WildFly / WFLY-15411

Application authentication is requested when configuring two-way TLS auth by default



      Follow 4.3.2. Enable Two-way SSL/TLS in WildFly for Applications to configure two-way TLS in WildFly:

      1. Prepare client keystore and certificate:
        keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
        keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
        keytool -importkeystore -srckeystore client.keystore.jks -srcstorepass secret -destkeystore client.keystore.p12 -deststoretype PKCS12 -srcalias client -deststorepass secret -destkeypass secret
        
      2. Start WildFly server ./bin/standalone.sh and connect to the CLI in a new terminal ./bin/jboss-cli.sh -c
      3. Prepare server keystore and server truststore:
        /subsystem=elytron/key-store=twoWayKS:add(path=/tmp/repro/server.keystore.jks,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayKS:generate-key-pair(alias=localhost,algorithm=RSA,key-size=2048,validity=365,credential-reference={clear-text=secret},distinguished-name="CN=localhost")
        /subsystem=elytron/key-store=twoWayKS:store()
        /subsystem=elytron/key-store=twoWayKS:export-certificate(alias=localhost,path=/tmp/repro/server.cer,pem=true)
        /subsystem=elytron/key-store=twoWayTS:add(path=/tmp/repro/server.truststore.jks,credential-reference={clear-text=secret},type=JKS)
        # validate is set to false because the client certificate is not signed by any authority and as such is not trusted by default
        /subsystem=elytron/key-store=twoWayTS:import-certificate(alias=client,path=/tmp/repro/client.cer,credential-reference={clear-text=secret},trust-cacerts=true,validate=false)
        /subsystem=elytron/key-store=twoWayTS:store()
        
      4. Use prepared server keystore and server truststore in relevant key managers:
        /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={clear-text=secret})
        /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
        
      5. Create a server-ssl-context and use it in Undertow subsystem:
        /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
        reload
        
      6. Import client certificate to your client (e.g. browser)
      7. Deploy attached application sessionCounter.war on WildFly server and try to access https://localhost:8443/sessionCounter/SessionAccessCounter url. You'll be requested to enter credentials.

      It looks like there is a web-based authentication enforced by default in the current configuration of WildFly when I configure the two-way TLS authentication.

      Maybe I'm missing something or understanding things wrongly, but here is what I do and what my expectations are:

      1/ Take WildFly 25.0.0.Beta1 server and deploy an app there.
      2/ Configure two-way TLS authentication (both server and client exchange TLS certificates, so both ends know that they are among the trustworthy parties). Keep the default application-security-domain in Undertow as is.
      3/ I can successfully connect to my app via HTTPS providing correct client certificate - no actual (extra?) authentication is required since I didn't specify anything more anywhere.

      Actual server behavior:

      After the 2way TLS authentication configuration is performed, then with the default application-security-domain configured in Undertow subsystem:

      [standalone@localhost:9990 /] ls /subsystem=undertow/application-security-domain=other
      setting
      enable-jacc=false
      enable-jaspi=true
      http-authentication-factory=undefined
      integrated-jaspi=true
      override-deployment-config=false
      referencing-deployments=["sessionCounter.war"]
      security-domain=ApplicationDomain
      

      I get 401 HTTP response from the server with www-authenticate header.

      As I understand it, I'm requested by the server to perform some authentication now. When I simply undefine Undertow's application-security-domain element, everything starts to work as expected (two-way TLS auth is still in place in this case).

      The same also happens when I disable need-client-auth in my server-ssl-context element. But this effectively disables the two-way TLS authentication I want. And also, per the description of this attribute, there should not be any connection with actual application authentication:

                  "need-client-auth" => {
                      "type" => BOOLEAN,
                      "description" => "To require a client certificate on SSL handshake. Connection without trusted client certificate (see trust-manager) will be rejected.",
      

      So, either there is something I'm missing here, or there is some unwanted correlation between the `need-client-auth` attribute, which should affect only the TLS configuration (per my understanding), and actual application-level authentication?

      The documentation 4.3.2. Enable Two-way SSL/TLS in WildFly for Applications in https://docs.wildfly.org/24/WildFly_Elytron_Security.html#configure-ssltls didn't provide much help. But the truth is that this is still for the WildFly 24 release, where legacy security was still present and the default application-security-domain in Undertow was undefined.
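      The following is an added, self-contained example (not code from WildFly, Elytron or the reporter) that models the behaviour the `need-client-auth` description above promises at the TLS layer, in Go because its standard library can generate the certificates in-process: a server configured like twoWaySSC (TLSv1.2 only, client certificate required, trust store holding only the self-signed client certificate) and an application handler that reads the identity from the verified peer certificate and issues no challenge of its own. A client presenting the trusted certificate gets 200 and its CN; a client presenting none fails the handshake before any HTTP exchange. The names selfSigned, serverConfig, hello, get and Demo are this example's own; the request path is reused from the report. It does not reproduce the 401 this issue reports, it only shows the expected split between TLS-level and application-level authentication.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"time"
)

// selfSigned stands in for keytool -genkeypair / key-store:generate-key-pair (constructed here).
func selfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // Go matches the host name against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// serverConfig mirrors twoWaySSC: TLSv1.2 only, need-client-auth=true, trust store = client cert only.
func serverConfig(server tls.Certificate, trustedClient *x509.Certificate) *tls.Config {
	trust := x509.NewCertPool()
	trust.AddCert(trustedClient)
	return &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // handshake is rejected without a trusted client cert
		ClientCAs:    trust,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
}

// hello is the application: it uses the identity TLS already verified and sends no challenge.
func hello(w http.ResponseWriter, r *http.Request) {
	// With RequireAndVerifyClientCert the handshake guarantees PeerCertificates is non-empty.
	fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
}

// get does one HTTPS request; clientCert == nil means the client presents no certificate.
func get(addr string, serverCert *x509.Certificate, clientCert *tls.Certificate) (int, string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCert)
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get("https://" + addr + "/sessionCounter/SessionAccessCounter")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Demo runs the server on a loopback port; returns what the trusted client saw and the error the certificate-less client got.
func Demo() (status int, body string, withoutCertErr error, err error) {
	serverTLS, serverX509, err := selfSigned("localhost")
	if err != nil {
		return
	}
	clientTLS, clientX509, err := selfSigned("client")
	if err != nil {
		return
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig(serverTLS, clientX509))
	if err != nil {
		return
	}
	srv := &http.Server{Handler: http.HandlerFunc(hello)}
	go srv.Serve(ln)
	defer srv.Close()
	if status, body, err = get(ln.Addr().String(), serverX509, &clientTLS); err != nil {
		return
	}
	_, _, withoutCertErr = get(ln.Addr().String(), serverX509, nil)
	return
}
```

      Against the WildFly instance configured in the steps above, the equivalent check with an OpenSSL-backed curl is: curl -i --cacert /tmp/repro/server.cer --cert /tmp/repro/client.keystore.p12:secret --cert-type P12 https://localhost:8443/sessionCounter/SessionAccessCounter (paths and password from the steps above). The status line and headers it prints are what the report describes as a 401 with WWW-Authenticate; the same command without --cert and --cert-type should fail during the handshake, which is the part need-client-auth is documented to control.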

              dvilkola@redhat.com Diana Krepinska (Inactive)
              jstourac@redhat.com Jan Stourac