JBoss mutual certificate authentication fails on SSL Handshake - ssl

I followed all the steps in this blogpost http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/ except for the fact that I'm using JBoss7.0.2 and not the 6.x version.
The goal is to ask any clients to provide a client certificate and achieve mutual authentication between the client and the server.
I have created a certification authority (CA) to sign the client and server certificates.
I have imported the server certificate into the keystore and added an HTTPS connector to the standalone.xml configuration file to serve HTTPS requests on the 8443 port.
I have imported the CA root certificate into the Certificate Manager under Authorities in client's Firefox.
Everything works fine and when I request https://localhost:8443 I get a page with a valid server certificate.
The problem is, when I import the client certificate into the Certificate Manager in Firefox and set the server configuration to verify client certificates (verify-client="true" in standalone.xml) I get a browser error:
Secure Connection Failed:
An error occurred during a connection to localhost:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
while the jboss log on the server states:
11:01:31,142 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] (http-localhost-127.0.0.1-8443-1) Handshake failed: java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:191) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:1144) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]
Do you have any idea how to resolve this problem?
My setup:
Localhost server:
sovo#sovo-pc:~$ cat /etc/issue
Ubuntu 10.10
JBoss 7.0.2 Final standalone.xml (relevant parts):
<management>
<security-realms>
<security-realm name="PropertiesMgmtSecurityRealm">
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface interface="management" port="9999"/>
<http-interface interface="management" port="9990"/>
</management-interfaces>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:security:1.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Disabled" flag="required"/>
</authentication>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
<ssl name="ssl" key-alias="sercer" password="changeit" certificate-key-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/cacerts.jks"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:1.0"/>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
<inet-address value="${jboss.bind.address:localhost}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public">
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="jmx-connector-registry" port="1090" interface="management"/>
<socket-binding name="jmx-connector-server" port="1091" interface="management"/>
<socket-binding name="jndi" port="1099"/>
<socket-binding name="osgi-http" port="8090" interface="management"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
</socket-binding-group>
Java version:
sovo#sovo-pc:~$ java -version
java version "1.6.0_30"
Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
Java HotSpot(TM) Server VM (build 20.5-b03, mixed mode)
sovo#sovo-pc:~$ javac -version
javac 1.6.0_30
I'll be happy to provide other relevant information if needed.

You might want to give a try by adding cipher suite you your ssl connector:
<ssl name="ssl" key-alias="sercer" password="changeit" certificate-key-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/cacerts.jks" cipher-suite="AES+RSA"/>

Related

How to verify wildfly web server is using added keystore file for https connection?

I have created a self-signed certificate(public_certificate.crt), private key file(private_key.pem). and these are stored in keystore file keystore.jks.
I have configured the same keystore.jks file in the standalone.xml file of widlfly 10 in two section as:
Section 1:
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" />
</ssl>
</server-identities>
</security-realm>
Section 2:
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
I have restarted the server, now when i am accessing the wildfly url(https://localhost:8443) it is coming as "Not Secure" in the browser url section of chrome.
I am having two question related to it:
With or Without configuring the standalone.xml file with our keystore, chrome is mentioning "Not Secure" in browser URL section. it might be because i am using self-signed certificate. but my question is, how will i know that my self-signed certificate is being used by Wildfly.
Is there any way to avoid "Not Secure" warning and it should be coming as "Lock" symbol in the browser for self-signed certificate.

WildFly 10 How to configure slave hosts to connect to domain using HTTPS

Small question about WildFly 10 domain mode and HTTPS.
My host-master.xml parameters:
<management>
<security-realms>
<security-realm name="ManagementRealm">
<server-identities>
<ssl>
<keystore path="..." relative-to="jboss.domain.config.dir" keystore-password="..." alias="..." key-password="..." generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
</authorization>
</security-realm>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
</native-interface>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket interface="management" secure-port="${jboss.management.http.port:9990}"/>
</http-interface>
</management-interfaces>
My host-slave.xml parameters:
<security-realms>
<security-realm name="SlaveRealm">
<server-identities>
<secret value="..." />
</server-identities>
<domain-controller>
<remote protocol="remote" host="..." port="9999" username='slave' security-realm="SlaveRealm"/>
</domain-controller>
Domain server starts without any errors and Management conole is available by HTTPS.
But the slave node will not start and I receive an error message:
2017-02-23 17:35:05,149 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://...:9999 -- java.lang.IllegalStateException: WFLYHC0110: Unable to connect due to SSL failure.
2017-02-23 17:35:05,149 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
2017-02-23 17:35:05,150 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
2017-02-23 17:35:05,150 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99
I've tried to add "<server-identities><ssl><keystore..." part to "SlaveRealm" in host-slave.xml but recieve the same error.
How to configure domain and host-slave properly and simple? Thank you.
In the host.xml you have to specify <interfaces>. You can also pass interfaces values as command line argument while starting wildfly.
Master's host.xml
<interfaces>
<interface name="management">
<inet-address value="${wildfly.bind.address.management:##master.host.name##}"/>
</interface>
<interface name="public">
<inet-address value="${wildfly.bind.address:##master.host.name##}"/>
</interface>
<interface name="unsecure">
<!-- Used for IIOP sockets in the standard configuration.
To secure JacORB you need to setup SSL -->
<inet-address value="${wildfly.bind.address.unsecure:##master.host.name##}"/>
</interface>
</interfaces>
Slave host.xml
<management>
<security-realms>
<security-realm name="ManagementRealm">
<server-identities>
<secret value="##slave.encrypted.password##" />
</server-identities>
....
....
....
<domain-controller>
<!--<local/>-->
<!-- Alternative remote domain controller configuration with a host and port -->
<remote protocol="remote" host="##master.host.name##" port="9999" username="##slave.account.name##" security-realm="ManagementRealm"/>
</domain-controller>
<interfaces>
<interface name="management">
<inet-address value="${wildfly.bind.address.management:##slave.host.name##}"/>
</interface>
<interface name="public">
<inet-address value="${wildfly.bind.address:##slave.host.name##}"/>
</interface>
<interface name="unsecure">
<!-- Used for IIOP sockets in the standard configuration.
To secure JacORB you need to setup SSL -->
<inet-address value="${wildfly.bind.address.unsecure:##slave.host.name##}"/>
</interface>
</interfaces>
This configuration works for our Dev/QA/Production environments.

Accessing Multiple web applications on Jboss7 or Wildfly

I know we can deploy multiple web applications on JBoss 7 or Wildfly. But how can we access different web application with a different port? Where do we set that port for a web application?
For example,
application1 is accessible on x.x.x.x:8080
application2 is accessible on x.x.x.x:30000
application3 is accessible on x.x.x.x:35000
In your standalone you have to set up a different server and host for each application.
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<server name="server1">
<http-listener name="default" socket-binding="http-server1"/>
<host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com">
</host>
</server>
<server name="server2">
<http-listener name="default" socket-binding="http-server2"/>
<host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com">
</host>
</server>
<!-- Other Settings -->
</subsystem>
For the socketbinding:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="http-server1" port="${jboss.http.port:8080}"/>
<socket-binding name="http-server2" port="${jboss.http.port:8081}"/>
<!-- Other ports -->
</socket-binding-group>
And then finally, you can have your .war files in the deployments directory but for configurations like this I sometimes find it easier to set the runtime names explicitly:
<deployments>
<deployment name="webapp1" runtime-name="webapp1.war">
<fs-archive path="/path/to/webapp1.war" />
</deployment>
<deployment name="webapp2" runtime-name="webapp2.war">
<fs-archive path="/path/to/webapp2.war" />
</deployment>
</deployments>

Wildfly many domains with many ssl certificate

I've got test server and I would like to run many applications on that instance, but there's a problem with SSL certificates. If I'm using single certificate, everything is ok, but if when I add another, there is a problem.
This is my ssl realm configuration :
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="cert_one.jks" relative-to="jboss.server.config.dir" keystore-password="1234" key-password="1234"/>
<keystore path="cert_two.jks" relative-to="jboss.server.config.dir" keystore-password="1234" key-password="1234"/>
</ssl>
</server-identities>
</security-realm>
And this is my undertow server configuration:
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<https-listener name="defaultHttps" socket-binding="https" security-realm="ssl-realm" max-post-size="31457280"/>
<host name="one_app" alias="firstapp.com">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
<host name="two_app" alias="secondapp.com">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
As you can see I have two different certificate keystores, one for firstapp.com and another for secondapp.com.
But only certificate for secondapp.com is working. If I delete one of those keystores everything is OK. How to configure two or more certificates for different domains in Wildfly configuration?

How to force jboss as 7 to serve https using TLS 1.0?

How do I force JBoss AS 7 to serve HTTPS content over TLS 1.0?
I am providing a Java application that uses Spring Security 3 to clients. It is hosted on JBoss AS 7. It can only be reached over a VPN, so I'm not too concerned with encryption at the application or transport layer. (Perhaps I should be?) When my users try to connect, browsers refuse the connection unless the user explicitly enables TLS 1.1 and TLS 1.2. Since my users aren't interested in these nuances, I would like to force JBoss to revert back to TLS 1.0.
How do I force JBoss AS 7 to serve HTTPS content over TLS 1.0?
My web domain setup is as follows:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
<ssl password="myPassword" certificate-key-file="myKeyFile.jks" protocol="TLSv1" verify-client="false" certificate-file="myCertFile"/>
</connector>
My socket binding group is set up as follows:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
....
</socket-binding-group>
Thanks in advance.
See https://docs.jboss.org/jbossweb/7.0.x/config/ssl.html
You can force TLS by making use of the protocol attribute.
The version of the SSL protocol to use. If not specified, Supported values: SSLv2, SSLv3, TLSv1, SSLv2+SSLv3 and ALL. the default is "ALL".