Mutual TLS with Elytron without need for Authentication Setup


Marco Strauch

Mar 4, 2024, 10:35:59 AM
to WildFly
Hi,

we migrated the following legacy mutual TLS configuration to Elytron (WildFly 24).

<management>
  <security-realms>
    <!-- Legacy realm: server identity (keystore) plus the trust store used for client certificates -->
    <security-realm name="UndertowRealm">
      <server-identities>
        <ssl>
          <keystore provider="PKCS12" path="${javax.net.ssl.keyStore}" keystore-password="${javax.net.ssl.keyStorePassword}" alias="CAT" key-password="${javax.net.ssl.keyStorePassword}"/>
        </ssl>
      </server-identities>
      <authentication>
        <!-- Trust store against which client certificates are verified -->
        <truststore provider="PKCS12" path="${javax.net.ssl.trustStore}" keystore-password="${javax.net.ssl.trustStorePassword}"/>
      </authentication>
    </security-realm>
  </security-realms>
</management>


In Elytron the configuration is now:

<tls>
  <key-stores>
    <!-- Server key store (private key + certificate) -->
    <key-store name="MyKeystore">
      <credential-reference clear-text="${javax.net.ssl.keyStorePassword}"/>
      <implementation type="${javax.net.ssl.keyStoreType}" provider-name="BC"/>
      <file path="${javax.net.ssl.keyStore}"/>
    </key-store>
    <!-- Trust store holding the CA(s) that client certificates must chain to -->
    <key-store name="MyTrustStore">
      <credential-reference clear-text="${javax.net.ssl.trustStorePassword}"/>
      <implementation type="${javax.net.ssl.trustStoreType}" provider-name="BC"/>
      <file path="${javax.net.ssl.trustStore}"/>
    </key-store>
  </key-stores>
  <key-managers>
    <key-manager name="MyKeyManager" key-store="MyKeystore" alias-filter="${javax.net.ssl.keyAlias}">
      <credential-reference clear-text="${javax.net.ssl.keyStorePassword}"/>
    </key-manager>
  </key-managers>
  <trust-managers>
    <trust-manager name="MyTrustManager" key-store="MyTrustStore" alias-filter="AcceptClientAlias"/>
  </trust-managers>
  <server-ssl-contexts>
    <!-- Plain TLS: no trust manager, no client certificate requested -->
    <server-ssl-context name="TLS_Context" key-manager="MyKeyManager" cipher-suite-filter="HIGH" protocols="TLSv1.2"/>
    <!-- Mutual TLS: client certificate required and verified against MyTrustManager -->
    <server-ssl-context name="MTLS_Context" key-manager="MyKeyManager" trust-manager="MyTrustManager" cipher-suite-filter="HIGH" protocols="TLSv1.2" need-client-auth="true"/>
  </server-ssl-contexts>
</tls>

Within the Undertow settings I reference the 2 SSL contexts in the HTTPS listeners:

<subsystem xmlns="urn:jboss:domain:undertow:12.0">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener name="default" read-timeout="300000" write-timeout="300000" max-connections="1000" socket-binding="http" max-post-size="1073741824" record-request-start-time="true" redirect-socket="https" enable-http2="true"/>
    <!-- Plain TLS endpoint -->
    <https-listener name="https" read-timeout="300000" write-timeout="300000" max-connections="1000" socket-binding="https" max-post-size="1073741824" record-request-start-time="true" ssl-context="TLS_Context" enable-http2="true"/>
    <!-- Mutual TLS endpoint -->
    <https-listener name="mtls" read-timeout="300000" write-timeout="300000" max-connections="1000" socket-binding="mtls" max-post-size="1073741824" record-request-start-time="true" ssl-context="MTLS_Context" enable-http2="true"/>
    ...

Using that configuration, the TLS handshake is successful, but after that the request aborts with status 403 (Forbidden).

So I have added the following configuration to the Elytron subsystem:

<http>
  <configurable-http-server-mechanism-factory name="clientcert-authentication" http-server-mechanism-factory="global">
    <properties>
      <!-- Skip the realm-level verification of the client certificate in the CLIENT_CERT mechanism -->
      <property name="org.wildfly.security.http.skip-certificate-verification" value="true"/>
    </properties>
  </configurable-http-server-mechanism-factory>
</http>

Now I get the status 401 (Unauthorized).

I think I understand why I get this error. The reason is that the user of the certificate must be authorized by Elytron.

But I won't enable client cert authentication within my application, because client cert authentication is an optional setting. My goal is only to build up the SSL context; the authentication is done later in the application.

So how can I achieve that, after the SSL context is established, no authentication or authorization is done by Elytron and the request continues as it would using the standard TLS endpoint?

Regards
Marco 
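As an added check (not part of the original post, and not WildFly's own tooling): a small Python audit that parses a constructed, trimmed copy of the configuration quoted above, resolves each https-listener to its server-ssl-context, and reports whether that listener really enforces a client certificate (need-client-auth together with a trust-manager) and whether skip-certificate-verification is switched on. Element and attribute names follow the snippets above; the Elytron subsystem namespace is omitted in the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the configuration quoted above.
# Element names as posted; the elytron subsystem namespace is omitted.
SAMPLE_CONFIG = """<server>
 <subsystem>
  <http>
   <configurable-http-server-mechanism-factory name="clientcert-authentication" http-server-mechanism-factory="global">
    <properties>
     <property name="org.wildfly.security.http.skip-certificate-verification" value="true"/>
    </properties>
   </configurable-http-server-mechanism-factory>
  </http>
  <tls>
   <server-ssl-contexts>
    <server-ssl-context name="TLS_Context" key-manager="MyKeyManager" protocols="TLSv1.2"/>
    <server-ssl-context name="MTLS_Context" key-manager="MyKeyManager" trust-manager="MyTrustManager" protocols="TLSv1.2" need-client-auth="true"/>
   </server-ssl-contexts>
  </tls>
 </subsystem>
 <subsystem xmlns="urn:jboss:domain:undertow:12.0">
  <server name="default-server">
   <https-listener name="https" socket-binding="https" ssl-context="TLS_Context"/>
   <https-listener name="mtls" socket-binding="mtls" ssl-context="MTLS_Context"/>
  </server>
 </subsystem>
</server>"""

SKIP_PROP = "org.wildfly.security.http.skip-certificate-verification"

def local(tag):
    """Drop the namespace prefix so lookups work for any subsystem version."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Map each https-listener to what its ssl-context actually enforces."""
    root = ET.fromstring(xml_text)
    contexts = {e.get("name"): e for e in root.iter() if local(e.tag) == "server-ssl-context"}
    report = {}
    for lst in (e for e in root.iter() if local(e.tag) == "https-listener"):
        ctx = contexts.get(lst.get("ssl-context"))
        # None marks a listener pointing at an ssl-context that does not exist
        report[lst.get("name")] = None if ctx is None else {
            "ssl_context": ctx.get("name"),
            "need_client_auth": ctx.get("need-client-auth") == "true",
            "trust_manager": ctx.get("trust-manager"),
        }
    skip_verification = any(local(e.tag) == "property" and e.get("name") == SKIP_PROP
                            and e.get("value") == "true" for e in root.iter())
    return report, skip_verification
```

Run it against a full standalone.xml to confirm that only the intended listener demands a client certificate and that the skip property is set deliberately rather than left over from debugging.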