Masoud Kalali's Blog: How to have your Own CA and configure Glassfish and your clients for mutual authentication?

My pages	Projects	Communities	java.net

Get Involved

java-net Project

Request a Project

Project Help Wanted Ads

Publicize your Project

Get Informed

java.net Online Books

java.net Archives

Get Connected

java.net Forums

Wiki and Javapedia

People, Partners, and Jobs

Java User Groups

RSS Feeds

Search

Online Books:

Advanced Search

Masoud Kalali's Blog

«SHIFT+ALT+ENTER, a cool NetBeans shortcut | Main | How to have your Own CA and configure Glassfish and your clients for mutual authentication?, Part II »

How to have your Own CA and configure Glassfish and your clients for mutual authentication?

Posted by kalali on August 16, 2007 at 09:05 AM | Comments (0)

How to have your Own CA and conf

One of the most repeated question in GlassFish mailing list is SSL, Certification, Mutual Authentication,.... In this Entry I will try to address some of this questions by giving an step by step guide for using EJBCA to issue certificate, use them in both glassfish and clients which connect to glassfish in some manner. clients like web browser, standalone java applications,...

There are several tutorial and blog entry about configuring glassfish to use some specific certification in order to perform server authentication for clients over SSL and each of those weblog is an invaluable source of information. In this blog entry and perhaps the next one I will address another concerns which some people has for their GlassFish and client security. Some times we are running an application within an enterprise and we need to have mutual authentication for every clients that connect to server so we will need to have one certification for client and another one for our glassfish server. both of this certification should be valid (issued by an already known CA within glassfish trust store and client trust store). For these two entries I assume that our client and server will just accept certification issued by our own CA which is based on EJBCA.

Before we start the main job you will need to download and install EJBCA from its web site, then you will need to install it according to its manual which you can find in documentation section. After you installed and could view EJBCA administration console then you can follow the rest of the entry.

In order to create server certification we will need to perform following steps as described in 4 sections:

Section 1: Creating servers certification profile:

Go to https://localhost:8080/ejbca/ and select Administration.
Select Edit Certification profiles from the left side menu.
Enter a name for the profile and press add button. I choose servers as the name.
From the list select servers Item and press Edit button.
Now profile edit page will open change the attribute as follow:
- for Key Usage you should select at least Digital Signature and Key Encypherment.
- From Extended Key Usage select Server Authentication
press save button.

Section 2: Create servers end entities profile:

Now you have create a profile which in next sections you can create certifications which will comply with it. Now we will need to create an End Entity Profile so follow these steps to create it.

From the left side menu click on edit end entities profile .
Enter ServersProfile as profile name and press add button.
From the list select ServersProfile and press Edit End Entity Profile button.
Enter a user name and a password for the profile, I choose sAdmin/ sAdminAdmin.
Enter the common name
From the list of Available Certificate Profiles select Servers which we made in last step.
select JKS as default token.
click Save

Now we are reaching an step in which we will create the real certificate that Glassfish will use in its SSL enabled listener. To create the certificate perform following steps:

Section 3: Create server certification

From the left side menu select add end entity link.
Select ServersProfile as End Entity Profile.
Enter all information as you like but make sure that CN should be Exact and fully qualified name of your sever as will access it from clients, for example if you are going to access the serve as computer1.mydomain.com then the CN should be the same if you are going to access it as Comuter1 then the CN should be that.
Select JKS as Token.
press add end entity button

Section 4: Use the certification in Application Server.

You are done, the certification is ready to be downloaded and used.

Go to https://localhost:8080/ejbca/ and select Certification Enrollment.
Select Manually for a Server
enter user name and password which you have entered for end entity in previous step.
Click OK.

By pressing OK a JKS file will download to your computer.

Create two copies of the file and Rename them to keystore.JKS and cacerts.jks.
Goto Glassfish/domains/domain1 (If domain 1 is the domain that you want to configure for SSL).
Make sure that application server is stopped by issuing the following command.

	Glassfish_home/bin/asadmin  stop-domain domain1

Now we need to change the master password in order to let glassfish open our new cacert.jks and keystore.jks so perform following command.

	Glassfish_home/bin/asadmin  change-master-password  \\\Here you should write the password that you choosed in last step/// --savemasterpassword=true

Now Goto glassfish_home/domains/domain1/config and create a backup from cacert.jks and keystore.jks.
Copy files that we create in first step of this section to this folder (overwrite the original files).
Open domain.xml (it is in domain1/config folder) by a text editor and replace all s1as occurrences with CN name that you have choose in section 3.
Start the application server.

You are done, you application server should start normally, but you have some more steps before you complete the mutual authentication capability.

Section 5: Enabling mutual authentication for a listener.

Open application server administration console and from the left side menu select Configuration> HTTP Service> HTTP Listeners> http-listener-2, now you should check the Security check box and select SSL tab, now make sure that you have checked Client Authentication check box.

You are done, point your browser to https://computer1.mydomain.com:8181 you will see that this page will only open for the browser that you have imported EJBCA administration certification. it means that both server and client must prove their identity before they could communicate.

In next entry of this series I will demonstrate steps that you need to follow in order to create a stand alone web service client.

Make sure that you need to delete the private key of you server from cacerts.jks (it is not necessary by the way). Best way to explore you key stores is using keytool which you can find more information about it Here. Also if you are may find more cool key store editor in NetBeans Module Portal

For more information or maybe to find some of your questions answered you may take a look at:

Bookmark blog post: