Before moving on to client-certificate authentication, let's get a basic idea of public key certificates.
With the previous authentication methods we could, at best, encrypt only the authentication details.
That is insecure, because an eavesdropper with the right tools can easily read the rest of our
content, so the content should be encrypted as well. The server first sends its public key to the browser,
the browser encrypts the content with that key, and the server decrypts it. The problem with this
protocol is that we have no data-source integrity: nothing tells the browser whose public key it received.
Certification authorities exist to certify the identity of web servers; the browser can verify the
server's certificate against the CA certificates it already holds.
The mechanism described above is called server-only authentication, because only the identity of
the server is established. Note that this authentication is done at the protocol level.
First you have to find keytool.exe, located at “C:\Java\jdk1.6.0_32\bin”,
and copy it to “C:\jboss-eap-5.1\jboss-as\server\default\conf”.
Change your command-line working directory to that folder and execute

    keytool -genkey -alias serverCert -keyalg RSA -validity 1500 -keystore server.keystore

This command creates a server key pair with a self-signed certificate, valid for
1500 days, and stores it in server.keystore under the alias serverCert.
When you execute it you will be asked to fill in some details (the distinguished name
of the certificate) and to set a password for the key store.
Locate server.xml at “C:\jboss-eap-5.1\jboss-as\server\default\deploy\jbossweb.sar”
and add

    <!-- SSLEnabled="true" is what makes JBoss Web (Tomcat 6 based) serve SSL on this port;
         without it the connector answers in plaintext even with scheme="https" -->
    <Connector
        port="8443"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
        keystorePass="serverpass"
        sslProtocol="TLS" />

below the existing Connector element, inside the same Service element. For the keystoreFile
attribute you must give the path of the key store you created before, which holds the server
certificate, and keystorePass must be that key store's password.
Add a transport guarantee to the security-constraint element in web.xml:

    <user-data-constraint>
        <description>Require SSL</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

This guarantees that even if we connect to the insecure port we are redirected to the secure port
specified in server.xml (the redirectPort attribute of the plain HTTP connector). Specifying an
auth-method in web.xml is optional. Now open the URL in your browser and watch the HTTP request
being redirected to the port that handles HTTPS.
In addition to the server, you can also authenticate the client. There are two types of
mechanisms for that; they will be discussed in future articles.
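As an added example (not part of the original post), the script below checks the two configuration fragments described above before JBoss is restarted: that every https Connector in server.xml has SSLEnabled and secure set, a key store configured and a TLS-only sslProtocol, that every plain HTTP connector redirects to an HTTPS port, and that every security-constraint in web.xml carries a CONFIDENTIAL transport guarantee. The XML inside it is constructed sample input in the shape of this page's server.xml and web.xml, not a file from the project.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the shape of the page's server.xml Service element.
SERVER_XML = """<Service name="jboss.web">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
             keystorePass="serverpass"/>
</Service>"""
# Constructed sample of the web.xml constraint, with the namespace a real web.xml carries.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag): return tag.rsplit("}", 1)[-1]  # '{ns}foo' -> 'foo'

def check_https_connector(server_xml):
    """Return the list of problems found in server.xml; an empty list means OK."""
    root = ET.fromstring(server_xml)
    conns = [c for c in root.iter() if _local(c.tag) == "Connector"]
    https = {c.get("port"): c for c in conns if c.get("scheme") == "https"}
    if not https:
        return ['no Connector with scheme="https"']
    problems = []
    for port, c in https.items():
        for attr in ("SSLEnabled", "secure"):  # without SSLEnabled the port serves plaintext
            if c.get(attr) != "true":
                problems.append(f'port {port}: {attr}="true" is missing')
        if not (c.get("keystoreFile") and c.get("keystorePass")):
            problems.append(f"port {port}: keystoreFile/keystorePass not set")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            problems.append(f"port {port}: sslProtocol selects SSLv2/v3, use TLS")
    for c in conns:  # every plain-HTTP connector must redirect to an HTTPS port
        if c.get("scheme", "http") == "http" and c.get("redirectPort") not in https:
            problems.append(f"port {c.get('port')}: redirectPort is not an HTTPS connector")
    return problems

def requires_confidential(web_xml):
    """True when every security-constraint has a CONFIDENTIAL transport-guarantee."""
    root = ET.fromstring(web_xml)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    guarantees = [(g.text or "").strip() for sc in constraints
                  for g in sc.iter() if _local(g.tag) == "transport-guarantee"]
    return (bool(constraints) and len(guarantees) == len(constraints)
            and all(g == "CONFIDENTIAL" for g in guarantees))
```

Run `check_https_connector` and `requires_confidential` on the real files' contents; an empty list and True mean the configuration matches what this post sets up.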