3 Replies Latest reply on Dec 7, 2004 11:56 AM by rme

    SSLPeerUnverifiedException "Error getting client certs" jbos

    rme Newbie

      Basically, can not get jboss https to work.
      It is not a browser issue since it can get https pages
      from a vast number of website - its a jboss config issue.

      Using JBoss-3.2.5

      In
      jboss/server/default/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml





      Note: 1) if one does not set the "SSLImplementation"
      then it assumse one is using the "puretsl" implementation and if
      one does not have it around, then one gets a class not found issue, and
      2) the attribute name MUST be "SSLImplementation", it can not be, for
      example, "sslImplementation" because jboss does not match setter/getter
      methods by first lower-casing both strings ... no, jboss only lower-cases
      the first character of the attribute name in the xml file....

      Near the top of the log, the Digester reads all of the attributes:

      2004-12-06 16:45:42,036 DEBUG [BeanUtils] jboss.web:service=WebServer
      EmbeddedCatalina4.1.x -
      BeanUtils.populate(org.apache.coyote.tomcat4.CoyoteServerSocketFactory@48f675,
      {protocol=TLS, keystorePass=tc-ssl, clientAuth=false,
      SSLImplementation=org.apache.tomcat.util.net.jsse.JSSEImplementation,
      keystoreFile=/usr/local/ED/app/jboss/server/cs/conf/server.keystore,
      className=org.apache.coyote.tomcat4.CoyoteServerSocketFactory})
      From the log I get:

      2004-12-06 16:46:15,850 INFO [Engine] - CoyoteConnector Coyote can't register
      jmx for protocol
      2004-12-06 16:46:15,867 INFO [Http11Protocol] - Starting Coyote HTTP/1.1 on
      port 50080
      2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soLinger: -1
      2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
      2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
      2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
      2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute jkHome:
      /usr/local/ED/app/jboss/server/default
      2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute port: 50443
      2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute maxThreads: 20
      2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute minSpareThreads: 5
      2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute maxSpareThreads: 5
      2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute backlog: 10
      2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
      2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soLinger: -1
      2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
      2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute timeout: 300000
      2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
      2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute
      maxKeepAliveRequests: 100
      2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute
      tomcatAuthentication: true
      2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute compression: off
      2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute address: /0.0.0.0
      2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute secure: true
      2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute algorithm: null
      2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute keystore:
      /usr/local/ED/app/jboss/server/default/conf/server.keystore
      2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute randomfile:
      /home/myhome/random.pem
      2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute rootfile:
      /home/myhome/root.pem
      2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute keystoreType: JKS
      2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute protocol: TLS
      2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute sslImplementation:
      org.apache.tomcat.util.net.jsse.JSSEImplementation
      2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - Truststore = null
      2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - TrustPass = tc-ssl
      2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - trustType = JKS

      Note that the keystore was picked up from the jboss-service.xml
      file.
      Also, note that the "clientAuth" was not picked up!!!!!!!

      I assume that this is printed by code in the class
      org/apache/coyote/tomcat4/CoyoteConnector.java:
      IntrospectionUtils.setProperty(protocolHandler, "jkHome",
      System.getProperty("catalina.base"));

      // Set attributes
      IntrospectionUtils.setProperty(protocolHandler, "port", "" + port);
      IntrospectionUtils.setProperty(protocolHandler, "maxThreads",
      "" + maxProcessors);
      IntrospectionUtils.setProperty(protocolHandler, "minSpareThreads",
      "" + minProcessors);
      IntrospectionUtils.setProperty(protocolHandler, "maxSpareThreads",
      "" + maxSpareProcessors);
      IntrospectionUtils.setProperty(protocolHandler, "backlog",
      "" + acceptCount);
      IntrospectionUtils.setProperty(protocolHandler, "tcpNoDelay",
      "" + tcpNoDelay);
      IntrospectionUtils.setProperty(protocolHandler, "soLinger",
      "" + connectionLinger);
      IntrospectionUtils.setProperty(protocolHandler, "soTimeout",
      "" + connectionTimeout);
      IntrospectionUtils.setProperty(protocolHandler, "timeout",
      "" + connectionUploadTimeout);
      IntrospectionUtils.setProperty(protocolHandler, "serverSoTimeout",
      "" + serverSocketTimeout);
      IntrospectionUtils.setProperty(protocolHandler, "disableUploadTimeout",
      "" + disableUploadTimeout);
      IntrospectionUtils.setProperty(protocolHandler, "maxKeepAliveRequests",
      "" + maxKeepAliveRequests);
      IntrospectionUtils.setProperty(protocolHandler, "tomcatAuthentication",
      "" + tomcatAuthentication);
      IntrospectionUtils.setProperty(protocolHandler, "compression",
      compression);
      if (address != null) {
      IntrospectionUtils.setProperty(protocolHandler, "address",
      address);
      }

      // Configure secure socket factory
      if (factory instanceof CoyoteServerSocketFactory) {
      IntrospectionUtils.setProperty(protocolHandler, "secure",
      "" + true);
      CoyoteServerSocketFactory ssf =
      (CoyoteServerSocketFactory) factory;
      IntrospectionUtils.setProperty(protocolHandler, "algorithm",
      ssf.getAlgorithm());
      IntrospectionUtils.setProperty(protocolHandler, "clientauth",
      ssf.getClientAuth());
      IntrospectionUtils.setProperty(protocolHandler, "keystore",
      ssf.getKeystoreFile());
      IntrospectionUtils.setProperty(protocolHandler, "randomfile",
      ssf.getRandomFile());
      IntrospectionUtils.setProperty(protocolHandler, "rootfile",
      ssf.getRootFile());

      IntrospectionUtils.setProperty(protocolHandler, "keypass",
      ssf.getKeystorePass());
      IntrospectionUtils.setProperty(protocolHandler, "keytype",
      ssf.getKeystoreType());
      IntrospectionUtils.setProperty(protocolHandler, "protocol",
      ssf.getProtocol());
      IntrospectionUtils.setProperty(protocolHandler,
      "sSLImplementation",
      ssf.getSSLImplementation());
      } else {
      IntrospectionUtils.setProperty(protocolHandler, "secure",
      "" + false);
      }


      Again, note that the "clientauth" value is not printed.

      Finally, when the brower is pointed at:

      https://myhost:50443/jmx-console

      the following appears in the log:

      2004-12-06 16:46:58,298 DEBUG [JSSE14Support] - Error getting client certs
      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at
      com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(DashoA12275)
      at
      org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:151)
      at
      org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:166)
      at
      org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1007)
      at org.apache.coyote.Response.action(Response.java:226)
      at
      org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
      at
      org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
      at
      org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
      at
      org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:711)
      at
      org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
      at
      org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:687)
      at java.lang.Thread.run(Thread.java:534)
      2004-12-06 16:46:58,325 INFO [Engine] - StandardHost[localhost]: MAPPING
      configuration error for request URI
      2004-12-06 16:46:58,326 INFO [Engine] - StandardHost[localhost]: MAPPING
      configuration error for request URI

      If you do not have logging set to DEBUG, all you get is the "MAPPING"
      INFO log ...


      So, the Http11Processor in its "action" method is has been passed
      the value "ActionCode.ACTION_REQ_SSL_CERTIFICATE".

      Please, whats going on?
      How does one tell jboss to look at the "clientAuth=false" attribute?

      Thanks



      One would think that accessing JBoss via https would be easier to configure.