WildFly with client certificates: javax.net.ssl.SSLException: Received fatal alert: unknown_ca

I’m trying to install a wildfly9 server with client certificate authorization. To do that I have:

  1. On the Client: Create a self-signed certificate:

    keytool -genkey -keystore client.keystore -validity 3650 \
        -keyalg RSA -keysize 4096 -storetype pkcs12 -alias myClient

  2. On the Client: export the certificate

    keytool -exportcert -keystore client.keystore -alias myClient \
        -storetype pkcs12 -file myClient.crt

  3. On the server: Import the crt certificate file into the truststore

    keytool -import -file myClient.crt \
        -keystore /etc/pki/wildfly/client.truststore

  4. On the server: adjust the wildfly config (enabling client certificate authentication):

    <security-realm name="UndertowRealm">
      <server-identities>
        <ssl>
          <keystore path="/etc/pki/wildfly/server.keystore" keystore-password="123456" alias="server" key-password="123456"/>
        </ssl>
      </server-identities>
      <authentication>
        <truststore path="/etc/pki/wildfly/client.truststore" keystore-password="123456"/>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>
    ...
    <subsystem xmlns="urn:jboss:domain:undertow:2.0">
      <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" verify-client="REQUIRED"/>
        ...
      </server>
    </subsystem>


The client is a python script. For this client I need the certificate and the key in PEM format. To export the certificate in PEM I do (all on the client side):

  1. Export the certificate key:

    keytool -v -importkeystore -srckeystore client.keystore \
        -srcalias myClient -destkeystore myClient.key.tmp.pem \
        -deststoretype PKCS12 -destkeypass 123456

  2. Remove the password from the key (yes, of course I will also restrict access to the key later by changing the file mode):

    openssl pkcs12 -in myClient.key.tmp.pem -nocerts \
        -nodes > myClient.key.pem

  3. Remove everything outside '-----BEGIN PRIVATE KEY-----' and '-----END PRIVATE KEY-----' in myClient.key.pem

  4. Export the certificate as PEM:

    keytool -exportcert -keystore client.keystore -alias myClient \
        -rfc -file myClient.pem

But every time I want to connect to the server I get (on the server) the error:

    2016-10-31 09:50:55,102 DEBUG [io.undertow.request.io] (default I/O-1) Error reading request: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688)
    at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620)
    at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:574)
    at org.xnio.ssl.JsseSslStreamSourceConduit.read(JsseSslStreamSourceConduit.java:89)
    at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
    at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:150)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:128)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)

If I disable the client certificate authentication all is fine, so there must be something wrong with the client certificate authentication.

Does anybody know what's wrong?
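An added offline check (example code, not the poster's script) for the PEM steps above: it strips the Bag Attributes lines that `openssl pkcs12 -nocerts -nodes` prints around the private key, computes a certificate's SHA-256 fingerprint in the form `keytool -list -v` prints so myClient.pem can be compared with the entry in client.truststore, and builds the mutual-TLS context the Python client needs. Note that the stack trace ends in `recvAlert`: the server *received* unknown_ca from the client, so the first thing to verify is that the Python client trusts the WildFly server certificate. The openssl output below is constructed, and the file names are the ones from the question.

```python
import base64
import hashlib
import re
import ssl

# Constructed sample of what `openssl pkcs12 -nocerts -nodes` prints: the key is
# wrapped in "Bag Attributes" lines that must be stripped (the "remove everything
# outside BEGIN/END PRIVATE KEY" step). The base64 body is a placeholder, not a key.
SAMPLE_OPENSSL_OUTPUT = """Bag Attributes
    friendlyName: myclient
    localKeyID: 54 69 6D 65 20 31 34 37 37 39 30 30 30 30 30 30 30 30
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Y29uc3RydWN0ZWQga2V5IHBsYWNlaG9sZGVy
-----END PRIVATE KEY-----
"""

def extract_pem_block(text, label):
    """Return only the first BEGIN/END <label> block of `text`, re-wrapped with
    clean markers; raises ValueError if the block is missing or not valid base64."""
    pattern = re.compile(
        r"-----BEGIN %s-----\r?\n(.*?)-----END %s-----" % (re.escape(label), re.escape(label)),
        re.DOTALL)
    match = pattern.search(text)
    if match is None:
        raise ValueError("no %s block found" % label)
    body = match.group(1)
    base64.b64decode("".join(body.split()), validate=True)  # fail early on a mangled block
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

def pem_to_der(pem_text, label):
    """DER bytes of the first <label> block (what keytool hashes for its fingerprints)."""
    lines = extract_pem_block(pem_text, label).splitlines()[1:-1]
    return base64.b64decode("".join(lines))

def keytool_sha256_fingerprint(cert_pem):
    """SHA-256 fingerprint in the colon-separated upper-case form `keytool -list -v`
    prints, so myClient.pem can be checked against the client.truststore entry."""
    digest = hashlib.sha256(pem_to_der(cert_pem, "CERTIFICATE")).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def client_context(cert_pem_path, key_pem_path, server_ca_path):
    """Mutual-TLS context for the Python client: present myClient.pem / myClient.key.pem
    and verify the WildFly server certificate against server_ca_path (assumed file).
    If that verification fails, it is the client that sends unknown_ca, and the
    server logs it as 'Received fatal alert' (recvAlert in the trace)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca_path)
    ctx.load_cert_chain(certfile=cert_pem_path, keyfile=key_pem_path)
    return ctx
```

Compare the printed fingerprint with the `SHA256:` line of `keytool -list -v -keystore /etc/pki/wildfly/client.truststore`; a mismatch means the server trusts a different certificate than the one the client presents.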

Answer

We cannot resolve this problem. We have another installation (our test system) which we could configure successfully. However, now we have put an Apache httpd proxy in front of the WildFly server. The Apache proxy is now also managing the client certificate stuff. That works for us.

Attribution
Source: Link, Question Author: Steffen, Answer Author: Steffen
