We have to set up a partnership in Hermes H2O with SSL (server AND
client authentication).
Could you please give us some explanations about the configuration
needed for client authentication:
- outbound messages:
Where do we configure the client certificate Hermes will present to
the receiver?
- inbound messages:
Where do we add the public client certificate provided by our partner
to authorize the transaction?
Thanks in advance for your help,
- Julien
Sorry for the late reply.
Let's illustrate the setup with an example: Server A is the sender
side and Server B is the receiver side.
We need to configure the Corvus WebApps in Server A (to set the
location of the keystore that shows its identity and also the trust
manager that possesses the public certificate from Server B).
1. Edit the file <corvus webapps>/WEB-INF/classes/hk/hku/cecid/piazza/corvus/core/conf/corvus.module.xml
2. Uncomment the block that defines SSL Key Manager and fill in your
own values.

    <!-- Set up a SSL Key Manager for SSL connection -->
    <component id="ssl-key-manager" name="SSL Key Manager">
        <class>hk.hku.cecid.piazza.commons.security.KeyStoreKeyManager</class>
        <parameter name="keystore-location" value="hk/hku/cecid/piazza/corvus/core/certs/corvus2.p12" />
        <parameter name="keystore-password" value="password" />
        <parameter name="key-alias" value="corvus2" />
        <parameter name="key-password" value="password" />
        <parameter name="keystore-type" value="PKCS12" />
        <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider" />
    </component>
3. Uncomment the block that defines SSL Trust Manager. One thing to
note, I find that the value for keystore-location in SSL Trust Manager
needs to be an absolute path. Also, you should import the certificate
of Server B to this trust manager so that the server authentication
can succeed.

    <!-- Set up a SSL Trust Manager for SSL connection -->
    <component id="ssl-trust-manager" name="SSL Trust Manager">
        <class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
        <parameter name="keystore-location" value="/root/hermes2/cacerts" />
        <parameter name="keystore-password" value="changeit" />
    </component>
4. Set up the Tomcat on Server B to listen for HTTPS requests and
enable the client authentication. Edit the file server.xml.
5. The Tomcat on Server B will need to enable the HTTPS Connector.
Below is the setting that I use in my testing.
You should import the certificate of Server A to the truststoreFile
defined so that client authentication can succeed.

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="/home/ronnie/data/shuttle.keystore"
               keystorePass="password"
               keyAlias="tomcat"
               truststoreFile="/home/ronnie/data/cacerts"
               truststorePass="changeit"
               truststoreType="JKS"
    />
You can find the details from this URL:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.
After that, define the target endpoint in the partnership properly and
sending from Server A to Server B with HTTPS Client Authentication
should work OK.
Hope this helps.
Regards,
ronnie
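The steps above encode a few constraints that are easy to get wrong: both components in corvus.module.xml must actually be uncommented and complete, the trust manager's keystore-location must be an absolute path, and the receiving Tomcat Connector must be HTTPS with clientAuth="true" and both a keystore and a truststore. The following script checks those constraints against the two XML fragments before deployment. It is an added example written for this thread, not code from Hermes H2O or the Corvus project; the sample XML, the `<module>` wrapper and all file paths in it are constructed placeholders.

```python
"""Validate Hermes H2O mutual-TLS configuration fragments before deployment.

Added example, not part of Hermes H2O or Corvus. It checks the constraints
from the thread: ssl-key-manager and ssl-trust-manager present (i.e. not
left commented out) and complete, the trust manager's keystore-location
absolute, and the receiving Tomcat Connector HTTPS with clientAuth="true",
a keystoreFile and a truststoreFile. All XML below is constructed sample
input; the paths are placeholders, not real deployment paths.
"""
import posixpath
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the corvus.module.xml blocks from the
# thread, wrapped in a <module> root so it parses stand-alone.
CORVUS_MODULE_XML = """<module>
  <component id="ssl-key-manager" name="SSL Key Manager">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreKeyManager</class>
    <parameter name="keystore-location" value="hk/hku/cecid/piazza/corvus/core/certs/corvus2.p12" />
    <parameter name="keystore-password" value="password" />
    <parameter name="key-alias" value="corvus2" />
    <parameter name="key-password" value="password" />
    <parameter name="keystore-type" value="PKCS12" />
  </component>
  <component id="ssl-trust-manager" name="SSL Trust Manager">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
    <parameter name="keystore-location" value="/opt/hermes2/cacerts" />
    <parameter name="keystore-password" value="changeit" />
  </component>
</module>
"""

# Constructed Tomcat server.xml fragment: HTTPS connector requiring a
# client certificate (placeholder paths).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" clientAuth="true"
             sslProtocol="TLS" keystoreFile="/opt/hermes2/server.keystore"
             keystorePass="password" truststoreFile="/opt/hermes2/cacerts"
             truststorePass="changeit" truststoreType="JKS" />
</Service></Server>
"""

KEY_MANAGER_PARAMS = ("keystore-location", "keystore-password",
                      "key-alias", "key-password", "keystore-type")


def parse_components(xml_text):
    """Return {component-id: {"class": ..., "params": {name: value}}}.

    ElementTree drops XML comments, so a block that was left commented out
    simply does not appear here: that is the 'forgot to uncomment' case."""
    comps = {}
    for comp in ET.fromstring(xml_text).iter("component"):
        params = {p.get("name"): p.get("value", "")
                  for p in comp.findall("parameter")}
        comps[comp.get("id")] = {"class": comp.findtext("class", "").strip(),
                                 "params": params}
    return comps


def check_corvus_module(xml_text):
    """Findings for the sender-side (Server A) configuration; empty is good."""
    findings = []
    comps = parse_components(xml_text)
    km = comps.get("ssl-key-manager")
    if km is None:
        findings.append("ssl-key-manager component missing (still commented out?)")
    else:
        for name in KEY_MANAGER_PARAMS:
            if not km["params"].get(name):
                findings.append(f"ssl-key-manager: parameter '{name}' missing or empty")
    tm = comps.get("ssl-trust-manager")
    if tm is None:
        findings.append("ssl-trust-manager component missing (still commented out?)")
    else:
        loc = tm["params"].get("keystore-location", "")
        # The thread reports the trust manager only works with an absolute path.
        if not posixpath.isabs(loc):
            findings.append(f"ssl-trust-manager: keystore-location '{loc}' is not absolute")
        if not tm["params"].get("keystore-password"):
            findings.append("ssl-trust-manager: keystore-password missing or empty")
    return findings


def check_https_connector(xml_text):
    """Findings for the receiver-side (Server B) Tomcat Connector; empty is good."""
    connectors = [c for c in ET.fromstring(xml_text).iter("Connector")
                  if c.get("scheme") == "https"]
    if not connectors:
        return ['no Connector with scheme="https" defined']
    findings = []
    for c in connectors:
        port = c.get("port", "?")
        # secure="true" marks the connector as SSL; clientAuth="true" makes
        # Tomcat require (not merely accept) a client certificate.
        for attr, want in (("secure", "true"), ("clientAuth", "true")):
            if c.get(attr) != want:
                findings.append(f"Connector {port}: {attr} should be \"{want}\", got {c.get(attr)!r}")
        for attr in ("keystoreFile", "truststoreFile"):
            if not c.get(attr):
                findings.append(f"Connector {port}: {attr} not set")
    return findings


if __name__ == "__main__":
    for label, findings in (("corvus.module.xml", check_corvus_module(CORVUS_MODULE_XML)),
                            ("server.xml", check_https_connector(SERVER_XML))):
        print(label, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

To use it on a real deployment, read the actual corvus.module.xml and server.xml into the two functions; the trust-store path check uses POSIX rules because the thread's servers are Unix hosts.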
Everything is perfectly clear.
I just have one more question. In my understanding, in step 2, Hermes
only allows one certificate to authenticate the client/sender.
It seems therefore not possible to set up Hermes so that it presents
different client certificates depending on the server it is sending
to.
Can you confirm?
Regards,
- Julien
> You can find the details from this URL, http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.
Correct, this is how it works.
The keystore and trust manager are loaded when the HTTPConnector object
is invoked. I guess you can modify the behavior by changing the class
hk.hku.piazza.commons.net.HttpConnector.
Regards,
ronnie