Hi,
I am trying to set up the SSL protocol and CLIENT-CERT authentication, using the
jboss-3.2.3 packaged with Tomcat.
This was my procedure:
1) I created the server cert:
keytool -genkey -alias taserver -keyalg RSA -keystore server.keystore
2) I created the client cert:
keytool -genkey -alias client -keyalg RSA -keystore client.keystore
3) I changed my jboss-service.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    address="${jboss.bind.address}" port="8443" scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="pwd"
    protocol="TLS"/>
</Connector>
4) I prepared a very simple application whose web.xml contains:
.....
<user-data-constraint>
  no description
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
.....
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>ssl</realm-name>
</login-config>
5) My jboss-web.xml contains:
<jboss-web>
<security-domain>java:/jaas/testSSL</security-domain>
</jboss-web>
6) My jboss.xml contains:
<security-domain>java:/jaas/testSSL</security-domain>
7) I changed my login-config.xml as follows:
<application-policy name="testSSL">
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="required">
    <module-option name="dsJndiName">java:/Documents</module-option>
    <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
    <module-option name="rolesQuery">select Role,RoleGroup from Roles where principalID=?</module-option>
  </login-module>
</application-policy>
8) I changed run.conf, adding:
-Djavax.net.ssl.trustStore=/usr/local/jboss-3.2.3/server/default/conf/client.keystore
-Djavax.net.ssl.trustStorePassword=pwd
I use the Mozilla browser (1.4.2), in which I have my home-banking certificate, and I
set the option that the browser should ask me which certificate to use.
When I call my application, the browser shows me the server certificate but it doesn't
ask me which certificate to use, and the following error appears on the JBoss console:
16:37:37,685 INFO [JSSE14Support] SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at java.io.InputStream.read(InputStream.java:89)
at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1010)
at org.apache.coyote.Request.action(Request.java:393)
at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:793)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:137)
at org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:220)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.jboss.web.tomcat.tc4.statistics.ContainerStatsValve.invoke(ContainerStatsValve.java:76)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:65)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:577)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:781)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:549)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
at java.lang.Thread.run(Thread.java:534)
I have tried to find a solution using the forum, but nothing seems to solve the
problem.
Can anyone tell me the right configuration procedure?
How can I import the certificate created with keytool into mozilla ?
Thank you in advance.
Regards
Fabrizio.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3837262#3837262
Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3837262
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
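Added example (not from Fabrizio's post, nor JBoss or Tomcat code): a Go program that reproduces the "null cert chain" failure at the TLS level. In JSSE the trust store does two jobs: it holds the roots the client's chain is verified against, and the subjects of its CA certificates are the list the server sends in the CertificateRequest. A browser offers only a certificate whose issuer is in that list. With the configuration above (a self-signed keytool "client" cert as the whole trust store, a home-banking cert from an unrelated CA in Mozilla) nothing matches, so the browser sends an empty Certificate message without prompting, and the server logs the empty chain. The program mints three invented CAs and plays three clients against a loopback server that requires a client certificate: no certificate at all, a certificate from a CA the server does not trust, and one from the trusted CA. Every CA and subject name, and the loopback server itself, is an assumption made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// outcome is what the server saw: Err is nil only for a client certificate chaining to ClientCAs.
type outcome struct {
	Scenario, ClientCN string
	Err                error
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a throw-away cert: a self-signed CA when parent is nil, else a leaf signed by parent (all names invented).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// chain mints a CA plus one leaf it signed; the leaf comes back ready for a tls.Config.
func chain(caCN, leafCN string) (*x509.Certificate, tls.Certificate) {
	ca, caKey := issue(caCN, nil, nil)
	leaf, key := issue(leafCN, ca, caKey)
	return ca, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}
}

// handshake plays one client against a one-shot loopback server and reports what the server saw.
func handshake(name string, serverCfg, clientCfg *tls.Config) outcome {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan outcome, 1)
	go func() {
		conn := tls.Server(must(ln.Accept()), serverCfg)
		defer conn.Close()
		o := outcome{Scenario: name, Err: conn.Handshake()}
		if o.Err == nil {
			o.ClientCN = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		done <- o
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		c.Close()
	}
	return <-done
}

// runScenarios plays three clients against a server whose ClientCAs plays the role of the JSSE trustStore.
func runScenarios() []outcome {
	serverCA, serverPair := chain("Demo Server CA", "jboss-host")
	clientCA, clientPair := chain("Demo Client CA", "fabrizio") // the only issuer the server trusts
	_, bankPair := chain("Some Bank CA", "fabrizio-bank")        // an issuer the server never heard of
	trusted, roots := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(clientCA)
	roots.AddCert(serverCA)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverPair},
		ClientAuth:   tls.RequireAndVerifyClientCert, // clientAuth="true" in Tomcat terms
		ClientCAs:    trusted,                         // sent to the client as the acceptable-CA list
	}
	return []outcome{
		handshake("no client certificate", serverCfg, &tls.Config{RootCAs: roots}),
		// Like a browser, Go offers only a cert whose issuer is in the server's CA list; with no match it sends an empty Certificate message.
		handshake("certificate from an untrusted CA", serverCfg, &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{bankPair}}),
		handshake("certificate from the trusted CA", serverCfg, &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{clientPair}}),
	}
}

func main() { fmt.Printf("%+v\n", runScenarios()) }
```

Only the third scenario yields a peer certificate; the first two end with the server reporting that the client provided none, which is the same condition the JSSE trace above reports. The real setup needs the same shape: the browser's certificate must be issued by a CA whose certificate sits in the server trust store (or be that exact self-signed certificate), and the browser needs the matching private key. The JDK 1.4 keytool cannot export a private key, so the usual route is to create the client key and certificate with openssl, package them as PKCS#12 (openssl pkcs12 -export) for import into Mozilla, and import only the issuing CA certificate into the server trust store.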