Custom SSL TrustManager for Java App server

Question

I'm trying to setup SSL connections for a web service that is B2B and need to do client authentication on the server. Since the server hosts URLs that are also accessible from regular users through browser, not all connections to the host need to do client-auth. Only specific URLs require client-auth to validate the callers X509 certificate. We are using JBoss 5.x, which is based on Tomcat 5.x so I have a connector configuration like so:

      <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="8443" address="${jboss.bind.address}" sslProtocol = "TLS" 
       scheme="https" secure="true"  enableLookups="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/.myKeyStore"
       keystorePass="password1" />

As you can see I have a keystore configured so we can provide our Signed Cert and I have clientAuth=false as the specific URLs needing client-auth will be configured in web.xml like so:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>clientAuthResources</web-resource-name>
        <url-pattern>/clientauth/*</url-pattern>
         <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authOnly</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
     <realm-name>myRealm</realm-name>
</login-config>
  <security-role>
    <role-name>authOnly</role-name>
</security-role>

Through a custom JAAS Login module I can actually get this to work IF in the connector config above I also specific a truststore that has the client certs. That is where my issue is. Given the setup of our application and how we scale, each jboss application server setup supports a specific segentation of our users and I do not want truststores configured all over the place on the file system. We need to load the trusted certificates dynamically in code from our database. The custom JAAS login moduble does this at web level, and it also assignes roles, however without the connector truststore the login module never gets called, connection is terminated at SSL level before HTTP getes involved.

After much research on the web I've determined I need a custom X509TrustManager configured in the SSLContext/SSLSocketFactory to get around this. This custom trust manager would also validate client certs off the ones stored in our database. I have created this custom trust manager, however I cannot seem to hook it up. Does anyone know a way to configure this in jboss or tomcat 5.x? I noticed in Tomcat 7 the following config is available on a connector, trustManagerClassName, however that is not an option for me. I assume its possible, any help is greatly appreciated.

Answer 1

You can write your own org.apache.tomcat.util.net.jsse.JSSEImplementation and pass its full class name in the SSLImplementation attribute of your connector.

See examples here:

• http://code.google.com/p/jsslutils/wiki/ApacheTomcatUsage
• http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat5/src/main/java/org/jsslutils/extra/apachetomcat5/JSSLutilsImplementation.java
• http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat5/src/main/java/org/jsslutils/extra/apachetomcat5/JSSLutilsJSSESocketFactory.java