java - JBoss5 CLIENT-CERT authentication getting HTTP Status 401 - Cannot authenticate with the provided credentials error
I want mutual authentication using CLIENT-CERT and to specify a role for a RESTful Jersey web service. Here clientAuth="false" in server.xml.
My web.xml is as follows:

    <servlet>
        <servlet-name>jersey-serlvet</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>com.aditi.test</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>jmx console</realm-name>
    </login-config>
    <security-role>
        <description>admin role</description>
        <role-name>admin</role-name>
    </security-role>
My jboss-web.xml is:

    <jboss-web>
        <security-domain>java:/jaas/client_cert</security-domain>
    </jboss-web>
I have also created server.keystore, server.truststore, client.keystore, client.truststore and client.p12 using keytool and openssl.
The changes in login-config.xml are:

    <application-policy name="client_cert">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="usersProperties">props/cert-users.properties</module-option>
                <module-option name="rolesProperties">props/cert-roles.properties</module-option>
                <module-option name="verifier">com.secure.CertVerifier</module-option>
            </login-module>
        </authentication>
    </application-policy>
and jboss-service.xml contains:

    <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain">
        <constructor>
            <arg type="java.lang.String" value="client_cert"/>
        </constructor>
        <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.keystore</attribute>
        <attribute name="KeyStorePass">base123</attribute>
        <attribute name="TrustStoreURL">${jboss.server.home.dir}/conf/server.truststore</attribute>
        <attribute name="TrustStorePass">base123</attribute>
        <depends>jboss.security:service=JaasSecurityManager</depends>
    </mbean>
and com.secure.CertVerifier is:

    package com.secure;

    import java.security.KeyStore;
    import java.security.Principal;
    import java.security.cert.X509Certificate;
    import org.jboss.security.auth.certs.X509CertificateVerifier;

    public class CertVerifier implements X509CertificateVerifier {
        @Override
        public boolean verify(X509Certificate xcert, String alias, KeyStore keyStore, KeyStore trustStore) {
            System.out.println("hi verify");
            Principal pr = xcert.getSubjectDN();
            System.out.println("hi dear " + pr.getName());
            return true; // accepts every certificate, nothing is checked against the trust store
        }
    }
Also, the cert-users.properties file is empty, and the cert-roles.properties file is:

    CN\=clienthost,\ OU\=test,\ O\=test,\ L\=pune,\ ST\=mah,\ C=in=admin
Now when I access the RESTful web service through the browser, I import the client.p12 certificate, and after that I get the error:

HTTP Status 401 - Cannot authenticate with the provided credentials

How do I resolve it? I want authentication and authorization using CLIENT-CERT in JBoss5. What is going wrong here? How does it work?
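One thing worth checking with the cert-roles.properties line in the question, as an added example that is not part of the question, the answer or JBoss itself: the key that java.util.Properties reads back after processing the backslash escapes has to be exactly the principal name, which the verifier above prints as xcert.getSubjectDN().getName() (RDNs joined by ", "). The Python script below implements the Properties escaping rules that matter for DN keys (\uXXXX escapes are left out), parses a roles line the way Properties.load would, and reports which roles a given principal would be granted by a users/roles properties lookup. The sample line and the principal name are constructed from the question, and the script assumes the principal name handed to the login module is that subject DN string.

```python
"""Check a JBoss cert-roles.properties key against a certificate principal name.

Added example, not part of the original question or answer. It assumes the
principal name that JBoss hands to the login module is the subject DN as
returned by X509Certificate.getSubjectDN().getName(), i.e. RDNs joined by
", " (the format the question's cert-roles.properties key is written for).
Only the escaping rules of java.util.Properties that matter for DN keys are
implemented; \\uXXXX escapes are not handled.
"""

# Characters that must be backslash-escaped inside a Properties key.
KEY_SPECIALS = set("=: \t#!\\")

# Backslash escapes that Properties.load turns into control characters.
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_key_for_dn(dn: str) -> str:
    """Escape a DN string so java.util.Properties reads it back as one key."""
    return "".join("\\" + ch if ch in KEY_SPECIALS else ch for ch in dn)


def _read_escaped(line: str, i: int, stop: str):
    """Consume line[i:] until an unescaped character in `stop`.

    Returns (text, index of the stop character or len(line)).
    """
    out = []
    n = len(line)
    while i < n:
        ch = line[i]
        if ch == "\\" and i + 1 < n:
            out.append(ESCAPES.get(line[i + 1], line[i + 1]))
            i += 2
            continue
        if ch in stop:
            break
        out.append(ch)
        i += 1
    return "".join(out), i


def _logical_lines(text: str):
    """Yield logical lines: comments dropped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: continued
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_properties(text: str) -> dict:
    """Parse text the way java.util.Properties.load would (no \\u escapes)."""
    props = {}
    for line in _logical_lines(text):
        key, i = _read_escaped(line, 0, "=: \t")  # key ends at unescaped = : or space
        n = len(line)
        while i < n and line[i] in " \t":
            i += 1
        if i < n and line[i] in "=:":
            i += 1
        while i < n and line[i] in " \t":
            i += 1
        value, _ = _read_escaped(line, i, "")
        props[key] = value
    return props


def roles_for_principal(roles_properties: str, principal_name: str) -> list:
    """Roles a users/roles properties lookup would grant: value of key == principal."""
    value = parse_properties(roles_properties).get(principal_name)
    if value is None:
        return []
    return [r.strip() for r in value.split(",") if r.strip()]


# Constructed input: the cert-roles.properties line from the question (RDN types
# upper-cased) and the principal name the question's verifier would print.
QUESTION_LINE = r"CN\=clienthost,\ OU\=test,\ O\=test,\ L\=pune,\ ST\=mah,\ C=in=admin"
PRINCIPAL = "CN=clienthost, OU=test, O=test, L=pune, ST=mah, C=in"


def main():
    parsed = parse_properties(QUESTION_LINE)
    print("key as read by Properties.load :", list(parsed)[0])
    print("roles for principal            :", roles_for_principal(QUESTION_LINE, PRINCIPAL))
    fixed_line = properties_key_for_dn(PRINCIPAL) + "=admin"
    print("line with every '=' escaped    :", fixed_line)
    print("roles for principal            :", roles_for_principal(fixed_line, PRINCIPAL))


if __name__ == "__main__":
    main()
```

Run as-is, it prints the key that Properties.load actually produces for the line as written (it stops at the first unescaped "=", so the key ends in ", C" and the value is "in=admin"), the roles found for the principal (none), and the same line with every "=" and space escaped, for which the lookup returns admin.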
web.xml is

    <display-name>hello</display-name>
    <servlet>
        <servlet-name>jersey-serlvet</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>com.aditi.test</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>jersey-serlvet</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/rest/hello/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
jboss-web.xml is

    <jboss-web>
        <security-domain>java:/jaas/simple-security-domain</security-domain>
    </jboss-web>
${JBOSS_HOME}/server/default/deploy/jbossweb.sar/server.xml is

    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               securityDomain="java:/jaas/simple-security-domain"
               SSLImplementation="org.jboss.net.ssl.JBossImplementation"/>
Create the certificates as follows.

Create the server and application client key stores and certificates:

    keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -dname "CN=server,OU=application development,O=home,L=auckland,S=ak,C=nz" -keypass password -storepass password -keystore server.keystore
    keytool -genkeypair -alias clientkey -keyalg RSA -keysize 2048 -dname "CN=client,OU=application development,O=home,L=auckland,S=ak,C=nz" -keypass password -storepass password -keystore client.keystore

Copy the client's public certificate to the server's keystore:

    keytool -exportcert -keystore client.keystore -storepass password -file client-public.cer -alias clientkey
    keytool -importcert -keystore server.keystore -storepass password -file client-public.cer -alias clientcert -noprompt

Take a peek at the server's keystore to make sure the client's certificate is there:

    keytool -v -list -keystore server.keystore -storepass password

Copy the server's public certificate to the client's keystore:

    keytool -exportcert -keystore server.keystore -storepass password -file server-public.cer -alias serverkey
    keytool -importcert -keystore client.keystore -storepass password -file server-public.cer -alias servercert -noprompt

Take a peek at the client's keystore to make sure the client's certificate is there:

    keytool -v -list -keystore client.keystore -storepass password

Create a browser keystore that browsers can read easily:

    keytool -importkeystore -srckeystore client.keystore -srcstorepass password -srcalias clientkey -destkeystore client.p12 -deststoretype PKCS12 -deststorepass password -destalias clientkey -noprompt

Take a peek at the browser's keystore to make sure the client's certificate is there:

    keytool -v -list -keystore client.p12 -storetype PKCS12 -storepass password
Copy the server.keystore file to the ${JBOSS_HOME}/server/default/conf folder.
Create a jboss-service.xml file in the deploy/ folder as follows:

    <server>
        <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=PBESecurityDomain">
            <constructor>
                <!-- the domain name must match securityDomain in server.xml and jboss-web.xml -->
                <arg type="java.lang.String" value="simple-security-domain"/>
            </constructor>
            <attribute name="KeyStoreURL">resource:server.keystore</attribute>
            <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
            <attribute name="TrustStoreURL">resource:server.keystore</attribute>
            <attribute name="TrustStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
            <attribute name="Salt">welcometojboss</attribute>
            <!-- must be the same salt and iteration count passed to FilePassword below -->
            <attribute name="IterationCount">13</attribute>
        </mbean>
    </server>
Here you have to create the encrypted password file server.password by executing the following command:

    java -classpath $JBOSS_HOME/common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword welcometojboss 13 your-pass server.password
This command uses jbosssx.jar on the classpath (-cp) and the FilePassword security plug-in to create the keystore.password file, with the password set to unit-tests-server. Verify that you have permission to create the keystore.password file, and supply the salt and iteration parameters configured in
The salt and iterationCount variables define the strength of the encrypted password, and can be varied as shown. Ensure that you record the new values, and use them when generating the encrypted password.
It requires jbosssx.jar, which may be located in the ${JBOSS_HOME}/common/lib folder. Copy the server.password file to the ${JBOSS_HOME}/server/default/conf folder.
Kindly refer to the given link to know more about security concepts in JBoss5.
Update the Tomcat service MBean.
Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF/. Open jboss-beans.xml and append the following tag to the WebServer bean at the end of the file. Adding this tag specifies that Tomcat must start after jboss.security:service=PBESecurityDomain.

    <bean name="WebServer" .... class="org.jboss.web.tomcat.service.deployers.TomcatService">
        <!-- existing bean content unchanged -->
        <depends>jboss.security:service=PBESecurityDomain</depends>
    </bean>
Deployment of the web service and accessing it from the client: create xyz.war containing the web service and deploy it in the ${JBOSS_HOME}/server/default/deploy/ folder.
Import the client.p12 certificate in the browser. In Mozilla go to Preferences --> View Certificates --> click on Import --> select client.p12 --> enter the password --> OK.
Open the browser and type the following URL: http://yourwebservicehost:8080/hello/rest/hello/test. You will get the window below asking for the client certificate; click on OK.