geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.1 > Certificate Properties File Realm
Date Mon, 01 Nov 2010 05:46:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxDOC21&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxDOC21/Certificate+Properties+File+Realm">Certificate
Properties File Realm</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~maojia508">maojia</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h1. Adding a properties
file security realm <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>After you configured the HTTPS listener with client authentication, you can add
a certificate properties file security realm to authenticate web applications. Create the
properties file security realm with the steps described in **. Configure the deployment descriptor
and deployment plan of the your web application to use the properties file security realm
created for client authentication. <br> <br>You can install a client certificate
into the web browser to authenticate against Web servers. The client certificate should be
based on the information provided in the  group and user properties files.  <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">

<p>This realm type allows you to configure Web applications to authenticate users against
it. To get to that point, you will first need to configure Geronimo to use a custom SSL port
listener, which in turn requires SSL keys and a keystore. The following
sections describe step by step how to configure each of these pieces.</p>

<ul>
	<li><a href="#CertificatePropertiesFileRealm-Createkeystoreandcertificate">Create
keystore and certificate</a></li>
	<li><a href="#CertificatePropertiesFileRealm-CreateaCertificateSigningRequest%28CSR%29andimportCAreply">Create
a Certificate Signing Request &#40;CSR&#41; and import CA reply</a></li>
	<li><a href="#CertificatePropertiesFileRealm-Importtrustedcertificates">Import
trusted certificates</a></li>
	<li><a href="#CertificatePropertiesFileRealm-AddanHTTPSlistenerwithclientauthentication">Add
an HTTPS listener with client authentication</a></li>
	<li><a href="#CertificatePropertiesFileRealm-Installcertificateonclient">Install
certificate on client</a></li>
	<li><a href="#CertificatePropertiesFileRealm-Addingapropertiesfilesecurityrealm">Adding
a properties file security realm</a></li>
</ul>


<h1><a name="CertificatePropertiesFileRealm-Createkeystoreandcertificate"></a>Create
keystore and certificate</h1>
<p>For this configuration we will create a new keystore and a new private key, generate a CSR and
import the CA reply.</p>

<p>The <a href="/confluence/display/GMOxDOC21/Administering+certificates"
title="Administering certificates">Administering certificates</a> section already described how to
create a keystore and a private key; this section completes the picture by generating
a CSR and importing the CA's reply.</p>

<p>The keystores in Geronimo are stored in the <b>&lt;geronimo_home&gt;\var\security\keystores</b>
directory; the default keystore provided with the installation is <b>geronimo-default</b>.
For this exercise we will create a new keystore.</p>

<p>From the Geronimo Administration Console click on <b>Keystores</b> to
access the <b>Keystore Configuration</b> portlet.</p>

<p>Click on <b>New Keystore</b>, specify a new keystore name and password
and then click on <b>Create Keystore</b>. For this example we used <tt>My_Keystore</tt>
and <tt>password</tt> respectively.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleKeystoreConfig.png?version=1&amp;modificationDate=1203616360000"
style="border: 0px solid black" /></span></p>

<p>Click on the keystore file you just created, and create a private key by clicking
on the appropriate link.</p>

<p>Fill in with the appropriate data and click on <b>Review Key Data</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consolePrivateKeyAdd.png?version=1&amp;modificationDate=1203616426000"
style="border: 0px solid black" /></span></p>

<p>Once you have verified that the values are correct, click on <b>Generate Key</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleKeystoreContents.png?version=1&amp;modificationDate=1203616447000"
style="border: 0px solid black" /></span></p>

<p>A newly created private key is automatically locked. That
means you can only view it or delete it; to create a Certificate Signing Request (CSR)
you will first have to unlock the key. To do that, click on <b>Return to keystore list</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleKeystoreContentsLocked.png?version=1&amp;modificationDate=1203616467000"
style="border: 0px solid black" /></span></p>

<p>Click on the <span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/keystoreLockOn.png?version=1&amp;modificationDate=1203616402000"
style="border: 0px solid black" /></span> icon to unlock the private key. You will be
prompted for the keystore password and for the private key password.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleKeystoreUnlock.png?version=1&amp;modificationDate=1203616488000"
style="border: 0px solid black" /></span></p>

<p>Click on <b>Unlock Keystore</b>.</p>

<h1><a name="CertificatePropertiesFileRealm-CreateaCertificateSigningRequest%28CSR%29andimportCAreply"></a>Create
a Certificate Signing Request (CSR) and import CA reply</h1>
<p>Now that the private key is unlocked you can continue to create a CSR.
From the <b>Keystore Configuration</b> portlet click on the keystore file you
created to display its current content. In this example we only have one private key. Click
on either <b>view</b> or the alias link for the private key to display
its details and additional actions.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleCertInfo.png?version=1&amp;modificationDate=1203616360000"
style="border: 0px solid black" /></span></p>

<p>Click on <b>Generate CSR</b>; the certificate request is displayed
as illustrated in the following figure.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleCertCSR.png?version=1&amp;modificationDate=1203616360000"
style="border: 0px solid black" /></span></p>

<p>This is a <b>PKCS#10</b> certification request. Copy this text
and paste it into a plain text file so it can be sent to a CA.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>csr.txt</b></div><div class="preformattedContent panelContent">
<pre>-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwajESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbz
EPMA0GA1UEChMGQXBhY2hlMRAwDgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0
ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzm
EjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0dRskM8oNg+3kZeKuOplwq5KGEUnp+xbf
q7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2RfbTc2AplcldCPofUVuMUbDLPsmE1
YQQr+OcHtcNspZL5tdAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAZFuPz0gzKqMZNA0bYLm0
aPFLbR9a19NA0EbgJL2SYzoKnuKyplG2JzMVQ6myaez0J8t+iWtuthz70kBihRzU2vqOWp
B4oqh+zbPwn4f87l4l8PjJh3SkiDIYdMcL5U1rxwFNAaIEpfjft/uJLY/Bv7DZQG7UPsGz
+SPdn+DbdBo=
-----END CERTIFICATE REQUEST-----
</pre>
</div></div>
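<p>Before a request like the one above leaves your hands, it is worth checking what is actually in it. The following Python script is an added illustration, not part of the original page or of Geronimo: it walks the DER structure of the PKCS#10 request shown above using only the standard library and reports what a CA or an administrator would look at before accepting it, namely the subject DN, the RSA key size, the signature algorithm and whether the request's self-signature (the proof that the requester holds the private key) verifies. The embedded request text is the csr.txt from this page; the OID tables, the 2048-bit threshold and the "weak" labels are the example's own choices. Run on this request it reports a 1024-bit RSA key signed with MD5, which is what the 2008-era console produced and which a current CA would reject.</p>

```python
import base64
import hashlib
import re

# The PKCS#10 request shown on this page (csr.txt), embedded so the example runs offline.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwajESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbz
EPMA0GA1UEChMGQXBhY2hlMRAwDgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0
ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzm
EjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0dRskM8oNg+3kZeKuOplwq5KGEUnp+xbf
q7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2RfbTc2AplcldCPofUVuMUbDLPsmE1
YQQr+OcHtcNspZL5tdAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAZFuPz0gzKqMZNA0bYLm0
aPFLbR9a19NA0EbgJL2SYzoKnuKyplG2JzMVQ6myaez0J8t+iWtuthz70kBihRzU2vqOWp
B4oqh+zbPwn4f87l4l8PjJh3SkiDIYdMcL5U1rxwFNAaIEpfjft/uJLY/Bv7DZQG7UPsGz
+SPdn+DbdBo=
-----END CERTIFICATE REQUEST-----"""

# X.500 attribute OIDs we render by short name; anything else is shown as a dotted OID.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
# RSA PKCS#1 v1.5 signature OIDs -> (name, hashlib name, DigestInfo prefix, considered weak).
# The "weak" judgement is this example's own; it is not a value from the page.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5",
                             bytes.fromhex("3020300c06082a864886f70d020505000410"), True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256",
                              bytes.fromhex("3031300d060960864801650304020105000420"), False),
}


def pem_to_der(pem):
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """All TLVs laid out back to back in buf[start:end]."""
    out, pos = [], start
    while pos < end:
        out.append(tlv(buf, pos))
        pos = out[-1][2]
    return out


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_csr(pem):
    der = pem_to_der(pem)
    _, s, e = tlv(der, 0)                               # CertificationRequest ::= SEQUENCE
    (_, is_, ie), (_, as_, ae), (_, ss, se) = children(der, s, e)
    info = children(der, is_, ie)                       # version, subject, SPKI, [attributes]
    # Subject: SEQUENCE OF (SET OF (SEQUENCE { OID, value }))
    subject = []
    for _, set_s, set_e in children(der, info[1][1], info[1][2]):
        for _, atv_s, atv_e in children(der, set_s, set_e):
            (_, os_, oe), (_, vs, ve) = children(der, atv_s, atv_e)
            oid = decode_oid(der[os_:oe])
            subject.append((ATTR_NAMES.get(oid, oid), der[vs:ve].decode()))
    # SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING wrapping RSAPublicKey }
    _, bits_s, _ = children(der, info[2][1], info[2][2])[1]
    _, rsa_s, rsa_e = tlv(der, bits_s + 1)              # +1 skips the unused-bits byte
    (_, ns, ne), (_, es, ee) = children(der, rsa_s, rsa_e)
    n, exp = int.from_bytes(der[ns:ne], "big"), int.from_bytes(der[es:ee], "big")
    # signatureAlgorithm OID, then the signature BIT STRING (unused-bits byte first)
    _, oid_s, oid_e = children(der, as_, ae)[0]
    sig_oid = decode_oid(der[oid_s:oid_e])
    name, hname, prefix, weak_alg = SIG_ALGS.get(sig_oid, (sig_oid, None, None, True))
    valid = None
    if hname:
        # Proof of possession: RSA-recover the PKCS#1 v1.5 block and rebuild it from our own hash
        # of the CertificationRequestInfo (der[s:ie] is that whole TLV, header included).
        em = pow(int.from_bytes(der[ss + 1:se], "big"), exp, n)
        em = em.to_bytes((n.bit_length() + 7) // 8, "big")
        digest = hashlib.new(hname, der[s:ie]).digest()
        pad = b"\xff" * (len(em) - 3 - len(prefix) - len(digest))
        valid = em == b"\x00\x01" + pad + b"\x00" + prefix + digest
    findings = []
    if n.bit_length() < 2048:
        findings.append(f"RSA modulus is only {n.bit_length()} bits; 2048 or more is expected today")
    if weak_alg:
        findings.append(f"signature algorithm {name} is weak; a SHA-2 based algorithm is expected")
    if valid is False:
        findings.append("self-signature does not verify: the request was altered or corrupted")
    return {"version": der[info[0][1]], "subject": subject,
            "dn": ", ".join(f"{k}={v}" for k, v in subject),
            "key_bits": n.bit_length(), "exponent": exp,
            "sig_alg": name, "sig_valid": valid, "findings": findings}


if __name__ == "__main__":
    for key, value in inspect_csr(CSR_PEM).items():
        print(f"{key}: {value}")
```

<p>The same DER walk applies to the CA reply and to the CA certificate imported in the next sections (a certificate is also a SEQUENCE of a signed body, an algorithm identifier and a signature BIT STRING), so the script is a convenient way to confirm the <b>Issuer</b> change and the signature algorithm of what you are about to trust. Note that modern JDKs list MD5 in <tt>jdk.certpath.disabledAlgorithms</tt>, so a certificate issued on an MD5-signed chain will not pass path validation in today's Geronimo or Tomcat; pick a larger key and a SHA-2 signature when you generate the private key.</p>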

<p>You can now click <b>Back</b> to return to the private key details portlet.</p>

<p>For this example we used a custom, home-made CA so we could sign our own certificates
for this test without altering the standard procedure. Assuming that you sent your CSR to a
CA, the CA should respond with another similar file containing the CA-signed certificate.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>csr_ca_reply.txt</b></div><div class="preformattedContent
panelContent">
<pre>-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</pre>
</div></div>

<p>From the private key details portlet click on <b>Import CA reply</b>.
Remove any pre-filled text in the certificate reply window, paste the text from the CA
reply file and click on <b>Save</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleCertReply.png?version=1&amp;modificationDate=1203616360000"
style="border: 0px solid black" /></span></p>

<p>After saving the CA reply you should notice that the certificate now shows a
different <b>Issuer</b>. Click on <b>Back to keystore</b> and then
on <b>Return to keystore list</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/consoleCertIssuer.png?version=1&amp;modificationDate=1203616360000"
style="border: 0px solid black" /></span></p>

<h1><a name="CertificatePropertiesFileRealm-Importtrustedcertificates"></a>Import
trusted certificates</h1>
<p>In order to enable client authentication you will need to import the certificate of the CA
that signed your CSR as a trusted certificate; this only has to be done once. The CA should provide,
along with the signed CSR, a separate certificate for the CA itself. For this example we are
using our own CA, so we generated the following CA certificate.</p>

<div class="preformatted panel" style="border-style: solid;border-width: 1px;"><div
class="preformattedHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>My_Own_CA_Certificate.txt</b></div><div class="preformattedContent
panelContent">
<pre>-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</pre>
</div></div>

<p>While in the Keystore Configuration portlet, click on the keystore file you created
and then click on <b>Add Trust Certificate</b>. Delete any pre-filled content
from the <b>Trusted Certificate</b> window, paste the content of the CA certificate
and add an alias for this certificate.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/keystore_10.gif?version=1&amp;modificationDate=1203616607000"
style="border: 0px solid black" /></span></p>

<p>Click on <b>Review Certificate</b> and then click on <b>Import
Certificate</b>. You should now see the trusted certificate you just imported.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/keystore_11.gif?version=1&amp;modificationDate=1203616607000"
style="border: 0px solid black" /></span></p>

<h1><a name="CertificatePropertiesFileRealm-AddanHTTPSlistenerwithclientauthentication"></a>Add
an HTTPS listener with client authentication</h1>
<p>Apache Geronimo comes with a predefined HTTPS listener on port 8443, but this listener
is not configured for client authentication. In this example we will add a new HTTPS listener
and configure it to request client authentication using the certificates we created and imported
in the previous steps.</p>

<p>Note that in this example we are using the Tomcat distribution of Geronimo; although
the process is the same, some names and links may vary slightly if you are using the Jetty
distribution.</p>

<p>From the Geronimo Administration Console click on <b>Web Server</b> to
access the Network Listener portlet.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/network_listener_1.gif?version=1&amp;modificationDate=1203616607000"
style="border: 0px solid black" /></span></p>

<p>From the Network Listener portlet click on <b>Add new HTTPS listener for Tomcat</b>.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/77425/network_listener_2.gif?version=1&amp;modificationDate=1203616607000"
style="border: 0px solid black" /></span></p>

<p>Fill in the fields with the appropriate data and click <b>Save</b>. For
this example we only specified the keystore and not a truststore. When specifying the keystore
file path you should enter something similar to <b>var/security/keystores/&lt;your_keystore&gt;</b>;
this path is relative to Geronimo's installation home directory.</p>

<p>Select the <b>Client Auth Required</b> check box; this tells the HTTPS
listener to establish an encrypted connection only with a client that presents a valid client
certificate. The client certificates are verified against the CA certificates stored in any
of these locations (checked in this order):</p>

<ol>
	<li>The trust store configured above</li>
	<li>A keystore file specified by the <tt>javax.net.ssl.trustStore</tt> system property</li>
	<li><tt>java-home/lib/security/jssecacerts</tt></li>
	<li><tt>java-home/lib/security/cacerts</tt></li>
</ol>


<p>Once you have saved this HTTPS network listener configuration it will be started automatically,
as you can see in the displayed status. If you try to access this port with your browser it
should fail, because at this point you have not configured your client with a valid certificate.</p>

<h1><a name="CertificatePropertiesFileRealm-Addingapropertiesfilesecurityrealm"></a>Adding
a properties file security realm</h1>

<p>After you have configured the HTTPS listener with client authentication, you can add a
certificate properties file security realm to authenticate web applications. Create the properties
file security realm with the steps described in **. Configure the deployment descriptor and
deployment plan of your web application to use the properties file security realm created
for client authentication.</p>

<p>You can install a client certificate into the web browser to authenticate against
Web servers. The client certificate should be based on the information provided in the group
and user properties files.</p>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
