You are currently browsing the monthly archive for March 2010.

In this post I show how to grab a Microsoft server's SSL certificate and import it into a JSE keystore. I have a customer who only uses Microsoft IIS and bought a CA certificate from Comodo. They don't know Java security and don't have the CSR in hand, so they have to export it as a PFX (Personal Exchange) file. Once I had the *.PFX, I did:

STEP 1. Export your private key and SSL certificate from Microsoft IIS

but the PFX cannot be imported into the Java keystore directly, so:

STEP 2. Import the private key and certificate into the Java keystore
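As an added example (my own code, not from the original post), here is a small Java program that performs STEP 2 with the standard java.security.KeyStore API: it opens the PFX as a PKCS12 keystore, copies every private-key entry together with its certificate chain into a new JKS file, and prints subject, issuer and expiry of what it copied so you can confirm the right certificate went in. The file names, passwords and the jbosskey alias are command-line arguments or assumptions, not values taken from the post.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Copies every private-key entry (key plus certificate chain) from a PKCS#12
 * (.pfx) file exported by IIS into a JKS keystore that JBoss/Tomcat can use.
 *
 * Usage: java PfxToJks <in.pfx> <pfxPassword> <out.jks> <jksPassword>
 * (file names, passwords and the "jbosskey" alias are assumptions for this example)
 */
public class PfxToJks {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PfxToJks <in.pfx> <pfxPassword> <out.jks> <jksPassword>");
            System.exit(1);
        }
        char[] pfxPass = args[1].toCharArray();
        char[] jksPass = args[3].toCharArray();

        // 1. Load the IIS export; IIS protects the PFX with the password typed at export time.
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            pfx.load(in, pfxPass);
        }

        // 2. Create an empty JKS keystore (load(null, ...) initialises a fresh store).
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, jksPass);

        int copied = 0;
        for (Enumeration<String> e = pfx.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!pfx.isKeyEntry(alias)) {
                continue; // trusted-certificate-only entries are not what the connector needs
            }
            Key key = pfx.getKey(alias, pfxPass);
            Certificate[] chain = pfx.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                throw new IllegalStateException("no certificate chain for alias " + alias);
            }
            // IIS aliases are often GUID-like; give the JKS entry a friendlier name.
            String jksAlias = copied == 0 ? "jbosskey" : "jbosskey-" + copied;
            // Key password == store password, because the connector uses one keystorePass for both.
            jks.setKeyEntry(jksAlias, key, jksPass, chain);
            printChain(jksAlias, chain);
            copied++;
        }
        if (copied == 0) {
            throw new IllegalStateException("PFX contains no private-key entry");
        }

        // 3. Write the JKS file the connector will point at.
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            jks.store(out, jksPass);
        }
        System.out.println("wrote " + args[2] + " with " + copied + " key entry/entries");
    }

    /** Print subject, issuer and expiry of each certificate so the operator can verify the chain. */
    private static void printChain(String alias, Certificate[] chain) {
        System.out.println("alias " + alias + " (" + chain.length + " certificate(s) in chain):");
        for (Certificate c : chain) {
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal());
                System.out.println("  issuer =" + x.getIssuerX500Principal());
                System.out.println("  expires=" + x.getNotAfter());
            }
        }
    }
}
```

Run it as java PfxToJks server.pfx <pfxPassword> MyServer.keystore changeit. The key password is set equal to the store password because the JBoss/Tomcat connector used later on this page has only a single keystorePass and applies it to both. If the printed chain contains only the leaf certificate, re-export from IIS with the option to include all certificates in the certification path, or import the Comodo intermediate into the keystore separately, otherwise browsers that do not already know the intermediate will show a warning. On Java 6 or newer the same copy can be done from the command line with keytool -importkeystore -srckeystore server.pfx -srcstoretype PKCS12 -destkeystore MyServer.keystore -deststoretype JKS.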

Reference:
1. Dealing with java keystores

2. OpenSsl/Keytool Cheat Sheet

3. A Step-by-Step Guide to Advanced Certificate Management

4. How to back up a server certificate in Internet Information Services 5.0


Part-1 setup on JBoss server with CAS war

1. Download CAS (Central Authentication Service) from here.
You may like to read their document.

2. Unzip and place the CAS web application at C:\jboss-4.2.2.GA\server\default\deploy\cas.war (an example path).

3. I assume you use the JBoss login-config.xml to set up your LoginContext, so you already have an application-policy name; I configured mine as "MyLoginRealm".

4. Now go to ${jboss_server}\cas.war\WEB-INF\deployerConfigContext.xml and modify the authenticationHandlers list so the JAAS handler points at that realm:

<property name="authenticationHandlers">
  <list>
    <!-- CAS 3.x JAAS handler; it delegates to the application-policy named in realm -->
    <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
      <property name="realm"><value>MyLoginRealm</value></property>
    </bean>
  </list>
</property>

5. Create your host server's keystore and certificate. When keytool prompts for "first and last name", enter the hostname clients will use (it becomes the CN), and use the same password for the key and the store, because the connector in step 8 has a single keystorePass for both.

Creating the keystore and private key:
a. keytool -genkey -alias jbosskey -keyalg RSA -validity 3650 -keypass changeit -storepass changeit -keystore MyServer.keystore

b. keytool -list -keystore MyServer.keystore

Exporting the certificate and storing it as a trusted entry (-validity and -keypass are not options of -export/-import and have been dropped):
c. keytool -export -alias jbosskey -file MyServer.crt -keystore MyServer.keystore

d. keytool -import -alias jbosscert -file MyServer.crt -keystore MyServer.keystore

e. keytool -list -keystore MyServer.keystore

6. Copy MyServer.keystore and MyServer.crt into ${jboss_server}\conf

7. Add

SET JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=${jboss_server}\conf\MyServer.keystore

to your JVM options (usually in run.bat).

8. Change server.xml at ${jboss_server}\deploy\jboss-web.deployer. Uncomment the 8443 SSL connector like this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/MyServer.keystore"
           keystorePass="changeit"/>

Part-2 setup on your web application with the CAS client
Now go to ${your_web_app}\WEB-INF\web.xml and add the following to web.xml (the filter-mapping order matters: sign-out, authentication, validation, wrapper, assertion):

<!-- CAS: Java Client 3.1.3-->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://hostname:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://hostname:8443</param-value>
</init-param>
<init-param>
<param-name>renew</param-name>
<param-value>false</param-value>
</init-param>
</filter>

<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://hostname:8443/cas/</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://hostname:8443</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>

<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

Test drive
If you request http://bestsite:8080, it will redirect to the CAS login page. You will see something like this:
https://bestsite:8443/cas/login?service=https%3A%2F%2Fbestsite%3A8080%2F. That means you are good now.
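To see what those five filters actually hand to your application once the redirect round-trip succeeds, here is an added example servlet (my own code, not part of the original post or of the Jasig client): it reads the user name that HttpServletRequestWrapperFilter places on the request and the validated Assertion that AssertionThreadLocalFilter stores in AssertionHolder, and refuses to serve if either is missing. The class name WhoAmIServlet and its URL mapping are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;

/**
 * Servlet placed behind the five CAS filters from web.xml (class name and
 * mapping are assumptions for this example). It shows the identity the
 * filters established and fails closed if it is absent.
 */
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Set by HttpServletRequestWrapperFilter from the validated service ticket.
        String remoteUser = req.getRemoteUser();
        // Set by AssertionThreadLocalFilter for the thread handling this request.
        Assertion assertion = AssertionHolder.getAssertion();

        if (remoteUser == null || assertion == null) {
            // Defence in depth: with all filters mapped to /* this branch should never
            // run; it protects you if the mappings are narrowed later.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "no CAS assertion for this request");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("remoteUser: " + remoteUser);
        out.println("principal : " + assertion.getPrincipal().getName());
        out.println("validFrom : " + assertion.getValidFromDate());
        out.println("validUntil: " + assertion.getValidUntilDate());

        // Attributes are only present if the CAS server releases them; the plain
        // CAS 2.0 protocol used by the validation filter above sends none by default.
        // The raw Map type keeps this compiling against the 3.1.x client, which predates generics.
        Map attributes = assertion.getPrincipal().getAttributes();
        for (Object key : attributes.keySet()) {
            out.println("attr " + key + " = " + attributes.get(key));
        }
    }
}
```

Map the servlet in the same web.xml (a <servlet> plus a <servlet-mapping> to a path such as /whoami) and request it after the CAS login; the response should show the same user that the JBoss login-config.xml realm authenticated. AssertionHolder is backed by a ThreadLocal, so it is only valid on the request thread and is cleared when AssertionThreadLocalFilter finishes; do not hand it to worker threads.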

Recently I had a project about Single Sign On. I want to put all of my research here because I got it from the internet and would love to share it with you.

1. SSL Converter

2. The Most Common Java Keytool Keystore Commands

3. The Most Common OpenSSL Commands

4. Installing an SSL Certificate in Windows Server 2008 (IIS 7.0)

5. How to use SSL Certificates with Exchange 2007

6. How to Create A Self Signed Certificate

7. Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more

8. OpenSSL how-to