I have created a server.keystore and then a client.keystore with a client.crt, which I used to create client.truststore.
The server.keystore with alias devmyserverkey:
/myserver_opt/jdk1.8.0_latest/jre/bin/keytool -genkey -alias devmyserverkey -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore myserver.keystore -validity 730 -storepass samepassword -dname "CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country" -keypass samepassword
The client.keystore with alias devclientkey:
/myserver_opt/jdk1.8.0_latest/jre/bin/keytool -genkey -keystore client.keystore -storepass samepassword -keyalg RSA -keysize 2048 -storetype pkcs12 -alias devclientkey -dname "CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country"
Then the client crt with alias devclientkey:
/myserver_opt/jdk1.8.0_latest/jre/bin/keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass samepassword -keypass samepassword -file client.crt -alias devclientkey
Then the client truststore:
/myserver_opt/jdk1.8.0_latest/jre/bin/keytool -import -file client.crt -keystore client.truststore
Then the PKCS12 keystore:
/myserver_opt/jdk1.8.0_latest/jre/bin/keytool -importkeystore -srckeystore client.keystore -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass samepassword
The client.truststore and server.keystore are in the configuration directory of my WildFly instance, and when I try to access my application I get the following:
2018-03-16 08:23:18,177 TRACE [org.jboss.security] (default task-28) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@3e1567dc, cache entry: null
2018-03-16 08:23:18,177 TRACE [org.jboss.security] (default task-28) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@3e1567dc
2018-03-16 08:23:18,178 TRACE [org.jboss.security] (default task-28) PBOX00221: Begin getAppConfigurationEntry(mygenwebservicessecurity), size: 6
2018-03-16 08:23:18,179 TRACE [org.jboss.security] (default task-28) PBOX00224: End getAppConfigurationEntry(mygenwebservicessecurity), AuthInfo: AppConfigurationEntry[]: [0] LoginModule Class: org.jboss.security.auth.spi.BaseCertLoginModule ControlFlag: LoginModuleControlFlag: required Options: name=securityDomain, value=mygenwebservicessecurity
2018-03-16 08:23:18,181 TRACE [org.jboss.security] (default task-28) PBOX00236: Begin initialize method
2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00245: Found security domain: org.jboss.security.JBossJSSESecurityDomain
2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00239: End initialize method
2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00240: Begin login method
2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00240: Begin login method
2018-03-16 08:23:18,192 TRACE [org.jboss.security] (default task-28) PBOX00252: Begin getAliasAndCert method
2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00253: Found certificate, serial number: 13e04227, subject DN: CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00255: End getAliasAndCert method
2018-03-16 08:23:18,193 TRACE [org.jboss.security] (default task-28) PBOX00256: Begin validateCredential method
2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28)
PBOX00056: Supplied credential: 13e04227
CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
PBOX00057: Existing credential: PBOX00058: No match for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country, existing aliases: [mykey]
2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28) PBOX00260: End validateCredential method, result: false
2018-03-16 08:23:18,201 TRACE [org.jboss.security] (default task-28) PBOX00244: Begin abort method, overall result: false
2018-03-16 08:23:18,201 DEBUG [org.jboss.security] (default task-28) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00052: Supplied credential did not match existing credential for alias CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country
at org.jboss.security.auth.spi.BaseCertLoginModule.login(BaseCertLoginModule.java:231)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
I do not see any difference between the two. The only difference I see is the alias mykey. That is a default alias, but where is this coming from, as I have supplied the alias myself for both?
This is what I added in the standalone.xml:
<security-realm name="SSLRealm">
<server-identities>
<ssl>
<keystore path="myserver.keystore" relative-to="jboss.server.config.dir" keystore-password="samepassword" alias="devmyserverkey" key-password="samepassword"/>
</ssl>
</server-identities>
<authentication>
<truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="samepassword"/>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
<endpoint/>
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
<http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="SSLRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="mygenwebservicessecurity" cache-type="default">
<authentication>
<login-module code="Certificate" flag="required">
<module-option name="securityDomain" value="mygenwebservicessecurity"/>
<!--module-option name="rolesProperties" value="file:${jboss.server.config.dir}/user_roles.properties"/>
<module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/default_roles.properties"/-->
</login-module>
</authentication>
<jsse keystore-password="samepassword" keystore-url="file:/myserver_opt/wildfly10_javatest/mlws/configuration/myserver.keystore" truststore-password="samepassword" truststore-url="file:/myserver_opt/wildfly10_javatest/mlws/configuration/client.truststore" client-auth="true"/>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="defaultHTTP" socket-binding="http" redirect-socket="https"/>
<https-listener name="default" enabled-protocols="TLSv1.2" verify-client="REQUIRED" security-realm="SSLRealm" socket-binding="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<access-log predicate="not equals[%a, %A]" suffix=".log" prefix="access" pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; %D %T"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
After adding the above to my standalone.xml, when I try to access my application through http it also comes back as Forbidden, but the above exception is the one that comes with https and doesn't make sense.
Edit:
I removed all alias references, made the certs again and checked with
keytool -list -v -keystore (truststore/PKCS12 store/server.keystore/client.keystore)
They all have the same alias mykey.
I even looked into the code for the class throwing the error; it seems that the alias coming down to this class is not 'mykey' but the DN definition/Subject.
I added the below verifier to my security domain mygenwebservicessecurity:
<module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
There is another verifier called X509Verifier, but it is only an interface, so you need to implement your own and add it to the jar if you need that,
and AnyCertVerifier made it validate.
Now when I click on the link, for both http and https, the same issue occurred and the log only states:
2018-03-16 23:20:22,695 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null
2018-03-16 23:20:28,584 TRACE [org.jboss.security] (default task-13) PBOX00354: Setting security roles ThreadLocal: null
2018-03-16 23:20:30,570 TRACE [org.jboss.security] (default task-15) PBOX00354: Setting security roles ThreadLocal: null
As per the code in PicketBox 4.9, which WF10 has in its modules, this exception trace is only thrown in
I am kind of out of ideas about this error. It just does not make sense, as people have gotten this error but they added roles through a database query or something and that solved it. I have added roles.properties and users.properties but it does not take my roles.
Also, some class (WildFly possibly) calls this class's setSecurityRoles method with no security roles (null), which is the null in the trace statement. But this is a separate issue perhaps.
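The truststore rebuilt with an explicit alias, as an added example that is not part of the original post or of WildFly/PicketBox. It assumes keytool on PATH (any JDK), a scratch directory, and the sample DN and password from the post. The alias it chooses follows from the PBOX00058 line in the trace above: the login module asks the truststore for an entry named after the certificate's subject DN and finds only mykey, which is the default alias keytool assigns when -import is run without -alias (as the truststore command in the post was).

```bash
#!/bin/sh
# Added example, not the poster's commands: recreate the client key pair, export
# its certificate and import it into the truststore under the certificate's
# subject DN, the name the trace shows BaseCertLoginModule looking up.
# Assumptions: keytool on PATH, sample DN/password from the post, scratch dir.
set -eu

PASS="${STORE_PASS:-samepassword}"
CLIENT_DN="CN=dev.myserver.com, OU=CMJAVA, O=myserver, L=City, ST=State, C=Country"

# build_stores DIR: client keystore + client.crt + truststore, all under DIR.
build_stores() {
  dir="$1"
  mkdir -p "$dir"
  # Client key pair; the alias is explicit, as in the original genkey command.
  keytool -genkeypair -alias devclientkey -keyalg RSA -keysize 2048 -validity 730 \
    -storetype pkcs12 -keystore "$dir/client.keystore" \
    -storepass "$PASS" -keypass "$PASS" -dname "$CLIENT_DN"
  # Export the certificate (DER) so it can be imported into the truststore.
  keytool -exportcert -alias devclientkey -storetype pkcs12 \
    -keystore "$dir/client.keystore" -storepass "$PASS" -file "$dir/client.crt"
  # The original -import gave no -alias, so the entry was stored as "mykey".
  # Store it under the subject DN instead; -noprompt answers the trust prompt.
  # No -storetype here, so the truststore keeps keytool's default type, as in
  # the original command, and the <truststore>/<jsse> config needs no type change.
  keytool -importcert -noprompt -alias "$CLIENT_DN" \
    -keystore "$dir/client.truststore" -storepass "$PASS" -file "$dir/client.crt"
}

# truststore_has_alias DIR ALIAS: succeeds only if the truststore has that entry.
# Same check keytool -list -v lets you do by eye; aliases are case-insensitive.
truststore_has_alias() {
  keytool -list -keystore "$1/client.truststore" -storepass "$PASS" \
    -alias "$2" >/dev/null 2>&1
}

# Usage: build_stores /tmp/stores && truststore_has_alias /tmp/stores "$CLIENT_DN"
```

Once built, keytool -list -v -keystore client.truststore should show the entry under the DN rather than mykey; the myserver.keystore used by the https-listener is unaffected and can stay as generated in the post.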