The PicketLink Identity Provider can be easily configured to support SSL.
Most of the configuration is done on the container side, where you first need to enable and properly configure SSL/HTTPS.
The first thing you should do is create the certificates, the keystore and the truststore that will be used throughout the configuration.
Create a certificate for your server using the following command:
keytool -genkey -alias server -keyalg RSA -keystore server.keystore -storepass change_it -validity 365
You'll be prompted for some additional information; you can provide the values you want.
Now, let's create the client certificate, which you'll use to authenticate against the server when accessing a resource through SSL.
keytool -genkey -alias client -keystore client.keystore -storepass change_it -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
Now we need to export the client's certificate and create a truststore by importing this certificate:
keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass change_it -alias client -keypass change_it -file client.cer
keytool -import -file client.cer -alias client -keystore client.truststore
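The keystore steps above, collected into one non-interactive function as an added example (this is not code from the PicketLink page or project). It assumes keytool is on PATH; the -dname values and the target directory argument are constructed placeholders, and -dname replaces the interactive prompts the page describes. It also ends with a check the page does not show: that the truststore holds the client alias and that the client store holds a private key, not only a certificate.

```shell
#!/bin/sh
# Added example, not part of the original page or the PicketLink project.
# Assumptions: keytool is installed; -dname values are constructed placeholders.
set -e

# make_keystores DIR
# Builds server.keystore, client.keystore (PKCS12), client.cer and
# client.truststore inside DIR, then verifies the result.
make_keystores() {
    dir="$1"
    pass="change_it"   # same placeholder password as the page; change it in real deployments
    mkdir -p "$dir"

    # Server identity: RSA key pair, self-signed, valid for one year.
    # -dname avoids the interactive prompts; -keypass keeps keytool from asking twice.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -keystore "$dir/server.keystore" -storepass "$pass" -keypass "$pass" \
        -validity 365 -dname "CN=localhost, OU=IDP, O=Example"

    # Client identity in a PKCS12 store (the format browsers and curl can import).
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -storetype pkcs12 \
        -keystore "$dir/client.keystore" -storepass "$pass" -keypass "$pass" \
        -validity 365 -dname "CN=client, OU=IDP, O=Example"

    # Export only the client's public certificate ...
    keytool -exportcert -alias client -storetype pkcs12 \
        -keystore "$dir/client.keystore" -storepass "$pass" -file "$dir/client.cer"

    # ... and import it into the truststore the connector's ca-certificate-file
    # attribute points at. -noprompt skips the "Trust this certificate?" question.
    keytool -importcert -alias client -file "$dir/client.cer" \
        -keystore "$dir/client.truststore" -storepass "$pass" -noprompt

    # Verification: the truststore must list the client alias, and the client
    # keystore must contain a PrivateKeyEntry (a certificate alone cannot
    # authenticate anyone).
    keytool -list -keystore "$dir/client.truststore" -storepass "$pass" | grep -q '^client,'
    keytool -list -keystore "$dir/client.keystore" -storetype pkcs12 -storepass "$pass" | grep -q 'PrivateKeyEntry'
}
```

Run it as `make_keystores /path/to/jboss/standalone/configuration` so the files land where the `${jboss.server.config.dir}` references in the connector expect them; the function exits non-zero if either verification fails.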
Now that the certificates and keystores are in place, you need to change your server installation to enable SSL. Add the following connector to the web subsystem:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="localhost-ssl" key-alias="server" password="change_it" certificate-key-file="${jboss.server.config.dir}/server.keystore" protocol="TLSv1" verify-client="want" ca-certificate-file="${jboss.server.config.dir}/client.truststore"/>
</connector>
You can now restart your server and check if it is responding at https://localhost:8443.
If everything is OK, the browser will ask you to trust the server certificate.
Add the following security domain to your server installation. If you're in standalone mode, add this to the JBOSS_HOME/standalone/configuration/standalone.xml:
<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="CertificateRoles" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="securityDomain" value="idp"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
        </login-module>
        <login-module code="UsersRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="users.properties"/>
            <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="change_it" keystore-url="${jboss.server.config.dir}/server.keystore" truststore-password="change_it" truststore-url="${jboss.server.config.dir}/server.keystore" client-auth="true"/>
</security-domain>
The configuration above first tries to validate any certificate the client presents. If no certificate was provided or certificate authentication fails, it falls back to user/password authentication.
In order to authenticate your users using their certificates you must configure the IDP with the SSLClientAuthentication attribute:
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SSLClientAuthentication="true">
    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
</PicketLinkIDP>
This attribute tells the IDP that SSL requests must be validated. If the validation fails, the configured authentication method is used as a fallback. This means you can have your application configured for FORM authentication while still supporting CLIENT_CERT.
You can use this configuration:
for clients who do not want to make use of certificates
for when the client certificate expires
to allow clients to log in for the first time without a certificate
to allow different "user-levels" - high security vs. low security, with different functions available
Take a look at the following quickstart:
https://github.com/picketlink2/picketlink-quickstarts/tree/master/saml/idp-ssl