8 Replies Latest reply on Jun 21, 2005 9:50 AM by rpa_rio

    Extract username from client certificate without import the

    rpa_rio Novice

      How does AnyVerifier work? Do I need to store the username in the CN field of my cert?

        • 1. Re: Extract username from client certificate without import
          rpa_rio Novice

          I followed all steps in http://www.jboss.org/wiki/Wiki.jsp?page=SSLSetup.

          Here are the JBoss messages:

          2005-06-18 11:08:36,572 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] securityDomain=java:/jaas/NexusAcesso
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] found domain: org.jboss.security.plugins.JaasSecurityDomain
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: initialize(Subject, CallbackHandler, Map, Map)
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: login()
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: getAliasAndCert()
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: getAliasAndCert()
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: validateCredentail(String, X509Certificate)
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule]
          Supplied Credential: 42b42915
          CN=ClientCert, O=nexus, OU=nexus

          Existing Credential: No match for alias: CN=ClientCert, O=nexus, OU=nexus, we have aliases [servercert]
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] The supplied certificate DID NOT match the certificate in the keystore.
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: validateCredentail(String, X509Certificate)
          2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=ClientCert, O=nexus, OU=nexus
          2005-06-18 11:08:36,581 INFO [STDOUT] Padded plaintext before ENCRYPTION: len = 1408


          I'm using BaseCertLoginModule and AnyVerifier with DataBaseLoginModule.

          • 2. Re: Extract username from client certificate without import
            rpa_rio Novice

            Maybe I need to write my own LoginModule, or am I wrong? I only need to verify and extract the username to authenticate in JBoss...

            • 3. Re: Extract username from client certificate without import
              rpa_rio Novice

              I checked this too: http://www.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith,
              but I have a lot of users with different passwords, and in the client certificate I'll only have the username (or can I have the password too?). How can I set the password to log in successfully?
              Please excuse me, I'm a newbie in JAAS with SSL client certificates.

              • 4. Re: Extract username from client certificate without import
                rpa_rio Novice

                Actually Tomcat shows this error in the browser: 'Cannot authenticate with the provided credentials'.

                • 6. Re: Extract username from client certificate without import
                  rpa_rio Novice

                  This is my login-config.xml

                  <policy>
                    <application-policy name="NexusAcesso">
                      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
                        <module-option name="password-stacking">useFirstPass</module-option>
                        <module-option name="securityDomain">java:/jaas/NexusAcesso</module-option>
                        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
                      </login-module>
                      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                        <module-option name="dsJndiName">java:/NexusDS</module-option>
                        <module-option name="principalsQuery">SELECT senha FROM usuario WHERE usuario = ?</module-option>
                        <module-option name="rolesQuery">SELECT papel, 'Roles' FROM papelusuario WHERE usuario = ?</module-option>
                        <module-option name="unauthenticatedIdentity">convidado</module-option>
                      </login-module>
                    </application-policy>
                  </policy>
                  


                  I tried with and without AnyCertVerifier but no success.

                  • 7. Re: Extract username from client certificate without import
                    rpa_rio Novice

                    I updated to JBoss 4.0.2 and the message in the second post disappeared, but the message in the fifth post still appears. I'm using the AnyCertVerifier but I still need to import the client certificate in the truststore.

                    • 8. Re: Extract username from client certificate without import
                      rpa_rio Novice

                      Fixed: the correct one is DatabaseCertLoginModule instead of BaseCertLoginModule + DatabaseServerLoginModule...
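
The change described in the last post, written out as an added example; it is not part of the original thread and has not been tested against the poster's setup. It reuses the domain, datasource and roles query from the config posted above. The `<authentication>` wrapper and the use of `dsJndiName` and `rolesQuery` on DatabaseCertLoginModule are assumptions based on the standard login-config.xml layout and that module's documented options.

```xml
<policy>
  <application-policy name="NexusAcesso">
    <authentication>
      <!--
        One module does both jobs: the client certificate is the credential,
        and roles come from the database. No password lookup is involved,
        so principalsQuery is no longer needed.
      -->
      <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/NexusAcesso</module-option>
        <!--
          AnyCertVerifier accepts every certificate it is handed, so the JAAS
          layer performs no check of its own. Which client certificates are
          trusted is then decided only by the SSL connector's truststore and
          client-auth setting; keep that truststore limited to the CA(s) that
          issue your user certificates.
        -->
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
        <module-option name="dsJndiName">java:/NexusDS</module-option>
        <!--
          The value bound to "?" is the principal name taken from the
          certificate. In the debug log above that alias is the full subject
          DN (CN=ClientCert, O=nexus, OU=nexus), so the usuario column must
          hold the same string unless a different principal mapping is
          configured (assumption: default mapping).
        -->
        <module-option name="rolesQuery">SELECT papel, 'Roles' FROM papelusuario WHERE usuario = ?</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```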