Version 3

    Mutual Authentication on JBoss 7.2.0.Final


    These are steps that will get you to the point where JBoss 7.2.0.Final is set up with mutual authentication.

    OpenSSL Steps to Generate Server Certificate and Client Certificate Files

    1. Create the key pair for the CA:

    openssl genrsa -out ca.key 1024

    2. Create the root certificate:

    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

    3. Generate a keypair for the server:

    mkdir -p demoCA/newcerts

    touch demoCA/index.txt

    echo '01' > demoCA/serial

    openssl genrsa -out localhost.key 2048


    4. Create the CSR for the web server:

    openssl req -new -key localhost.key -out localhost.csr


    5. Sign it with the CA:

    openssl ca -keyfile ca.key -cert ca.crt -out localhost.crt -policy policy_anything -infiles localhost.csr


    6. On the client, create the key pair for the client:

    openssl genrsa -out client.key 2048


    7. On the client, create a CSR:


    openssl req -new -key client.key -out client.csr


    8. On the server, our CA will sign the request:


    openssl ca -keyfile ca.key -cert ca.crt -out client.crt -policy policy_anything -infiles client.csr


    9. Verify you have 2 new PEM files in demoCA/newcerts.


    10. Create PKCS#12 file (that combines certificate with private key) for server:


    openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name aliasname


    11. Create PKCS#12 file (that combines certificate with private key) for client:

    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name aliasname

    Java Keystore Steps

    1. Run the keytool to create the keystore JKS file with the server PKCS#12 file we created in step 10:

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore localhost.p12 -srcstoretype PKCS12 -alias aliasname

    2. Run the keytool to create the trust store file.


    keytool -import -keystore cacerts.jks -storepass changeit -alias aliasname -file ca.crt
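    The OpenSSL steps above, as an added example (not the wiki page's own commands): the CA, server and client steps run end-to-end without prompts in a scratch directory, followed by the chain checks worth passing before configuring verify-client, namely that each certificate verifies against ca.crt and that a certificate from an unrelated CA does not. Assumed: openssl is on PATH; the CN values and the export password 'changeit' are constructed sample values; the keytool steps are unchanged from above.

```shell
#!/bin/sh
# Added example (not from the original wiki page): steps 1-11 above run
# non-interactively in a scratch directory, then checked.
# Assumptions: openssl is on PATH; the CN values and the password 'changeit'
# are constructed sample values.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Steps 1-2: CA key pair and self-signed root. 2048 bits is used rather than
# the 1024 in step 1, since 1024-bit RSA is no longer considered adequate.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=Demo Root CA"

# Steps 3-8: key pair, CSR and CA-signed certificate for server and client.
# 'openssl x509 -req' replaces 'openssl ca' so no demoCA/ index or serial
# files are needed; the certificates still chain to ca.crt exactly as before.
for name in localhost client; do
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -out "$name.csr" -subj "/CN=$name"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$name.crt" 2>/dev/null
done

# Steps 10-11: PKCS#12 bundles (certificate plus private key) for keytool
# and for the browser import in the test section.
for name in localhost client; do
    openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -out "$name.p12" \
        -name aliasname -passout pass:changeit
done

# Check 1: the certificate chains to ca.crt, the CA in the trust store; this is
# what verify-client="true" will demand of the browser's certificate.
cert_chains_to_ca() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Check 2: a certificate from an unrelated CA must fail the same check, or the
# trust store would accept any client.
other_ca_rejected() {
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -keyout other.key \
        -out other.crt -subj "/CN=Other CA" 2>/dev/null
    ! openssl verify -CAfile other.crt client.crt >/dev/null 2>&1
}

cert_chains_to_ca localhost.crt && cert_chains_to_ca client.crt && other_ca_rejected \
    && echo "certificate chain checks passed in $WORK"
```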

    JBoss 7.2.0.Final Steps

    (Steps assume you are using standalone setup. Modify steps for domain if applicable)

    1. Copy both JKS keystore files from the previous steps into $JBOSS_HOME/standalone/conf
    2. Edit $JBOSS_HOME/standalone/standalone.xml


         In subsystem urn:jboss:domain:web:1.4, add:

    <connector name="https" protocol="HTTP/1.1" scheme="https"
               socket-binding="https" secure="true">
        <!-- keystore paths assume the JKS files were copied to standalone/conf as in step 1 -->
        <ssl name="https" key-alias="aliasname" password="changeit"
             certificate-key-file="${jboss.home.dir}/standalone/conf/keystore.jks"
             ca-certificate-file="${jboss.home.dir}/standalone/conf/cacerts.jks"
             verify-client="true"/>
    </connector>



    Test it


    1. Restart the JBoss service.
    2. Try https://localhost:8443/ - you should get no access because you have not yet installed a client certificate.
    3. Install the client.p12 file you generated earlier into your browser.
    4. Repeat the test; it should now work.