[WFLY-18475] moves README.adoc to README-source.adoc; syncs versions properties; simplifies basic testing
emmartins committed Mar 25, 2024
1 parent aa89803 commit 8560879
Showing 4 changed files with 45 additions and 116 deletions.
Expand Up @@ -12,5 +12,6 @@ jobs:
uses: ./.github/workflows/quickstart_ci.yml
with:
QUICKSTART_PATH: helloworld-mutual-ssl-secured
SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443/
TEST_PROVISIONED_SERVER: true
TEST_OPENSHIFT: false
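Review bot: the new `SERVER_PROVISIONING_SERVER_HOST` value carries a trailing slash (`https://localhost:8443/`) while the README attribute added in this same commit (`:server_provisioning_server_host: https://localhost:8443`) does not; pick one form so the CI value and the documented value are identical and string comparisons or URL concatenation downstream do not produce `//`.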
133 changes: 32 additions & 101 deletions helloworld-mutual-ssl-secured/README-source.adoc
Expand Up @@ -32,88 +32,24 @@ include::../shared-doc/add-application-user.adoc[leveloffset=+1]

IMPORTANT: For the purpose of this quickstart the password can contain any valid value because the `ApplicationRealm` will be used for authorization only, for example, to obtain the security roles.

[[set_up_client_keystore_using_java_keytool]]
== Set Up the Client Keystore Using Java Keytool
// Back Up the {productName} Standalone Server Configuration
include::../shared-doc/back-up-server-standalone-configuration.adoc[leveloffset=+1]
// Start the {productName} Standalone Server
include::../shared-doc/start-the-standalone-server.adoc[leveloffset=+1]

. Open a terminal and navigate to the {productName} server `configuration` directory:
+
[source,subs="+quotes,attributes+",options="nowrap"]
----
$ cd __{jbossHomeName}__/standalone/configuration/
----
[[set_up_client_keystore_using_java_keytool]]
== Set Up the Client Keystore

. Create the client certificate, which is used to authenticate against the server when accessing a resource through TLS.
+
[source,options="nowrap"]
----
$>keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
What is your first and last name?
[Unknown]: quickstartUser
What is the name of your organizational unit?
[Unknown]: Sales
What is the name of your organization?
[Unknown]: My Company
What is the name of your City or Locality?
[Unknown]: Sao Paulo
What is the name of your State or Province?
[Unknown]: Sao Paulo
What is the two-letter country code for this unit?
[Unknown]: BR
Is CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR correct?
[no]: yes
----

+
Notice that it sets the `first and last name` to `quickstartUser` and that this matches the user that was added to the `ApplicationRealm`. When authorizing access to a resource, the CN (common name) of the client's certificate is extracted by a principal decoder and this name is then used by the `ApplicationRealm` to obtain the client's roles.

. Export the client certificate and create a truststore by importing this certificate.
+
[source,options="nowrap"]
[source,subs="+quotes,attributes+", options="nowrap"]
----
$>keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass secret -keypass secret -file client.crt
$>keytool -import -file client.crt -alias quickstartUser -keystore client.truststore -storepass secret
Owner: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
Issuer: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
Serial number: 7fd95ce4
Valid from: Mon Jul 24 16:14:03 BRT 2017 until: Tue Jul 24 16:14:03 BRT 2018
Certificate fingerprints:
MD5: 87:41:C5:CC:E6:79:91:F0:9D:90:AD:9E:DD:57:81:80
SHA1: 55:35:CA:B0:DC:DD:4F:E6:B8:9F:45:4B:4B:98:93:B5:3B:7C:55:84
SHA256: 0A:FC:93:B6:25:5A:74:42:B8:A1:C6:5F:69:88:72:7F:27:A9:81:B0:17:0C:F1:AF:3D:DE:B7:E5:F1:69:66:4B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 84 BE C6 32 BB 2B 13 4C 7F 5D D4 C4 C8 22 12 ....2.+.L.]...".
0010: CB 09 39 09 ..9.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-client-cert.cli
----
+
It is worth noticing that the client certificate was imported under the `quickstartUser` alias. When authenticating a client in a `CLIENT_CERT` configuration, the CN (common name) of the client's certificate is extracted by a principal decoder and this name is then used by the `KeyStoreRealm` to match an alias in the trust store. If a trusted certificate is found under this alas, the client is considered authenticated.

. Export client certificate to pkcs12 format.
+
[source,options="nowrap"]
----
$>keytool -importkeystore -srckeystore client.keystore -srcstorepass secret -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass secret
----
NOTE: For Windows, use the `__{jbossHomeName}__\bin\jboss-cli.bat` script.

. The certificate and keystore are now properly configured.

// Back Up the {productName} Standalone Server Configuration
include::../shared-doc/back-up-server-standalone-configuration.adoc[leveloffset=+1]
// Start the {productName} Standalone Server
include::../shared-doc/start-the-standalone-server.adoc[leveloffset=+1]
The certificate and keystore are now properly configured.

[[configure_the_server]]
== Configure the Server
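Review bot: the `jboss-cli.sh --connect --file=configure-client-cert.cli` line at the end of the second keytool block is mixed into the listing of keytool output (it follows `Certificate was added to keystore` inside the same `----` block); it is a separate action that needs a running server, so give it its own numbered step and code block, and move the Windows `jboss-cli.bat` NOTE next to it instead of after the pkcs12 export block where it currently sits. Two consecutive `[source,...]` attribute lines also precede that block; keep only the one with `subs="+quotes,attributes+"`, which the `__{jbossHomeName}__` substitution needs. Finally, `alas` in the `KeyStoreRealm` paragraph should read `alias`.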
Expand Down Expand Up @@ -157,7 +93,7 @@ After stopping the server, open the `__{jbossHomeName}__/standalone/configuratio
<key-store name="qsTrustStore">
<credential-reference clear-text="secret"/>
<implementation type="JKS"/>
<file path="client.truststore" relative-to="jboss.server.config.dir"/>
<file path="server.truststore" relative-to="jboss.server.config.dir"/>
</key-store>
----

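Review bot: the truststore path in `qsTrustStore` is changed from `client.truststore` to `server.truststore`, but the keytool step earlier in this README still writes `client.truststore` (`keytool -import ... -keystore client.truststore`) and `BasicRuntimeIT` still loads `client.truststore` from the configuration directory; unless the CLI script creates `server.truststore`, the server will reference a file that is never generated. Rename consistently in all three places or revert this line.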
Expand Down Expand Up @@ -233,22 +169,22 @@ It maps the `client_cert_domain` from the quickstart application to the `http-au
[[test_the_server_ssl_configuration]]
== Test the Server TLS Configuration

To test the TLS configuration, access: https://localhost:8443
To test the TLS configuration, start {productName} and access: https://localhost:8443

If it is configured correctly, you should be asked to trust the server certificate.

[[import_the_client_certificate_into_your_browser]]
== Import the Certificate into Your Browser

Before you access the application, you must import the _clientCert.p12_, which holds the client certificate, into your browser.
Before you access the application, you must import the _client.keystore.P12_, which holds the client certificate, into your browser.

[[import_the_client_certificate_into_google_chrome]]
=== Import the Certificate into Google Chrome

. Click the Chrome menu icon (3 dots) in the upper right on the browser toolbar and choose *Settings*. This takes you to `link:`chrome://settings/`.
. Click on *Privacy and security* and then on *Security*.
. Scroll down to the *Advanced* section and on the *Manage certificates* screen, select the *Your Certificates* tab and click on the *Import* button.
. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`.
. Select the *client.keystore.p12* file. You will be prompted to enter the password: `secret`.
. The client certificate is now installed in the Google Chrome browser.

[[import_the_client_certificate_into_mozilla_firefox]]
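Review bot: the replacement file name is inconsistent in case within this hunk: `_client.keystore.P12_` in the intro sentence versus `*client.keystore.p12*` in the Chrome step; on a case-sensitive file system these are different files. The keytool step earlier still exports the PKCS12 bundle with `-destkeystore clientCert.p12`, so whichever name is kept here must also be applied to that `-destkeystore` argument.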
Expand All @@ -258,14 +194,14 @@ Before you access the application, you must import the _clientCert.p12_, which h
. A new window will open. Click on *Privacy & Security* and scroll down to the *Certificates* section.
. Click the *View Certificates* button.
. A new window will open. Select the *Your Certificates* tab and click the *Import* button.
. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`.
. Select the *client.keystore.p12* file. You will be prompted to enter the password: `secret`.
. The certificate is now installed in the Mozilla Firefox browser.

// Build and Deploy the Quickstart
include::../shared-doc/build-and-deploy-the-quickstart.adoc[leveloffset=+1]

// Additional deployment information
If mutual TLS is configured properly and the WAR application is secured, you will be able to access the application only if the DN of client certificate, for example `clientCert.p12`, is same as the one defined in `app-roles.properties` file. Otherwise, it will result in an HTTP error status code of `403 Access Denied/Forbidden`.
If mutual TLS is configured properly and the WAR application is secured, you will be able to access the application only if the DN of client certificate, for example `client.keystore.p12`, is same as the one defined in `app-roles.properties` file. Otherwise, it will result in an HTTP error status code of `403 Access Denied/Forbidden`.

== Access the Application

Expand All @@ -292,6 +228,9 @@ dzXZz0EjjWCPJk+LVEhEvH0GcWAp3x3irpNU4hRZLd0XomY0Z4NnUt7VMBNYDOxVxgT9qcLnEaEpIfYU
ynfnMaOxI67FC2QzhfzERyKqHj47WuwN0xWbS/1gBypS2nUwvItyxaEQG2X5uQY8j8QoY9wcMzIIkP2Mk14gJGHUnA8=
----

// Server Distribution Testing
:extraStandardDistTestParams: -Dserver.dir=__{jbossHomeName}__
include::../shared-doc/run-integration-tests-with-server-distribution.adoc[leveloffset=+2]
// Undeploy the Quickstart
include::../shared-doc/undeploy-the-quickstart.adoc[leveloffset=+1]

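Review bot: "the DN of client certificate, for example `client.keystore.p12`" conflates the keystore file with the certificate's Distinguished Name; what is matched against `app-roles.properties` is the CN (`quickstartUser`) that the principal decoder extracts, as the setup section explains. Suggest: "only if the CN of the client certificate (the one stored in `client.keystore.p12`) matches the user defined in `app-roles.properties`". The new `:extraStandardDistTestParams: -Dserver.dir=__{jbossHomeName}__` line matches the `server.dir` property the test now reads, which is good.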
Expand All @@ -313,6 +252,13 @@ include::../shared-doc/restore-standalone-server-configuration-manual.adoc[level

== Remove the keystores and certificates created for this quickstart

. Run the CLI script to restore client cert configuration:
+
[source,subs="+quotes,attributes+",options="nowrap"]
----
$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=restore-client-cert.cli
----
+
. Open a terminal and navigate to the {productName} server `configuration` directory:
+
[source,subs="+quotes,attributes+",options="nowrap"]
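Review bot: the `+` on the line directly before `. Open a terminal and navigate to the {productName} server ...` is an Asciidoc list continuation with nothing attached and will render as a literal `+`; drop it. The new `restore-client-cert.cli` step also restores server configuration rather than removing keystores, so it reads better under the preceding "restore the server configuration" section than under "Remove the keystores and certificates".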
Expand All @@ -322,7 +268,7 @@ $ cd __{jbossHomeName}__/standalone/configuration/
+
NOTE: For Windows, use the `__{jbossHomeName}__\bin\standalone.bat` script.

. Remove the `clientCert.p12`, `client.crt`, and `client.truststore` files that were generated for this quickstart.
. Remove the `client.keystore.P12`, `clientCert.crt`, and `server.truststore` files that were generated for this quickstart.

[[remove_the_client_certificate_from_your_browser]]
== Remove the Client Certificate from Your Browser
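Review bot: the cleanup list now names `client.keystore.P12`, `clientCert.crt` and `server.truststore`, but the setup section's keytool commands create `client.keystore`, `client.crt`, `client.truststore` and `clientCert.p12`; align this list with the names actually generated, otherwise users are told to delete files that do not exist while the real ones are left behind.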
Expand All @@ -346,26 +292,11 @@ After you are done with this quickstart, remember to remove the certificate that
. Select the *quickstartUser* certificate and click the *Delete* button.
. The certificate has now been removed from the Mozilla Firefox browser.

// Run the Quickstart in Red Hat CodeReady Studio or Eclipse
include::../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc[leveloffset=+1]

// Additional Red Hat CodeReady Studio instructions
* Make sure you configure the keystores and client certificates as described under xref:set_up_client_keystore_using_java_keytool[Set Up the Client Keystore Using Java Keytool].
* Depending on the browser you choose, make sure you either xref:import_the_client_certificate_into_google_chrome[import the certificate into Google Chrome] or xref:import_the_client_certificate_into_mozilla_firefox[import the certificate into Mozilla Firefox].
* Make sure you configure the server by running the JBoss CLI commands as described above under xref:configure_the_server[Configure the Server]. Stop the server at the end of that step.
* In {JBDSProductName}, choose *Window* –> *Web Browser*, then select the browser you chose to import the certificate.
* To deploy the application, right-click on the *{artifactId}* project and choose *Run As* –> *Run on Server*.
* Make sure you xref:restore_the_server_configuration[restore the {productName} server configuration] when you have completed testing this quickstart.

// Debug the Application
include::../shared-doc/debug-the-application.adoc[leveloffset=+1]

//*************************************************
// Product Release content only
//*************************************************
ifdef::ProductRelease[]
// Build and run sections for other environments/builds
ifndef::ProductRelease,EAPXPRelease[]
:server_provisioning_server_host: https://localhost:8443
include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1]
endif::[]

// Quickstart not compatible with OpenShift
include::../shared-doc/openshift-incompatibility.adoc[leveloffset=+1]
endif::[]
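Review bot: the conditional structure at the end of this hunk needs checking: `ifdef::ProductRelease[]` is followed by `ifndef::ProductRelease,EAPXPRelease[]` ... `endif::[]` and then a second `endif::[]`. If the `ifdef::ProductRelease[]` line survives the change, the provisioned-server include inside the `ifndef` can never render for any build (it is nested in a block that only renders for product releases, and excluded there), and if it does not survive, the trailing `endif::[]` is unmatched. Confirm which opener each `endif::[]` pairs with. Dropping the CodeReady Studio list is fine; its cross-references pointed at the old `Set Up the Client Keystore Using Java Keytool` heading that this commit renames.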
13 changes: 6 additions & 7 deletions helloworld-mutual-ssl-secured/pom.xml
Expand Up @@ -44,12 +44,12 @@
</licenses>

<properties>
<!-- Version for the server -->
<version.server>31.0.0.Beta1</version.server>
<!-- The versions for BOMs, Packs and Plugins -->
<!-- the version for the Server -->
<version.server>31.0.0.Final</version.server>
<!-- the versions for BOMs, Packs and Plugins -->
<version.bom.ee>${version.server}</version.bom.ee>
<version.pack.cloud>5.0.0.Final</version.pack.cloud>
<version.plugin.wildfly>4.2.1.Final</version.plugin.wildfly>
<version.pack.cloud>6.0.0.Final</version.pack.cloud>
<version.plugin.wildfly>5.0.0.Beta3</version.plugin.wildfly>
</properties>

<repositories>
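Review bot: `version.plugin.wildfly` is pinned to the pre-release `5.0.0.Beta3` while `version.server` moves to `31.0.0.Final` and `version.pack.cloud` to `6.0.0.Final`; a Beta plugin in an otherwise Final set should be noted in the commit message or replaced by a Final release when available. The capitalisation-only change to the two comments (`The versions` to `the versions`) is churn and could be left out.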
Expand Down Expand Up @@ -151,11 +151,10 @@
<scope>test</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient -->
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
<scope>test</scope>
</dependency>

</dependencies>
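Review bot: the rendered diff leaves the fate of `<version>4.5.13</version>` on the `org.apache.httpcomponents:httpclient` dependency ambiguous next to the `mvnrepository.com` comment and the `test` scope. If the explicit version is being removed so that the BOM manages it, confirm that the BOM referenced by `version.bom.ee` actually manages `httpclient`; otherwise the build fails with a missing version. If it stays, 4.5.13 is the HttpClient 4.x line that the `HttpGet`/`HttpClient` imports in `BasicRuntimeIT` depend on, so it should not be bumped to 5.x without changing the test.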
Expand Down
Expand Up @@ -53,6 +53,7 @@
public class BasicRuntimeIT {

private static final String DEFAULT_SERVER_HOST = "https://localhost:8443/helloworld-mutual-ssl-secured";
private static final String DEFAULT_SERVER_DIR = System.getProperty("user.dir") + "/target/server";

@Test
public void testHTTPEndpointIsAvailable() throws IOException, URISyntaxException, KeyStoreException {
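Review bot: `DEFAULT_SERVER_DIR` derives the provisioned server location from `user.dir` + `/target/server`, which holds when the failsafe plugin runs from the module directory but not when the test is launched from an IDE or a multi-module root with a different working directory; consider passing `${project.build.directory}` as a system property from the POM instead of relying on `user.dir`.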
Expand All @@ -63,17 +64,14 @@ public void testHTTPEndpointIsAvailable() throws IOException, URISyntaxException
if (serverHost == null) {
serverHost = DEFAULT_SERVER_HOST;
}
String serverDir = System.getenv("SERVER_HOME");
String serverDir = System.getProperty("server.dir");
if (serverDir == null) {
if (System.getProperty("jboss.server.config.dir").contains("target/server")) {
serverDir = System.getProperty("user.dir") + "/" + System.getProperty("jboss.server.config.dir");
} else {
serverDir = System.getProperty("jboss.server.config.dir");
}
serverDir = DEFAULT_SERVER_DIR;
}
String serverConfigDir = serverDir + "/standalone/configuration";
HttpGet request = new HttpGet(new URI(serverHost+"/"));
KeyStore trustStore = createTrustStore(serverDir, "application.keystore", "password", "server", "PKCS12");
final HttpClient client = getHttpClientWithSSL(new File(serverDir + "/client.keystore.P12"), "secret", "PKCS12", new File(serverDir + "/client.truststore"), "password", "PKCS12");
KeyStore trustStore = createTrustStore(serverConfigDir, "application.keystore", "password", "server", "PKCS12");
final HttpClient client = getHttpClientWithSSL(new File(serverConfigDir + "/client.keystore.P12"), "secret", "PKCS12", new File(serverConfigDir + "/client.truststore"), "password", "PKCS12");
HttpResponse response = client.execute(request);
assertEquals(200, response.getStatusLine().getStatusCode());
}
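Review bot: the test now loads `client.keystore.P12` (password `secret`) and `client.truststore` (password `password`) from `serverDir + "/standalone/configuration"`, but the README's keytool step creates `client.truststore` with `-storepass secret`, and the server configuration hunk in this commit renames the truststore to `server.truststore`; confirm which files and passwords the `configure-client-cert.cli` script actually produces and make the test, the README and the CLI agree. Replacing the `SERVER_HOME` environment lookup with the `server.dir` system property is a behavioural change for CI: the workflow file in this commit sets no `server.dir`, so CI silently falls back to `DEFAULT_SERVER_DIR`, which is worth a mention in the commit message.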
Expand Down
