The following is a very quick guide on how to set up EasyRSA certificate-based authentication for a SoapUI API client connecting to a web-service API that runs on JBoss or WildFly.
Generate a local CA with EasyRSA
Download and install easy-rsa – https://github.com/OpenVPN/easy-rsa
Go to the installation folder and change the following files:
x509-types/client
keyUsage = digitalSignature,nonRepudiation
x509-types/server
keyUsage = digitalSignature,keyEncipherment,nonRepudiation
vars
# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE 3650
Generate the Certificate Hierarchy
To initialize the PKI and build the root CA, use the following commands.
Choose a descriptive Common Name for the CA and a password when prompted. The password used for the generated certificates and keystores that we send to all our clients should be storepwd.
easy-rsa init-pki
easy-rsa build-ca
To create the server certificate, run the following command. Choose an alias and a password; to keep things simple, use the same password as in the previous steps.
easy-rsa build-server-full MYSERVER
To generate the client certificates, run the following command. Choose an alias and a password, as before.
easy-rsa build-client-full CLIENT1
To export the client certificate and its private key in P12 format, run the following command, using the client alias created before:
easy-rsa export-p12 CLIENT1
You can find all generated certificates in the easy-rsa installation folder, as follows:
- pki/ca.crt
- pki/issued
- pki/private
Generate server side key-stores
Go to the EasyRSA root directory and create a keystore.jks. The keystore.jks key-store must contain MYSERVER’s (server) full key pair (private key + certificate) as well as every participant’s (client) certificate.
Import the ca.crt; this creates the keystore.jks keystore (the store password must match the keystore-password configured in WildFly below)
keytool -import -v -trustcacerts -alias MYCA -file pki/ca.crt -keystore keystore.jks -storepass storepwd
Import MYSERVER’s (server) certificate
keytool -import -v -trustcacerts -alias MYSERVER -file pki/issued/MYSERVER.crt -keystore keystore.jks -storepass storepwd
Import MYSERVER’s (server) private key. The P12 file must be exported first, as was done for CLIENT1 (easy-rsa export-p12 MYSERVER); the imported key entry gets the alias 1, which is the alias referenced in the WildFly configuration below
keytool -importkeystore -destkeystore keystore.jks -deststorepass storepwd -destkeypass storepwd -srckeystore pki/private/MYSERVER.p12 -srcstoretype PKCS12
Import CLIENT1’s (client) certificate
keytool -import -v -trustcacerts -alias CLIENT1 -file pki/issued/CLIENT1.crt -keystore keystore.jks -storepass storepwd
Do the same for all the other participants …
Generate also a key-store with only the CA certificate
keytool -import -v -trustcacerts -alias MYCA -file pki/ca.crt -keystore cacerts.jks -storepass storepwd
Configure the server side (WildFly)
Add a separate https-listener to the WildFly standalone.xml with required client authentication (verify-client="REQUIRED"); REQUESTED or NOT_REQUESTED would still admit clients that present no certificate
<https-listener name="https-external" socket-binding="https2" security-realm="ApplicationRealm" verify-client="REQUIRED" enabled-cipher-suites="ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256" enabled-protocols="TLSv1.2" enable-http2="true"/>
Add also a new entry for this binding
<socket-binding name="https2" port="${jboss.https.port:7083}"/>
Configure the security realm in WildFly to refer to the newly created keystore.jks (server identity) and cacerts.jks (truststore used to validate client certificates)
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="/home/gvoina/EasyRSA-v3.0.6/keystore.jks" keystore-password="storepwd" alias="1" />
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="/home/gvoina/EasyRSA-v3.0.6/cacerts.jks" keystore-password="storepwd"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
</security-realms>
Restart the application server.
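Before restarting, it is worth checking that the listener and realm really enforce what the guide intends. The following script is an added example (not part of the original guide and not a WildFly tool): it parses a standalone.xml fragment and flags the settings that silently weaken client-certificate authentication. The sample XML is constructed for the example; it contains the listener and realm from this guide plus a second, deliberately weakened listener (https-weak, realm NoTrustRealm) so the checks have something to report. Real standalone.xml files carry XML namespaces, which the helper strips.

```python
"""Audit WildFly (Undertow) https-listeners for mutual-TLS client authentication.
Added example; the XML below is a constructed sample, not a real server configuration."""
import xml.etree.ElementTree as ET

# Protocols we accept on a listener that performs client-certificate authentication.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

SAMPLE_XML = """<server>
  <security-realms>
    <security-realm name="ApplicationRealm">
      <server-identities>
        <ssl><keystore path="keystore.jks" keystore-password="storepwd" alias="1"/></ssl>
      </server-identities>
      <authentication>
        <truststore path="cacerts.jks" keystore-password="storepwd"/>
      </authentication>
    </security-realm>
    <security-realm name="NoTrustRealm">
      <server-identities>
        <ssl><keystore path="keystore.jks" keystore-password="storepwd" alias="1"/></ssl>
      </server-identities>
    </security-realm>
  </security-realms>
  <subsystem>
    <server name="default-server">
      <https-listener name="https-external" socket-binding="https2" security-realm="ApplicationRealm"
        verify-client="REQUIRED"
        enabled-cipher-suites="ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256"
        enabled-protocols="TLSv1.2" enable-http2="true"/>
      <https-listener name="https-weak" socket-binding="https3" security-realm="NoTrustRealm"
        verify-client="REQUESTED" enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"
        enabled-cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA,ECDHE-RSA-AES128-GCM-SHA256"/>
    </server>
  </subsystem>
</server>"""


def _local(tag):
    """Strip a namespace prefix: '{urn:jboss:domain:...}https-listener' -> 'https-listener'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, local_name):
    return [el for el in root.iter() if _local(el.tag) == local_name]


def _has_forward_secrecy(suite):
    """True for ECDHE/DHE suites (OpenSSL or IANA spelling) and for TLS 1.3 suites."""
    s = suite.upper()
    return s.startswith(("ECDHE", "DHE", "TLS_ECDHE", "TLS_DHE", "TLS_AES", "TLS_CHACHA20"))


def audit_listeners(xml_text):
    """Return {listener name: [findings]}; an empty list means the listener passed."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in _find_all(root, "security-realm")}
    findings = {}
    for lst in _find_all(root, "https-listener"):
        issues = []
        # Undertow's default is NOT_REQUESTED; only REQUIRED refuses clients without a certificate.
        vc = lst.get("verify-client", "NOT_REQUESTED")
        if vc != "REQUIRED":
            issues.append(f"verify-client is {vc}: clients without a certificate are still admitted")
        protos = lst.get("enabled-protocols")
        if protos is None:
            issues.append("enabled-protocols not set: the server default may include TLSv1/TLSv1.1")
        else:
            for p in (x.strip() for x in protos.split(",")):
                if p not in ALLOWED_PROTOCOLS:
                    issues.append(f"legacy protocol enabled: {p}")
        suites = lst.get("enabled-cipher-suites")
        if suites:
            for s in (x.strip() for x in suites.split(",")):
                if not _has_forward_secrecy(s):
                    issues.append(f"cipher suite without forward secrecy: {s}")
        realm = realms.get(lst.get("security-realm"))
        if realm is None:
            issues.append(f"security-realm {lst.get('security-realm')!r} is not defined")
        else:
            if not _find_all(realm, "keystore"):
                issues.append("realm has no server-identities/ssl/keystore")
            # Without a truststore the realm has no CA to validate client certificates against.
            if not _find_all(realm, "truststore"):
                issues.append("realm has no authentication/truststore: client certificates cannot be validated")
        findings[lst.get("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_listeners(SAMPLE_XML).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against your own standalone.xml by reading the file into audit_listeners; the guide's https-external listener comes back clean, while the constructed https-weak listener is flagged for REQUESTED client verification, TLSv1 and TLSv1.1, an RSA key-exchange suite, and a realm with no truststore.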
Configure the client side (SoapUI)
Configure SoapUI for the VTBLAOL0 client
Change directory to the root EasyRSA directory. Create a client keystore holding CLIENT1’s (client) private key and certificate, imported from the P12 file exported earlier (the certificate alone is not enough for client authentication, the client must be able to sign the handshake with its private key)
keytool -importkeystore -destkeystore client1.jks -deststorepass storepwd -destkeypass storepwd -srckeystore pki/private/CLIENT1.p12 -srcstoretype PKCS12
Copy also the cacerts.jks to the client machine
Set the client keystore in SoapUI
File -> Preferences -> SSL Settings
Set “Keystore” and “Keystore Password” to the location of client1.jks and the password storepwd
Add the SSL keystore to the project of our client WSDL (we assume it is already imported into a new project). Double-click the project (WSMessageGatewayImpl in my case) to open the project configuration panel.
Project Properties -> WS-Security Configurations -> Keystores
add the client1.jks
On the request for which we want to use client authentication, under “Request Properties” -> “SSL Keystore” select client1.jks
Add the truststore to the project of our client WSDL (we assume it is already imported into a new project)
Project Properties -> WS-Security Configurations -> Truststores
add the cacerts.jks
Access the Webservice endpoint using the new https-listener
https://localhost:7083/mms/WSMessageGatewayImpl
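The same call can be made from a script, which is handy for checking the listener without SoapUI. The following is an added example (not part of the original guide, not SoapUI code): a Python standard-library client that trusts only the EasyRSA CA, requires TLS 1.2 or newer, presents CLIENT1’s key pair, and posts a SOAP 1.1 envelope to the endpoint above. The PEM paths are the ones EasyRSA writes (pki/ca.crt, pki/issued/CLIENT1.crt, pki/private/CLIENT1.key); the operation body is a hypothetical placeholder, because the guide names the service but not its operations, and server_name="MYSERVER" assumes the server certificate was issued for that name, as in the build-server-full step.

```python
"""Mutual-TLS SOAP call using the EasyRSA PEM files. Added example; not part of the guide."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_client_context(ca_file=None, cert_file=None, key_file=None):
    """TLS policy matching the https-external listener: trust only our own CA,
    insist on TLS 1.2 or newer, and present the client certificate when one is given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject servers whose certificate is not issued by our CA
    ctx.check_hostname = True             # the server certificate must match server_name below
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # pki/ca.crt, same content as cacerts.jks
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)   # CLIENT1 key pair
    return ctx


def soap_envelope(body_xml):
    """Wrap an operation body in a SOAP 1.1 envelope."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def post_soap(url, envelope, ctx, server_name, soap_action=""):
    """POST the envelope over mTLS and return (HTTP status, response body, server subject).
    server_name is the name the server certificate was issued for (MYSERVER in the guide);
    it may differ from the host we actually connect to (localhost)."""
    parts = urlsplit(url)
    port = parts.port or 443
    raw = socket.create_connection((parts.hostname, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=server_name)   # handshake happens here
    conn = http.client.HTTPConnection(parts.hostname, port)
    conn.sock = tls   # hand the already-authenticated socket to http.client
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{soap_action}"'}
    conn.request("POST", parts.path or "/", body=envelope.encode("utf-8"), headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    peer_subject = tls.getpeercert().get("subject", ())
    conn.close()
    return resp.status, body, peer_subject


if __name__ == "__main__":
    ctx = build_client_context("pki/ca.crt", "pki/issued/CLIENT1.crt", "pki/private/CLIENT1.key")
    # Hypothetical operation body; replace with an operation from the WSMessageGatewayImpl WSDL.
    env = soap_envelope('<ping xmlns="urn:example:placeholder"/>')
    status, body, peer = post_soap("https://localhost:7083/mms/WSMessageGatewayImpl",
                                   env, ctx, server_name="MYSERVER")
    print(status, peer)
    print(body[:500])
```

A useful negative check is to build the context with only the CA file (no cert_file) and call post_soap again: with verify-client="REQUIRED" the handshake must fail, which confirms the listener does not fall back to accepting anonymous clients.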