Wednesday, 27 January 2010

SSL client authentication with local CA

This post describes how mutual authentication, specifically client authentication, can be implemented with Glassfish. A CA is created using OpenSSL and a root certificate for the CA is created and trusted by Glassfish. Client certificates are then created and signed by the CA such that multiple client certificates may be created and trusted transitively.

Steps:

1, Create the client certificate, register the CA cert as trusted.

As registering a new trusted client certificate into the truststore requires a Glassfish restart, we register a trusted Certificate Authority (CA) certificate instead, once and for all. Then each new client can get its certificate from the trusted CA, and becomes "transitively" trusted. To be exact, it is normally the client who creates a public-private key pair, then submits the public part in the form of a Certificate Signing Request to the Certificate Authority, who then creates the certificate by signing it with its own private key. This certifies that the CA trusts the certificate holder to be who they claim to be. Confusing at first, but rather straightforward once you get the hang of Public Key Infrastructure.

2, Establish a CA (assuming you don't have one already). Source: http://www.madboa.com/geek/openssl/

openssl req \
    -x509 -nodes -days 365 \
    -newkey rsa:1024 -keyout cakey.pem -out cacert.pem

Edit openssl.cnf, then create the directories and files referenced there (the default [ CA_default ] section also expects an empty index.txt database file, without which "openssl ca" refuses to run):

mkdir demoCA
echo '100001' > ./demoCA/serial
touch ./demoCA/index.txt
mkdir ./demoCA/newcerts
mkdir demoCA/private
cp cacert.pem demoCA/
cp cakey.pem demoCA/private/

Allow signing requests whose subject fields do not match the CA's own (i.e. "foreign" keys) in openssl.cnf:

policy = policy_anything

3, Sign the certificate of the client key:

Create the client key pair and certification request. This is normally done by the client. The information provided here becomes part of the certificate, and will be included in the audit logs as the "user principal":

openssl genrsa -out somekey.pem 2048
openssl req -new -key somekey.pem -out somekey.csr

Sign it (done by the CA):

openssl ca -config openssl.cnf -in somekey.csr -out somekey.crt

4, Package the key and cert for browser consumption:

openssl pkcs12 -export -out somekey.pfx -in somekey.crt -inkey somekey.pem -name "Some Cert"

5, Add our own CA cert to the Glassfish truststore:

keytool -import -v -keystore /opt/glassfish/domains/domain1/config/cacerts.jks -storepass changeit -alias localCA -file cacert.pem

6, Restart Glassfish. Importing somekey.pfx into a browser should enable it to access your web service again at this point.
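The whole CA, client-certificate and PKCS#12 procedure above, run end to end in a scratch directory and followed by the chain check that the truststore relies on. This is an added example, not part of the original post; it assumes openssl is on PATH, signs with "openssl x509 -req -CA ..." instead of the post's "openssl ca" (so no openssl.cnf or demoCA database is needed), and uses constructed subject names and a constructed export password.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# CA -> client CSR -> signed cert -> PKCS#12 procedure, plus a chain check.
# Assumption: signing uses "openssl x509 -req" rather than "openssl ca".
set -eu

# Same check Glassfish makes at the TLS handshake: does the presented cert
# chain to a CA in the truststore? Prints "trusted" or "untrusted".
# $1 = CA certificate (PEM), $2 = client certificate (PEM)
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Builds a throw-away CA, issues one client certificate signed by it and
# packages it for browser import. $1 = working directory, $2 = client CN
# (the CN is what ends up in the audit logs as the user principal).
issue_client_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Step 2 of the post: self-signed CA certificate, key left unencrypted (-nodes)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/O=Local CA/CN=Local Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Step 3: client key pair and CSR (normally generated on the client side)
    openssl genrsa -out "$dir/somekey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/somekey.pem" -subj "/O=Clients/CN=$cn" \
        -out "$dir/somekey.csr" 2>/dev/null
    # The CA signs the CSR; -CAcreateserial stands in for demoCA/serial
    openssl x509 -req -days 365 -in "$dir/somekey.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/somekey.crt" 2>/dev/null
    # Step 4: bundle key and cert for the browser (constructed export password)
    openssl pkcs12 -export -in "$dir/somekey.crt" -inkey "$dir/somekey.pem" \
        -name "$cn" -passout pass:changeit -out "$dir/somekey.pfx"
    verify_against_ca "$dir/cacert.pem" "$dir/somekey.crt"
}
```

Only the CA certificate goes into cacerts.jks; a certificate issued by any other CA, even with an identical subject, fails the same verify step and is rejected at the handshake.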

--

With thanks to:

Gabor Szokoli
Sirius Cybernetics Corporation Complaints division
