CLIENT-CERT authentication with Elytron
18 Oct 2017
This blog post describes how to use Elytron for two-way (client certificate) SSL authentication. This is a draft which requires patch #1018 to be merged.
Let's suppose you already have your SSL key and certificate prepared in a keystore file in the standalone/configuration directory. For testing purposes you can generate a self-signed certificate:
Generate a client-side certificate, also self-signed:
Re-export the private key into PKCS12 so that it can be imported into Firefox:
Just note that in a production deployment the truststore should contain only the certificate/public key.
SSL Elytron configuration
When the keystore is in place, we can configure a key-store and a key-manager to be used by a new server-ssl-context.
Compared with simple one-way SSL we also need to configure a trust-manager and, later, to set want-client-auth or need-client-auth.
Undertow configuration
To use the created SSL context to secure regular HTTPS serving the deployed applications, replace the legacy security domain with the new SSL context in the Undertow HTTPS listener:
Management configuration
To use the created SSL context to secure the management interface, set it on the HTTP management interface resource:
I don't recommend doing this before you have the SSL configuration and authentication tested successfully in application scope: access to the management console can be disabled by the following steps.
Extending to two-way SSL
First we need to add a user source, which will be used to obtain the roles of users logged in using a certificate.
For now let's add user test into the default application properties realm; this user will be used for all users authenticated by certificate:
application-users.properties:
application-roles.properties:
Now we can activate the want-client-auth flag (or need-client-auth, if you don't want to allow SSL connections without a valid client certificate) of the server-ssl-context:
To use user test for any client certificate we need to define a constant principal transformer:
Before we add the HTTP authentication factory, we need to add a configurable mechanism factory, which will disable certificate verification against the security realm:
To provide the username to the deployed application we now add the HTTP authentication factory:
And define an Undertow security domain which will use it:
Now logging into the application using a certificate should be possible: a user with a valid certificate will get the roles of user test, and the application will get the certificate DN as the user principal.
In a similar way you can extract part of the certificate DN and use it to rewrite the user principal to a user name with appropriate roles in the security realm in use.
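The whole procedure above collected into one jboss-cli batch, as an added example that is not part of the original post. The keystore and truststore file names, the password "secret", the resource names (twoWayKS, twoWayTS, twoWayKM, twoWayTM, twoWaySSC, testTransformer, configuredCert, clientCertAuth) and the skip-certificate-verification property name are assumptions; ApplicationDomain, global and other are the defaults shipped in standalone.xml.

```jboss-cli
# Added example, not the post's own commands. Assumed: server.keystore and
# server.truststore in standalone/configuration, password "secret", and the
# resource names used below. The property name under configuredCert comes from
# the draft patch mentioned in the post and is an assumption for your version.

batch

# key-store + key-manager: the server's own key pair
/subsystem=elytron/key-store=twoWayKS:add(path=server.keystore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={clear-text=secret})

# trust-store + trust-manager: trusted client certificates (public parts only)
/subsystem=elytron/key-store=twoWayTS:add(path=server.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)

# server-ssl-context: want-client-auth asks for a certificate but still accepts
# connections without one; set need-client-auth=true to require a valid one
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,trust-manager=twoWayTM,want-client-auth=true,protocols=["TLSv1.2"])

# Undertow HTTPS listener: replace the legacy security-realm with the SSL context
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)

# map every certificate principal to the constant user "test" of the properties realm
/subsystem=elytron/constant-principal-transformer=testTransformer:add(constant=test)

# CLIENT_CERT normally verifies the certificate against the realm; the properties
# realm holds no certificates, so that verification is switched off here
/subsystem=elytron/configurable-http-server-mechanism-factory=configuredCert:add(http-server-mechanism-factory=global,properties={org.wildfly.security.http.skip-certificate-verification=true})

# HTTP authentication factory: CLIENT_CERT mechanism, transformer applied before the realm lookup
/subsystem=elytron/http-authentication-factory=clientCertAuth:add(http-server-mechanism-factory=configuredCert,security-domain=ApplicationDomain,mechanism-configurations=[{mechanism-name=CLIENT_CERT,pre-realm-principal-transformer=testTransformer}])

# Undertow application security domain used by deployments (default name "other")
/subsystem=undertow/application-security-domain=other:add(http-authentication-factory=clientCertAuth)

run-batch
reload
```

Run it with jboss-cli.sh --connect --file=two-way-ssl.cli and test first with want-client-auth; a client without a certificate then still connects but is not authenticated, which makes a misconfigured truststore easy to tell apart from a rejected handshake.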
Troubleshooting
To enable Elytron trace logging:
To check keystore availability: