TLS and Client Cert Authentication
leenam Jan 10, 2019 11:33 AMOur application is a Java webservice which was deployed on JBoss Enterprise Application Platform - Version 6.2.0.GA on our existing servers.
On the new AWS servers we deployed our application on WildFly 14.0.1.Final.
We are trying to
- Enforce SSL/TLS mutual authentication.
- Configure certificate login module, which authenticates clients based on certificates and authorizes roles using a property file which maintains the roles
We are able to access WSDL and see the server certificate. But when we try to call our webservice, we are getting errors like
- There was an error connecting to https://abc.com/Service
- Cannot establish connection to https://abc.com/Service because it cannot be trusted
- Sometimes we are getting 403 Forbidden error.
Please find the cli scripts below.
Could you please guide me in configuring CLIENT_CERT authentication module.
****************** CLI commands
# Start batching commands
batch
# Set logging to Debug Level
/subsystem=logging/root-logger=ROOT:write-attribute(name="level", value="DEBUG")
# Add WSDL attributes to webservices subsystem
./subsystem=webservices/:write-attribute(name=modify-wsdl-address,value=true)
./subsystem=webservices/:write-attribute(name=wsdl-host,value=abc.amazonaws.com)
./subsystem=webservices/:write-attribute(name=wsdl-secure-port,value=443)
# Add the keystores, key manager, trust manager and ssl context configuration in the elytron subsystem
./subsystem=elytron/key-store=asSecurityTrustStore:add(path=ASCertAuth.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})
./subsystem=elytron/key-store=asKeyStore:add(path=as-dev.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})
./subsystem=elytron/key-store=asTrustStore:add(path=cacert.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=changeit})
./subsystem=elytron/key-manager=asKeyManager:add(algorithm=SunX509,key-store=asKeyStore,credential-reference={clear-text=changeit})
./subsystem=elytron/trust-manager=asTrustManager:add(key-store=asTrustStore)
./subsystem=elytron/server-ssl-context=asSSLContext:add(key-manager=asKeyManager,trust-manager=asTrustManager,protocols=[TLSv1.2],need-client-auth=true)
# Remove the reference to the legacy security realm and update the https-listener to use the ssl-context configured above
./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=asSSLContext)
#./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=socket-binding,value=https)
# Add a keystore realm that relies on the truststore to authenticate requests
./subsystem=elytron/key-store-realm=asTrustStoreRealm:add(key-store=asSecurityTrustStore)
#./subsystem=elytron/filesystem-realm=asRolesRealm:add(path=/opt/wildfly/standalone/configuration/ASCertAuth-users.properties)
#./subsystem=elytron/properties-realm=asPropertiesRealm:add(users-properties={relative-to=jboss.server.config.dir, path=as-users.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=jboss.server.config.dir, path=as-roles.properties})
./subsystem=elytron/security-domain=as-cert-sec-domain:add(realms=[{realm=asTrustStoreRealm}], default-realm=asTrustStoreRealm, permission-mapper=default-permission-mapper)
./subsystem=elytron/constant-realm-mapper=asTrustStoreRealm:add(realm-name=asTrustStoreRealm)
./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)
./subsystem=elytron/http-authentication-factory=client-cert-digest:add(http-server-mechanism-factory=global, security-domain=as-cert-sec-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=asTrustStoreRealm, pre-realm-principal-transformer=x500-decoder}, {mechanism-name=DIGEST, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=elytron, security-domain=as-cert-sec-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=asTrustStoreRealm, pre-realm-principal-transformer=x500-decoder}, {mechanism-name=DIGEST, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
./subsystem=elytron/server-ssl-context=localhost:add(key-manager=asKeyManager, trust-manager=asTrustManager, security-domain=as-cert-sec-domain, authentication-optional=false, need-client-auth=true)
# Run the batch commands
run-batch
# Reload the server configuration
reload