Enable Security for JBoss + WS

Alan Prado
Greenhorn

Joined: Jan 20, 2011
Posts: 2
Hello JavaRanch,

I'm new here!
I'm using jboss-as-distribution-6.0.0.20100429-M3 + WS (axis 1.4)
I have to provide a secure way to transmit data from client to server. I've read that SSL with mutual authentication is a good way to provide it. But if anybody has a better suggestion on how to do it, let me know.
I'm trying to configure mutual authentication with BaseCertLoginModule over SSL, but I'm getting the following errors:

**************************************************************************************
error at server side
17:19:26,812 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] Handshake failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:523) [:1.6]
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:355) [:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789) [:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120) [:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147) [:1.6]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131) [:1.6]
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:186)
at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:1143)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
at java.lang.Thread.run(Thread.java:619) [:1.6.0_20]


error at client side
java.net.SocketException: Software caused connection abort: socket write error
**************************************************************************************

Here follows my configuration files

script to generate the keys
**************************************************************************************
REM Self-signed server and client key pairs. With no -alias, keytool stores the
REM key under the default alias "mykey", and with no -validity the certificate
REM is valid for 90 days (both visible in the keystore listings below).
set SERVER_DN="CN=server, OU=X, O=Y, L=Z, S=XY, C=YZ"
set CLIENT_DN="CN=client, OU=X, O=Y, L=Z, S=XY, C=YZ"
set KSDEFAULTS=-storepass changeit -storetype JKS
set KEYINFO=-keyalg RSA
REM server key pair; its certificate is exported and placed in the client's truststore
keytool -genkey -dname %SERVER_DN% %KSDEFAULTS% -keystore server.ks %KEYINFO% -keypass changeit
keytool -export -file temp$.cer %KSDEFAULTS% -keystore server.ks
keytool -import -file temp$.cer %KSDEFAULTS% -keystore client.ts -alias serverkey -noprompt
REM client key pair; its certificate is exported and placed in the server's truststore
keytool -genkey -dname %CLIENT_DN% %KSDEFAULTS% -keystore client.ks %KEYINFO% -keypass changeit
keytool -export -file temp$.cer %KSDEFAULTS% -keystore client.ks
keytool -import -file temp$.cer %KSDEFAULTS% -keystore server.ts -alias clientkey -noprompt
**************************************************************************************


file:${jboss.server.home.dir}/conf/server.ks
**************************************************************************************
Keystore type: JKS
Keystore provider: SUN


Your keystore contains 1 entry


Alias name: mykey
Creation date: 17/01/2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ
Issuer: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ
Serial number: 4d34949e
Valid from: Mon Jan 17 17:12:30 BRST 2011 until: Sun Apr 17 16:12:30 BRT 2011
Certificate fingerprints:
MD5: 5A:56D8:5B:9E:94:55:77:7E:703:AE:E5:0B:C5
SHA1: 14:B3:95:33:E72:F3:BB:94A:E9:1C:38:8A:9F:03:1B:35:4E:8C
Signature algorithm name: SHA1withRSA
Version: 3




**************************************************************************************


file:${jboss.server.home.dir}/conf/server.ts
**************************************************************************************
Keystore type: JKS
Keystore provider: SUN


Your keystore contains 1 entry


Alias name: clientkey
Creation date: 17/01/2011
Entry type: trustedCertEntry


Owner: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ
Issuer: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ
Serial number: 4d34949f
Valid from: Mon Jan 17 17:12:31 BRST 2011 until: Sun Apr 17 16:12:31 BRT 2011
Certificate fingerprints:
MD5: B2:C1:C8:9A:BB:84:F0:79:03:68:91:89:20:EC:85:CF
SHA1: C5:BC:7A:7D:E6:0E:5E4:1F9:BC:563:91:20:A3:25:09:B2:2A
Signature algorithm name: SHA1withRSA
Version: 3




**************************************************************************************


file:c:/client.ks
**************************************************************************************
Keystore type: JKS
Keystore provider: SUN


Your keystore contains 1 entry


Alias name: mykey
Creation date: 17/01/2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ
Issuer: CN=client, OU=X, O=Y, L=Z, ST=XY, C=YZ
Serial number: 4d3469a5
Valid from: Mon Jan 17 14:09:09 BRST 2011 until: Sun Apr 17 13:09:09 BRT 2011
Certificate fingerprints:
MD5: 91:57:82:07:38:34:C5:1F:AB:5C:0D:51:65B:5B:B0
SHA1: 7D:12:14:E1:75:78:E3:79:1B:62:B6:A3:17:A9:FA:11:51:A7:69:06
Signature algorithm name: SHA1withRSA
Version: 3




**************************************************************************************


file:c:/client.ts
**************************************************************************************
Keystore type: JKS
Keystore provider: SUN


Your keystore contains 1 entry


Alias name: serverkey
Creation date: 17/01/2011
Entry type: trustedCertEntry


Owner: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ
Issuer: CN=server, OU=X, O=Y, L=Z, ST=XY, C=YZ
Serial number: 4d3469a4
Valid from: Mon Jan 17 14:09:08 BRST 2011 until: Sun Apr 17 13:09:08 BRT 2011
Certificate fingerprints:
MD5: 99:9F:51:27:BA:40:C1:91:14:B6:1B:36:EB:39:4F:57
SHA1: 7A:98:0E:B5:99:2A:4A:41:6D:CC3:90:4D:AB:3A:93:81:87:AE:B8
Signature algorithm name: SHA1withRSA
Version: 3
**************************************************************************************


file:${jboss.server.home.dir}/deploy/interligation-service.xml
**************************************************************************************

**************************************************************************************


file:${jboss.server.home.dir}/deploy/jbossweb.sar/server.xml
**************************************************************************************

**************************************************************************************


file:${jboss.server.home.dir}/conf/login-config.xml
**************************************************************************************

**************************************************************************************


file:${jboss.server.home.dir}/conf/props/interligation-users.properties
**************************************************************************************
CN\=server,\ OU\=X,\ O\=Y,\ L\=Z,\ ST\=XY,\ C\=YZ=JBossAdmin
admin=JBossAdmin
**************************************************************************************


file:${jboss.server.home.dir}/conf/props/interligation-roles.properties
**************************************************************************************
admin=JBossAdmin,HttpInvoker
**************************************************************************************


file:$webapp/WebContent/web.xml
**************************************************************************************

**************************************************************************************


file:$webapp/WebContent/jboss-web.xml
**************************************************************************************

**************************************************************************************


file:$clientapp/client-config.wsdd
**************************************************************************************

**************************************************************************************
Thanks for advice,
Alan
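The server-side trace in the post above comes from JSSE's InputRecord: the SSL connector rejects the first bytes it reads because they do not form a TLS (or SSLv2) record header, which is exactly what a plain HTTP request sent to the HTTPS port looks like. Before touching BaseCertLoginModule it pays to confirm at socket level, without Axis in the way, that the client speaks TLS to the connector and that both sides exchange certificates. The program below is an added example, not code from the original post: it loads the poster's client.ks and client.ts (the file locations, host and port are assumptions; the password "changeit" and the JKS type are taken from the keytool script), performs the handshake and reports which certificate each side presented.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the original post: a socket-level check of the
 * mutual-TLS handshake against the JBoss HTTPS connector, independent of Axis.
 * Keystore paths, host and port are assumptions; "changeit" and the JKS type
 * match the poster's keytool script. Written for Java 6, like the poster's JVM.
 */
public class MutualTlsHandshakeCheck {

    /** Loads a JKS keystore from disk. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        return store;
    }

    /**
     * Builds an SSLContext that presents the private key from the keystore
     * (client authentication) and trusts only what is in the truststore.
     */
    static SSLContext buildContext(String keyStorePath, String trustStorePath, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, password), password);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, password));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";          // assumption
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;  // HTTPS connector seen in the poster's log
        char[] password = "changeit".toCharArray();

        SSLContext ctx = buildContext("c:/client.ks", "c:/client.ts", password);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            // A plain HTTP request to this port is what makes the server log
            // "Unrecognized SSL message, plaintext connection?"; this is the
            // handshake the connector expects instead.
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("protocol " + session.getProtocol() + ", cipher suite " + session.getCipherSuite());

            X509Certificate serverCert = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("server presented: " + serverCert.getSubjectDN());

            Certificate[] local = session.getLocalCertificates();
            if (local == null) {
                // Either the connector did not ask for a client certificate, or
                // no key in client.ks matched the issuers the server advertised.
                System.out.println("no client certificate was sent; mutual authentication did not take place");
            } else {
                X509Certificate clientCert = (X509Certificate) local[0];
                // Same form keytool prints as "Owner:" and the poster's
                // users.properties uses as the user key.
                System.out.println("client presented: " + clientCert.getSubjectDN());
            }
        } finally {
            socket.close();
        }
    }
}
```

If this program fails to handshake, the transport is wrong and no login module has been reached yet. If it succeeds but reports that no client certificate was sent, check that the connector in server.xml requests client certificates and that server.ts really contains the client certificate, because the default key manager only offers a client key whose issuer is among those the server advertised.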
Alan Prado
Greenhorn

Joined: Jan 20, 2011
Posts: 2
Hello again!!!
I was passing the wrong port to the server, then the connector was redirecting to http instead of https.
But now I'm getting the following error:

server side:
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545289296 sessioncount 0
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545289296 sessioncount 0
15:41:29,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
15:41:39,765 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /datacenter/services/InterligationServiceController
15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against POST /services/InterligationServiceController --> true
15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against POST /services/InterligationServiceController --> true
15:41:39,765 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
15:41:39,765 DEBUG [org.apache.catalina.realm.RealmBase] Redirecting to https://127.0.0.1:8443/datacenter/services/InterligationServiceController
15:41:39,781 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed hasUserDataPermission() test
15:41:49,296 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1295545309296 sessioncount 0
15:41:49,296 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
15:41:49,812 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass
15:41:49,968 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.firstpass] Local XARecoveryModule - first pass
15:41:59,968 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_6] - TORecoveryModule - second pass
15:41:59,968 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.secondpass] Local XARecoveryModule - second pass

client-side:
(302)Moved Temporarily

Thanks for advice,
Alan
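The second trace shows Tomcat's hasUserDataPermission() check: the POST arrived on the plain HTTP connector, the security constraint for that URL requires a CONFIDENTIAL transport guarantee, so Tomcat answers with a redirect to https://127.0.0.1:8443/... and logs the failed test. The Axis 1.4 HTTP sender does not follow redirects; it raises any response other than a 2xx or a SOAP fault as an AxisFault carrying the status line, which is the "(302)Moved Temporarily" the client printed. The fix is to address the HTTPS connector directly and hand the client keystore and truststore to JSSE. The class below is an added example, not the poster's client: the endpoint path and port 8443 come from the log, while the host name, keystore locations, namespace, operation name and argument are assumptions standing in for the real WSDL.

```java
import java.net.URL;
import javax.xml.namespace.QName;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;

/**
 * Added example, not the poster's client: an Axis 1.4 dynamic client that
 * addresses the HTTPS connector directly and hands the client keystore and
 * truststore to JSSE. Host name, keystore locations, namespace, operation
 * and argument are assumptions; path and port come from the poster's log.
 */
public class SecureInterligationClient {

    public static void main(String[] args) throws Exception {
        // JSSE reads these for every HTTPS socket in the JVM, including the
        // one Axis's default JSSESocketFactory creates. Password and store
        // type match the poster's keytool script; the paths are assumptions.
        System.setProperty("javax.net.ssl.keyStore", "c:/client.ks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        System.setProperty("javax.net.ssl.trustStore", "c:/client.ts");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");

        // https and 8443 from the start: a request on the plain HTTP connector
        // against a CONFIDENTIAL constraint only earns the 302 seen in the log,
        // and Axis raises it as a fault instead of following it.
        // The host must be the name the server certificate was issued to
        // (CN=server in the poster's keystore), because Axis's JSSESocketFactory
        // compares it with the certificate's CN after the handshake.
        URL endpoint = new URL("https://server:8443/datacenter/services/InterligationServiceController");

        Service service = new Service();
        Call call = (Call) service.createCall();
        call.setTargetEndpointAddress(endpoint);
        // Hypothetical namespace and operation; take the real ones from the WSDL.
        call.setOperationName(new QName("http://example.invalid/interligation", "echo"));

        Object result = call.invoke(new Object[] { "hello over mutual TLS" });
        System.out.println("service replied: " + result);
    }
}
```

Two caveats worth keeping in mind with this setup: the javax.net.ssl.* properties are JVM-wide, so every HTTPS connection made by the client process will present this client certificate; and because the poster's certificates are self-signed with CN=server and CN=client, the client must reach the server under the name "server" (a hosts entry will do for testing), otherwise the Axis host-name check rejects the certificate even though the handshake itself succeeded.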
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Enable Security for JBoss + WS