1 Reply Latest reply on Jun 7, 2004 12:10 PM by Scott Stark

    SSL Configuration to support CLIENT-CERT

    Fabrizio Boco Newbie

      Hi,

      I am trying to set up the SSL protocol and the CLIEN-CERT authentication, using the jboss-3.2.3 packaged with Tomcat.

      This was my procedure:

      1)I created the server cert:

      keytool -genkey -alias taserver -keyalg RSA -keystore server.keystore

      2)I created the client cert

      keytool -genkey -alias client -keyalg RSA -keystore client.keystore

      3)I changed my jboss-service.xml:

      <Connector className = org.apache.coyote.tomcat4.CoyoteConnector" address="${jboss.bind.address}" port = "8443" scheme = https" secure = "true">
      <Factory className = org.apache.coyote.tomcat4.CoyoteServerSocketFactory" keystoreFile="${jboss.server.home.dir}/conf/server.keystore" keystorePass="pwd"
      protocol = "TLS"/>


      4)I prepared a very simple application and web.xml contains:

      .....
      <user-data-constraint>
      no description
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>

      .....

      <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>ssl</realm-name>
      </login-config>

      my jboss-web.xml contains:

      <jboss-web>
      <security-domain>java:/jaas/testSSL</security-domain>
      </jboss-web>

      my jboss.xml contains:


      <security-domain>java:/jaas/testSSL</security-domain>


      7) I changed my login-config.xml as follows:

      <application-policy name="testSSL">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name = "dsJndiName">java:/Documents</module-option>
      <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name = "rolesQuery">select Role,RoleGroup from Roles where principalID=?</module-option>
      </login-module>

      </application-policy>

      8)I changed run.conf adding

      -Djavax.net.ssl.trustStore=/usr/local/jboss-3.2.3/server/default/conf/client.keystore -Djavax.net.ssl.trustStorePassword=pwd


      I use the mozilla browser (1.4.2) in which I have my home-banking certificate and I set the option
      that the browser should ask me the certificate to use.

      When I call my application, the browser show me the server certificate but it doesn't ask me for the certificate to use and the following error appear on the jboss console:


      16:37:37,685 INFO [JSSE14Support] SSL Error getting client Certs
      javax.net.ssl.SSLHandshakeException: null cert chain
      at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
      at java.io.InputStream.read(InputStream.java:89)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
      at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1010)
      at org.apache.coyote.Request.action(Request.java:393)
      at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:793)
      at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:137)
      at org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:220)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.jboss.web.tomcat.tc4.statistics.ContainerStatsValve.invoke(ContainerStatsValve.java:76)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
      at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
      at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:65)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:577)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
      at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:781)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:549)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
      at java.lang.Thread.run(Thread.java:534)


      I have tried to find a solution using the forum but, nothing seams to solve the problem.

      Can anyone tell me the right configuration procedure ?

      How can I import the certificate created with keytool into mozilla ?


      Thank you in advance.

      Regards

      Fabrizio.