configure Client-cert-based Auth in web.xml

Posted on November 5, 2012. Filed under: java/j2EE


After working through the previous post, configure Basic/Form-based Auth in web.xml <login-config>, configuring client-cert based auth is very simple: we need to modify server.xml so the SSL connector includes a truststoreFile.

— server.xml —

<!-- Define SSL Connector on port 8443 -->
<Connector port="8443" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" acceptCount="100" enableLookups="false"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/Users/homenetwork/.keystore" keystorePass="password"
    truststoreFile="/Users/homenetwork/.truststore" truststorePass="password"/>

<Realm className="org.apache.catalina.realm.MemoryRealm" />

We also need to modify the <login-config> to use CLIENT-CERT.

— web.xml —

<web-app version="3.0"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test-app</web-resource-name>
      <url-pattern>/hello</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>appadmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

</web-app>

— tomcat-users.xml —

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="appadmin"/>
  <user username="testapp" password="test" roles="appadmin"/>
  <user username="CN=testapp, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU" password="null" roles="appadmin"/>
</tomcat-users>

The hard part is to

  1. Create a Certificate Authority (CA)
  2. Import the CA to Tomcat’s truststore
  3. Generate a client certificate
  4. Sign the client certificate with CA
  5. Convert the signed client certificate from PEM to pkcs12 format
  6. Import the pkcs12 format client certificate to web browser
  7. Visit https://localhost:8443/test-app/hello with the browser; when it asks for a client cert, provide the imported one.

The following are the shell commands used to create the CA and the client certificate. The setup was done on Mac OS X with openssl and the Java keytool; it should be very similar on Linux boxes.

Client Cert Demo>echo "generate CA cert with openssl" >/dev/null
Client Cert Demo>mkdir sslCA
Client Cert Demo>chmod 700 sslCA
Client Cert Demo>cd sslCA/
Client Cert Demo>mkdir certs private newcerts
Client Cert Demo>echo 'create serial file which will be used to name the new certificates and index.txt'>/dev/null
Client Cert Demo>echo 1000 > serial
Client Cert Demo>touch index.txt
Client Cert Demo>echo 'create Certificate of Authority' > /dev/null
Client Cert Demo>openssl req -new -x509 -days 365 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
Generating a 1024 bit RSA private key
.............................++++++
.............................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:kl2217CA
Email Address []:demo@email.com
Client Cert Demo>ls -lrt private/cakey.pem
-rw-r--r-- 1 homenetwork staff 963 Nov 4 21:47 private/cakey.pem
Client Cert Demo>ls -lrt cacert.pem
-rw-r--r-- 1 homenetwork staff 1200 Nov 4 21:47 cacert.pem
Client Cert Demo>
Client Cert Demo>echo 'import public certificate of CA into the keystore that Tomcat used to store trusted certificates' >/dev/null
Client Cert Demo>keytool -import -alias demoCA -keystore ~/.truststore -trustcacerts -file cacert.pem
Enter keystore password:
Re-enter new password:
Owner: EMAILADDRESS=demo@email.com, CN=kl2217CA, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: EMAILADDRESS=demo@email.com, CN=kl2217CA, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Serial number: e020b2d38ac6fc82
Valid from: Sun Nov 04 21:47:52 EST 2012 until: Mon Nov 04 21:47:52 EST 2013
Certificate fingerprints:
MD5: E0:96:2B:CB:AB:CD:3E:75:75:E7:6E:E5:50:89:17:B2
SHA1: 6B:51:A5:9C:93:10:45:FC:FB:AC:85:7F:A4:C6:48:F6:B3:38:83:6A
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 11 85 13 BF BD 94 D2 F7 E3 D8 F8 0F 7B 3A D2 J.............:.
0010: B5 8F 91 1C ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 11 85 13 BF BD 94 D2 F7 E3 D8 F8 0F 7B 3A D2 J.............:.
0010: B5 8F 91 1C ....
]

[EMAILADDRESS=demo@email.com, CN=kl2217CA, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU]
SerialNumber: [ e020b2d3 8ac6fc82]
]

Trust this certificate? [no]: yes
Certificate was added to keystore
Client Cert Demo>ls -lrt ~/.truststore
-rw-r--r-- 1 homenetwork staff 908 Nov 4 21:56 /Users/homenetwork/.truststore
Client Cert Demo>echo "create a client certificate" >/dev/null
Client Cert Demo>openssl genrsa -out demoClient.key -des3 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for demoClient.key:
Verifying - Enter pass phrase for demoClient.key:
Client Cert Demo>ls -lrt demoClient.key
-rw-r--r-- 1 homenetwork staff 951 Nov 4 22:01 demoClient.key
Client Cert Demo>echo 'create a Certificate Signing Request (CSR) from client Certificate, which will later be signed by CA' >/dev/null
Client Cert Demo>openssl req -new -key demoClient.key -out demoClient.csr
Enter pass phrase for demoClient.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:testapp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Client Cert Demo>ls -lrt demoClient.csr
-rw-r--r-- 1 homenetwork staff 627 Nov 4 22:06 demoClient.csr
Client Cert Demo>echo 'sign the CSR file just generated with Certificate Authority'>/dev/null
Client Cert Demo>openssl ca -days 365 -in demoClient.csr -out demoClient.pem
Using configuration from /System/Library/OpenSSL/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
6587:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
6587:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:358:
unable to load CA private key
Client Cert Demo>vi /System/Library/OpenSSL/openssl.cnf
Client Cert Demo>echo 'by default, the openssl looking for files under directory demoCA, need to fix this'>/dev/null
Client Cert Demo>ls
cacert.pem certs demoClient.csr demoClient.key index.txt newcerts private serial
Client Cert Demo>mkdir demoCA
Client Cert Demo>mv cacert.pem certs index.txt newcerts private serial demoCA
Client Cert Demo>ls
demoCA demoClient.csr demoClient.key
Client Cert Demo>openssl ca -days 365 -in demoClient.csr -out demoClient.pem
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 5 04:09:04 2012 GMT
Not After : Nov 5 04:09:04 2013 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = testapp
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A3:3A:41:95:DE:FE:E0:0B:4D:CA:F3:1D:3D:19:4B:5E:2E:6E:25:06
X509v3 Authority Key Identifier:
keyid:4A:11:85:13:BF:BD:94:D2:F7:E3:D8:F8:0F:7B:3A:D2:B5:8F:91:1C

Certificate is to be certified until Nov 5 04:09:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Client Cert Demo>ls -lrt demoClient.pem
-rw-r--r-- 1 homenetwork staff 3138 Nov 4 23:09 demoClient.pem
Client Cert Demo>diff demoClient.pem demoCA/newcerts/1000.pem
Client Cert Demo>echo 'convert the signed client Certificate from Privacy Enhanced Mail (PEM) format to Public Key Cryptography Standard #12 (pkcs12) format'>/dev/null
Client Cert Demo>openssl pkcs12 -export -in demoClient.pem -inkey demoClient.key -out demoClient.pkcs12 -name "Demo Client"
Enter pass phrase for demoClient.key:
Enter Export Password:
Verifying – Enter Export Password:
Client Cert Demo>ls -lrt demoClient.pkcs12
-rw-r--r-- 1 homenetwork staff 1804 Nov 4 23:16 demoClient.pkcs12
Client Cert Demo>echo "now import the demoClient.pkcs12 to browser.">/dev/null

Client Cert Demo>echo "most likely you will see INFO: Error trying to obtain a certificate from the client javax.net.ssl.SSLHandshakeException: null cert chain">/dev/null
Client Cert Demo>echo "This is because you need to modify the server.xml <connector>" >/dev/null
Client Cert Demo>echo "After you fixed server.xml, if you see 401 error, that means you forget to add distinguished name (DN) to your realm"> /dev/null
Client Cert Demo>
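The same CA and client-certificate steps as the transcript above, as an added non-interactive script that is not part of the original post: it lays the files out under ./demoCA up front (so `openssl ca` finds them without editing the system openssl.cnf), uses constructed placeholder pass phrases, and ends with a check that prints the subject DN in the exact form the tomcat-users.xml entry must use. It assumes only that openssl is on PATH.

```shell
# Added example, not from the original post: the transcript's CA and client-cert steps run
# non-interactively, with the files under ./demoCA so `openssl ca` finds them without editing
# the system openssl.cnf. Pass phrases are constructed placeholders; DNs match the post.
set -e; cd "$(mktemp -d)"
CA_PASS="ca-secret"; CLIENT_PASS="client-secret"; EXPORT_PASS="export-secret"
setup_ca() {  # steps 1-2 prerequisite: demoCA layout, CA key and self-signed CA cert
  mkdir -p demoCA/private demoCA/newcerts; echo 1000 > demoCA/serial; : > demoCA/index.txt
  cat > demoCA/ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/cakey.pem
certificate = $dir/cacert.pem
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
EOF
  openssl req -new -x509 -days 365 -newkey rsa:2048 -config demoCA/ca.cnf -passout "pass:$CA_PASS" \
    -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=kl2217CA" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
}
issue_client_cert() {  # steps 3-5: client key, CSR, CA-signed cert, PKCS#12 bundle for the browser
  openssl genrsa -aes256 -passout "pass:$CLIENT_PASS" -out demoClient.key 2048 2>/dev/null
  openssl req -new -config demoCA/ca.cnf -key demoClient.key -passin "pass:$CLIENT_PASS" \
    -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=testapp" -out demoClient.csr
  openssl ca -batch -days 365 -config demoCA/ca.cnf -passin "pass:$CA_PASS" -in demoClient.csr -out demoClient.pem 2>/dev/null
  openssl pkcs12 -export -in demoClient.pem -inkey demoClient.key -passin "pass:$CLIENT_PASS" \
    -passout "pass:$EXPORT_PASS" -name "Demo Client" -out demoClient.pkcs12
}
# Subject DN as Tomcat's realm sees it (CN first, ", "-separated): the exact <user username> needed, else 401
realm_username() {
  openssl x509 -in demoClient.pem -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/,/, /g'
}
verify_chain() {  # the client cert must chain to the CA imported into Tomcat's truststore
  openssl verify -CAfile demoCA/cacert.pem demoClient.pem >/dev/null
}
```

Run `setup_ca; issue_client_cert; verify_chain; realm_username` to produce demoClient.pkcs12 for the browser and the username string for tomcat-users.xml; demoCA/cacert.pem is what gets imported into ~/.truststore with keytool as in the transcript.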
