Certificate authentication with password fallback in Elytron
30 May 2018
This tutorial describes how to configure certificate authentication with password (BASIC/PLAIN) fallback for the management interface of WildFly using WildFly Elytron.
Prepare LDAP directory
To log in using a certificate, the LDAP entry needs to be resolvable from information contained in the certificate.
In this example we will use a certificate with subject OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Firefly - we will extract the CN part to obtain the name used to look up the identity in the LDAP.
The username will in this case be Firefly.
For simplicity we will not define a new object class in this example; instead we will use the existing attribute pager to store the serial number of the certificate.
The serial number of testing certificate is 01.
Configure LDAP realm
Define the connection to the LDAP server (you may also need to specify principal and credential-reference if your LDAP server requires a login):
Define the LDAP realm with an appropriate x509-credential-mapper (for certificate verification) and either user-password-mapper (for strong password authentication - requires permission to read password hashes from the LDAP) OR direct-verification (for plain password authentication, where the password is verified by binding to the LDAP without receiving password hashes from it):
Resulting XML:
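The following is an added example of what the two steps above produce in the elytron subsystem; it is not the snippet from the original post. The subsystem namespace version, the LDAP URL, bind DN and password, the search base ou=Users,dc=example,dc=com and the uid RDN are assumptions. It expects the Firefly entry to carry uid=Firefly, a userPassword, and pager=01 (the certificate serial number). Only one of direct-verification and user-password-mapper is needed, matching the OR above, so the mapper variant is shown commented out.

```xml
<!-- Added example, not the page's own XML. Fragment of the elytron subsystem. -->
<subsystem xmlns="urn:wildfly:elytron:1.2">
    <security-realms>
        <!-- direct-verification="true": the supplied password is checked by binding
             to the LDAP as the user, so WildFly never reads password hashes. -->
        <ldap-realm name="ldapRealm" dir-context="exampleDC" direct-verification="true">
            <!-- The name produced by the principal decoder (e.g. "Firefly") is
                 matched against the uid RDN below the search base. -->
            <identity-mapping rdn-identifier="uid" search-base-dn="ou=Users,dc=example,dc=com">
                <!-- Alternative to direct-verification (needs read access to the hashes):
                     <user-password-mapper from="userPassword"/> -->
                <!-- Certificate verification: the serial number of the presented
                     certificate must match the value stored in the "pager" attribute. -->
                <x509-credential-mapper serial-number-attribute="pager"/>
            </identity-mapping>
        </ldap-realm>
    </security-realms>
    <dir-contexts>
        <!-- Assumed LDAP server and bind identity; omit principal and
             credential-reference if the directory allows anonymous search. -->
        <dir-context name="exampleDC" url="ldap://localhost:10389" principal="uid=admin,ou=system">
            <!-- clear-text is acceptable for a demo only; use a credential store otherwise. -->
            <credential-reference clear-text="secret"/>
        </dir-context>
    </dir-contexts>
</subsystem>
```

The bind identity in the dir-context should be a low-privilege account that can only search the user subtree; with direct-verification it does not need to read userPassword at all.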
To check the configuration, try to obtain the testing identity:
Configure security domain for LDAP realm
Configure ManagementDomain to use one security realm - ldapRealm.
Configure principal decoder
To be able to obtain the identity from the security realm based on the certificate used, you need to define an x500-attribute-principal-decoder which will decode the identity name from it:
In this example attribute cn from the subject of the certificate will be used.
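As an added example (not from the original post), the security domain and the principal decoder from the two steps above as they appear in the elytron subsystem. The decoder name cnDecoder and the namespace version are assumptions; default-permission-mapper is the permission mapper shipped in the default WildFly configuration.

```xml
<!-- Added example, not the page's own XML. Fragment of the elytron subsystem. -->
<subsystem xmlns="urn:wildfly:elytron:1.2">
    <security-domains>
        <!-- ManagementDomain now has a single realm, ldapRealm, and applies
             cnDecoder to every incoming principal before the realm lookup. -->
        <security-domain name="ManagementDomain" default-realm="ldapRealm"
                         permission-mapper="default-permission-mapper"
                         principal-decoder="cnDecoder">
            <realm name="ldapRealm"/>
        </security-domain>
    </security-domains>
    <mappers>
        <!-- OID 2.5.4.3 is the X.500 "cn" attribute. For the subject
             OU=Elytron,O=Elytron,C=UK,ST=Elytron,CN=Firefly this yields "Firefly".
             maximum-segments="1" keeps only the first CN if the DN has several. -->
        <x500-attribute-principal-decoder name="cnDecoder" oid="2.5.4.3" maximum-segments="1"/>
    </mappers>
</subsystem>
```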
Enable Elytron for management interface
Configure the management interface to use Elytron for both HTTP and SASL authentication:
Start using the created SSL context for the management interface:
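An added example (not the original post's XML) of the server SSL context and the management interface wiring that the two steps above result in. The names serverSSC, serverKM, serverTM and the factory names management-http-authentication and management-sasl-authentication are assumptions; the key manager and trust manager are assumed to exist already, since the page refers to an SSL context that was created earlier.

```xml
<!-- Added example, not the page's own XML. -->

<!-- 1. In the elytron subsystem: the SSL context used by the management interface.
     want-client-auth="true" makes the server request a client certificate but still
     accept connections that present none, which is what the BASIC/PLAIN fallback
     relies on. need-client-auth="true" would reject those connections before any
     HTTP or SASL mechanism could run, so the fallback would never be reached. -->
<subsystem xmlns="urn:wildfly:elytron:1.2">
    <tls>
        <server-ssl-contexts>
            <server-ssl-context name="serverSSC" key-manager="serverKM" trust-manager="serverTM"
                                want-client-auth="true" need-client-auth="false"/>
        </server-ssl-contexts>
    </tls>
</subsystem>

<!-- 2. In <management>: the HTTP interface uses the Elytron factories and the SSL
     context above. The legacy security-realm attribute is removed, and only the
     HTTPS socket binding is kept so the interface is reachable over TLS alone. -->
<management>
    <management-interfaces>
        <http-interface http-authentication-factory="management-http-authentication"
                        ssl-context="serverSSC">
            <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
            <socket-binding https="management-https"/>
        </http-interface>
    </management-interfaces>
</management>
```

Keeping only the https binding (port 9993 by default) matters because the PLAIN and BASIC fallbacks transmit the password itself; leaving the plain management-http binding in place would expose it on port 9990.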
Configure CLIENT_CERT and BASIC in HTTP authentication factory
The authentication of a user accessing the web console is secured by the HTTP authentication factory.
Configure it to try CLIENT_CERT first and, if that fails, to fall back to BASIC.
XML:
Configure EXTERNAL and PLAIN in SASL authentication factory
XML:
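As an added example serving both the HTTP and the SASL factory sections above (it is not the XML from the original post), the two factories with the mechanism order that gives certificate-first, password-fallback behaviour. Factory names and the realm-name label are assumptions; global and configured are the mechanism factories present in the default WildFly configuration.

```xml
<!-- Added example, not the page's own XML. Fragment of the elytron subsystem. -->
<subsystem xmlns="urn:wildfly:elytron:1.2">
    <http>
        <http-authentication-factory name="management-http-authentication"
                                     security-domain="ManagementDomain"
                                     http-server-mechanism-factory="global">
            <mechanism-configuration>
                <!-- Order matters: CLIENT_CERT is tried first and completes without any
                     dialog when the TLS client certificate maps to an identity. -->
                <mechanism mechanism-name="CLIENT_CERT"/>
                <!-- Fallback: the browser shows the BASIC dialog. realm-name is only the
                     label sent in the WWW-Authenticate challenge, not a security realm. -->
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="ManagementRealm"/>
                </mechanism>
            </mechanism-configuration>
        </http-authentication-factory>
    </http>
    <sasl>
        <sasl-authentication-factory name="management-sasl-authentication"
                                     sasl-server-factory="configured"
                                     security-domain="ManagementDomain">
            <mechanism-configuration>
                <!-- EXTERNAL reuses the client certificate already verified by TLS. -->
                <mechanism mechanism-name="EXTERNAL"/>
                <!-- PLAIN carries the password in the clear inside the SASL exchange,
                     so it must only be offered on the TLS-protected interface. -->
                <mechanism mechanism-name="PLAIN"/>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
</subsystem>
```

If the certificate is presented but does not map to an LDAP entry (wrong CN, or a pager value that does not match the serial number), CLIENT_CERT and EXTERNAL fail and the client is offered BASIC or PLAIN; that is the expected path, not an error in the configuration.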
Troubleshooting
For troubleshooting you may want to enable debug logging of Elytron security:
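An added example (not from the original post) of the logging subsystem fragment that turns on verbose Elytron logging. The category org.wildfly.security covers the mechanisms, realms and principal decoders used here; TRACE is its most detailed level.

```xml
<!-- Added example, not the page's own XML. Place inside the logging subsystem. -->
<logger category="org.wildfly.security">
    <!-- TRACE shows each mechanism attempt, the decoded principal and the realm
         lookup, which is what you need to see why CLIENT_CERT fell through to BASIC. -->
    <level name="TRACE"/>
</logger>
```

Revert the level once the problem is found: at TRACE the log records principal names and LDAP lookup details for every management login, which is more than a production log should retain.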
Testing
Web console (HTTP auth)
Try to access management console over HTTPS:
https://localhost:9993/console/
The web browser should ask for a client SSL certificate first; the BASIC login dialog should be shown if certificate authentication fails.
Password auth via CLI
Try to connect using jboss-cli with password authentication:
Certificate auth via CLI
Try to connect using jboss-cli with an SSL certificate:
You will need to add an SSL section to bin/jboss-cli.xml:
The paths are relative to the working directory (the directory from which you start jboss-cli.sh).
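As an added example (not the post's own file), a jboss-cli.xml that carries the SSL section described above together with a default controller pointing at the HTTPS management port. The schema version, the key store and trust store file names, the alias and the passwords are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the page's own jboss-cli.xml. -->
<jboss-cli xmlns="urn:jboss:cli:3.1">
    <default-protocol use-legacy-override="true">remote+https</default-protocol>
    <default-controller>
        <protocol>remote+https</protocol>
        <host>localhost</host>
        <port>9993</port>
    </default-controller>
    <ssl>
        <!-- Key store with the client certificate and its private key. Paths are
             relative to the directory jboss-cli.sh is started from. -->
        <alias>client</alias>
        <key-store>client.keystore</key-store>
        <key-store-password>secret</key-store-password>
        <key-password>secret</key-password>
        <!-- Trust store with the server certificate or its issuing CA. -->
        <trust-store>client.truststore</trust-store>
        <trust-store-password>secret</trust-store-password>
        <!-- false: reject an unknown server certificate instead of offering to add it,
             so a mismatched server is not silently trusted during testing. -->
        <modify-trust-store>false</modify-trust-store>
    </ssl>
</jboss-cli>
```

The key store entry under alias client must be the certificate whose serial number is stored in the pager attribute of the LDAP entry, otherwise EXTERNAL fails and the CLI falls back to asking for PLAIN credentials.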
Now you can connect:
If the SSL authentication fails, the client will request PLAIN credentials.