[Security & JAAS/JBoss] - How to limit the choice of client certificates in the browser
by segolas
Hello, I couldn't find a solution for my problem anywhere, so here it is:
I've made a self-signed CA that I use to sign client and server certificates. All of them have the same "Organization=" part in the DN.
Now the problem is, if a client browser has more than 1 certificate (1 issued by me and others by some 3rd party), it either chooses the wrong one automatically, or, if you choose to select it manually, it presents all of the certificates in the store.
So, is there a way to limit this choice of client certificates, so that only those issued by the same CA as the server certificate, or with the same O= in the DN, are given to choose from?
I've heard this can be done on Apache servers, and I definitely know some applications that utilize this, presenting only the certificates that are relevant.
Any help would be greatly appreciated.
Cheers
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4234067#4234067
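An added illustration in Go, not from the post or from JBoss, of the mechanism a browser relies on to narrow the chooser: the server's TLS CertificateRequest carries the subject names of the CAs it trusts for client authentication, and the browser offers only certificates that chain to one of those names (the O= field plays no part). The program builds a private CA, a server cert issued by it, and a client "wallet" holding one cert from that CA plus one from elsewhere, then runs a loopback handshake; the CA and certificate names and the mkCert helper are constructed for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// mkCert is a hypothetical helper: a cert for cn signed by parent, or self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{"localhost"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Handshake: the server advertises only ourCA in its CertificateRequest; the client (a stand-in browser) offers only a cert chained to it.
func Handshake() (chosenCN string, advertisedCAs int, err error) {
	ourCA, ourKey := mkCert("Our CA", true, nil, nil)
	srv, srvKey := mkCert("localhost", false, ourCA, ourKey)
	ours, oursKey := mkCert("alice-ours", false, ourCA, ourKey)
	foreign, foreignKey := mkCert("alice-thirdparty", true, nil, nil) // not issued by our CA
	pool := x509.NewCertPool()
	pool.AddCert(ourCA)
	wallet := []tls.Certificate{{Certificate: [][]byte{foreign.Raw}, PrivateKey: foreignKey, Leaf: foreign}, // the browser's store, 3rd-party cert first
		{Certificate: [][]byte{ours.Raw}, PrivateKey: oursKey, Leaf: ours}}
	serverCfg := &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}} // ClientCAs subjects are sent as certificate_authorities
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for i := range wallet { // SupportsCertificate checks the chain's issuer against cri.AcceptableCAs
				if cri.SupportsCertificate(&wallet[i]) == nil {
					chosenCN, advertisedCAs = wallet[i].Leaf.Subject.CommonName, len(cri.AcceptableCAs)
					return &wallet[i], nil
				}
			}
			return &tls.Certificate{}, nil // nothing suitable: send an empty Certificate message
		}}
	c1, c2 := net.Pipe() // tickets are disabled above so the server writes nothing on this unbuffered pipe after the handshake
	go tls.Server(c1, serverCfg).Handshake()
	err = tls.Client(c2, clientCfg).Handshake()
	return
}
```

The practical consequence is that the truststore the server uses for client authentication should hold only your own CA: every CA it contains is advertised, so a truststore that still carries the JVM's default public CA bundle makes the browser offer every certificate it has.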
[Installation, Configuration & DEPLOYMENT] - ssl connection to ejb in cluster env
by smolin
Hello there,
Could anybody help or point me in the right direction? I tried the JBoss users forum, but got no answer.
Conf:
JBoss 5.1.0CR1, JDK 1.6, XP (development env)
cluster (configuration: all)
I am trying to use an SSL connection to reach an EJB component.
1. added ssl-service.xml to the META-INF of the ejb jar
|
| <?xml version="1.0" encoding="UTF-8"?>
|
| <server>
| <!-- The server socket factory mbean to be used as attribute to socket invoker -->
| <!-- which uses the JaasSecurityDomain -->
| <mbean code="org.jboss.remoting.security.domain.DomainServerSocketFactoryService"
| name="jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced"
| display-name="SecurityDomain Server Socket Factory">
| <attribute name="SecurityDomain">java:/jaas/SSLAdvanced</attribute>
| <depends>jboss.security:service=JaasSecurityDomain,domain=SSLAdvanced</depends>
| </mbean>
|
| <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
| name="jboss.security:service=JaasSecurityDomain,domain=SSLAdvanced">
| <!-- This must correlate with the java:/jaas/SSLAdvanced above -->
| <constructor>
| <arg type="java.lang.String" value="SSLAdvanced"/>
| </constructor>
| <!-- The location of the keystore
| resource: loads from the classloaders conf/ is the first classloader -->
| <attribute name="KeyStoreURL">traffic.keystore</attribute>
| <attribute name="KeyStorePass">trafficssl</attribute>
| </mbean>
|
| <!-- The Connector is the core component of the remoting server service. -->
| <!-- It binds the remoting invoker (transport protocol, callback configuration, -->
| <!-- data marshalling, etc.) with the invocation handlers. -->
| <mbean code="org.jboss.remoting.transport.Connector"
| name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3"
| display-name="Socket transport Connector">
|
| <attribute name="Configuration">
| <config>
| <invoker transport="sslsocket">
| <attribute name="dataType" isParam="true">invocation</attribute>
| <attribute name="marshaller" isParam="true">org.jboss.invocation.unified.marshall.InvocationMarshaller</attribute>
| <attribute name="unmarshaller" isParam="true">org.jboss.invocation.unified.marshall.InvocationUnMarshaller</attribute>
| <!-- The following is for setting the server socket factory. If want ssl support -->
| <!-- use a server socket factory that supports ssl. The only requirement is that -->
| <!-- the server socket factory value must be an ObjectName, meaning the -->
| <!-- server socket factory implementation must be a MBean and also -->
| <!-- MUST implement the org.jboss.remoting.security.ServerSocketFactoryMBean interface. -->
| <attribute name="serverSocketFactory">jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced</attribute>
| <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
| <attribute name="serverBindPort">3843</attribute>
| </invoker>
| <handlers>
| <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
| </handlers>
| </config>
| </attribute>
| <depends>jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced</depends>
|
| </mbean>
|
| </server>
|
2. generated all keystore/certificate etc.
3. added annotation to ejb (many different trials):
| @RemoteBinding(jndiBinding="someEjb/remote", clientBindUrl = "sslsocket://${jboss.bind.address}:3843")
| then
| @RemoteBinding(jndiBinding="someEjb/remote", clientBindUrl = "sslsocket://0.0.0.0:3843")
|
If I put the real target IP of the EJB container then it works fine, but only with one machine from the cluster (obviously, you can't put two IP addresses in clientBindUrl); whenever I try to use the 0.0.0.0 mask or ${jboss.bind.address} it doesn't work.
I couldn't find any working solution; of course, many examples that use the 0.0.0.0 mask work fine (but only for local communication: client and server on the same machine). I could not find any working solution for SSL in a cluster setup.
Any help would be really appreciated!
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4234065#4234065