Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-15411

Application authentication is requested when configure 2way TLS auth by default

XMLWordPrintable

    • Hide

      Follow 4.3.2. Enable Two-way SSL/TLS in WildFly for Applications to configure 2way TLS in WildFly:

      1. Prepare client keystore and certificate:
        keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
        keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
        keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.keystore.p12 -deststoretype PKCS12 -srcalias client -deststorepass secret -destkeypass secret
        
      2. Start WildFly server ./bin/standalone.sh and connect to the CLI in a new terminal ./bin/jboss-cli.sh -c
      3. Prepare server keystore and server truststore:
        /subsystem=elytron/key-store=twoWayKS:add(path=/tmp/repro/server.keystore.jks,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayKS:generate-key-pair(alias=localhost,algorithm=RSA,key-size=2048,validity=365,credential-reference={clear-text=secret},distinguished-name="CN=localhost")
        /subsystem=elytron/key-store=twoWayKS:store()
        /subsystem=elytron/key-store=twoWayKS:export-certificate(alias=localhost,path=/tmp/repro/server.cer,pem=true)
        /subsystem=elytron/key-store=twoWayTS:add(path=/tmp/repro/server.truststore.jks,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayTS:import-certificate(alias=client,path=/tmp/repro/client.cer,credential-reference={clear-text=secret},trust-cacerts=true,validate=false) # validate is set to false because client certificate is not signed by any authority and as such is not trusted by default
        /subsystem=elytron/key-store=twoWayTS:store()
        
      4. Use prepared server keystore and server truststore in relevant key managers:
        /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={clear-text=secret})
        /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
        
      5. Create a server-ssl-context and use it in Undertow subsystem:
        /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
        reload
        
      6. Import client certificate to your client (e.g. browser)
      7. Deploy attached application sessionCounter.war on WildFly server and try to access https://localhost:8443/sessionCounter/SessionAccessCounter url. You'll be requested to enter credentials.
      Show
      Follow 4.3.2. Enable Two-way SSL/TLS in WildFly for Applications to configure 2way TLS in WildFly: Prepare client keystore and certificate: keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.keystore.p12 -deststoretype PKCS12 -srcalias client -deststorepass secret -destkeypass secret Start WildFly server ./bin/standalone.sh and connect to the CLI in a new terminal ./bin/jboss-cli.sh -c Prepare server keystore and server truststore: /subsystem=elytron/key-store=twoWayKS:add(path=/tmp/repro/server.keystore.jks,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayKS:generate-key-pair(alias=localhost,algorithm=RSA,key-size=2048,validity=365,credential-reference={clear-text=secret},distinguished-name= "CN=localhost" ) /subsystem=elytron/key-store=twoWayKS:store() /subsystem=elytron/key-store=twoWayKS:export-certificate(alias=localhost,path=/tmp/repro/server.cer,pem= true ) /subsystem=elytron/key-store=twoWayTS:add(path=/tmp/repro/server.truststore.jks,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS: import -certificate(alias=client,path=/tmp/repro/client.cer,credential-reference={clear-text=secret},trust-cacerts= true ,validate= false ) # validate is set to false because client certificate is not signed by any authority and as such is not trusted by default /subsystem=elytron/key-store=twoWayTS:store() Use prepared server keystore and server truststore in relevant key managers: /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS) Create a server-ssl-context and use it in Undertow subsystem: /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) reload Import client certificate to your client (e.g. browser) Deploy attached application sessionCounter.war on WildFly server and try to access https://localhost:8443/sessionCounter/SessionAccessCounter url. You'll be requested to enter credentials.

      It looks like there is a web based authentication enforced by default in current configuration of WildFly when I configure the 2way TLS authentication.

      Maybe I'm missing something or understand things wrongly but here is what I do and what are my expectations:

      1/ Take WildFly 25.0.0.Beta1 server and deploy an app there.
      2/ Configure 2way TLS authentication (both server and client exchanges TLS certificates so both ends know that they are among the trustworth parties). Keep the default application-security-domain in Undertow as is.
      3/ I can successfully connect to my app via HTTPS providing correct client certificate - no actual (extra?) authentication is required since I didn't specify anything more anywhere.

      Actual server behavior:

      After the 2way TLS authentication configuration is performed, then with the default application-security-domain configured in Undertow subsystem:

      [standalone@localhost:9990 /] ls /subsystem=undertow/application-security-domain=other
      setting                                         enable-jaspi=true                               integrated-jaspi=true                           referencing-deployments=["sessionCounter.war"]  
      enable-jacc=false                               http-authentication-factory=undefined           override-deployment-config=false                security-domain=ApplicationDomain
      

      I get 401 HTTP response from the server with www-authenticate header.

      As I understand it, I'm requested by server to perform some authentication now. When I simply undefine the Undertow's application-security-domain element, everything starts to work as expected (2way TLS auth still in place in this case).

      Same happens also, when I disable the need-client-auth in my server-ssl-context element. But this effectively disables the 2way TLS authentication I want. And also per description of this element, there should not be any connection with an actual application authentication:

                  "need-client-auth" => {
                      "type" => BOOLEAN,
                      "description" => "To require a client certificate on SSL handshake. Connection without trusted client certificate (see trust-manager) will be rejected.",
      

      So, there is either something I'm missing here or there is some unwanted correlation between the `need-client-auth` attribute, which should affect only TLS configuration (per my understanding), and an actual application level authentication?

      Documentation 4.3.2. Enable Two-way SSL/TLS in WildFly for Applications in https://docs.wildfly.org/24/WildFly_Elytron_Security.html#configure-ssltls didn't provide much help. But truth is that this is still for WildFly 24 release where the legacy security was still present and the default application-security-domain in Undertow was undefined.

        1. SessionAccessCounterServlet.java
          2 kB
          Jan Stourac
        2. sessionCounter.war
          3 kB
          Jan Stourac

              dvilkola@redhat.com Diana Krepinska (Inactive)
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: