...

This realm type allows you to configure Web applications to authenticate users against it. Before you can do that, you must first configure SSL keys and a keystore, and then configure Geronimo to use a custom SSL port listener that requires client certificates. The following sections describe step by step how to configure each of these modules.

Create keystore and certificate

...

This is a PKCS#10 certification request. Copy this text and paste it into a plain text file so it can be sent to a CA.

...

...

You can now click Back to return to the private key details portlet.

For this example we used a custom, home-made CA so we could sign our own certificates for this test without altering the standard procedure. Assuming that you sent your CSR to a CA, the CA should respond with another similar file containing the CA-signed certificate.

...

...

From the private key details portlet click on Import CA reply. Remove any pre-filled text in the certificate reply window, paste the text from the CA reply file and click on Save.

...

In order to enable client authentication you will need to import the CA that signed your CSR as a trusted certificate; this only has to be done once. The CA should provide, along with the signed CSR, a separate certificate for the CA itself. For this example we are using our own CA, so we generated the following CA certificate.

...

...

While in the Keystore Configuration portlet click on the keystore file you created and then click on Add Trust Certificate. Delete any pre-filled content from the Trusted Certificate window, paste the content of the CA certificate and give the certificate an alias.

...

Click on Review Certificate and then click on Import Certificate. You should now see the trusted certificate you just imported.

To use a client certificate to authenticate against the web server, you should first install the CA certificate and the client certificate into your web browser. Installing the CA certificate designates this CA as trusted and thus grants access to any web sites certified by this CA. If it is not installed, accessing web sites certified by this CA leads to a warning message such as "Web Site Certified by an Unknown Authority".

Most browsers provide such installation function. When using Mozilla Firefox, certificates can be installed with the Import option in the Certificate Manager.

Add an HTTPS listener with client authentication

...

Once you save this HTTPS network listener configuration it starts automatically, as you can see in the displayed status. If you try to access this port with your browser it should fail, because at this point you have not configured your client with a valid certificate.

Adding a Certificate Properties File Realm

After you have configured the HTTPS listener with client authentication, you can add a Certificate Properties File Realm to authenticate web applications.

To create a new security realm, click Add new security realm in the Security Realms portlet. Enter the name of the security realm and select Certificate Properties File Realm from the Realm type: dropdown menu. Click Next and follow the instructions.

Create the properties file security realm with the steps described in **. The properties files should be based on the client certificate intended to be used for client authentication. For example, a Certificate Properties File Realm named CertificatePropsRealm, with user and group properties files based on the My_Private_key created above in the #Create keystore and certificate section, is as follows:

...

...

  • The password of client1 is based on the information of My_Private_key.
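To make the relationship between the client certificate and the user and group properties files concrete, the following added example (not Geronimo's own login-module code) models what a certificate-backed properties-file realm does at login time: it parses the two Java `.properties` files, derives an identity key from the presented certificate, finds the user whose entry matches it, and collects that user's groups. The entry format `user=<serial>,<issuer DN>`, the `client1`/`client2` entries and the peer certificates are constructed assumptions for illustration; the certificate dicts use the shape Python's `ssl.SSLSocket.getpeercert()` returns after a mutual-TLS handshake. The two negative cases show why both parts of the key matter: a certificate with the same serial number from an untrusted CA, and an unknown serial number from the trusted CA, must both be refused.

```python
"""Model of how a certificate-backed properties-file realm resolves a
presented client certificate to a user name and that user's groups.
Added example; not Geronimo's own login-module code.

Assumptions (labelled here, not taken from the page):
  * users.properties maps  user  -> "<serial-number-hex>,<issuer DN>"
  * groups.properties maps group -> comma-separated user names
  * the presented certificate is in the dict shape that Python's
    ssl.SSLSocket.getpeercert() returns after a mutual-TLS handshake
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample files in Java .properties syntax.
USERS_PROPERTIES = """\
# user = serialNumber,issuerDN   (assumed format)
client1=4a3f2b1c,CN=Test CA,OU=Geronimo,O=Apache,C=US
client2=5b4e3d2a,CN=Test CA,OU=Geronimo,O=Apache,C=US
"""
GROUPS_PROPERTIES = """\
# group = user1,user2,...
admin=client1
users=client1,client2
"""

# Constructed peer certificates; issuer RDNs are in encoding order (C first),
# as getpeercert() reports them.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "client1"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Apache"),),
               (("organizationalUnitName", "Geronimo"),), (("commonName", "Test CA"),)),
    "serialNumber": "4A3F2B1C",
}
# Same serial number but signed by a different CA: must not map to client1.
OTHER_CA_PEERCERT = dict(SAMPLE_PEERCERT, issuer=((("commonName", "Rogue CA"),),))
# Unknown serial number from the trusted CA: must not map to anyone.
UNKNOWN_PEERCERT = dict(SAMPLE_PEERCERT, serialNumber="00FF")

_SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O",
          "localityName": "L", "stateOrProvinceName": "ST", "countryName": "C"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value,
    backslash line continuations, escaped '=' / ':' inside keys."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        for i, ch in enumerate(line):    # first unescaped separator splits key/value
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i], line[i + 1:]
                break
        else:
            key, value = line, ""
        props[key.strip().replace("\\=", "=").replace("\\:", ":")] = value.strip()
    return props


def issuer_dn(peercert: dict) -> str:
    """Render the issuer as 'CN=...,OU=...,O=...,C=...' (most specific RDN first)."""
    parts = [f"{_SHORT.get(attr, attr)}={value}"
             for rdn in reversed(peercert["issuer"]) for attr, value in rdn]
    return ",".join(parts)


def _norm_serial(serial: str) -> str:
    return serial.lower().lstrip("0") or "0"


def certificate_key(peercert: dict) -> str:
    """Identity key of a presented certificate: '<serial>,<issuer DN>'."""
    return f"{_norm_serial(peercert['serialNumber'])},{issuer_dn(peercert)}"


def authenticate(peercert: dict, users: Dict[str, str],
                 groups: Dict[str, str]) -> Optional[Tuple[str, List[str]]]:
    """Return (user, sorted groups) for a matching certificate, else None."""
    wanted = certificate_key(peercert)
    for user, entry in users.items():
        serial, _, issuer = entry.partition(",")
        if f"{_norm_serial(serial)},{issuer.strip()}" == wanted:
            member_of = sorted(g for g, members in groups.items()
                               if user in [m.strip() for m in members.split(",")])
            return user, member_of
    return None                           # unknown serial or untrusted issuer


def login(peercert: dict) -> Optional[Tuple[str, List[str]]]:
    """Convenience wrapper over the constructed sample files."""
    return authenticate(peercert, parse_properties(USERS_PROPERTIES),
                        parse_properties(GROUPS_PROPERTIES))


if __name__ == "__main__":
    for name, cert in (("client1", SAMPLE_PEERCERT), ("rogue CA", OTHER_CA_PEERCERT),
                       ("unknown serial", UNKNOWN_PEERCERT)):
        print(f"{name:>14}: {login(cert)}")
```

The realm never sees a password here: the TLS layer has already proved possession of the private key matching the certificate, so the properties file only has to map the certificate's identity to a user name and groups, and the trusted-CA import from the keystore steps above is what makes the issuer part of that mapping meaningful.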

...

The deployment plan of the CertificatePropsRealm Certificate Properties File Realm is as follows:

...

where

  • <moduleId> .. </moduleId>: defines the module ID of the security realm. Applications that use this security realm for authentication should include this module ID as a dependency in their deployment plan.
  • <attribute name="realmName">CertificatePropsRealm</attribute>: CertificatePropsRealm is the name of the security realm.

Configure the deployment descriptor and deployment plan of your web application to use the Certificate Properties File Realm you created for client authentication. For example, applications that use the CertificatePropsRealm security realm must configure their deployment descriptor as follows:

...

where

  • <auth-method>CLIENT-CERT</auth-method>: sets the auth-method to CLIENT-CERT, so the certificate properties file realm uses the client certificate for authentication. CLIENT-CERT is often used for SSL mutual authentication. In Geronimo, this configuration means that a Certificate Properties File Realm is used for authentication with a client authentication certificate.

Web applications that use the CertificatePropsRealm security realm must configure their deployment plans as follows:

...

...

where

  • <security-realm-name>CertificatePropsRealm</security-realm-name>: CertificatePropsRealm is the Certificate Properties File Realm used for client authentication.
  • <sys:dependency> .. </sys:dependency>: the elements in this tag identify the module ID of the Certificate Properties File Realm used for authentication.
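The three artefacts described above have to agree with each other: the realm's deployment plan defines the module ID and realmName, the web application's deployment descriptor must ask for CLIENT-CERT, and the web application's deployment plan must both name that realm and declare the realm module as a dependency. The following added example (not part of the Geronimo documentation or code base) is a small consistency check over constructed versions of those three files. The XML, the `console.realm` group ID and the namespace URIs are assumptions for illustration; the checks match element names with ElementTree's `{*}` namespace wildcard so they do not depend on a particular schema version.

```python
"""Cross-check of the realm deployment plan, the web application's deployment
descriptor and the web application's deployment plan. Added example, not part
of the Geronimo documentation. All XML below is constructed; namespace URIs
are assumed, and matching uses the {*} wildcard (Python 3.8+) so the checks
do not depend on them.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed realm deployment plan: declares the module ID and realmName.
REALM_PLAN = """<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>console.realm</groupId>
      <artifactId>CertificatePropsRealm</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
  </environment>
  <gbean name="CertificatePropsRealm"
         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">CertificatePropsRealm</attribute>
  </gbean>
</module>
"""

# Constructed deployment descriptor (web.xml) asking for CLIENT-CERT.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""

# Dependency on the realm module; omitted in the "bad" plan below.
DEPENDENCY = """
    <sys:dependencies>
      <sys:dependency>
        <sys:groupId>console.realm</sys:groupId>
        <sys:artifactId>CertificatePropsRealm</sys:artifactId>
        <sys:version>1.0</sys:version>
        <sys:type>car</sys:type>
      </sys:dependency>
    </sys:dependencies>"""


def geronimo_web_xml(with_dependency: bool = True) -> str:
    """Constructed web application deployment plan (geronimo-web.xml)."""
    return f"""<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <sys:environment>{DEPENDENCY if with_dependency else ""}
  </sys:environment>
  <context-root>/certdemo</context-root>
  <security-realm-name>CertificatePropsRealm</security-realm-name>
</web-app>
"""


def _text(elem: Optional[ET.Element]) -> Optional[str]:
    return (elem.text or "").strip() if elem is not None else None


def artifact(elem: ET.Element) -> str:
    """Render a moduleId or dependency element as groupId/artifactId/version/type."""
    return "/".join(_text(elem.find(f"{{*}}{n}")) or ""
                    for n in ("groupId", "artifactId", "version", "type"))


def check_client_cert_config(realm_plan: str, web_xml: str, app_plan: str) -> List[str]:
    """Return a list of problems; an empty list means the three files agree."""
    problems: List[str] = []
    realm, web, app = (ET.fromstring(s) for s in (realm_plan, web_xml, app_plan))

    realm_name = next((_text(a) for a in realm.findall(".//{*}attribute")
                       if a.get("name") == "realmName"), None)
    module_id = next((artifact(m) for m in realm.findall(".//{*}moduleId")), None)

    auth_method = _text(web.find(".//{*}login-config/{*}auth-method"))
    if auth_method != "CLIENT-CERT":
        problems.append(f"deployment descriptor: auth-method is {auth_method!r}, expected CLIENT-CERT")

    realm_ref = _text(app.find(".//{*}security-realm-name"))
    if realm_ref != realm_name:
        problems.append(f"deployment plan: security-realm-name {realm_ref!r} "
                        f"does not match realmName {realm_name!r}")

    deps = [artifact(d) for d in app.findall(".//{*}dependency")]
    if module_id not in deps:
        problems.append(f"deployment plan: no sys:dependency on realm module {module_id!r}")
    return problems


if __name__ == "__main__":
    print("good:", check_client_cert_config(REALM_PLAN, WEB_XML, geronimo_web_xml()))
    print("bad: ", check_client_cert_config(REALM_PLAN, WEB_XML.replace("CLIENT-CERT", "BASIC"),
                                            geronimo_web_xml(with_dependency=False)))
```

Running the check with the broken variants reports both problems: a descriptor that asks for BASIC instead of CLIENT-CERT would make the server prompt for a password the certificate realm cannot verify, and a plan that names the realm without depending on its module can be deployed before the realm is started.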

You can install a client certificate into the web browser to authenticate against Web servers. The client certificate must match the information recorded in the user and group properties files.

Properties file: two examples, and the relationship between its fields and the fields in the key.

Create security realm, deployment descriptor, deployment plan, web servers. For the sample application described above, which uses the CertificatePropsRealm security realm, install the My_Private_key certificate into your web browser to verify your identity, in this case client1, during authentication. The installation process is described in the Install certificate on client section below.