The Artima Developer Community
Java Buzz Forum
Java client authentication for JBoss EAP over SSL
Ross Mahony

Java client authentication for JBoss EAP over SSL Posted: Jan 28, 2016 7:37 AM

This post originated from an RSS feed registered with Java Buzz by Ross Mahony.
Original Post: Java client authentication for JBoss EAP over SSL
Feed Title: Monster Sandwich - Java, Spring, Hibernate, JPA, JEE, Scala
Feed URL: http://monstersandwich.blogspot.com/feeds/posts/default?alt=rss
Feed Description: A practical site with discussions on a wide range of Java topics where I have tried to include best practices. I try to include practical working examples that anyone can download, install and run. I would love to open discussion to other developers to collaborate with and to learn.
In order for a Java client to authenticate with JBoss EAP over SSL the following steps will need to be performed:


  • Create keystores for the server and client 
  • Configure an HTTPS connector in JBoss EAP 
  • Include the SSL configuration in your client application

Create keystores for the server and client 

The following steps describe how to create keystores for the server and the client and how to import each side's certificate into the other side's truststore. For this exercise the generated keys are self-signed.

To complete the steps below you will need Java installed and the Java bin directory added to your system's PATH variable.

Server keystore


Create the server's keystore 


  • Open a terminal / command prompt
  • Run the following command:
 
keytool -genkeypair -alias jbossweb -keyalg RSA -keysize 1024 -keystore jbossweb.keystore -validity 3650 -keypass jbosswebpass -storepass jbosswebpass
  • -genkeypair (previously named genkey)
    • Generates a key pair
  • -alias
    • alias name of the entry to process
  • -keyalg                
    • key algorithm name
  • -keysize              
    • key bit size
  • -keystore            
    • keystore name
  • -keypass                  
    • key password
  • -storepass                
    • keystore password

Export the server's public key


  • Run the following command:
 
keytool -exportcert -alias jbossweb -keystore jbossweb.keystore -file jbossweb.cer -keypass jbosswebpass -storepass jbosswebpass
  • -exportcert (previously named export) 
    • Exports certificate
  • -alias
    • alias name of the entry to process
  • -keystore            
    • keystore name
  • -file                  
    • output file name
  • -keypass                  
    • key password
  • -storepass                
    • keystore password

Client keystore


Create the client's keystore private/public key


  • Run the following command:
 
keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -keystore client.keystore -keypass clientpass -storepass clientpass -validity 3650
  • -genkeypair (previously named genkey)
    • Generates a key pair
  • -alias
    • alias name of the entry to process
  • -keyalg                
    • key algorithm name
  • -keysize              
    • key bit size
  • -keystore            
    • keystore name
  • -keypass                  
    • key password
  • -storepass                
    • keystore password
  • -validity
    • validity number of days

Export the client's public key


  • Run the following command:
 
keytool -exportcert -alias client -file client.cer -keystore client.keystore  -keypass clientpass -storepass clientpass
  • -exportcert (previously named export) 
    • Exports certificate
  • -alias
    • alias name of the entry to process
  • -file                  
    • output file name
  • -keystore            
    • keystore name
  • -keypass                  
    • key password
  • -storepass                
    • keystore password

Server truststore


  • Add the client's public key to the truststore of the server

 
keytool -importcert -trustcacerts -alias client -file client.cer -keystore jbossweb.keystore -keypass jbosswebpass -storepass jbosswebpass
  • -importcert (previously named import)
    • Imports a certificate or a certificate chain
  • -trustcacerts                   
    • trust certificates from cacerts
  • -alias
    • alias name of the entry to process
  • -file                  
    • input file name
  • -keystore
    • keystore name
  • -keypass
    • key password
  • -storepass
    • keystore password

Client truststore


  • Add the server's public key to the truststore of the client
 
keytool -importcert -trustcacerts -alias jbossweb -file jbossweb.cer -keystore client.keystore -keypass clientpass -storepass clientpass
  • -importcert (previously named import)
    • Imports a certificate or a certificate chain
  • -trustcacerts                   
    • trust certificates from cacerts
  • -alias
    • alias name of the entry to process
  • -file                  
    • input file name
  • -keystore
    • keystore name
  • -keypass
    • key password
  • -storepass
    • keystore password

More information on how to use the keytool command can be found here.

Configure an HTTPS connector in JBoss EAP 6


  • Open the JBoss EAP configuration file for your server; for example, if you are using the default standalone configuration, open standalone.xml within the JBOSS_HOME/bin directory. 
  • Add an HTTPS connector to the org.jboss.as.web subsystem. You can add it after the HTTP connector that should already be there, for example:
 
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <!-- secure="true" marks the connector as confidential; verify-client="true" makes the
         server demand a client certificate that is trusted via ca-certificate-file -->
    <connector name="HTTPS" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https"
             key-alias="jbossweb"
             password="jbosswebpass"
             certificate-key-file="${jboss.server.config.dir}/jbossweb.keystore"
             verify-client="true"
             ca-certificate-file="${jboss.server.config.dir}/jbossweb.keystore"/>
        <!-- jbossweb.keystore is the file created with keytool above, copied into the
             server configuration directory; it holds the server key pair (alias jbossweb)
             and the imported client certificate (alias client) -->
    </connector>

    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
  • In the above example the keystore (certificate-key-file) is also used as the truststore (ca-certificate-file).
  • The verify-client attribute is equivalent to Tomcat's clientAuth attribute. 
  • When using keytool to create the keystores, JBoss compares the name you entered at the keytool prompt (the certificate's CN) against the hostname and will complain if they do not match. You can set the following JVM argument to have JBoss ignore the hostname:
  • -Dorg.jboss.security.ignoreHttpsHost=true

Include the SSL configuration in your client application

  • Within your standalone client application, the following properties need to be set to point to the client's keystore/truststore. 
  • Setting these system properties configures the keystore/truststore for the whole JVM.
 
// Key pair the client presents to the server (alias "client" created above)
System.setProperty("javax.net.ssl.keyStore", "/path/to/client.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "clientpass");
// Same file doubles as the truststore: it holds the imported "jbossweb" certificate
System.setProperty("javax.net.ssl.trustStore", "/path/to/client.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "clientpass");
  • Once those properties are set you should be able to make the necessary HTTPS call (an example would be a webservice request over SSL).
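The same client-side configuration built as a per-connection SSLContext instead of JVM-wide system properties, as an added example that is not part of the original post: it loads the client.keystore produced by the keytool steps above, checks that both expected aliases are present before connecting, and keeps the default hostname verifier active. The keystore path, the passwords, the https://localhost:8443/ endpoint and the class name MutualTlsClient are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Mutual-TLS client for the HTTPS connector above. The client keystore built with keytool
// (key entry "client", trusted-cert entry "jbossweb") is applied per connection, not JVM-wide.
public class MutualTlsClient {

    static SSLContext buildSslContext(String storePath, char[] storePass, char[] keyPass)
            throws Exception {
        // The default type reads both JKS and PKCS12 files on Java 8 and later
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        // Preflight: both aliases from the keytool steps must be present, otherwise the
        // handshake fails later with a far less helpful error.
        if (!ks.isKeyEntry("client") || !ks.isCertificateEntry("jbossweb")) {
            throw new IllegalStateException(
                "expected key entry 'client' and trusted cert 'jbossweb' in " + storePath);
        }
        // Key managers present the client certificate when the server sets verify-client="true"
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        // Trust managers validate the server certificate against the imported "jbossweb" entry
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, passwords and endpoint (8443 is the default https socket-binding)
        SSLContext ctx = buildSslContext("/path/to/client.keystore",
                "clientpass".toCharArray(), "clientpass".toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        // Scoped to this connection; the default hostname verifier stays active, so the
        // server certificate's name must match the host instead of being ignored
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```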

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use