#EasyRSA Certificate based authentication of #SoapUI client to a secure WebService running on #JBoss or #WildFly application server

By | May 12, 2019

The following is a very quick guide on how to set up a EasyRSA certificate based authentication of SoapUI API client to connect to a WebService based API that runs on JBoss or WildFly.

Generate a local CA with EasyRSA

Download and install easy-rsa – https://github.com/OpenVPN/easy-rsa

Go to the installation folder and change the following files:

x509-types/client

keyUsage = digitalSignature,nonRepudiation

x509-types/server

keyUsage = digitalSignature,keyEncipherment,nonRepudiation

vars

# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE       3650

# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE     3650

Generate Certificates Hierarchy

To initialize pki and build the CA root, use the following commands.

Choose a suggestive Common Name for the CA and a password when prompted for. The default password to use when sending the generated certificates and keystores to all our clients should be storepwd.

easy-rsa init-pki
easy-rsa build-ca

To create the server certificate, run the following command. Choose an alias and a password. A good recommendation not to complicated things is to use the same password as the one in the previous steps.

easy-rsa build-server-full MYSERVER

To generate the client certificates, run the following command. Choose an alias and a password, as before.

easy-rsa build-client-full CLIENT1

To export the client certificate private key in P12 format, run the following command, using the client_alias generated before:

easy-rsa export-p12 CLIENT1

You can find all generated certificates in the easy-rsa installation folder, as follows:

  • pki/ca.crt
  • pki/issued
  • pki/private

Generate server side key-stores

Go to the EasyRSA root directory and create a keystore.jks. The keystore.jks key-store must contain MYSERVER’s (server) full key (private/certificate + public key) as well as all participants (client) public key

Import the ca.crt and generate the keystore.jks keystore

keytool -import -v -trustcacerts -alias MYCA -file pki/ca.crt -keystore keystore.jks -keypass storepwd

Import MYSERVER’s (server) public key

 keytool -import -v -trustcacerts -alias MYSERVER -file pki/issued/MYSERVER.crt -keystore truststore.jks -keypass storepwd

Import MYSERVER’s (server) private key

keytool -importkeystore -destkeystore truststore.jks -srckeystore pki/private/MYSERVER.p12 -srcstoretype PKCS12

Import CLIENT1’s (client) public key

keytool -import -v -trustcacerts -alias CLIENT1 -file pki/issued/CLIENT1.crt -keystore mms.jks -keypass storepwd

Do the same for all the other participants …

Generate also a key-store with only the CA certificate

keytool -import -v -trustcacerts -alias MYCA -file pki/ca.crt -keystore cacerts.jks -keypass storepwd

Configure the server side (WildFly)

Add a separate https-listener to WildFly standalone.xml with required client authentication (verify-client=”REQUIRED”

 <https-listener name="https-external" socket-binding="https2" security-realm="ApplicationRealm" verify-client="REQUIRED" enabled-cipher-suites="ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256" enabled-protocols="TLSv1.2" enable-http2="true"/>

Add also a new entry for this binding

<socket-binding name="https2" port="${jboss.https.port:7083}"/>

Configure the security realm in WildFly to refer to the new defined keystore.jks and cacerts.jks

            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
                        <keystore path="/home/gvoina/EasyRSA-v3.0.6/keystore.jks" keystore-password="storepwd" alias="1" />
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="/home/gvoina/EasyRSA-v3.0.6/cacerts.jks"  keystore-password="storepwd"/>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>

Restart the application server.

Configure the client side (SoapUI)

Configure SOAPUI for VTBLAOL0 client

Change directory to the root EasyRSA directory. Create a client keystore and import CLIENT1’s (client) public key

keytool -import -v -trustcacerts -alias CLIENT1 -file pki/issued/CLIENT1.crt -keystore client1.jks -keypass storepwd

Copy also the the cacerts.jks on the client machine

Set the client keystore in SoapUI

File -> Preferences -> SSL Settings

Add “Keystore” and “Keystore Password” with the location of the client1.jks and password storepwd

Add the SSL keystore to the project of our client WSDL (we assume is alredy imported in a new project). Double click on the project (WSMessageGatewayImpl in my case) to open the project configuration panel.

Project Properties -> WS-Security Configurations -> Keystores

add the client1.jks

On the request we want to use client authentication under “Request Properties” -> “SSL Keystore” select client1.jks

Add the truststore to the project of our client WSDL (we assume is alredy imported in a new project)

Project Properties -> WS-Security Configurations -> Truststores

add the cacerts.jks

Access the Webservice endpoint using the new https-listener
https://localhost:7083/mms/WSMessageGatewayImpl

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.