The context of my question is:
Configuring security to access EJB through WS -- WFLYEJB0364 Connection rejected
I configured Wildfly for SSL secured EJBs with Elytron following the tutorials:
How to configure SSL/HTTPS on WildFly:
http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly
and
SSL secured EJBs with Elytron
http://www.mastertheboss.com/jboss-server/jboss-security/ssl-secured-ejb-with-elytron
in order to perform mutual SSL authentication, but with no success. How can I configure EJBs access through WS with mutual SSL authentication?
Related
I've been attempting to get mutual authentication working between Keycloak and OpenLDAP. I've configured the truststore on Keycloak under security realms, which works. I can view the certificate on requests. I've also configured OpenLDAP's truststore/keystore and set it to demand a client certificate. When using ldapsearch I can provide Keycloak's cert which allows me to connect. I've also verified that Keycloak accepts OpenLDAP's cert by changing OpenLDAP to not demand a client certificate, which allows Keycloak to connect (albeit after fixing the truststore). At this point, it appears everything is fine except Keycloak doesn't present it's certificate while acting as a client, and I get the following error in OpenLDAP.
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS: can't accept: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate.
Unfortunately I cannot share details about the configuration or environment beyond the above due to project constraints.
I have SQUID as https froward proxy in my network. One of my application sends a SAOP request out of the network. The SOAP webservice needs client certificate for auth. I have configured the keystore and truststore for my application. Application is working fine directly without SQUID proxy.
It also works fine with SQUID tunneling (i.e. ssl_bump splice ).
But We do not want to use splice. We need SQUID to decrypt SSL traffic and also authenticate and pass the authentication certificate (client certificate) to webservice server.
What are the possible configurations for SQUID for this case ?
For information: SQUID proxy is working fine with HTTP and HTTPS traffic where client certificate for auth is not required. Example "https://www.google.com"
I'm using Spring Security for X.509 preauthentication.
To make sure the client sends its certificate per HTTP request, is it necessary to:
Modify pom.xml to set <wantClientAuth> and <needClientAuth> to true
Set Apache's SSLVerifyClient to require reference
Based on reading, the web server must tell the client-side to sends its certificate in order for the client to actually send it. I'm confused if Spring Security AND Apache configuration is required to achieve this.
Spring Security configuration has nothing to do with whether the client sends a certificate or not. That's decided at the SSL protocol level and hence by the negotiation between the client and the server. Your question is a bit unclear in that it refers to a maven pom and an Apache configuration without explaining how your system is set up. Are you running the maven Jetty plugin with an Apache server in front?
Spring Security's X.509 authentication won't work if the SSL connection doesn't terminate at the servlet container. So if you have HTTPS between the client and Apache, and a non-SSL connection from Apache to the servlet container, then the client certificate won't normally be available.
If you are using an AJP connector, then you can configure Apache to pass the certificate on to the back end using the ExportCertData option. If you aren't, you can still take the exported certificate and pass it as a request header (you'll find examples of this elsewhere on SO). You would also need to customize the Spring Security X.509 code to extract the certificate from the header, rather than the standard java property name which it uses by default.
I'm trying to set up a WCF-service with SSL on Azure.
Can someone please explain a bit about the differences of using certificates is these cases?
Certificate for https-binding in IIS
ServiceCertificate in Web.Config
ClientCertificate in Web.Config
Certificate in ServiceDefinition.csdef
Certificate in ServiceConfiguration.Local.cscfg
Certificate in ServiceConfiguration.Cloud.cscfg
More I should know about?
I want to publish several service-endpoints within the same role, some with SSL and some without. Do I need binding-certificates at all or is it service-certificates I should use?
Start by reading WCF Transport Security with Certificate Authentication and Configuring SSL for an application in Windows Azure
Certificate for https-binding in IIS - exactly what it says, the cert is used by IIS to create a secure binding on a site/service, typically on port 443
ServiceCertificate in Web.Config - WCF service-side binding cert used for WCF Transport Security with Certificate Authentication - private key cert used to authenticate client request signed with the corresponding public key
ClientCertificate in Web.Config - WCF client-side binding cert used for WCF Transport Security with Certificate Authentication - public key cert used to sign a request for authentication to a service using Transport Security with the corresponding private key
Certificate in ServiceDefinition.csdef - default certificate used to create a secure endpoint in Azure worker & web roles. NOTE: This is the certificate Azure installs in IIS to bind to the service endpoint (see #1)
Certificate in ServiceConfiguration.Local.cscfg - same as 4, just used in a "Local" build/deployment configuration
Certificate in ServiceConfiguration.Cloud.cscfg - same as 4, just used in a "Cloud" build/deployment configuration
I have created a test environment. I have one ldap client, ldap listener (as a ldap proxy) and a ldap server. Ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy decodes the ldap requests and forwards them to the ldap server on port 389. And the proxy forwards the reply of the ldap server to ldap client successfully.
I created SSL certificate on ldap server. And this time I tested that ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy forwarded requests to the ldap server on port 636. And the proxy forwards the reply of the ldap server to ldap client successfully.
But there is a problem when I try to use SSL on both sides. I mean
ldap client (port 636) -> ldap proxy (port 636) -> ldap server (port
636)
My client throws an exception
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
I am using unboundid ldap sdk and LdapDebugger example as a ldap proxy. How can I configure ldaplistener to accept SSL encrypted requests(port 636)?
thanks in advance...
If you're using the ldap-debugger tool provided with the LDAP SDK, it currently only supports SSL for communicating with the backend server, but not when communicating with a client. That is, the "--useSSL" option applies only for communication between the LDAP debugger and the backend directory server, and not between the client and the LDAP debugger. However, because this is potentially a very useful feature, I have just committed a set of changes that add this capability, so if you check out and build the latest version of the LDAP SDK, you will find that the ldap-debugger tool has a new "--listenUsingSSL" argument that controls this.
Note that regardless of whether you're using the ldap-debugger tool or you have created your own listener via Java code, you need to ensure that you have a Java keystore that contains the SSL certificate that will be presented to clients. If the LDAP server you're using is Java-based (e.g., the in-memory directory server provided with the LDAP SDK), then you probably already have this. Otherwise, you'll need to create one. If you're just doing this for testing purposes, a self-signed certificate should be just fine (as long as the client trusts it, or is configured to blindly trust all certificates).