Svetoslav

Reputation: 583

Glassfish 4 certificate based client authentication

For a couple of days I've been trying to set up my development environment for certificate-based client authentication and it just doesn't want to work. I'm using the Glassfish 4 documentation (security guide) and creating, according to it, a self-signed client certificate for test purposes, but I'm not sure what I'm missing, since there is no complete description of the whole process. When I enable Client Authentication for my Http-Listener I don't get any error message in the server log, but when I try to connect from a browser I just cannot establish a connection with the server. Without this option my web application is working just fine. In Chrome I see the following message:

This site can’t be reached

127.0.0.1 refused to connect.

ERR_CONNECTION_REFUSED

And in Firefox:

The connection to 192.168.1.9:8181 was interrupted while the page was loading.

So for me it seems that something (unfortunately I cannot understand what exactly) is happening, but a connection cannot be established.

Since the setup is pretty complex I'm looking for a tutorial or how-to page which has step-by-step instructions, but any help and advice will be highly appreciated.

Upvotes: 3

Views: 3663

Answers (1)

Svetoslav

Reputation: 583

Ok, I finally got how it works :) I found very good step-by-step instructions in the book Java EE 7 with GlassFish 4 Application Server, Chapter 9, The certificate realm (p. 247). One basically has to do the following 3 steps:

  1. Create Client Certificate

1.1 Generate a self-signed certificate:

keytool -genkey -v -alias myalias -keyalg RSA -storetype PKCS12 -keystore clientCert_1.p12 -storepass wonttellyou -keypass wonttellyou

1.2 Import it into a browser. NB: When the certificate is not imported, the browser doesn't ask for it, but instead returns a connection error message, which for me is pretty misleading.

  2. Export the certificate from step 1 into a format that GlassFish can understand:

keytool -export -alias myalias -keystore clientCert_1.p12 -storetype PKCS12 -storepass wonttellyou -rfc -file clientCert_1.cer

RESULT => Certificate stored in file clientCert_1.cer

  3. Since we issued a self-signed certificate, in order for GlassFish to accept our certificate, we need to import it into the cacerts keystore:

keytool -import -v -trustcacerts -alias myalias -file clientCert_1.cer -keystore ../cacerts.jks -keypass changeit -storepass changeit

Note

  • The part -import -v -trustcacerts is not in the book, but without it keytool may crash, throwing an exception.
  • changeit is the default GlassFish password.

Finally one needs to set up the application server for certificate-based client authentication, which has two parts. The first one is adding a login configuration to web.xml:

...
<login-config>
   <auth-method>CLIENT-CERT</auth-method>
   <realm-name>certificate</realm-name>
</login-config>
...

And the second one is configuring the role mapping in glassfish-web.xml, so that your application has a corresponding role for that login. It looks like this:

...
<security-role-mapping>
   <role-name>YOUR_ROLE</role-name>
   <group-name>YOUR_GROUP</group-name>
   <principal-name>CN=Test User, OU=n/a, O=Test User, L=Cologne, ST=NRW, C=DE</principal-name>
</security-role-mapping>
...

For more detailed information about key generation and setting up your GlassFish, consult the book.

And finally one more thing which was confusing for me. In the admin interface one can find the SSL configuration tab of an existing http-listener. You don't have to enable the Client Authentication option!

Upvotes: 5
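The role mapping in glassfish-web.xml above only takes effect when its principal-name agrees with the subject DN of the client certificate, and a reordered or differently spaced DN is easy to overlook. The following added example (not from the answer or the book) parses both strings into RDN lists and reports exact matches and near-misses; it assumes the subject DN is copied from the output of `keytool -printcert -file clientCert_1.cer` and uses a constructed glassfish-web.xml fragment mirroring the one in the answer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed glassfish-web.xml fragment, mirroring the mapping in the answer.
GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>YOUR_ROLE</role-name>
    <group-name>YOUR_GROUP</group-name>
    <principal-name>CN=Test User, OU=n/a, O=Test User, L=Cologne, ST=NRW, C=DE</principal-name>
  </security-role-mapping>
</glassfish-web-app>"""

# Split a DN on commas that are not escaped with a backslash ("Doe\, John").
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return [(TYPE, value), ...] for a DN string. Attribute types are
    upper-cased; values keep their case and surrounding spaces are dropped."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if '=' not in part:
            raise ValueError('malformed RDN: %r' % part)
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def principal_names(xml_text):
    """Map every <principal-name> in glassfish-web.xml to its <role-name>."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for m in root.iter('security-role-mapping'):
        role = m.findtext('role-name')
        for p in m.findall('principal-name'):
            mapping[p.text.strip()] = role
    return mapping


def roles_for_subject(subject_dn, xml_text):
    """Return (roles whose principal-name matches RDN-by-RDN,
    principal-names with the same RDNs in another order or spacing)."""
    want = parse_dn(subject_dn)
    exact, near = [], []
    for name, role in principal_names(xml_text).items():
        got = parse_dn(name)
        if got == want:
            exact.append(role)
        elif sorted(got) == sorted(want):
            near.append(name)
    return exact, near
```

A non-empty near-miss list means the DN you pasted into glassfish-web.xml differs from the certificate's subject only in order or spacing; make the two strings identical rather than relying on the server to normalise them.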
