HomeDocumentation > User's guide > Administration > Administrative Tasks > Configuring security > Certificate Properties File Realm
Apache Geronimo v2.1
Certificate Properties File Realm
Edit Page   Browse Space   Add Page   Add News
{scrollbar}

This realm type allows you to configure Web applications to authenticate users against it. To get to that point, you will need to first configure Geronimo to use a custom SSL port listener and to get to that point you will need to configure SSL keys and keystore. The following sections describe step-by-step how to configure each of these modules.

Create keystore and certificate

For this configuration we will create a new keystore, a new private key, a CSR and will import the CA reply

We already mentioned in the Administering Certificates section how to create a keystore and a private key, in this section we will complete the picture by generating a CSR and importing the CA's reply.

The keystores in Geronimo are stored in the <geronimo_home>\var\security\keystores directory, the default keystore already provided with the installation is geronimo-default. For this exercise we will create a new keystore.

From the Geronimo Administration Console click on Keystores to access the Keystore Configuration portlet.

Click on New Keystore, specify a new keystore name and password and then click on Create Keystore. For this example we used My_Keystore and password respectively.

Click on the keystore file you just created, and create a private key by clicking on the appropriate link.

Fill in with the appropriate data and click on Review Key Data.

Once you verified the values are correct click on Generate Key.

Right after you created a new private key, this key is automatically locked. That means that you can only view it or delete it, to create a Certificate Signing Request (CSR) you will have to unlock the key. To do that click on Return to keystore list.

Click on the to unlock the private key. You will be prompted with the password for the keystore and for the private key.

Click on Unlock Keystore.

Create a Certificate Signing Request (CSR) and import CA reply

Now that you have the private key unlocked you may now continue to create a CSR. From the Keystore Configuration portlet click on the keystore file you created to display the current content. In this example we only have one private key. Click on either view or the alias links for the current private key to display the details and additional actions.

Click on Generate CSR, the certificate request should be displayed as illustrated in the following figure.

This is a PKCS10 certification request, you should copy this text and paste it into a flat txt file so it can be sent to a CA.

solidcsr.txt -----BEGIN CERTIFICATE REQUEST----- MIIBqDCCARECAQAwajESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbz EPMA0GA1UEChMGQXBhY2hlMRAwDgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0 ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzm EjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0dRskM8oNg+3kZeKuOplwq5KGEUnp+xbf q7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2RfbTc2AplcldCPofUVuMUbDLPsmE1 YQQr+OcHtcNspZL5tdAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAZFuPz0gzKqMZNA0bYLm0 aPFLbR9a19NA0EbgJL2SYzoKnuKyplG2JzMVQ6myaez0J8t+iWtuthz70kBihRzU2vqOWp B4oqh+zbPwn4f87l4l8PjJh3SkiDIYdMcL5U1rxwFNAaIEpfjft/uJLY/Bv7DZQG7UPsGz +SPdn+DbdBo= -----END CERTIFICATE REQUEST-----

You can now click Back to return to the private key details portlet.

For this example we used a custom, home made CA so we could sign our own certificates for this test without altering the standard procedure. Assuming that you sent you CSR to a CA, the CA should respond back with another similar file containing the CA signed certificate.

solidcsr_ca_reply.txt -----BEGIN CERTIFICATE----- MIICQjCCAa2gAwIBAgIBAjALBgkqhkiG9w0BAQQwaDEWMBQGA1UEAxMNR2Vyb25pbW8ncyBDQTER MA8GA1UECxMIR2Vyb25pbW8xDzANBgNVBAoTBkFwYWNoZTENMAsGA1UEBxMEQ2l0eTEOMAwGA1UE CBMFU3RhdGUxCzAJBgNVBAYTAlVTMB4XDTA4MDIyMDA2MDAwMFoXDTA5MDIyMTA2MDAwMFowajES MBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbzEPMA0GA1UEChMGQXBhY2hlMRAw DgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzmEjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0 dRskM8oNg+3kZeKuOplwq5KGEUnp+xbfq7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2Rfb Tc2AplcldCPofUVuMUbDLPsmE1YQQr+OcHtcNspZL5tdAgMBAAEwCwYJKoZIhvcNAQEEA4GBAB9s 1QuMD+dNe6H6XcizZSxNPOh1EocjGp05Z4VOpgFnB4gVRqJqyxiuNqCBPvEo30IuHNJZOm6jFhGs YWKGlzL1zw0yXWAVRnI7Cs8C7Ibeoo+I4yBA93w3XyGiBlSb03yHOiCN06bf7BhCN6Z45NMhBGbP pCpnP+uM9VI2gn9H -----END CERTIFICATE-----

From the private key details portlet click on Import CA reply. Remove any pre-filled text in the certificate reply window and paste the text from the CA reply file and click on Save.

After saving the CA reply you should now notice that the certificate now shows a different Issuer. Click on Back to keystore and then on Return to keystore list.

Import trusted certificates

In order to enable client authentication you will need to import the CA who signed your CSR as a trusted certificate, this process has to be only once. The CA should provide along with the signed CSR a separate certificate for the CA itself. For this example we are using our own CA so we generated the following CA certificate.

solidMy_Own_CA_Certificate.txt -----BEGIN CERTIFICATE----- MIICJTCCAZCgAwIBAgICK2cwCwYJKoZIhvcNAQEEMFoxDTALBgNVBAMTBFRlc3QxDzANBgNVBAsT BkFwYWNoZTERMA8GA1UEChMIR2Vyb25pbW8xCzAJBgNVBAcTAkxMMQswCQYDVQQIEwJTVDELMAkG A1UEBhMCTEswHhcNMDcwMjAyMTgwMDAwWhcNMDgwMjAyMTgwMDAwWjBaMQ0wCwYDVQQDEwRUZXN0 MQ8wDQYDVQQLEwZBcGFjaGUxETAPBgNVBAoTCEdlcm9uaW1vMQswCQYDVQQHEwJMTDELMAkGA1UE CBMCU1QxCzAJBgNVBAYTAkxLMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUZl1e1eTKLoh0 15vfYqqvhk6Iviva7BWQxZ6mOV9Ye2mii37Btmxajnngz0jKfiwHKqWRQBp6CUzbd9gfZrz2go9g TwsUBWQwSf6iVypKX1q0Y4WhtTwLcEx78Lx5XN1YCqk34pn4by26SJiHdugs7/ClOiIlcpCt9QVa Q9BH7wIDAQABMAsGCSqGSIb3DQEBBAOBgQAnmoT/dLvJa7jGstvZJLrsWtMwWQNVJ1ZQmbrDGq9u oFnkAH1mGHIDbaz2avy/wotHJUIysGBlDP0btk5GVskl45EG/feWHLgCVmqwf3NkdRdLl+CznBBJ KCC5tINbcI6GqXsbO8hhjIrOGweNyV1653WEvZiQVuMYaHTnGNx+RA== -----END CERTIFICATE-----

While in the Keystore Configuration portlet click on the keystore file you created and then click on Add Trust Certificate. Delete any pre-filled content from Trusted Certificate window and paste the content from the CA certificate and add an alias to this certificate.

Click on Review Certificate and then click on Import Certificate. You should now see the trusted certificate you just imported.

To use a client certificate to authenticate against web server, you should first install the CA certificate and the client certificate into your web browser. Install a CA certificate to designate this CA as trusted and thus, grant access to any web sites certified by this CA. If not installed, accessing web sites certified by this CA leads to a warning message suggesting the "Web Site Certified by an Unknown Authority".

Most browsers provide such installation function. When using Mozilla Firefox, certificates can be installed with the Import option in the Certificate Manager.

Add an HTTPS listener with client authentication

Apache Geronimo comes with a predefined HTTPS listener on port 8443 but this listener is not configured for client authentication. In this example we will add a new HTTPS listener and configure it to request client authentication using the certificates we created and imported in the previous steps.

Note that in this example we are using the Tomcat distribution of Geronimo, although the process is the same some names and links may vary slightly if you are using the Jetty distribution.

From the Geronimo Administration Console click on Web Server to access the Network Listener portlet.

From the Network Listener portlet click on Add new HTTPS listener for Tomcat

Fill in the fields with the appropriate data and click Save. For this example we only specified the keystore and not a trustore. When specifying the keystore file path you should add something similar to var/security/keystores/<your_keystore>, this path is relative to Geronimo's installation home directory.

Select the Client Auth Required check box, this tells the HTTPS listener to only establish an encrypted connection with a client that provides a valid client certificate. The client certificates are verified against the CA certificates stored in any of these locations (in order):

  1. The trust store configured above
  2. A keystore file specified by the javax.net.ssl.trustStore system property
  3. java-home/lib/security/jssecacerts
  4. java-home/lib/security/cacerts

Once you saved this HTTPS network listener configuration it will get started automatically as you can see in the status displayed. If you try to access this port with your browser it should fail because at this point you have not configured your client with a valid certificate.

Adding a Certificate Properties File Realm

After you configured the HTTPS listener with client authentication, you can add a Certificate Properties File Realm to authenticate web applications.

To create a new security realm, click Add new security realm from the Security Realms portlet. Enter the name of security realm and select Certificate Properties File Realm from the Realm type: dropdown menu. Click Next and follow the instructions.

The properties files should be based on the client certificate intended to be used for client authentication. For example, a Certificate Properties File Realm CertificatePropsRealm with the user and group properties files based on My_Private_key created in the #Create keystore and certificate section is as follows:

xmlsoliduser_sample.properties client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
  • The password of client1 is based on the information of My_Private_key.
xmlsolidgroup_sample.properties admin=client1,client2

The deployment plan of the Certificate Properties File Realm CertificatePropsRealm is as follows:

xmlsolidExcerpt from the deployment plan of CertificatePropsRealm <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2"> <environment> <moduleId> <groupId>console.realm</groupId> <artifactId>cert-prop-file-realm</artifactId> <version>1.0</version> <type>car</type> </moduleId> <dependencies> <dependency> <groupId>org.apache.geronimo.framework</groupId> <artifactId>j2ee-security</artifactId> <type>car</type> </dependency> </dependencies> </environment> <gbean name="cert-prop-file-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep= "http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <attribute name="realmName">CertificatePropsRealm</attribute> <reference name="ServerInfo"> <name>ServerInfo</name> </reference> <xml-reference name="LoginModuleConfiguration"> <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"> <log:login-module control-flag="REQUIRED" wrap-principals="false"> <log:login-domain-name>CertificatePropsRealm</log:login-domain-name> <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class> <log:option name="usersURI">var/security/user_sample.properties</log:option> <log:option name="groupsURI">var/security/group_sample.properties</log:option> </log:login-module> </log:login-config> </xml-reference> </gbean> </module>

where

  • <moduleId> .. </moduleId>:defines the module ID of the security realm. Applications which use this security realm for authentication should include this attribute as a dependency in the deployment plan.
  • <attribute name="realmName">CertificatePropsRealm</attribute>:CertificatePropsRealm is the name of the security realm.

Configure the deployment descriptor and deployment plan of your web application to use the Certificate Properties File Realm for client authentication. The deployment descriptor is configured as follows:

xmlsolidExcerpt from web.xml <login-config> <auth-method>CLIENT-CERT</auth-method> <realm-name>Not Required for CLIENT-CERT</realm-name> </login-config>

where

  • <auth-method>CLIENT-CERT</auth-method>: suggests that the auth-method is set to CLIENT-CERT and thus, uses client certificate for authentication. CLIENT-CERT is often used for SSL mutual authentication. In Geronimo, such configuration suggests that a Certificate Properties File Realm is used for authentication with a client certificate.

Web applications which use the CertificatePropsRealm security realm, for example, must configure their deployment plans as follows:

xmlsolidExcerpt from geronimo-web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1" xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2" xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2"> <sys:environment> <sys:moduleId> <sys:groupId>org.apache.geronimo</sys:groupId> <sys:artifactId>sampleapplication</sys:artifactId> <sys:version>1.0</sys:version> <sys:type>car</sys:type> </sys:moduleId> <sys:dependencies> <sys:dependency> <sys:groupId>console.realm</sys:groupId> <sys:artifactId>cert-prop-file-realm</sys:artifactId> <sys:version>1.0</sys:version> <sys:type>car</sys:type> </sys:dependency> </sys:dependencies> </sys:environment> <context-root>/cert-realm-sample</context-root> <security-realm-name>CertificatePropsRealm</security-realm-name> <security> <default-principal realm-name="CertificatePropsRealm"> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/> <!-- name should match the entries from cert-users.properties of the realm --> </default-principal> <role-mappings> <role role-name="content-administrator"> <realm realm-name="CertificatePropsRealm"> <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/> <!-- name should match the entries from cert-groups.properties of the realm --> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client2"/> </realm> </role> </role-mappings> </security> </web-app>

where

  • <security-realm-name>CertificatePropsRealm</security-realm-name>:CertificatePropsRealm is the Certificate Properties File Realm used for client authentication.
  • <sys:dependency> .. </sys:dependency>:elements in this tag identify the module ID of the Certificate Properties File Realm used for authentication.

You can install a client certificate into the web browser to authenticate against web servers. For the sample application described above which use the CertificatePropsRealm security realm, install the My_Private_key certificate into your web browser to verify your identity, in this case client1, during authentication. The installation process is provided in the Install certificate on client section below.

   Delicious Bookmark this on Delicious    Digg! Digg this    Privacy Policy  -   Copyright © 2003-2011, The Apache Software Foundation, Licensed under ASL 2.0.