From 309d2e5deb7e715029d0d05f8755eab2e5d22eb6 Mon Sep 17 00:00:00 2001 From: Prarthona Paul Date: Thu, 5 Oct 2023 12:30:58 -0400 Subject: [PATCH 1/2] [WFLY-18476] helloworld-mutual-ssl Quickstart Common Enhancements CY2023Q3 --- .../quickstart_helloworld-mutual-ssl_ci.yml | 17 +++ helloworld-mutual-ssl/README.adoc | 9 ++ .../configure-client-cert.cli | 19 +++ helloworld-mutual-ssl/configure-ssl.cli | 10 +- helloworld-mutual-ssl/pom.xml | 113 +++++++++++++++-- .../restore-client-certs.cli | 7 ++ .../restore-configuration.cli | 3 + .../helloworld_mutual_ssl/BasicRuntimeIT.java | 118 ++++++++++++++++++ .../helloworld_mutual_ssl/KeyStoreUtils.java | 59 +++++++++ 9 files changed, 346 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/quickstart_helloworld-mutual-ssl_ci.yml create mode 100644 helloworld-mutual-ssl/configure-client-cert.cli create mode 100644 helloworld-mutual-ssl/restore-client-certs.cli create mode 100644 helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java create mode 100644 helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/KeyStoreUtils.java diff --git a/.github/workflows/quickstart_helloworld-mutual-ssl_ci.yml b/.github/workflows/quickstart_helloworld-mutual-ssl_ci.yml new file mode 100644 index 0000000000..b8bbca1994 --- /dev/null +++ b/.github/workflows/quickstart_helloworld-mutual-ssl_ci.yml @@ -0,0 +1,17 @@ +name: WildFly helloworld-mutual-ssl Quickstart CI + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + paths: + - 'helloworld-mutual-ssl/**' + - '.github/workflows/quickstart_ci.yml' + +jobs: + call-quickstart_ci: + uses: ./.github/workflows/quickstart_ci.yml + with: + QUICKSTART_PATH: helloworld-mutual-ssl + SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443/ + TEST_PROVISIONED_SERVER: true + TEST_OPENSHIFT: false \ No newline at end of file 
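Review bot: `SERVER_PROVISIONING_SERVER_HOST` is given with a trailing slash, `https://localhost:8443/`, while BasicRuntimeIT in the same commit builds its request as `new URI(serverHost+"/")` and its own `DEFAULT_SERVER_HOST` has no trailing slash; if the reusable workflow passes this value through as `SERVER_HOST` (not visible here), the test requests `https://localhost:8443//`. Dropping the slash, `SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443`, would also match the `:server_provisioning_server_host: https://localhost:8443` attribute the README hunk adds. The file also ends without a trailing newline.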
diff --git a/helloworld-mutual-ssl/README.adoc b/helloworld-mutual-ssl/README.adoc index 751614a594..0606becf5e 100644 --- a/helloworld-mutual-ssl/README.adoc +++ b/helloworld-mutual-ssl/README.adoc @@ -232,6 +232,8 @@ DHo1uoz5/dzXZz0EjjWCPJk+LVEhEvH0GcWAp3x3irpNU4hRZLd0XomY0Z4NnUt7VMBNYDOxVxgT9qcL aEWK4zhPVFynfnMaOxI67FC2QzhfzERyKqHj47WuwN0xWbS/1gBypS2nUwvItyxaEQG2X5uQY8j8QoY9wcMzIIkP2Mk14gJGHUnA8= ---- +// Server Distribution Testing +include::../shared-doc/run-integration-tests-with-server-distribution.adoc[leveloffset=+2] // Undeploy the Quickstart include::../shared-doc/undeploy-the-quickstart.adoc[leveloffset=+1] // Restore the {productName} Standalone Server Configuration @@ -288,6 +290,7 @@ After you are done with this quickstart, remember to remove the certificate that // Run the Quickstart in Red Hat Studio or Eclipse include::../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc[leveloffset=+1] + // Additional Red Hat CodeReady Studio instructions * Make sure you configure the keystore and client certificate as described under xref:set_up_client_keystore_using_java_keytool[Set Up the Client Keystore Using Java Keytool]. * Depending on the browser you choose, make sure you either xref:import_the_client_certificate_into_google_chrome[import the certificate into Google Chrome] or xref:import_the_client_certificate_into_mozilla_firefox[import the certificate into Mozilla Firefox]. @@ -309,6 +312,12 @@ $ mvn dependency:resolve -Dclassifier=javadoc //************************************************* // Product Release content only //************************************************* +// Build and run sections for other environments/builds +ifndef::ProductRelease,EAPXPRelease[] +:server_provisioning_server_host: https://localhost:8443 +include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1] +endif::[] + ifdef::ProductRelease[] // Quickstart not compatible with OpenShift 
diff --git a/helloworld-mutual-ssl/configure-client-cert.cli b/helloworld-mutual-ssl/configure-client-cert.cli
new file mode 100644
index 0000000000..6f851c2fef
--- /dev/null
+++ b/helloworld-mutual-ssl/configure-client-cert.cli
@@ -0,0 +1,19 @@
+# Configure the client's keystore. This will be used to generate the client's certificate.
+# The path to the keystore file doesn’t actually have to exist yet.
+/subsystem=elytron/key-store=clientKS:add(path=client.keystore.P12, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)
+
+# Generate a new key pair for the client. We'll use an RSA key of size 2048 and we'll use CN=quickstartUser
+/subsystem=elytron/key-store=clientKS:generate-key-pair(alias=quickstartUser, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="cn=quickstartUser")
+
+# Export the client's certificate to a file called clientCert.crt
+/subsystem=elytron/key-store=clientKS:export-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true)
+
+# Create the server's truststore
+/subsystem=elytron/key-store=serverTS:add(path=server.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)
+
+# Import the client certificate into the server's truststore
+/subsystem=elytron/key-store=serverTS:import-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, validate=false)
+
+# Persist the changes we've made to the client's keystore and the server's truststore
+/subsystem=elytron/key-store=serverTS:store()
+/subsystem=elytron/key-store=clientKS:store()
diff --git a/helloworld-mutual-ssl/configure-ssl.cli b/helloworld-mutual-ssl/configure-ssl.cli
index e1b79efee2..33fe78c80e 100644
--- a/helloworld-mutual-ssl/configure-ssl.cli
+++ b/helloworld-mutual-ssl/configure-ssl.cli
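Review bot: `import-certificate(... validate=false)` turns off chain validation without a comment saying why; the certificate was self-signed by this script two commands earlier, so there is no chain to check, and that reasoning belongs on the line, e.g. `# validate=false: the certificate is self-signed and was generated by this script, so there is no chain to verify`. Unlike configure-ssl.cli these commands are not wrapped in `batch`/`run-batch`, so a failure part-way (say at `generate-key-pair`) leaves clientKS or serverTS defined without the aliases that restore-client-certs.cli later tries to remove. The comments also never state that the client's private key is generated on, and stored in, the server's configuration directory as `client.keystore.P12`, which is the file the README's browser-import steps now tell the user to load; a one-line note on `clientKS:add` would make that explicit.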
@@ -4,17 +4,23 @@ batch # Add the keystore and trust manager configuration in the elytron subsystem -/subsystem=elytron/key-store=qsTrustStore:add(path=client.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret}) +/subsystem=elytron/key-store=qsTrustStore:add(path=server.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=qsTrustManager:add(key-store=qsTrustStore) # Update the default server-ssl-context to reference the new trust-manager and require client auth /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=trust-manager, value=qsTrustManager) /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=need-client-auth, value=true) +# Generate the server's certificate +/subsystem=elytron/key-store=applicationKS:generate-key-pair(alias=server, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=password}, distinguished-name="cn=localhost") + +# Store the key-pair in a keystore file +/subsystem=elytron/key-store=applicationKS:store() + # Run the batch commands run-batch # Reload the server configuration -reload +#reload diff --git a/helloworld-mutual-ssl/pom.xml b/helloworld-mutual-ssl/pom.xml index ba65c4563b..21bb460409 100644 --- a/helloworld-mutual-ssl/pom.xml +++ b/helloworld-mutual-ssl/pom.xml @@ -29,6 +29,16 @@ 6 + + + + 31.0.0.Beta1 + + ${version.server} + 5.0.0.Beta1 + 4.2.1.Final + + helloworld-mutual-ssl 31.0.0.Final-SNAPSHOT war @@ -43,11 +53,6 @@ - - - 31.0.0.Beta1 - - jboss-public-maven-repository @@ -109,7 +114,7 @@ org.wildfly.bom wildfly-ee-with-tools - ${version.server.bom} + ${version.bom.ee} pom import @@ -117,7 +122,6 @@ - jakarta.enterprise 
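Review bot: The trailing `reload` becomes `#reload` with no explanation, although the batch still writes `trust-manager` and `need-client-auth` on applicationSSC, which leaves the server in reload-required state after the script runs; if the reload is now the caller's job (the provisioning build or the README steps), say so, e.g. `# reload deliberately omitted: the caller reloads once configure-client-cert.cli has also been applied`, otherwise delete the line rather than commenting it out. The new `generate-key-pair(alias=server, ...)` on applicationKS presumably collides with the self-signed `server` entry the default key-manager creates lazily on first HTTPS use; I cannot confirm that from the hunk, but a comment stating that the script expects a fresh server would make the assumption visible.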
@@ -140,5 +144,100 @@ provided + + + junit + junit + test + + + + + org.apache.httpcomponents + httpclient + 4.5.13 + + + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.plugin.wildfly} + + + + + + + + provisioned-server + + + + org.wildfly.plugins + wildfly-maven-plugin + + + + org.wildfly:wildfly-galleon-pack:${version.server} + + + + + cloud-server + undertow-https + + + + + + + + + + false + + + + ROOT.war + + + + + package + + + + + + + + + integration-testing + + + + org.apache.maven.plugins + maven-failsafe-plugin + + + **/BasicRuntimeIT + + + + + + integration-test + verify + + + + + + + + diff --git a/helloworld-mutual-ssl/restore-client-certs.cli b/helloworld-mutual-ssl/restore-client-certs.cli new file mode 100644 index 0000000000..bd5cebbae0 --- /dev/null +++ b/helloworld-mutual-ssl/restore-client-certs.cli @@ -0,0 +1,7 @@ +# Remove the keypairs and certificates from the keystore and truststore +/subsystem=elytron/key-store=serverTS:remove-alias(alias=quickstartUser) +/subsystem=elytron/key-store=clientKS:remove-alias(alias=quickstartUser) + +# Remove the keystore and truststore +/subsystem=elytron/key-store=serverTS:remove +/subsystem=elytron/key-store=clientKS:remove \ No newline at end of file diff --git a/helloworld-mutual-ssl/restore-configuration.cli b/helloworld-mutual-ssl/restore-configuration.cli index 4e7c56191b..0ea41d0be0 100644 --- a/helloworld-mutual-ssl/restore-configuration.cli +++ b/helloworld-mutual-ssl/restore-configuration.cli @@ -3,6 +3,9 @@ # Start batching commands batch +# Remove the keypair with the alias server from the application keystore +/subsystem=elytron/key-store=applicationKS:remove-alias(alias=server) + # Remove the changes that were made to the default server-ssl-context /subsystem=elytron/server-ssl-context=applicationSSC:undefine-attribute(name=trust-manager) /subsystem=elytron/server-ssl-context=applicationSSC:undefine-attribute(name=need-client-auth) 
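Review bot: The httpclient test dependency carries an inline `4.5.13` while every other version this commit introduces goes through the new properties block (`${version.server}`, `${version.bom.ee}`, `${version.plugin.wildfly}`); a `version.httpclient` property would keep the pom consistent, or, if the `wildfly-ee-with-tools` BOM already manages httpclient, the explicit version can go. The element names have been lost in this rendering, so I cannot tell whether the dependency is `test`-scoped like the junit entry just above it; it should be, since only BasicRuntimeIT uses it.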
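Review bot: The two `remove-alias` calls on serverTS and clientKS are never followed by `:store()`, so the removal stays in memory and `client.keystore.P12` / `server.truststore` on disk still hold the client private key and certificate when the next two lines remove the key-store resources; either add `/subsystem=elytron/key-store=clientKS:store()` and `/subsystem=elytron/key-store=serverTS:store()` after the remove-alias lines, or drop the remove-alias lines and rely on the README's manual file deletion, and say which in the comment. The `key-store=serverTS:remove` will presumably also be refused while a trust-manager references serverTS (which is the case once patch 2 points qsTrustManager at it), so restore-configuration.cli has to run before this script. The file also ends without a trailing newline.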
diff --git a/helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java b/helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java
new file mode 100644
index 0000000000..eca8b33784
--- /dev/null
+++ b/helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java
@@ -0,0 +1,118 @@ +/* + * Copyright 2023 JBoss by Red Hat. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.jboss.as.quickstarts.helloworld_mutual_ssl; + +import org.junit.Test; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.KeyStore; +import java.security.KeyStoreException; + +import org.apache.http.client.HttpClient; +import org.apache.http.config.Registry; +import org.apache.http.config.RegistryBuilder; +import org.apache.http.conn.socket.ConnectionSocketFactory; +import org.apache.http.conn.socket.PlainConnectionSocketFactory; +import org.apache.http.conn.ssl.NoopHostnameVerifier; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.impl.conn.DefaultSchemePortResolver; +import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.http.ssl.SSLContexts; +import javax.net.ssl.SSLContext; +import org.apache.http.client.methods.HttpGet; +import org.apache.http.HttpResponse; + +import static org.jboss.as.quickstarts.helloworld_mutual_ssl.KeyStoreUtils.loadKeyPairFromKeyStore; +import static org.junit.Assert.assertEquals; + +/** + * The very basic runtime integration testing. 
+ * @author Prarthona Paul + * @author emartins + */ +public class BasicRuntimeIT { + + private static final String DEFAULT_SERVER_HOST = "https://localhost:8443/helloworld-mutual-ssl"; + + @Test + public void testHTTPEndpointIsAvailable() throws IOException, InterruptedException, URISyntaxException, KeyStoreException { + String serverHost = System.getenv("SERVER_HOST"); + if (serverHost == null) { + serverHost = System.getProperty("server.host"); + } + if (serverHost == null) { + serverHost = DEFAULT_SERVER_HOST; + } + String serverDir = System.getenv("SERVER_HOME"); + if (serverDir == null) { + if (System.getProperty("jboss.server.config.dir").contains("target/server")) { + serverDir = System.getProperty("user.dir") + "/" + System.getProperty("jboss.server.config.dir"); + } else { + serverDir = System.getProperty("jboss.server.config.dir"); + } + } + HttpGet request = new HttpGet(new URI(serverHost+"/")); + KeyStore trustStore = loadKeyPairFromKeyStore(serverDir, "application.keystore", "password", "server", "PKCS12"); + final HttpClient client = getHttpClientWithSSL(new File(serverDir + "/client.keystore.P12"), "secret", "PKCS12", new File(serverDir + "/client.truststore"), "password", "PKCS12"); + HttpResponse response = client.execute(request); + assertEquals(200, response.getStatusLine().getStatusCode()); + } + + public HttpClient getHttpClientWithSSL(File keyStoreFile, String keyStorePassword, String keyStoreProvider, + File trustStoreFile, String trustStorePassword, String trustStoreProvider) { + + try { + KeyStore trustStore = KeyStore.getInstance(trustStoreProvider); + try (FileInputStream fis = new FileInputStream(trustStoreFile)) { + trustStore.load(fis, trustStorePassword.toCharArray()); + } + SSLContextBuilder sslContextBuilder = SSLContexts.custom() + .setProtocol("TLS") + .loadTrustMaterial(trustStore, null); + if (keyStoreFile != null) { + KeyStore keyStore = KeyStore.getInstance(keyStoreProvider); + try (FileInputStream fis = new 
FileInputStream(keyStoreFile)) { + keyStore.load(fis, keyStorePassword.toCharArray()); + } + sslContextBuilder.loadKeyMaterial(keyStore, keyStorePassword.toCharArray(), null); + } + SSLContext sslContext = sslContextBuilder.build(); + SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE); + + Registry registry = RegistryBuilder.create() + .register("http", PlainConnectionSocketFactory.getSocketFactory()) + .register("https", socketFactory) + .build(); + + return HttpClientBuilder.create() + .setSSLSocketFactory(socketFactory) +// .setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) + .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) + .setConnectionManager(new PoolingHttpClientConnectionManager(registry)) + .setSchemePortResolver(new DefaultSchemePortResolver()) + .build(); + + } catch (Exception e) { + throw new RuntimeException("Creating HttpClient with customized SSL failed.", e); + } + } +} \ No newline at end of file diff --git a/helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/KeyStoreUtils.java b/helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/KeyStoreUtils.java new file mode 100644 index 0000000000..b18cc9080d --- /dev/null +++ b/helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/KeyStoreUtils.java 
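Review bot: `getHttpClientWithSSL` installs `NoopHostnameVerifier.INSTANCE` twice (on the `SSLConnectionSocketFactory` and again via `setSSLHostnameVerifier`), so any certificate in the truststore is accepted for any host; configure-ssl.cli generates the server certificate with `distinguished-name="cn=localhost"` and the test targets localhost, so `SSLConnectionSocketFactory.getDefaultHostnameVerifier()` should pass in both places, and the commented-out `.setHostnameVerifier(...ALLOW_ALL_HOSTNAME_VERIFIER)` line is dead code to delete. In `testHTTPEndpointIsAvailable`, when neither `SERVER_HOME` nor `jboss.server.config.dir` is set, `System.getProperty("jboss.server.config.dir").contains(...)` fails with a bare NullPointerException; read the property once and fail with a message, `if (configDir == null) throw new IllegalStateException("set SERVER_HOME or -Djboss.server.config.dir");`. The `trustStore` local assigned from `loadKeyPairFromKeyStore` is never read — the call exists only for its side effect of writing `client.truststore`, which the next line opens — so a comment should say so, and `InterruptedException` in the throws clause is never thrown. Generic type arguments appear to have been stripped in this rendering, so I am not raising the raw `Registry` types.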
@@ -0,0 +1,59 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2020 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.jboss.as.quickstarts.helloworld_mutual_ssl; + +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.FileNotFoundException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.cert.Certificate; + +/** + * An interface to obtain the certificate from a keystore file and create s truststore. 
+ * + * @author Prarthona Paul + */ + +public class KeyStoreUtils { + + public static KeyStore loadKeyPairFromKeyStore(String serverDir, String keyStoreFile, String storePassword, String keyAlias, String keyStoreType) throws KeyStoreException { + FileInputStream stream = findFile(serverDir + "/" + keyStoreFile); + try { + KeyStore keyStore = KeyStore.getInstance(keyStoreType); + keyStore.load(stream, storePassword.toCharArray()); + Certificate cert = keyStore.getCertificate(keyAlias); + KeyStore trustStore = keyStore.getInstance(keyStoreType); + trustStore.load(null, null); + trustStore.setCertificateEntry("server", cert); + trustStore.store(new FileOutputStream(serverDir + "/" + "client.truststore"), storePassword.toCharArray()); + return trustStore; + } catch (Exception e) { + throw new KeyStoreException(e.getMessage()); + } + } + + public static FileInputStream findFile(String keystoreFile) { + try { + return new FileInputStream(keystoreFile); + } catch (FileNotFoundException e) { + throw new RuntimeException(e); + } + } +} From 6b83c2739680a3a13a7ffa5e5bc7dbe6b009e678 Mon Sep 17 00:00:00 2001 From: Prarthona Paul Date: Wed, 20 Dec 2023 11:26:13 -0500 Subject: [PATCH 2/2] Replaced old client cert generation instructions with instructions to use a CLI script instead of keytool --- helloworld-mutual-ssl/README.adoc | 81 +++---------------- helloworld-mutual-ssl/configure-ssl.cli | 3 +- ...ient-certs.cli => restore-client-cert.cli} | 0 .../restore-configuration.cli | 2 +- 4 files changed, 13 insertions(+), 73 deletions(-) rename helloworld-mutual-ssl/{restore-client-certs.cli => restore-client-cert.cli} (100%) diff --git a/helloworld-mutual-ssl/README.adoc b/helloworld-mutual-ssl/README.adoc index 0606becf5e..dde052d914 100644 --- a/helloworld-mutual-ssl/README.adoc +++ b/helloworld-mutual-ssl/README.adoc 
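Review bot: `loadKeyPairFromKeyStore` leaks two handles: the `FileInputStream` returned by `findFile` is never closed, and neither is the `FileOutputStream` handed to `trustStore.store(...)`, so `client.truststore` may stay open (and on Windows locked) for the rest of the test run. The `catch (Exception e)` rethrows `new KeyStoreException(e.getMessage())`, which drops the cause and stack trace, and a missing alias reaches `setCertificateEntry("server", null)` instead of producing a clear error; `keyStore.getInstance(...)` also calls a static method through an instance. The name promises a key pair but the method writes and returns a truststore holding only the certificate, and the Javadoc reads "create s truststore"; a name like `exportServerCertificateToTrustStore` and the wording "create a truststore" would be accurate. The rewrite below uses try-with-resources and keeps the cause; it makes `findFile` unused, so that helper can be removed as well.
```java
public static KeyStore loadKeyPairFromKeyStore(String serverDir, String keyStoreFile, String storePassword, String keyAlias, String keyStoreType) throws KeyStoreException {
    char[] password = storePassword.toCharArray();
    try (FileInputStream in = new FileInputStream(serverDir + "/" + keyStoreFile)) {
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(in, password);
        Certificate cert = keyStore.getCertificate(keyAlias);
        if (cert == null) {
            throw new KeyStoreException("No certificate with alias '" + keyAlias + "' in " + keyStoreFile);
        }
        KeyStore trustStore = KeyStore.getInstance(keyStoreType);
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", cert);
        // close the output before returning so the file is flushed and unlocked
        try (FileOutputStream out = new FileOutputStream(serverDir + "/" + "client.truststore")) {
            trustStore.store(out, password);
        }
        return trustStore;
    } catch (KeyStoreException e) {
        throw e;
    } catch (Exception e) {
        throw new KeyStoreException(e); // keep the cause instead of only its message
    }
}
```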
@@ -28,74 +28,13 @@ include::../shared-doc/system-requirements.adoc[leveloffset=+1] include::../shared-doc/use-of-jboss-home-name.adoc[leveloffset=+1] [[set_up_client_keystore_using_java_keytool]] -== Set Up the Client Keystore Using Java Keytool - -. Open a terminal and navigate to the {productName} server `configuration` directory: -+ -[source,subs="+quotes,attributes+",options="nowrap"] ----- -$ cd __{jbossHomeName}__/standalone/configuration/ ----- +== Set Up the Client Keystore . Create the client certificate, which is used to authenticate against the server when accessing a resource through TLS. + -[source,options="nowrap"] ----- -$>keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12 - -What is your first and last name? - [Unknown]: quickstartUser -What is the name of your organizational unit? - [Unknown]: Sales -What is the name of your organization? - [Unknown]: My Company -What is the name of your City or Locality? - [Unknown]: Sao Paulo -What is the name of your State or Province? - [Unknown]: Sao Paulo -What is the two-letter country code for this unit? - [Unknown]: BR -Is CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR correct? - [no]: yes ----- - -. 
Export the client certificate and create a truststore by importing this certificate: -+ -[source,options="nowrap"] ----- -$>keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass secret -keypass secret -file client.crt -$>keytool -import -file client.crt -alias quickstartUser -keystore client.truststore -storepass secret - -Owner: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR -Issuer: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR -Serial number: 7fd95ce4 -Valid from: Mon Jul 24 16:14:03 BRT 2017 until: Tue Jul 24 16:14:03 BRT 2018 -Certificate fingerprints: - MD5: 87:41:C5:CC:E6:79:91:F0:9D:90:AD:9E:DD:57:81:80 - SHA1: 55:35:CA:B0:DC:DD:4F:E6:B8:9F:45:4B:4B:98:93:B5:3B:7C:55:84 - SHA256: 0A:FC:93:B6:25:5A:74:42:B8:A1:C6:5F:69:88:72:7F:27:A9:81:B0:17:0C:F1:AF:3D:DE:B7:E5:F1:69:66:4B - Signature algorithm name: SHA256withRSA - Version: 3 - -Extensions: - -#1: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: 95 84 BE C6 32 BB 2B 13 4C 7F 5D D4 C4 C8 22 12 ....2.+.L.]...". -0010: CB 09 39 09 ..9. -] -] - -Trust this certificate? [no]: yes -Certificate was added to keystore ----- - -. Export client certificate to pkcs12 format -+ -[source,options="nowrap"] +[source,subs="+quotes,attributes+",options="nowrap"] ---- -$>keytool -importkeystore -srckeystore client.keystore -srcstorepass secret -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass secret +$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-client-cert.cli ---- . The certificate and keystore are now properly configured. 
@@ -185,7 +124,7 @@ If it is configured correctly, you should be asked to trust the server certifica [[import_the_client_certificate_into_your_browser]] == Import the Client Certificate into Your Browser -Before you access the application, you must import the _clientCert.p12_, which holds the client certificate, into your browser. +Before you access the application, you must import the _client.keystore.P12_, which holds the client certificate, into your browser. [[import_the_client_certificate_into_google_chrome]] === Import the Client Certificate into Google Chrome @@ -193,7 +132,7 @@ Before you access the application, you must import the _clientCert.p12_, which h . Click the Chrome menu icon (3 dots) in the upper right on the browser toolbar and choose *Settings*. This takes you to `link:`chrome://settings/`. . Click on *Privacy and security* and then on *Security*. . Scroll down to the *Advanced* section and on the *Manage certificates* screen, select the *Your Certificates* tab and click on the *Import* button. -. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`. +. Select the *client.keystore.P12* file. You will be prompted to enter the password: `secret`. . The client certificate is now installed in the Google Chrome browser. [[import_the_client_certificate_into_mozilla_firefox]] @@ -203,7 +142,7 @@ Before you access the application, you must import the _clientCert.p12_, which h . A new window will open. Click on *Privacy & Security* and scroll down to the *Certificates* section. . Click the *View Certificates* button. . A new window will open. Select the *Your Certificates* tab and click the *Import* button. -. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`. +. Select the *client.keystore.P12* file. You will be prompted to enter the password: `secret`. . The certificate is now installed in the Mozilla Firefox browser. // Build and Deploy the Quickstart 
@@ -255,14 +194,16 @@ include::../shared-doc/restore-standalone-server-configuration-manual.adoc[level == Remove the keystores and certificates created for this quickstart -. Open a terminal and navigate to the {productName} server `configuration` directory: +. Run the CLI script for restoring client cert configuration: + [source,subs="+quotes,attributes+",options="nowrap"] ---- -$ cd __{jbossHomeName}__/standalone/configuration/ +$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=restore-client-cert.cli ---- ++ +NOTE: For Windows, use the `__{jbossHomeName}__\bin\jboss-cli.bat` script. -. Remove the `clientCert.p12`, `client.crt`, `client.keystore`, and `client.truststore` files that +. Remove the `client.keystore.P12`, `clientCert.crt`, `client.keystore`, and `client.truststore` files that were generated for this quickstart. [[remove_the_client_certificate_from_your_browser]] diff --git a/helloworld-mutual-ssl/configure-ssl.cli b/helloworld-mutual-ssl/configure-ssl.cli index 33fe78c80e..27826c0d84 100644 --- a/helloworld-mutual-ssl/configure-ssl.cli +++ b/helloworld-mutual-ssl/configure-ssl.cli @@ -4,8 +4,7 @@ batch # Add the keystore and trust manager configuration in the elytron subsystem -/subsystem=elytron/key-store=qsTrustStore:add(path=server.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret}) -/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=qsTrustStore) +/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=serverTS) # Update the default server-ssl-context to reference the new trust-manager and require client auth /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=trust-manager, value=qsTrustManager) diff --git a/helloworld-mutual-ssl/restore-client-certs.cli b/helloworld-mutual-ssl/restore-client-cert.cli similarity index 100% rename from helloworld-mutual-ssl/restore-client-certs.cli rename to helloworld-mutual-ssl/restore-client-cert.cli 
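Review bot: `trust-manager=qsTrustManager:add(key-store=serverTS)` now references a key-store this script never defines; `serverTS` is created by configure-client-cert.cli, so configure-ssl.cli silently depends on that script having run first and the batch fails with an unresolved key-store otherwise. Document the ordering at the top of the script, e.g. `# Requires configure-client-cert.cli to have been run first: it creates key-store=serverTS, which the trust-manager below references.` The same ordering applies in reverse on the restore side, where restore-configuration.cli must remove qsTrustManager before restore-client-cert.cli removes serverTS; a matching comment in both restore scripts would save users from a failed `remove`.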
diff --git a/helloworld-mutual-ssl/restore-configuration.cli b/helloworld-mutual-ssl/restore-configuration.cli index 0ea41d0be0..7c42fd367d 100644 --- a/helloworld-mutual-ssl/restore-configuration.cli +++ b/helloworld-mutual-ssl/restore-configuration.cli @@ -5,6 +5,7 @@ batch # Remove the keypair with the alias server from the application keystore /subsystem=elytron/key-store=applicationKS:remove-alias(alias=server) +/subsystem=elytron/key-store=applicationKS:store() # Remove the changes that were made to the default server-ssl-context /subsystem=elytron/server-ssl-context=applicationSSC:undefine-attribute(name=trust-manager) @@ -12,7 +13,6 @@ batch # Remove the trust manager and keystore configuration from the elytron subsystem /subsystem=elytron/trust-manager=qsTrustManager:remove -/subsystem=elytron/key-store=qsTrustStore:remove # Run the batch commands run-batch