Securing Jakarta Enterprise Beans with mutual TLS authentication
source link: https://wildfly-security.github.io/wildfly-elytron/blog/ejb-over-tls/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
An Overview of Mutual TLS authentication
In a standard TLS handshake, the server presents its certificate to the client, which then inspects the contents and signature. If the certificate matches one that the client trusts, or is signed by an entity that it trusts, the server’s identity is verified and a key exchange is performed to secure the session. In mutual TLS authentication, the client also presents its own certificate, which the server will then use to verify the identity of the client.
Using the Elytron subsystem, a WildFly server can form a mutual TLS connection with a remote client. To do so, the client will generate a certificate, which the server will import into its truststore. The client will be configured to present the certificate when performing the TLS handshake, which the server will verify using its truststore.
Generating the Client Certificate
In order for the client to use a certificate, it must be signed by a server-trusted entity. For the purposes of this demonstration, we will self-sign a certificate and then import it into the server’s truststore. However, such certificates are generally treated as insecure since the identity cannot be externally verified. To use a certificate signed by a trusted Certificate Authority, take a look at this blog post.
We will begin by generating a 2048-bit key pair, and saving it to a local file with the alias client. Using the
Java keytool, we store it in a PKCS #12 keystore:
Note that we have also set the common name on the key to client (using the option -dname "CN=client"). Once the key
pair is created, we export the certificate to a file:
Generating the Server Certificate
We will now perform a similar configuration for the WildFly server. Start the server, and then in another terminal connect to it using the management CLI:
(Note: In this post, replace WILDFLY_HOME with the actual path to your WildFly installation.)
We will use the Elytron subsystem to create a keystore to hold the server’s key pair. The keystore will be
saved in the server configuration directory, relative to jboss.server.config.dir:
Then, we generate a key pair with alias localhost, and save it to the keystore. Like with the client,
we also specify the server’s common name (distinguished-name="CN=localhost").
The self-signed certificate is exported to a file in the configuration directory:
Finally, we create a key manager, which will be used to access the keystore during the TLS handshake:
Importing the Certificates
Since we are already connected to the server, we will import the client certificate first. We configure a new truststore for holding certificates:
We import the client certificate, specifying it with its alias, and then save it to the truststore file. Since this is a self-signed certificate, we will not validate its authenticity.
We also configure a trust manager, which will verify the certificate during the TLS handshake:
With the server now setup, we return to the client. Open a new terminal and navigate to the root folder of this example. We use the keytool once again, identify the server’s certificate by its alias and importing it into a client truststore:
At this point, the client and server both have their corresponding key pairs, and trust the certificates of the other. The TLS configuration is complete.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK