1 Reply Latest reply on Mar 16, 2018 10:15 PM by Syed Mahdi

    mutual Authentication PBOX00052: Supplied credential did not match existing credential for alias

    Syed Mahdi Apprentice

      Wildfly10 , Spring boot Application.

      I have created a server.keystore and then a client.keyStore with a client.crt which i used to client.truststore

      the server.keystore with alias devmyserverkey

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -genkey -alias devmyserverkey -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore myserver.keystore -validity 730 -storepass samepassword -dname "CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country" -keypass samepassword 

      the client.keystore with alias devclientkey

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool  -genkey -keystore client.keystore -storepass samepassword  -keyalg RSA -keysize 2048 -storetype pkcs12  -alias devclientkey -dname "CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country" 

      then the client crt with alias devclientkey

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -exportcert -keystore client.keystore  -storetype pkcs12 -storepass samepassword  -keypass samepassword  -file client.crt -alias devclientkey 

      then the client truststore

      /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -import -file client.crt -keystore client.truststore 

      then the pkc12 keystore

       /myserver_opt/jdk1.8.0_latest/jre/bin/keytool -importkeystore -srckeystore client.keystore -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass samepassword 

      the client.truststore and server.keystore are in the configuration directory on my widlfly instance and when i try to access my application I get the following:

      2018-03-16 08:23:18,177 TRACE [org.jboss.security] (default task-28) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@3e1567dc, cache entry: null 2018-03-16 08:23:18,177 TRACE [org.jboss.security] (default task-28) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@3e1567dc 2018-03-16 08:23:18,178 TRACE [org.jboss.security] (default task-28) PBOX00221: Begin getAppConfigurationEntry(mygenwebservicessecurity), size: 6 2018-03-16 08:23:18,179 TRACE [org.jboss.security] (default task-28) PBOX00224: End getAppConfigurationEntry(mygenwebservicessecurity), AuthInfo: AppConfigurationEntry[]: [0] LoginModule Class: org.jboss.security.auth.spi.BaseCertLoginModule ControlFlag: LoginModuleControlFlag: required Options: name=securityDomain, value=mygenwebservicessecurity

      2018-03-16 08:23:18,181 TRACE [org.jboss.security] (default task-28) PBOX00236: Begin initialize method 2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00245: Found security domain: org.jboss.security.JBossJSSESecurityDomain 2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00239: End initialize method 2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00240: Begin login method 2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00240: Begin login method 2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00252: Begin getAliasAndCert method 2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00253: Found certificate, serial number: 13e04227, subject DN: CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country 2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00255: End getAliasAndCert method 2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00256: Begin validateCredential method 2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28)
        PBOX00056: Supplied credential: 13e04227
        CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country

        PBOX00057: Existing credential: PBOX00058: No match for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country, existing aliases: [mykey]

       

      2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28) PBOX00260: End validateCredential method, result: false 2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28) PBOX00244: Begin abort method, overall result: false 2018-03-16 08:23:18,201 DEBUG [org.jboss.security] (default task-28) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00052: Supplied credential did not match existing credential for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
        at org.jboss.security.auth.spi.BaseCertLoginModule.login(BaseCertLoginModule.java:231)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)

       

        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

      I do not see any difference between the two. the only difference i see is the alias mykey. that si a default alias. but where is this coming from as I have supplied the alias myself for both.

      This is what i added in the standalone.xml

      <security-realm name="SSLRealm">
        <server-identities>
        <ssl>
        <keystore path="myserver.keystore" relative-to="jboss.server.config.dir" keystore-password="samepassword" alias="devmyserverkey" key-password="samepassword"/>
        </ssl>
        </server-identities>
        <authentication>
        <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="samepassword"/>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        </security-realm>
        </security-realms>

        <subsystem xmlns="urn:jboss:domain:remoting:3.0">
        <endpoint/>
        <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        <http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="SSLRealm"/>
        </subsystem>

        <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>

        <security-domain name="mygenwebservicessecurity" cache-type="default">
        <authentication>

        <login-module code="Certificate" flag="required">
        <module-option name="securityDomain" value="mygenwebservicessecurity"/>
        <!--module-option name="rolesProperties" value="file:${jboss.server.config.dir}/user_roles.properties"/>
        <module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/default_roles.properties"/-->
        </login-module>
        </authentication>
        <jsse keystore-password="samepassword" keystore-url="file:/myserver_opt/wildfly10_javatest/mlws/configuration/myserver.keystore" truststore-password="samepassword" truststore-url="file:/myserver_opt/wildfly10_javatest/mlws/configuration/client.truststore" client-auth="true"/>
        </security-domain>
        </security-domains>
        </subsystem>


        <subsystem xmlns="urn:jboss:domain:undertow:3.0">
        <buffer-cache name="default"/>
        <server name="default-server">
        <http-listener name="defaultHTTP" socket-binding="http" redirect-socket="https"/>
        <https-listener name="default" enabled-protocols="TLSv1.2" verify-client="REQUIRED" security-realm="SSLRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <access-log predicate="not equals[%a, %A]" suffix=".log" prefix="access" pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; %D %T"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        </host>
        </server>

      After adding the above in my standalone.xml, when i try to access my application through http it comes also as Forbidden. but the above exception is the one that comes with https and doesn't make sense.

       

      I  also tried with removing all alias references and made all the certs again and checked with

      keytool -list - v -keystore ( truststore/pC12Store/Server.keystore/client.keystore) 

      they all have the same alias mykey

      i even looked into the code for the class throwing the error it seems that the alias coming down to this class is not 'mykey' but the DN definition/Subject

       

      I was following quickstart/helloworld-client-ssl at 10.x · wildfly/quickstart · GitHub  to setup the mutual authentication in Wildfly.

        • 1. Re: mutual Authentication PBOX00052: Supplied credential did not match existing credential for alias
          Syed Mahdi Apprentice

          I solved the issue by adding

           

          <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

          this made the certs validate perfectly.

           

          Now i am getting an issue where after the validate ends with true then it states:

          2018-03-17 00:00:35,678 TRACE [org.jboss.security] (default task-11) PBOX00201: End isValid, result = true

          2018-03-17 00:00:35,718 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null

          2018-03-17 00:00:40,238 TRACE [org.jboss.security] (default task-13) PBOX00354: Setting security roles ThreadLocal: null

           

          So i looked into the SecurityRolesAssociation.java in picket box which was the only place this is fired and it was not able to load Security Roles. I supplied the roles.properties and it did not work cos rolesProperties option is not available in that. So i changed my security domain as :

           

          <login-module code="CertificateRoles" flag="required">

          this took the roles.properties.

           

          It  did solve the issue but the message still comes again after it has given me the results back from my backend :/ So not sure. At least my app is working.

           

          Ahh success is so surreal.