Client authentication through SSL certificate in JBoss AS 7.1.1.Final. This configuration will make sure that only clients whose certificates are trusted by the server may have access to the application (standalone.xml line 272)
PASSWORD | |
changethis | |
SERVER KEYSTORE - used by the server to establish a secure connection (HTTPS) | |
c:\eclipse\jdk1.7.0_05\jre\bin\keytool.exe -genkey -keyalg RSA -alias localhost -keystore localhost.jks -validity 365 -keysize 2048 | |
CLIENT KEYSTORE - used to generate the ".cer" file that will be used in the server's truststore and in the browser to identify the client to the server | |
c:\eclipse\jdk1.7.0_05\jre\bin\keytool.exe -genkey -keyalg RSA -alias jonwelzel -keystore jonwelzel.jks -validity 365 -keysize 2048 | |
PFX FROM JKS - the pfx will be used in the browser for example | |
c:\eclipse\jdk1.7.0_05\jre\bin\keytool.exe -importkeystore -srckeystore jonwelzel.jks -srcstoretype JKS -destkeystore jonwelzel.pfx -deststoretype PKCS12 | |
ADD CLIENT'S CERT TO SERVER'S TRUSTSTORE - this ensures the client can access the application only when it presents this certificate (the truststore password and the server keystore password must be the same) | |
c:\eclipse\jdk1.7.0_05\jre\bin\keytool.exe -import -v -trustcacerts -alias client-alias -file jonwelzel.cer -keystore cacerts.jks -keypass changeit -storepass changeit |
<?xml version='1.0' encoding='UTF-8'?> | |
<!-- standalone.xml for JBoss AS 7.1.1.Final (schema urn:jboss:domain:1.2), configured so that the
     https connector requires a client certificate. Keystore, truststore and datasource passwords are
     stored in cleartext in this file, so read access to it should be restricted to the server account. -->
<server xmlns="urn:jboss:domain:1.2"> | |
<extensions> | |
<extension module="org.jboss.as.clustering.infinispan"/> | |
<extension module="org.jboss.as.configadmin"/> | |
<extension module="org.jboss.as.connector"/> | |
<extension module="org.jboss.as.deployment-scanner"/> | |
<extension module="org.jboss.as.ee"/> | |
<extension module="org.jboss.as.ejb3"/> | |
<extension module="org.jboss.as.jaxrs"/> | |
<extension module="org.jboss.as.jdr"/> | |
<extension module="org.jboss.as.jmx"/> | |
<extension module="org.jboss.as.jpa"/> | |
<extension module="org.jboss.as.logging"/> | |
<extension module="org.jboss.as.mail"/> | |
<extension module="org.jboss.as.naming"/> | |
<extension module="org.jboss.as.osgi"/> | |
<extension module="org.jboss.as.pojo"/> | |
<extension module="org.jboss.as.remoting"/> | |
<extension module="org.jboss.as.sar"/> | |
<extension module="org.jboss.as.security"/> | |
<extension module="org.jboss.as.threads"/> | |
<extension module="org.jboss.as.transactions"/> | |
<extension module="org.jboss.as.web"/> | |
<extension module="org.jboss.as.webservices"/> | |
<extension module="org.jboss.as.weld"/> | |
</extensions> | |
<!-- Management: both realms authenticate against properties files under jboss.server.config.dir.
     The native and http management interfaces are bound to the "management" interface, which the
     <interfaces> section below defaults to 127.0.0.1. -->
<management> | |
<security-realms> | |
<security-realm name="ManagementRealm"> | |
<authentication> | |
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> | |
</authentication> | |
</security-realm> | |
<security-realm name="ApplicationRealm"> | |
<authentication> | |
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/> | |
</authentication> | |
</security-realm> | |
</security-realms> | |
<management-interfaces> | |
<native-interface security-realm="ManagementRealm"> | |
<socket-binding native="management-native"/> | |
</native-interface> | |
<http-interface security-realm="ManagementRealm"> | |
<socket-binding http="management-http"/> | |
</http-interface> | |
</management-interfaces> | |
</management> | |
<profile> | |
<subsystem xmlns="urn:jboss:domain:logging:1.1"> | |
<console-handler name="CONSOLE"> | |
<level name="INFO"/> | |
<formatter> | |
<pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/> | |
</formatter> | |
</console-handler> | |
<periodic-rotating-file-handler name="FILE"> | |
<formatter> | |
<pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/> | |
</formatter> | |
<file relative-to="jboss.server.log.dir" path="server.log"/> | |
<suffix value=".yyyy-MM-dd"/> | |
<append value="true"/> | |
</periodic-rotating-file-handler> | |
<logger category="com.arjuna"> | |
<level name="WARN"/> | |
</logger> | |
<logger category="org.apache.tomcat.util.modeler"> | |
<level name="WARN"/> | |
</logger> | |
<logger category="sun.rmi"> | |
<level name="WARN"/> | |
</logger> | |
<logger category="jacorb"> | |
<level name="WARN"/> | |
</logger> | |
<logger category="jacorb.config"> | |
<level name="ERROR"/> | |
</logger> | |
<root-logger> | |
<level name="INFO"/> | |
<handlers> | |
<handler name="CONSOLE"/> | |
<handler name="FILE"/> | |
</handlers> | |
</root-logger> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:configadmin:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:datasources:1.0"> | |
<datasources> | |
<!-- Example in-memory H2 datasource with the default sa/sa credentials in cleartext; not for production data. -->
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true"> | |
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url> | |
<driver>h2</driver> | |
<security> | |
<user-name>sa</user-name> | |
<password>sa</password> | |
</security> | |
</datasource> | |
<drivers> | |
<driver name="h2" module="com.h2database.h2"> | |
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class> | |
</driver> | |
</drivers> | |
</datasources> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"> | |
<!-- Hot deployment: the "deployments" directory is scanned every 5000 ms, so whoever can write to
     that directory can deploy code into this server. Keep its permissions as tight as this file's. -->
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:ee:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:ejb3:1.2"> | |
<session-bean> | |
<stateless> | |
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/> | |
</stateless> | |
<stateful default-access-timeout="5000" cache-ref="simple"/> | |
<singleton default-access-timeout="5000"/> | |
</session-bean> | |
<pools> | |
<bean-instance-pools> | |
<strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/> | |
<strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/> | |
</bean-instance-pools> | |
</pools> | |
<caches> | |
<cache name="simple" aliases="NoPassivationCache"/> | |
<cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/> | |
</caches> | |
<passivation-stores> | |
<file-passivation-store name="file"/> | |
</passivation-stores> | |
<async thread-pool-name="default"/> | |
<timer-service thread-pool-name="default"> | |
<data-store path="timer-service-data" relative-to="jboss.server.data.dir"/> | |
</timer-service> | |
<remote connector-ref="remoting-connector" thread-pool-name="default"/> | |
<thread-pools> | |
<thread-pool name="default"> | |
<max-threads count="10"/> | |
<keepalive-time time="100" unit="milliseconds"/> | |
</thread-pool> | |
</thread-pools> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="hibernate"> | |
<cache-container name="hibernate" default-cache="local-query"> | |
<local-cache name="entity"> | |
<transaction mode="NON_XA"/> | |
<eviction strategy="LRU" max-entries="10000"/> | |
<expiration max-idle="100000"/> | |
</local-cache> | |
<local-cache name="local-query"> | |
<transaction mode="NONE"/> | |
<eviction strategy="LRU" max-entries="10000"/> | |
<expiration max-idle="100000"/> | |
</local-cache> | |
<local-cache name="timestamps"> | |
<transaction mode="NONE"/> | |
<eviction strategy="NONE"/> | |
</local-cache> | |
</cache-container> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:jca:1.1"> | |
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/> | |
<bean-validation enabled="true"/> | |
<default-workmanager> | |
<short-running-threads> | |
<core-threads count="50"/> | |
<queue-length count="50"/> | |
<max-threads count="50"/> | |
<keepalive-time time="10" unit="seconds"/> | |
</short-running-threads> | |
<long-running-threads> | |
<core-threads count="50"/> | |
<queue-length count="50"/> | |
<max-threads count="50"/> | |
<keepalive-time time="10" unit="seconds"/> | |
</long-running-threads> | |
</default-workmanager> | |
<cached-connection-manager/> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:jdr:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:jmx:1.1"> | |
<show-model value="true"/> | |
<!-- JMX is exposed over the remoting connector, which authenticates against ApplicationRealm
     (application-users.properties), not against the certificate domain defined below. -->
<remoting-connector/> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:jpa:1.0"> | |
<jpa default-datasource=""/> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:mail:1.0"> | |
<mail-session jndi-name="java:jboss/mail/Default"> | |
<smtp-server outbound-socket-binding-ref="mail-smtp"/> | |
</mail-session> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:naming:1.1"/> | |
<subsystem xmlns="urn:jboss:domain:osgi:1.2" activation="lazy"> | |
<properties> | |
<property name="org.osgi.framework.startlevel.beginning"> | |
1 | |
</property> | |
</properties> | |
<capabilities> | |
<capability name="javax.servlet.api:v25"/> | |
<capability name="javax.transaction.api"/> | |
<capability name="org.apache.felix.log" startlevel="1"/> | |
<capability name="org.jboss.osgi.logging" startlevel="1"/> | |
<capability name="org.apache.felix.configadmin" startlevel="1"/> | |
<capability name="org.jboss.as.osgi.configadmin" startlevel="1"/> | |
</capabilities> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:pojo:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:remoting:1.1"> | |
<!-- Remoting (EJB/JMX clients, port 4447 via the "remoting" socket binding) uses ApplicationRealm
     password authentication; the client certificate requirement applies only to the https connector. -->
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:sar:1.0"/> | |
<subsystem xmlns="urn:jboss:domain:security:1.1"> | |
<security-domains> | |
<!-- Default domain for deployments that do not name one: Remoting login module (optional, for
     EJB clients) followed by RealmUsersRoles backed by the ApplicationRealm properties files. -->
<security-domain name="other" cache-type="default"> | |
<authentication> | |
<login-module code="Remoting" flag="optional"> | |
<module-option name="password-stacking" value="useFirstPass"/> | |
</login-module> | |
<login-module code="RealmUsersRoles" flag="required"> | |
<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> | |
<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> | |
<module-option name="realm" value="ApplicationRealm"/> | |
<module-option name="password-stacking" value="useFirstPass"/> | |
</login-module> | |
</authentication> | |
</security-domain> | |
<security-domain name="jboss-web-policy" cache-type="default"> | |
<authorization> | |
<policy-module code="Delegating" flag="required"/> | |
</authorization> | |
</security-domain> | |
<security-domain name="jboss-ejb-policy" cache-type="default"> | |
<authorization> | |
<policy-module code="Delegating" flag="required"/> | |
</authorization> | |
</security-domain> | |
<!-- Domain for applications that authenticate by client certificate. CertificateRoles maps the
     presented certificate to a user and roles read from the two properties files below; those
     paths are hard-coded absolute paths, unlike the ${jboss.server.config.dir} expression used in
     the "other" domain above, so they break if the installation is moved. The verifier option is
     AnyCertVerifier, whose name suggests it does not itself check the certificate; trust is
     expected to come from the truststore check done by the https connector (verify-client="true").
     NOTE(review): confirm the verifier semantics against the JBoss security documentation. -->
<security-domain name="RequireCertificateDomain"> | |
<authentication> | |
<login-module code="CertificateRoles" flag="required"> | |
<module-option name="securityDomain" value="RequireCertificateDomain"/> | |
<module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/> | |
<module-option name="usersProperties" value="file:/home/jboss-as-7.1.1.Final/standalone/configuration/my-users.properties"/> | |
<module-option name="rolesProperties" value="file:/home/jboss-as-7.1.1.Final/standalone/configuration/my-roles.properties"/> | |
</login-module> | |
</authentication> | |
<!-- JSSE settings for this domain. Both passwords are the well-known JDK default "changeit" stored
     in cleartext, and the file: URLs are relative, so they presumably resolve against the server's
     working directory. The truststore named here (truststore.jks) differs from the one the https
     connector uses (cacerts.jks); the two must hold the same client certificates or the connector
     and the login module will disagree about which clients are trusted. -->
<jsse keystore-password="changeit" keystore-url="file:localhost.jks" truststore-password="changeit" truststore-url="file:truststore.jks"/> | |
</security-domain> | |
</security-domains> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:threads:1.1"/> | |
<subsystem xmlns="urn:jboss:domain:transactions:1.1"> | |
<core-environment> | |
<process-id> | |
<uuid/> | |
</process-id> | |
</core-environment> | |
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/> | |
<coordinator-environment default-timeout="300"/> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false"> | |
<!-- The plain HTTP connector on port 8080 stays enabled. The certificate requirement is enforced
     only on the https connector, so an application is reachable without a certificate over this
     connector unless its web.xml demands a CONFIDENTIAL transport guarantee (or this connector is
     removed). -->
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> | |
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https"> | |
<!-- HTTPS connector with mutual TLS: verify-client="true" requires the client to present a
     certificate, and ca-certificate-file is the truststore it is checked against (the cacerts.jks
     built by the keytool import step in the notes; without it the JDK default truststore would be
     used). The keystore password "changethis" is cleartext and must match the password chosen
     when localhost.jks was generated. Both file paths are relative to the server's working
     directory; an absolute path is less fragile. No protocol or cipher-suite restriction is set
     on this element, so the container's defaults presumably apply; review them for this JDK. -->
<ssl name="ssl" key-alias="localhost" password="changethis" certificate-key-file="../standalone/configuration/localhost.jks" verify-client="true" ca-certificate-file="../standalone/configuration/cacerts.jks" truststore-type="JKS"/> | |
</connector> | |
<!-- enable-welcome-root="true" serves the default welcome page at "/"; the example.com alias looks
     like a placeholder to be replaced by the real host name. -->
<virtual-server name="default-host" enable-welcome-root="true"> | |
<alias name="localhost"/> | |
<alias name="example.com"/> | |
</virtual-server> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:webservices:1.1"> | |
<modify-wsdl-address>true</modify-wsdl-address> | |
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host> | |
<endpoint-config name="Standard-Endpoint-Config"/> | |
<endpoint-config name="Recording-Endpoint-Config"> | |
<pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM"> | |
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/> | |
</pre-handler-chain> | |
</endpoint-config> | |
</subsystem> | |
<subsystem xmlns="urn:jboss:domain:weld:1.0"/> | |
</profile> | |
<!-- Every interface defaults to loopback (127.0.0.1) unless the corresponding jboss.bind.address
     system property is set. Binding "public" to a routable address also exposes the cleartext http
     connector and the remoting port defined below. -->
<interfaces> | |
<interface name="management"> | |
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/> | |
</interface> | |
<interface name="public"> | |
<inet-address value="${jboss.bind.address:127.0.0.1}"/> | |
</interface> | |
<interface name="unsecure"> | |
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/> | |
</interface> | |
</interfaces> | |
<!-- Port map: management on the "management" interface, everything else on "public". -->
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> | |
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/> | |
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> | |
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/> | |
<socket-binding name="ajp" port="8009"/> | |
<socket-binding name="http" port="8080"/> | |
<socket-binding name="https" port="8443"/> | |
<socket-binding name="osgi-http" interface="management" port="8090"/> | |
<socket-binding name="remoting" port="4447"/> | |
<socket-binding name="txn-recovery-environment" port="4712"/> | |
<socket-binding name="txn-status-manager" port="4713"/> | |
<outbound-socket-binding name="mail-smtp"> | |
<remote-destination host="localhost" port="25"/> | |
</outbound-socket-binding> | |
</socket-binding-group> | |
</server> |
lorenmcguire: You are correct in your assumption. I recommend reviewing the documentation on this topic for jboss. The use of "ca-certificate-file" in the configuration element tells jboss to use that file path as the "truststore" when checking certificates. Without this configuration artifact, the generic JDK/JRE installed truststore would be utilized. (i.e. /etc/.../cacerts.jks). Also, do you have the ca-chain cert in your truststore? (I know this is nearly a year old, but I figured I would post it anyway.)