "***";

          PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
          pool.setMaxTotal(200);
          pool.setDefaultMaxPerRoute(20);

          // Client key store: the private key and certificate the client presents to the server
          KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
          try (InputStream keystoreInput = new FileInputStream(KEY_STORE_PATH)) {
            keystore.load(keystoreInput, KEY_STORE_PASSWORD.toCharArray());
          }
          System.out.println("Keystore has " + keystore.size() + " entries");

          // Trust store: the server certificate; passing null would rely on the cacerts
          // distributed with the JVM instead
          KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
          try (InputStream truststoreInput = new FileInputStream(TRUST_STORE_PATH)) {
            truststore.load(truststoreInput, TRUST_STORE_PASSWORD.toCharArray());
          }

          SSLContext sslContext = new SSLContextBuilder()
              .loadTrustMaterial(truststore, new TrustSelfSignedStrategy())
              .loadKeyMaterial(keystore, KEY_STORE_PASSWORD.toCharArray())
              .build();
          System.err.println(sslContext.getProtocol());

          return HttpClients.custom().setConnectionManager(pool).setSSLContext(sslContext).build();
        }

        public static JSONArray getCm2ApiResponseForPost(String cm2Endpoint, String requestJson) throws Exception {
          JSONArray jsonArray = null;
          try (CloseableHttpClient client = createHttpsClientwithssL()) {
            StringEntity stringEntity = new StringEntity(requestJson);
            stringEntity.setContentType("application/json");

            String cm2EndpointUrl = "https://remotemachine:8443" + cm2Endpoint;
            HttpPost post = new HttpPost(cm2EndpointUrl);
            post.setEntity(stringEntity);

            HttpResponse response = client.execute(post);
            HttpEntity entity = response.getEntity();
            // Read the response body into a string before parsing it
            String jsonResponseString = entity != null ? EntityUtils.toString(entity) : null;
            if (jsonResponseString != null) {
              jsonArray = (JSONArray) parser.parse(jsonResponseString);
            }
          } catch (SSLHandshakeException e) {
            e.printStackTrace();
          } catch (Exception e) {
            e.printStackTrace();
          }
          return jsonArray;
        }
      }

Everything is working fine. I am able to get a response from https://remotemachine:8443.

      But if I enable verify-client true in the JBoss standalone.xml:

      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="cm2-tls" key-alias="CM2_1845" password="***"
               certificate-key-file="${jboss.server.config.dir}/ServerKeyStore.jks"
               ca-certificate-file="${jboss.server.config.dir}/trustStore.jks" session-timeout="1800"
               verify-client="true"/>
      </connector>

      I am getting the following exception:

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
          at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
          at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
          at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
          at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
          at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
          at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
          at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
          at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
          at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
          at httpClient.RestClient.getCm2ApiResponseForPost(RestClient.java:113)
          at httpClient.RestClient.main(RestClient.java:30)

      Please help me to resolve the problem.

      I need to enable verify-client in standalone.xml for mutual authentication.
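A diagnostic added here (not part of the original post or of JBoss) that replays the two handshake decisions offline with the same JSSE classes the server and the HttpClient code above use: which alias the client key manager would offer against the issuers the server's trust store advertises, and whether the server's trust manager would then accept that chain. A `bad_certificate` alert from the server with `verify-client="true"` is usually one of those two steps failing. Key store paths and passwords are hypothetical command-line arguments; the server trust store argument is a copy of the file named in `ca-certificate-file`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

public class MutualTlsCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // Hypothetical arguments: clientKeyStore keyPassword serverTrustStore trustPassword
    public static void main(String[] args) throws Exception {
        KeyStore clientKs = load(args[0], args[1].toCharArray());
        KeyStore serverTs = load(args[2], args[3].toCharArray());
        // Server side: the trust manager JSSE builds from the ca-certificate-file trust store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(serverTs);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // The issuer names the server lists in its CertificateRequest message
        X509Certificate[] anchors = tm.getAcceptedIssuers();
        Principal[] issuers = new Principal[anchors.length];
        for (int i = 0; i < anchors.length; i++) issuers[i] = anchors[i].getSubjectX500Principal();
        // Client side: the key manager that loadKeyMaterial(keystore, password) builds
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, args[1].toCharArray());
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        // Null means no PrivateKeyEntry in the client store chains to an issuer the server trusts;
        // the client then sends an empty Certificate message and the server replies bad_certificate
        String alias = km.chooseClientAlias(new String[] {"RSA", "EC"}, issuers, null);
        if (alias == null) {
            System.out.println("No client key matches the server's accepted issuers: " + java.util.Arrays.toString(issuers));
            return;
        }
        X509Certificate[] chain = km.getCertificateChain(alias);
        System.out.println("Client would present alias '" + alias + "': " + chain[0].getSubjectX500Principal());
        try {
            // Same validation (chain building, expiry) the server applies to the presented certificate
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            System.out.println("Server trust store accepts this chain");
        } catch (CertificateException e) {
            System.out.println("Server would reject this chain: " + e.getMessage());
        }
    }
}
```

If the first step prints no matching alias, the fix is on the server side (import the client certificate, or its issuer, into the file named in `ca-certificate-file`); if the second step rejects the chain, the certificate itself (expiry, chain) is the problem.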