Replaced old client cert generation instructions with instructions to…

… use a CLI script instead of keytool

helloworld-mutual-ssl-secured/README.adoc

@@ -33,79 +33,13 @@ include::../shared-doc/add-application-user.adoc[leveloffset=+1]
 IMPORTANT: For the purpose of this quickstart the password can contain any valid value because the `ApplicationRealm` will be used for authorization only, for example, to obtain the security roles.
 
 [[set_up_client_keystore_using_java_keytool]]
-== Set Up the Client Keystore Using Java Keytool
-
-. Open a terminal and navigate to the {productName} server `configuration` directory:
-+
-[source,subs="+quotes,attributes+",options="nowrap"]
-----
-$ cd __{jbossHomeName}__/standalone/configuration/
-----
+== Set Up the Client Keystore
 
 . Create the client certificate, which is used to authenticate against the server when accessing a resource through TLS.
 +
-[source,options="nowrap"]
-----
-$>keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
-
-What is your first and last name?
-    [Unknown]:  quickstartUser
-What is the name of your organizational unit?
-    [Unknown]:  Sales
-What is the name of your organization?
-    [Unknown]:  My Company
-What is the name of your City or Locality?
-    [Unknown]:  Sao Paulo
-What is the name of your State or Province?
-    [Unknown]:  Sao Paulo
-What is the two-letter country code for this unit?
-    [Unknown]:  BR
-Is CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR correct?
-    [no]:  yes
-----
-
-+
-Notice that it sets the `first and last name` to `quickstartUser` and that this matches the user that was added to the `ApplicationRealm`. When authorizing access to a resource, the CN (common name) of the client's certificate is extracted by a principal decoder and this name is then used by the `ApplicationRealm` to obtain the client's roles.
-
-. Export the client certificate and create a truststore by importing this certificate.
-+
-[source,options="nowrap"]
-----
-$>keytool -exportcert -keystore client.keystore  -storetype pkcs12 -storepass secret -keypass secret -file client.crt
-$>keytool -import -file client.crt -alias quickstartUser -keystore server.truststore -storepass secret
-
-Owner: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
-Issuer: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
-Serial number: 7fd95ce4
-Valid from: Mon Jul 24 16:14:03 BRT 2017 until: Tue Jul 24 16:14:03 BRT 2018
-Certificate fingerprints:
-     MD5:  87:41:C5:CC:E6:79:91:F0:9D:90:AD:9E:DD:57:81:80
-     SHA1: 55:35:CA:B0:DC:DD:4F:E6:B8:9F:45:4B:4B:98:93:B5:3B:7C:55:84
-     SHA256: 0A:FC:93:B6:25:5A:74:42:B8:A1:C6:5F:69:88:72:7F:27:A9:81:B0:17:0C:F1:AF:3D:DE:B7:E5:F1:69:66:4B
-     Signature algorithm name: SHA256withRSA
-     Version: 3
-
-Extensions:
-
-#1: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: 95 84 BE C6 32 BB 2B 13   4C 7F 5D D4 C4 C8 22 12  ....2.+.L.]...".
-0010: CB 09 39 09                                        ..9.
-]
-]
-
-Trust this certificate? [no]:  yes
-Certificate was added to keystore
-----
-+
-It is worth noticing that the client certificate was imported under the `quickstartUser` alias. When authenticating a client in a `CLIENT_CERT` configuration, the CN (common name) of the client's certificate is extracted by a principal decoder and this name is then used by the `KeyStoreRealm` to match an alias in the trust store. If a trusted certificate is found under this alas, the client is considered authenticated.
-
-. Export client certificate to pkcs12 format.
-+
-[source,options="nowrap"]
+[source,subs="+quotes,attributes+", options="nowrap"]
 ----
-$>keytool -importkeystore -srckeystore client.keystore -srcstorepass secret -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass secret
+$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-ssl.cli
 ----
 
 . The certificate and keystore are now properly configured.
@@ -130,7 +64,7 @@ You configure the SSL context and required security domain by running JBoss CLI
 +
 [source,subs="+quotes,attributes+",options="nowrap"]
 ----
-$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-ssl.cli
+$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-client-cert.cli
 ----
 +
 NOTE: For Windows, use the `__{jbossHomeName}__\bin\jboss-cli.bat` script.
@@ -240,15 +174,15 @@ If it is configured correctly, you should be asked to trust the server certifica
 [[import_the_client_certificate_into_your_browser]]
 == Import the Certificate into Your Browser
 
-Before you access the application, you must import the _clientCert.p12_, which holds the client certificate, into your browser.
+Before you access the application, you must import the _client.keystore.P12_, which holds the client certificate, into your browser.
 
 [[import_the_client_certificate_into_google_chrome]]
 === Import the Certificate into Google Chrome
 
 . Click the Chrome menu icon (3 dots) in the upper right on the browser toolbar and choose *Settings*. This takes you to `link:`chrome://settings/`.
 . Click on *Privacy and security* and then on *Security*.
 . Scroll down to the *Advanced* section and on the *Manage certificates* screen, select the *Your Certificates* tab and click on the *Import* button.
-. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`.
+. Select the *client.keystore.p12* file. You will be prompted to enter the password: `secret`.
 . The client certificate is now installed in the Google Chrome browser.
 
 [[import_the_client_certificate_into_mozilla_firefox]]
@@ -258,14 +192,14 @@ Before you access the application, you must import the _clientCert.p12_, which h
 . A new window will open. Click on *Privacy & Security* and scroll down to the *Certificates* section.
 . Click the *View Certificates* button.
 . A new window will open. Select the *Your Certificates* tab and click the *Import* button.
-. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`.
+. Select the *client.keystore.p12* file. You will be prompted to enter the password: `secret`.
 . The certificate is now installed in the Mozilla Firefox browser.
 
 // Build and Deploy the Quickstart
 include::../shared-doc/build-and-deploy-the-quickstart.adoc[leveloffset=+1]
 
 // Additional deployment information
-If mutual TLS is configured properly and the WAR application is secured, you will be able to access the application only if the DN of client certificate, for example `clientCert.p12`, is same as the one defined in `app-roles.properties` file. Otherwise, it will result in an HTTP error status code of `403 Access Denied/Forbidden`.
+If mutual TLS is configured properly and the WAR application is secured, you will be able to access the application only if the DN of client certificate, for example `client.keystore.p12`, is same as the one defined in `app-roles.properties` file. Otherwise, it will result in an HTTP error status code of `403 Access Denied/Forbidden`.
 
 == Access the Application
 
@@ -315,6 +249,13 @@ include::../shared-doc/restore-standalone-server-configuration-manual.adoc[level
 
 == Remove the keystores and certificates created for this quickstart
 
+. Run the CLI script to restore client cert configuration: 
++
+[source,subs="+quotes,attributes+",options="nowrap"]
+----
+$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=restore-client-cert.cli
+----
++
 . Open a terminal and navigate to the {productName} server `configuration` directory:
 +
 [source,subs="+quotes,attributes+",options="nowrap"]
@@ -324,7 +265,7 @@ $ cd __{jbossHomeName}__/standalone/configuration/
 +
 NOTE: For Windows, use the `__{jbossHomeName}__\bin\standalone.bat` script.
 
-. Remove the `clientCert.p12`, `client.crt`, and `server.truststore` files that were generated for this quickstart.
+. Remove the `client.keystore.P12`, `clientCert.crt`, and `server.truststore` files that were generated for this quickstart.
 
 [[remove_the_client_certificate_from_your_browser]]
 == Remove the Client Certificate from Your Browser

helloworld-mutual-ssl-secured/configure-ssl.cli

@@ -3,16 +3,15 @@
 # Start batching commands
 batch
 
-# Add the keystore and trust manager configuration in the elytron subsystem
-/subsystem=elytron/key-store=qsTrustStore:add(path=server.truststore,relative-to=jboss.server.config.dir,type=PKCS12,credential-reference={clear-text=secret})
-/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=qsTrustStore)
+# Add the trust manager configuration in the elytron subsystem
+/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=serverTS)
 
 # Update the default server-ssl-context to reference the new trust-manager and require client auth
 /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=trust-manager, value=qsTrustManager)
 /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=need-client-auth, value=true)
 
 # Add a keystore realm that relies on the truststore to authenticate requests
-/subsystem=elytron/key-store-realm=KeyStoreRealm:add(key-store=qsTrustStore)
+/subsystem=elytron/key-store-realm=KeyStoreRealm:add(key-store=serverTS)
 
 # Add an aggregate realm that uses the keystore realm for authentication and the application realm for authorization
 /subsystem=elytron/aggregate-realm=QuickstartRealm:add(authentication-realm=KeyStoreRealm,authorization-realm=ApplicationRealm)

helloworld-mutual-ssl-secured/restore-configuration.cli

@@ -5,6 +5,7 @@ batch
 
 # Remove the keypair with the alias server from the application keystore
 /subsystem=elytron/key-store=applicationKS:remove-alias(alias=server)
+/subsystem=elytron/key-store=applicationKS:store()
 
 # Remove the application-security-domain mapping that was added for the quickstart
 /subsystem=undertow/application-security-domain=client_cert_domain:remove
@@ -26,7 +27,6 @@ batch
 
 # Remove the trust manager and keystore configuration from the elytron subsystem
 /subsystem=elytron/trust-manager=qsTrustManager:remove
-/subsystem=elytron/key-store=qsTrustStore:remove
 
 # Run the batch commands
 run-batch