...
This is a PKCS#10 certification request. Copy this text and paste it into a flat text file so it can be sent to a CA.
csr.txt:

```text
-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwajESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbz
EPMA0GA1UEChMGQXBhY2hlMRAwDgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0
ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzm
EjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0dRskM8oNg+3kZeKuOplwq5KGEUnp+xbf
q7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2RfbTc2AplcldCPofUVuMUbDLPsmE1
YQQr+OcHtcNspZL5tdAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAZFuPz0gzKqMZNA0bYLm0
aPFLbR9a19NA0EbgJL2SYzoKnuKyplG2JzMVQ6myaez0J8t+iWtuthz70kBihRzU2vqOWp
B4oqh+zbPwn4f87l4l8PjJh3SkiDIYdMcL5U1rxwFNAaIEpfjft/uJLY/Bv7DZQG7UPsGz
+SPdn+DbdBo=
-----END CERTIFICATE REQUEST-----
```
...
For this example we used a custom, home-made CA so we could sign our own certificates for this test without altering the standard procedure. Assuming that you sent your CSR to a CA, the CA should respond with another, similar file containing the CA-signed certificate.
csr_ca_reply.txt:

```text
-----BEGIN CERTIFICATE-----
(base64 certificate body not reproduced in this copy of the page)
-----END CERTIFICATE-----
```
...
To enable client authentication you will need to import the certificate of the CA that signed your CSR as a trusted certificate; this has to be done only once. The CA should provide, along with the signed CSR, a separate certificate for the CA itself. For this example we are using our own CA, so we generated the following CA certificate.
My_Own_CA_Certificate.txt:

```text
-----BEGIN CERTIFICATE-----
(base64 certificate body not reproduced in this copy of the page)
-----END CERTIFICATE-----
```
...
The properties files should be based on the client certificate intended to be used for client authentication. For example, a Certificate Properties File Realm named CertificatePropsRealm, with user and group properties files based on the My_Private_key created in the Create keystore and certificate section, looks as follows:

user_sample.properties:

```properties
client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
```
- The password of client1 is based on the certificate information of My_Private_key.
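The DN value stored for client1 has to match, as a string, the subject the realm extracts from the presented client certificate, and the RDN order of that string depends on the encoding order of the certificate and on how the realm renders it. As an added example that is not part of this page or of Geronimo, the following Python decodes the subject from the csr.txt above using only the standard library, renders it both in encoded order and in RFC 2253 order, and checks which entry of user_sample.properties (copied from the page) matches.

```python
import base64
# csr.txt from this page: the PKCS#10 request generated for My_Private_key.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBqDCCARECAQAwajESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbz
EPMA0GA1UEChMGQXBhY2hlMRAwDgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0
ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzm
EjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0dRskM8oNg+3kZeKuOplwq5KGEUnp+xbf
q7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2RfbTc2AplcldCPofUVuMUbDLPsmE1
YQQr+OcHtcNspZL5tdAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAZFuPz0gzKqMZNA0bYLm0
aPFLbR9a19NA0EbgJL2SYzoKnuKyplG2JzMVQ6myaez0J8t+iWtuthz70kBihRzU2vqOWp
B4oqh+zbPwn4f87l4l8PjJh3SkiDIYdMcL5U1rxwFNAaIEpfjft/uJLY/Bv7DZQG7UPsGz
+SPdn+DbdBo=
-----END CERTIFICATE REQUEST-----"""

# DER-encoded id-at OIDs (2.5.4.n) of the attribute types that appear in this subject.
ATTR_TYPES = {bytes([0x55, 0x04, n]): t for n, t in ((3, "CN"), (11, "OU"), (10, "O"), (7, "L"), (8, "ST"), (6, "C"))}

def der_children(value):
    """Split the body of a DER SEQUENCE or SET into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: the low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def csr_subject_rdns(pem):
    """Subject RDNs of a PEM PKCS#10 request as (type, value) pairs, in encoded order."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    cri = der_children(der_children(der)[0][1])[0][1]  # certificationRequestInfo
    subject = der_children(cri)[1][1]                  # Name, right after the version INTEGER
    return [(ATTR_TYPES.get(oid, oid.hex()), val.decode("utf-8"))
            for _, rdn in der_children(subject)        # RDN ::= SET OF AttributeTypeAndValue
            for _, ava in der_children(rdn) for (_, oid), (_, val) in [der_children(ava)]]

def dn_string(rdns, rfc2253=False):
    """'type=value,...' in encoded order, or last-encoded-first as RFC 2253 and Java's X500Principal.getName() render it."""
    return ",".join(f"{t}={v}" for t, v in (reversed(rdns) if rfc2253 else rdns))

# The client1 entry of user_sample.properties from this page (principal -> DN value).
USER_PROPERTIES = {"client1": "CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC"}

def matching_users(rdns, users):
    """Principals whose DN value equals the CSR subject in either string order."""
    forms = {dn_string(rdns), dn_string(rdns, rfc2253=True)}
    return sorted(u for u, dn in users.items() if dn in forms)
```

For this CSR the encoded order is CN first, so the client1 entry matches the encoded-order rendering; a certificate whose DER puts C first would only match the RFC 2253 rendering, which is why the form the realm compares against should be checked before the properties file is written.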
group_sample.properties:

```properties
admin=client1,client2
```
The deployment plan of the Certificate Properties File Realm (CertificatePropsRealm) is as follows:

Excerpt from the deployment plan of CertificatePropsRealm:

```xml
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>console.realm</groupId>
      <artifactId>cert-prop-file-realm</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.framework</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
    </dependencies>
  </environment>
  <gbean name="cert-prop-file-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
         xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <attribute name="realmName">CertificatePropsRealm</attribute>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
        <log:login-module control-flag="REQUIRED" wrap-principals="false">
          <log:login-domain-name>CertificatePropsRealm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/user_sample.properties</log:option>
          <log:option name="groupsURI">var/security/group_sample.properties</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</module>
```
...
Configure the deployment descriptor and deployment plan of your web application to use the Certificate Properties File Realm for client authentication. The deployment descriptor is configured as follows:
Excerpt from web.xml:

```xml
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Not Required for CLIENT-CERT</realm-name>
</login-config>
```
...
Web applications that use the CertificatePropsRealm security realm, for example, must configure their deployment plans as follows:

Excerpt from geronimo-web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
         xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <sys:environment>
    <sys:moduleId>
      <sys:groupId>org.apache.geronimo</sys:groupId>
      <sys:artifactId>sampleapplication</sys:artifactId>
      <sys:version>1.0</sys:version>
      <sys:type>car</sys:type>
    </sys:moduleId>
    <sys:dependencies>
      <sys:dependency>
        <sys:groupId>console.realm</sys:groupId>
        <sys:artifactId>cert-prop-file-realm</sys:artifactId>
        <sys:version>1.0</sys:version>
        <sys:type>car</sys:type>
      </sys:dependency>
    </sys:dependencies>
  </sys:environment>
  <context-root>/cert-realm-sample</context-root>
  <security-realm-name>CertificatePropsRealm</security-realm-name>
  <security>
    <default-principal realm-name="CertificatePropsRealm">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
      <!-- name must match an entry in the realm's users properties file (user_sample.properties) -->
    </default-principal>
    <role-mappings>
      <role role-name="content-administrator">
        <realm realm-name="CertificatePropsRealm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
          <!-- name must match an entry in the realm's groups properties file (group_sample.properties) -->
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client2"/>
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>
```
...