...

This is a PKCS#10 certification request. Copy the whole block, including the BEGIN and END lines, into a plain text file (csr.txt) so it can be sent to a CA for signing.

csr.txt:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

...

For this example we used a custom, home-made CA so we could sign our own certificates for this test without altering the standard procedure. Assuming that you sent your CSR to a CA, the CA should respond with a similar file containing the CA-signed certificate.

csr_ca_reply.txt:
-----BEGIN CERTIFICATE-----
MIICQjCCAa2gAwIBAgIBAjALBgkqhkiG9w0BAQQwaDEWMBQGA1UEAxMNR2Vyb25pbW8ncyBDQTER
MA8GA1UECxMIR2Vyb25pbW8xDzANBgNVBAoTBkFwYWNoZTENMAsGA1UEBxMEQ2l0eTEOMAwGA1UE
CBMFU3RhdGUxCzAJBgNVBAYTAlVTMB4XDTA4MDIyMDA2MDAwMFoXDTA5MDIyMTA2MDAwMFowajES
MBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbzEPMA0GA1UEChMGQXBhY2hlMRAw
DgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzmEjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0
dRskM8oNg+3kZeKuOplwq5KGEUnp+xbfq7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2Rfb
Tc2AplcldCPofUVuMUbDLPsmE1YQQr+OcHtcNspZL5tdAgMBAAEwCwYJKoZIhvcNAQEEA4GBAB9s
1QuMD+dNe6H6XcizZSxNPOh1EocjGp05Z4VOpgFnB4gVRqJqyxiuNqCBPvEo30IuHNJZOm6jFhGs
YWKGlzL1zw0yXWAVRnI7Cs8C7Ibeoo+I4yBA93w3XyGiBlSb03yHOiCN06bf7BhCN6Z45NMhBGbP
pCpnP+uM9VI2gn9H
-----END CERTIFICATE-----

...

To enable client authentication you also need to import the certificate of the CA that signed your CSR as a trusted certificate; this only has to be done once per CA. Along with the signed certificate, the CA should provide a separate certificate for the CA itself. For this example we are using our own CA, so we generated the following CA certificate.

My_Own_CA_Certificate.txt:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

...

The properties files are based on the client certificate that will be used for client authentication. For example, a Certificate Properties File Realm named CertificatePropsRealm, with user and group properties files based on the My_Private_key entry created in the #Create keystore and certificate section, looks as follows:

user_sample.properties:
client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
  • Each entry maps a user name to the subject DN of that user's client certificate; the client1 entry is the DN of the certificate created for My_Private_key, so it must match that certificate exactly.
group_sample.properties:
admin=client1,client2
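
The entries above only work if the DN string is an exact match for what is in the client certificate, and a DN retyped by hand is the usual reason a CLIENT-CERT login fails. The following script is an added example, not code from the page or from Geronimo: it embeds the CA reply shown above (csr_ca_reply.txt) as constructed input, walks the DER structure with a small purpose-written parser, and prints the subject DN in the order the certificate encodes it (the order the page's entries use) and also in reversed RFC 2253 order, which is what a Java X500Principal.getName() produces because that rendering lists the RDNs last-encoded-first. Which of the two the login module compares against depends on how it stringifies the certificate's subject, so check the realm's entry against the rendering that matches rather than against a DN typed from memory. The same parser also checks that the issuer Name of the client certificate is byte-for-byte the subject Name of the CA certificate you are about to import, and flags the fact that this sample certificate has a 2008-2009 validity period. Function and variable names (parse_certificate, dn_string, properties_entry, issued_by, in_validity_period) are this example's own.

```python
import base64
from datetime import datetime, timezone

# Constructed input: the CA-signed client certificate from the page's csr_ca_reply.txt,
# embedded here so the check runs offline.
CA_REPLY_PEM = """-----BEGIN CERTIFICATE-----
MIICQjCCAa2gAwIBAgIBAjALBgkqhkiG9w0BAQQwaDEWMBQGA1UEAxMNR2Vyb25pbW8ncyBDQTER
MA8GA1UECxMIR2Vyb25pbW8xDzANBgNVBAoTBkFwYWNoZTENMAsGA1UEBxMEQ2l0eTEOMAwGA1UE
CBMFU3RhdGUxCzAJBgNVBAYTAlVTMB4XDTA4MDIyMDA2MDAwMFoXDTA5MDIyMTA2MDAwMFowajES
MBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQLEwhHZXJvbmltbzEPMA0GA1UEChMGQXBhY2hlMRAw
DgYDVQQHDAdNeV9DaXR5MREwDwYDVQQIDAhNeV9TdGF0ZTELMAkGA1UEBhMCQ0MwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAMfqprJ/aMbVzmEjDimnMQuVN/CaO7Yb89KP6ed3VQf+/Ea2i+p0
dRskM8oNg+3kZeKuOplwq5KGEUnp+xbfq7M6tLGrWqQ8qL3EZUFE2nizH5VzV093vKu5jgnR2Rfb
Tc2AplcldCPofUVuMUbDLPsmE1YQQr+OcHtcNspZL5tdAgMBAAEwCwYJKoZIhvcNAQEEA4GBAB9s
1QuMD+dNe6H6XcizZSxNPOh1EocjGp05Z4VOpgFnB4gVRqJqyxiuNqCBPvEo30IuHNJZOm6jFhGs
YWKGlzL1zw0yXWAVRnI7Cs8C7Ibeoo+I4yBA93w3XyGiBlSb03yHOiCN06bf7BhCN6Z45NMhBGbP
pCpnP+uM9VI2gn9H
-----END CERTIFICATE-----"""

# Attribute types used in the page's DNs; any other OID is rendered in dotted form.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}

def pem_to_der(pem):
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Decode one DER element header; return (tag, value_start, value_end). Low tag numbers only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Iterate the elements packed inside a constructed DER element."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def parse_name(buf, start, end):
    """X.501 Name -> [(type, value), ...] in the order the certificate encodes it."""
    rdns = []
    for _, s0, s1 in children(buf, start, end):        # RelativeDistinguishedName (SET)
        for _, a0, a1 in children(buf, s0, s1):        # AttributeTypeAndValue (SEQUENCE)
            (_, o0, o1), (_, v0, v1) = list(children(buf, a0, a1))
            oid = decode_oid(buf[o0:o1])
            rdns.append((OID_NAMES.get(oid, oid), buf[v0:v1].decode("utf-8")))
    return rdns

def parse_certificate(der):
    """Extract serial, issuer, subject and validity from a DER X.509 certificate (no signature check)."""
    _, c0, _ = read_tlv(der, 0)                         # Certificate
    _, t0, t1 = read_tlv(der, c0)                       # TBSCertificate
    fields = list(children(der, t0, t1))
    if fields[0][0] == 0xA0:                            # skip the explicit [0] version, if present
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = [der[vs:ve].decode("ascii") for _, vs, ve in children(der, validity[1], validity[2])]
    return {"serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
            "issuer": parse_name(der, issuer[1], issuer[2]),
            "issuer_der": der[issuer[1]:issuer[2]],     # raw Name bytes, for an exact issuer/subject comparison
            "subject": parse_name(der, subject[1], subject[2]),
            "subject_der": der[subject[1]:subject[2]],
            "not_before": not_before, "not_after": not_after}

def dn_string(rdns, reverse=False):
    """Render a Name as 'CN=...,OU=...'; reverse=True gives RFC 2253 order (last encoded RDN first)."""
    return ",".join(f"{k}={v}" for k, v in (reversed(rdns) if reverse else rdns))

def properties_entry(username, cert):
    """The user_sample.properties line mapping a user name to its certificate's subject DN."""
    return f"{username}={dn_string(cert['subject'])}"

def issued_by(cert, ca_cert):
    """True when cert's issuer Name is byte-for-byte the CA certificate's subject Name."""
    return cert["issuer_der"] == ca_cert["subject_der"]

def utc_time(s):
    """ASN.1 UTCTime 'YYMMDDhhmmssZ' -> aware datetime (GeneralizedTime, used from 2050 on, not handled)."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def in_validity_period(cert, when=None):
    when = when or datetime.now(timezone.utc)
    return utc_time(cert["not_before"]) <= when <= utc_time(cert["not_after"])

if __name__ == "__main__":
    cert = parse_certificate(pem_to_der(CA_REPLY_PEM))
    print(properties_entry("client1", cert))
    print("RFC 2253 order:", dn_string(cert["subject"], reverse=True))
    print("issuer:", dn_string(cert["issuer"]), "| currently valid:", in_validity_period(cert))
```

To check the CA you are importing, load My_Own_CA_Certificate.txt with the same pem_to_der and parse_certificate calls and pass the result to issued_by; comparing the raw Name bytes avoids the ordering and escaping ambiguities that a string comparison of two DN renderings would reintroduce.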

The deployment plan of the Certificate Properties File Realm CertificatePropsRealm is as follows:

Excerpt from the deployment plan of CertificatePropsRealm:
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>cert-prop-file-realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="cert-prop-file-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">CertificatePropsRealm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>CertificatePropsRealm</log:login-domain-name>
                    <!-- the certificate variant of the properties-file login module: it looks the client certificate's subject DN up in usersURI instead of checking a password -->
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.CertificatePropertiesFileLoginModule</log:login-module-class>
                    <log:option name="usersURI">var/security/user_sample.properties</log:option>
                    <log:option name="groupsURI">var/security/group_sample.properties</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>

...

Configure the deployment descriptor and the deployment plan of your web application to use the Certificate Properties File Realm for client authentication. The deployment descriptor (web.xml) is configured as follows:

Excerpt from web.xml:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Not Required for CLIENT-CERT</realm-name>
    </login-config>

...

Web applications that use the CertificatePropsRealm security realm must configure their deployment plans as follows:

Excerpt from geronimo-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1" 
         xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2" 
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" 
         xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <sys:environment>
        <sys:moduleId>
            <sys:groupId>org.apache.geronimo</sys:groupId>
            <sys:artifactId>sampleapplication</sys:artifactId>
            <sys:version>1.0</sys:version>
            <sys:type>car</sys:type>
        </sys:moduleId>
        <sys:dependencies>
            <sys:dependency>
                <sys:groupId>console.realm</sys:groupId>
                <sys:artifactId>cert-prop-file-realm</sys:artifactId>
                <sys:version>1.0</sys:version>
                <sys:type>car</sys:type>
            </sys:dependency>
        </sys:dependencies>
    </sys:environment>
  <context-root>/cert-realm-sample</context-root>
  <security-realm-name>CertificatePropsRealm</security-realm-name>
  <security>
    <default-principal realm-name="CertificatePropsRealm">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
         <!-- name must match an entry in the realm's user_sample.properties -->
    </default-principal>
    <role-mappings>
      <role role-name="content-administrator">
        <realm realm-name="CertificatePropsRealm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
             <!-- name must match an entry in the realm's group_sample.properties -->
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client2"/>
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>

...