Wednesday, 28 August 2013

401 No Cert Chain error with Two-Way SSL


I've been tasked with replacing the current username/password-based login
on our application with a two-way SSL handshake to identify the user on
JBoss AS 7.11. I am stuck with a "401 no cert chain" error that occurs
whenever an attempt is made to access a secured resource. I'm using my own
self-certified key as the root ca, and the server has a key that is
certified by my root ca. The user would also be certified by my root ca,
but the failure occurs before I have a chance to present their cert to the
server.
This is what I'm trying to accomplish: User goes to index.html (which is
not secure), clicks on a link. Link leads to test.html (which in web.xml,
is secured by CLIENT-CERT).
401 error occurs after clicking the link, but before selecting the cert to
present.
The dump from my keystore is as follows (with some elements scrubbed):
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: localhost
Creation date: Aug 28, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=SCRUBBED, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=SCRUBBED, C=US
Serial number: SCRUBBED
Valid from: SCRUBBED until: SCRUBBED
Certificate fingerprints:
MD5: 57:B9:8D:3F:28:A0:C7:B7:1B:8B:38:B9:F9:A3:26:FF
SHA1: EF:A3:51:BB:54:81:11:CF:91:B1:E9:93:5A:2E:43:F7:50:19:6B:5D
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
Serial number: e8a494cce4d26b5f
Valid from: SCRUBBED until: SCRUBBED
Certificate fingerprints:
MD5: 31:48:E3:D4:21:38:FE:85:A2:06:A9:2C:84:43:1C:E7
SHA1: 34:D8:A0:13:BE:02:A7:1E:56:B7:28:E7:C1:9E:1B:63:26:65:92:92
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
SCRUBBED
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
SCRUBBED
]
]
*******************************************
*******************************************
This is the dump from my truststore:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: root
Creation date: Aug 28, 2013
Entry type: trustedCertEntry
Owner: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=SCRUBBED, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=SCRUBBED, C=US
Serial number: SCRUBBED
Valid from: SCRUBBED until: SCRUBBED
Certificate fingerprints:
MD5: 31:48:E3:D4:21:38:FE:85:A2:06:A9:2C:84:43:1C:E7
SHA1: 34:D8:A0:13:BE:02:A7:1E:56:B7:28:E7:C1:9E:1B:63:26:65:92:92
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
SCRUBBED
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
SCRUBBED
]
]
*******************************************
*******************************************
Web.xml:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>other</realm-name>
</login-config>
And finally, here are the relevant parts of my standalone.xml
<server xmlns="urn:jboss:domain:1.2">
<profile>
...
<subsystem>
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
...
<!-- login-modules, including BaseCertLoginModule -->
...
</authentication>
<jsse keystore-password="mypass"
keystore-url="../standalone/configuration/keystore.jks"
truststore-password="mypass"
truststore-url="../standalone/configuration/truststore.jks"/>
...
</security-domains>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:web:1.1"
default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http"
socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https"
socket-binding="https" secure="true">
<ssl name="ssl" key-alias="localhost"
password="mypass"
certificate-key-file="../standalone/configuration/keystore.jks"
verify-client="true"
ca-certificate-file="../standalone/configuration/truststore.jks"
ca-certificate-password="mypass" keystore-type="jks"
truststore-type="jks"/>
</connector>
...
</subsystem>
...
</profile>
...
</server>
Why am I getting a 401 No Client Certificate Chain error? I suspect an
issue involving the cert in my server keys, but the chain seems to be
present.
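As an added example (not part of the original post), the following Python script parses keytool -list -v / -printcert text like the dumps above and checks the key material the way the TLS stack will use it: each certificate's Issuer must equal the next certificate's Owner, every cert above the leaf must carry CA:true, and the top of the chain must be (or be issued by) a trustedCertEntry in the truststore. The sample dumps are constructed from the post's output, trimmed to the fields the parser reads and with the scrubbed state field made identical in both stores; the user certificate for CN=alice and its fingerprint are hypothetical. This compares names and fingerprints from text only and does not verify signatures; `openssl verify -CAfile root.pem server.pem` does that.

```python
import re

# Constructed sample input, trimmed to the fields the parser reads and modelled
# on the post's keytool dumps (state field made consistent across both stores).
KEYSTORE_DUMP = """\
Alias name: localhost
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=localhost, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
SHA1: EF:A3:51:BB:54:81:11:CF:91:B1:E9:93:5A:2E:43:F7:50:19:6B:5D
Certificate[2]:
Owner: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
SHA1: 34:D8:A0:13:BE:02:A7:1E:56:B7:28:E7:C1:9E:1B:63:26:65:92:92
BasicConstraints:[
CA:true
]
"""
TRUSTSTORE_DUMP = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
SHA1: 34:D8:A0:13:BE:02:A7:1E:56:B7:28:E7:C1:9E:1B:63:26:65:92:92
BasicConstraints:[
CA:true
]
"""
# Hypothetical user certificate, as "keytool -printcert -file alice.crt" would
# show it if the same root had signed it (the fingerprint is made up).
CLIENT_CERT_DUMP = """\
Owner: CN=alice, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
Issuer: CN=Root Key, OU=SCRUBBED, O=SCRUBBED, L=SCRUBBED, ST=Ohio, C=US
SHA1: 0C:1D:2E:3F:40:51:62:73:84:95:A6:B7:C8:D9:EA:FB:0C:1D:2E:3F
"""


def parse_keytool(text):
    """Parse keytool -list -v or -printcert text into a list of entries.

    Each entry is {"alias", "type", "certs": [{"owner", "issuer", "sha1", "ca"}]};
    a -printcert dump has no alias line and yields one entry of type "printcert".
    """
    entries, entry, cert = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry = {"alias": line.split(":", 1)[1].strip(), "type": None, "certs": []}
            entries.append(entry)
        elif line.startswith("Entry type:"):
            entry["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            if entry is None:  # bare -printcert output: no alias/entry header
                entry = {"alias": None, "type": "printcert", "certs": []}
                entries.append(entry)
            cert = {"owner": line[6:].strip(), "issuer": None, "sha1": None, "ca": False}
            entry["certs"].append(cert)
        elif line.startswith("Issuer:"):
            cert["issuer"] = line[7:].strip()
        elif line.startswith("SHA1:"):
            cert["sha1"] = line[5:].strip().upper()
        elif re.fullmatch(r"CA:\s*true", line):  # inside BasicConstraints
            cert["ca"] = True
    return entries


def trust_anchors(truststore_entries):
    """Map SHA1 fingerprint -> Owner DN for every trustedCertEntry."""
    return {c["sha1"]: c["owner"] for e in truststore_entries
            if e["type"] == "trustedCertEntry" for c in e["certs"]}


def verify_path(certs, anchors):
    """Check an ordered chain (leaf first) against the trust anchors.

    Returns a list of problems; [] means the path is usable. Name matching only,
    no signature check.
    """
    if not certs:
        return ["no certificates in chain"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i]["issuer"] != certs[i + 1]["owner"]:
            problems.append(f"cert {i + 1} issuer != cert {i + 2} owner")
        if not certs[i + 1]["ca"]:
            problems.append(f"cert {i + 2} lacks BasicConstraints CA:true")
    top = certs[-1]
    # Either the chain includes the anchor itself, or the truststore supplies it.
    if top["sha1"] not in anchors and top["issuer"] not in anchors.values():
        problems.append(f"chain top {top['owner']!r} is not anchored in the truststore")
    return problems


def check_server_chain(keystore_text, truststore_text, key_alias):
    """Validate the chain behind the <ssl key-alias=...> entry of the keystore."""
    entry = {e["alias"]: e for e in parse_keytool(keystore_text)}.get(key_alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        return [f"no PrivateKeyEntry with alias {key_alias!r} in keystore"]
    return verify_path(entry["certs"], trust_anchors(parse_keytool(truststore_text)))


def check_client_cert(printcert_text, truststore_text):
    """Validate a user certificate (from keytool -printcert) against the truststore."""
    certs = parse_keytool(printcert_text)[0]["certs"]
    return verify_path(certs, trust_anchors(parse_keytool(truststore_text)))


if __name__ == "__main__":
    print("server chain:", check_server_chain(KEYSTORE_DUMP, TRUSTSTORE_DUMP, "localhost") or "OK")
    print("client cert :", check_client_cert(CLIENT_CERT_DUMP, TRUSTSTORE_DUMP) or "OK")
    print("wrong alias :", check_server_chain(KEYSTORE_DUMP, TRUSTSTORE_DUMP, "server"))
```

To use it against real stores, replace the constants with the output of `keytool -list -v -keystore keystore.jks` and `keytool -list -v -keystore truststore.jks`, and feed each user's `keytool -printcert -file user.crt` output to `check_client_cert` before handing the certificate out. This only covers the key material: the text "No client certificate chain in this request" is what the CLIENT-CERT authenticator in JBoss Web (Tomcat) sends with a 401 when a request reaches a CLIENT-CERT-protected resource without the `javax.servlet.request.X509Certificate` attribute, so the request must also arrive on the https connector with `verify-client` set, not on the plain http connector.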
