JBoss HTTPS two-way auth in FSW

Solution Verified - Updated -

Environment

  • Red Hat JBoss Fuse Service Works (FSW)
    • 6.0.0

Issue

  • We have 2 scenarios to implement:

    • client --> https two way auth --> JBoss application
    • JBoss application --> https two way auth --> target
  • In scenario 1 we use Apache httpd for the two-way auth management:

    • client --> https two way auth --> Apache httpd (verify the client certs) --> simple https --> JBoss application
  • Do you have any best practice or suggestion for scenario 2? Is there a way to implement scenario 2 without developing custom code?

  • We tried using services based on fsw_6.0.0 and received the following errors:
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking : Received fatal alert: handshake_failure
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_55]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_55]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_55]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_55]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1474) [cxf-rt-transports-http-2.6.8.redhat-7.jar:2.6.8.redhat-7]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1459) [cxf-rt-transports-http-2.6.8.redhat-7.jar:2.6.8.redhat-7]
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) [cxf-api-2.6.8.redhat-7.jar:2.6.8.redhat-7]
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:660) [cxf-rt-transports-http-2.6.8.redhat-7.jar:2.6.8.redhat-7]
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) [cxf-api-2.6.8.redhat-7.jar:2.6.8.redhat-7]
        ... 294 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Resolution

  • Make sure that the keystore types are configured correctly.
  • Change the keystore type to PKCS12 and add the following properties to standalone*.xml:
<property name="javax.net.ssl.trustStoreType" value="jks"></property>
<property name="javax.net.ssl.keyStoreType" value="PKCS12"></property>

Diagnostic Steps

  • Check for your entry in the keystore using keytool -list.
  • Check whether there is a common set of supported cipher suites between your client and server.
  • Finally, point the file to the .jks in both keyManagers and trustManagers.
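
One way to verify that the declared keystore types match the files themselves, as an added example that is not part of the original Red Hat solution: this Python script reads `javax.net.ssl.*` properties in the form shown in the Resolution and compares each declared type with the format indicated by the file's leading bytes. The paths, header bytes and function names are constructed for illustration, and the JKS fallback for an unset type is an assumption matching the Java 7 runtime seen in the stack trace.

```python
import xml.etree.ElementTree as ET

# Leading bytes that identify Java's own keystore formats on disk.
MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}

def sniff_store_type(head):
    """Guess the keystore format from the first bytes of the file."""
    if head[:4] in MAGIC:
        return MAGIC[head[:4]]
    # PKCS#12 is a DER SEQUENCE (0x30) whose first field is INTEGER 3.
    if head[:1] == b"\x30" and b"\x02\x01\x03" in head[1:8]:
        return "PKCS12"
    return "UNKNOWN"

def read_head(path):
    with open(path, "rb") as fh:  # first 8 bytes of a real file
        return fh.read(8)

def check_config(xml_text, reader=read_head):
    """Return (store, problem) pairs where declared type and file format differ."""
    props = {el.get("name"): el.get("value")
             for el in ET.fromstring(xml_text).iter()
             if el.tag.rsplit("}", 1)[-1] == "property"}  # ignore XML namespace
    findings = []
    for store in ("keyStore", "trustStore"):
        path = props.get("javax.net.ssl." + store)
        if path is None:
            continue  # store not set through system properties
        # Assumption: an unset type falls back to JKS, the Java 7 default.
        declared = (props.get("javax.net.ssl." + store + "Type") or "JKS").upper()
        actual = sniff_store_type(reader(path))
        if actual != declared:
            findings.append((store, "declared %s, file is %s" % (declared, actual)))
    return findings

# Constructed sample: hypothetical paths and header bytes, not from the page.
SAMPLE_FILES = {"/opt/certs/client.p12": bytes.fromhex("308209a102010330"),
                "/opt/certs/trust.jks": bytes.fromhex("feedfeed00000002")}
BEFORE = """<system-properties>
  <property name="javax.net.ssl.keyStore" value="/opt/certs/client.p12"/>
  <property name="javax.net.ssl.trustStore" value="/opt/certs/trust.jks"/>
  <property name="javax.net.ssl.trustStoreType" value="jks"></property>
</system-properties>"""
AFTER = BEFORE.replace("</system", '  <property name="javax.net.ssl.keyStoreType" '
                       'value="PKCS12"></property>\n</system')

if __name__ == "__main__":
    print("before:", check_config(BEFORE, SAMPLE_FILES.get))
    print("after: ", check_config(AFTER, SAMPLE_FILES.get))
```

Against a real installation, pass the contents of the standalone*.xml file and leave `reader` at its default so the actual keystore files are inspected.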
