Apache Jboss SSL authentication

apachejbossreverse-proxyssl

Resummarising my question:

I have got a Apache web server fronting the Jboss.
below is the ssl part of the Httpd conf

ProxyRequests Off
SSLProxyEngine on

SSLCertificateFile 
/FinMgmt/deploy/https/certs/webserver/fm.insurance.co.uk_a_cert.pem
SSLCertificateKeyFile
/FinMgmt/deploy/https/certs/webserver/fm.insurance.co.uk_a_key.pem

SSLCACertificateFile       
/FinMgmt/deploy/https/certs/fm.insurance.co.uk_CA_cert.pem
SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData
ProxyPass /webapp1 https://fm.insurance.co.uk:8443/webapp1
ProxyPassReverse /webapp1 https://fm.insurance.co.uk:8443/webapp1
ProxyPass /webapp2 https://fm.insurance.co.uk:8443/webapp2
ProxyPassReverse /webapp2 https://fm.insurance.co.uk:8443/webapp2

Below is the ssl part from jboss server.xml:

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore clientAuth=false -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="500" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="glamdev"
    truststoreFile="${jboss.server.home.dir}/conf/server.truststore"

    truststorePass="passwd"/>

As per my understanding, Apache is configured to use 2 way mutual authentication with SSLVerifyClient optional_no_ca meaning that client may or maynot provide the certificate.

Now jboss is configured to one way SSL authentication.
Now what I understand is ,when browser send request apache,apache will respond with the certificate and browser will try to authenticate using its root CA or throw an exception asking user to store it.

And when apache will route request to jboss,here apache will act as client and jboss as SSL server,jboss will send its certificate from keystore which will be verified by the Apache using SSLCACertificateFile directive

And if jboss has to redirect to itself ,it will have to go through the reverse proxy as we have set proxyPassReverse.In that case jboss will act as SSL client and Apache http as SSL server and Apache will will send its certificate which jboss verify using the CA certificate in trustore.
Am I right in interpreting the config files?

Also I dont exactly understand the use of optional_no_ca in SSLVerifyClient.Will apache request the certificate from browser or not or it depends upon the browser ?

Actually I have inherited this application with no documentation whatsover and I am trying hard to make some sense out of it.

Best Answer

I'm assuming that what you're after is to use client-certificate authentication in your JBoss application, to authenticate browsers (not Apache Httpd as a client to JBoss).

If you want to have Apache Httpd as a reverse proxy in front of you JBoss container, you need to configure Apache Httpd to request and handle client-certificate authentication. In particular, you should use its SSLCA* and SSLVerifyClient directives, part of mod_ssl.

Whether you configure SSL/TLS between Apache Httpd and your JBoss worker node is independent. It's often unnecessary if you're on a trusted network at that point. If you do want SSL/TLS there, use Apache Httpd's SSLProxy* directives to configure which CA to trust. This being said, doing so will certainly create more confusion within your application, since there would be an ambiguity as to where the client-certificate information comes from: either a real-client certificate authentication at the JBoss container level, or a relayed certificate, as handled by Apache Httpd.

Indeed, you'll need to pass on the client-certificate information to your container for further information, as described in this answer.

If instead, what you're after is client-certificate authentication between Apache Httpd and JBoss, where you need this connection to be secured with SSL/TLS and to make sure if comes from the reverse proxy (which would present its certificate), you should be able to to this using SSLProxyMachineCertificateFile available in Apache Httpd 2.4. (This configuration is certainly unusual.)

EDIT: (Following changes to the question.)

As per my understanding, Apache is configured to use 2 way mutual authentication with SSLVerifyClient optional_no_ca meaning that client may or maynot provide the certificate.

SSLVerifyClient optional_no_ca means that Apache Httpd will only check that the client has the private key for the certificate it presents: it won't verify that the certificate is trusted (making SSLCACertificateFile useless). If you want presentation of the certificate to be optional, but still verify it against your PKI, use SSLVerifyClient optional (with SSLCACertificateFile).

Now jboss is configured to one way SSL authentication. Now what I understand is ,when browser send request apache,apache will respond with the certificate and browser will try to authenticate using its root CA or throw an exception asking user to store it.

Yes, and the connection between the browser and Apache Httpd has nothing to do with JBoss.

And when apache will route request to jboss,here apache will act as client and jboss as SSL server,jboss will send its certificate from keystore which will be verified by the Apache using SSLCACertificateFile directive

No, it's SSLProxyCACertificateFile (or ...Path)

And if jboss has to redirect to itself ,it will have to go through the reverse proxy as we have set proxyPassReverse.In that case jboss will act as SSL client and Apache http as SSL server and Apache will will send its certificate which jboss verify using the CA certificate in trustore. Am I right in interpreting the config files?

I'm not sure under which circumstances JBoss would "redirect to itself" (or what you mean by this). There's nothing to suggest JBoss has a role as a client here. This is not what ProxyPassReverse is for.

Also I dont exactly understand the use of optional_no_ca in SSLVerifyClient.Will apache request the certificate from browser or not or it depends upon the browser ?

When you set SSLVerifyClient to optional, optional_no_ca or require, the server will request a certificate. With require, it will terminate the connection if the client doesn't send one (that it trusts).

As your configuration stands, there's nothing to suggest that the client-certificate is conveyed to the JBoss container. It's not verified in any way at the Apache Httpd level (anyone with a self-signed client-certificate could connect here). You could in principle use optional_no_ca, let any certificate through and only verify them once they arrive to the Java container, but you'd certainly need some extra custom code to do so in your JBoss application. You would also need to convey the certificate itself somehow (e.g. via mod_header and a custom header or more directly using mod_proxy_ajp. It would also be harder to break the connection to make the client try another certificate if the one it presented initially was incorrect.

Related Solutions

Apache SSL Configuration Error (SSL Connection Error)

I had the same problem as @User39604, and had to follow VARIOUS advices. Since he doesnt remember the precise path he followed, let me list my path:

check if you have SSL YES using <?php echo phpinfo();?>

if necessary

A. enable ssl on apache sudo a2enmod ssl

B. install openssl sudo apt-get install openssl

C. check if port 443 is open sudo netstat -lp

D. if necessary, change /etc/apache2/ports.conf, this works

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

acquire a key and a certificate by

A. paying a Certificating Authority (Comodo, GoDaddy, Verisign) for a pair

B. generating your own* - see below (testing purposes ONLY)

change your configuration (in ubuntu12 /etc/apache2/httpd.conf - default is an empty file) to include a proper <VirtualHost> (replace MYSITE.COM as well as key and cert path/name to point to your certificate and key):

<VirtualHost _default_:443> 
ServerName MYSITE.COM:443
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/MYSITE.COM.key
SSLCertificateFile /etc/apache2/ssl/MYSITE.COM.cert
ServerAdmin MYWEBGUY@localhost
DocumentRoot /var/www
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>


ErrorLog ${APACHE_LOG_DIR}/errorSSL.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/accessSSL.log combined

</VirtualHost>

while many other virtualhost configs wil be available in /etc/apache2/sites-enabled/ and in /etc/apache2/sites-available/ it was /etc/apache2/httpd.conf that was CRUCIAL to solving all problems.

for further info:

http://wiki.vpslink.com/Enable_SSL_on_Apache2

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert

*generating your own certificate (self-signed) will result in a certificate whose authority the user's browser will not recognize. therefore, the browser will scream bloody murder and the user will have to "understand the risks" a dozen times before the browser actually opens up the page. so, it only works for testing purposes. having said that, this is the HOW-TO:

goto the apache folder (in ubuntu12 /etc/apache2/)
create a folder like ssl (or anything that works for you, the name is not a system requirement)
goto chosen directory /etc/apache2/ssl
run sudo openssl req -new -x509 -nodes -out MYSITE.COM.crt -keyout MYSITE.COM.key
use MYSITE.COM.crt and MYSITE.COM.key in your <VirtualHost> tag

name format is NOT under a strict system requirement, must be the same as the file :) - names like 212-MYSITE.COM.crt, june2014-Godaddy-MYSITE.COM.crt should work.

JBoss mutual certificate authentication fails on SSL Handshake

You might want to give a try by adding cipher suite you your ssl connector:

<ssl name="ssl" key-alias="sercer" password="changeit" certificate-key-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/cacerts.jks" cipher-suite="AES+RSA"/>

Best Answer

Related Solutions

Apache SSL Configuration Error (SSL Connection Error)

JBoss mutual certificate authentication fails on SSL Handshake

Related Topic