How to configure Keystore, LDAP & Wildfly for TLS Handshake tests

vrindanayak edited this page May 19, 2016 · 3 revisions
Clone this wiki locally

Creation of Server side Keystore.jks

The below tool is used to generate a new keystore.jks file with the key algorithm as RSA

keytool -genkeypair -keyalg RSA -keystore keystore.jks

Once the above command is typed, it will prompt for details to be entered by user as shown below

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  dcm4che
What is the name of your City or Locality?
  [Unknown]:  Vienna
What is the name of your State or Province?
  [Unknown]:  Vienna
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Unknown, OU=Unknown, O=dcm4che, L=Vienna, ST=Vienna, C=AT correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password):
Re-enter new password:

The password entered above will be needed in LDAP configuration mentioned below.

Creation of Server side & Client side Truststore

Create client side truststore (required in Wildfly configuration) from the clientKey received from the Client side

   keytool -importcert -file clientKey.pem -keystore client.truststore  

Create server side truststore (required in Wildfly configuration)

   keytool -importcert -file keystore.pem -keystore server.truststore

LDAP Configuration for TLS Handshake tests

  1. Place this newly created keystore.jks file in your jboss location : $WILDFLY_HOME/standalone/configuration/dcm4chee-arc/keystore.jks
  2. On dcm4chee-arc device level, add the attribute dcmKeystoreURL and its value should point the above location.
  3. On dcm4chee-arc device level, add another attribute dcmKeystorePin. The value should be the password used while generating the keystore.jks as shown above in Creation of keystore.jks
  4. On dcm4chee-arc device level, modify the value of userCertificate;binary to point to server side certificate.
  5. To add client side certificate in LDAP configuration you may add following attributes in a new device or update an existing device which is not being used

       objectClass: pkiUser
       userCertificate;binary: <add client certificate here>
    
  6. On dcm4chee-arc device level, add a new dicomAuthorizedNodeCertificateReference and point its value to the device (newly added or updated as mentioned in point 5, which has the client certificate information)

Wildfly Configuration

  1. Modify the $WILDFLY_HOME/standalone/configuration/application-roles.properties

       CN\=client,\ OU\=<authentication>,\ O\=JBoss,\ ST\=UP,\ C\=IN=JBossAdmin
       admin=JBossAdmin
    
  2. Add below code snippets in the $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml

....
....
<management>
        <security-realms>
        ....
        ....
        <security-realm name="UndertowRealm">
                <server-identities>
                    <ssl>
                        <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="myPass" alias="myAlias" key-password="myPass"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="clientPass"/>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
....
....
<subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
            ....
            ....
            <security-domain name="client_cert_domain" cache-type="default">
                    <authentication>
                        <login-module code="CertificateRoles" flag="required">
                            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                            <module-option name="securityDomain" value="client_cert_domain"/>
                            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/application-roles.properties"/>
                        </login-module>
                    </authentication>
                    <jsse keystore-password="myPass" keystore-url="file:${jboss.server.config.dir}/keystore.jks" truststore-password="myPass" truststore-url="file:${jboss.server.config.dir}/server.truststore" cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA" client-auth="true" protocols="SSLv3, TLSv1"/>
                </security-domain>
....
....
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" max-post-size="100000000" socket-binding="http"/>
                <https-listener name="https" max-post-size="100000000" verify-client="REQUIRED" security- realm="UndertowRealm" socket-binding="https"/>
....
....