#EasyRSA Certificate based authentication of #SoapUI client to a secure WebService running on #JBoss or #WildFly application server

By | March 1, 2019

The following is a very quick guide on how to set up EasyRSA certificate-based authentication (mutual TLS) of a SoapUI API client connecting to a WebService-based API that runs on JBoss or WildFly.

Generate a local CA with EasyRSA

Download and install easy-rsa – https://github.com/OpenVPN/easy-rsa

Go to the installation folder and change the following files:

  • x509-types/client
  • x509-types/server
  • vars

Generate Certificates Hierarchy

To initialize pki and build the CA root, use the following commands.

Choose a descriptive Common Name for the CA and a password when prompted. The default password to use when sending the generated certificates and keystores to all our clients should be storepwd.

To create the server certificate, run the following command. Choose an alias and a password. To keep things simple, use the same password as in the previous step.

To generate the client certificates, run the following command. Choose an alias and a password, as before.

To export the client certificate together with its private key in PKCS#12 (P12) format, run the following command, using the client_alias generated before:

You can find all generated certificates in the easy-rsa installation folder, as follows:

  • pki/ca.crt
  • pki/issued
  • pki/private

Generate server side key-stores

Go to the EasyRSA root directory and create a keystore.jks. The keystore.jks key-store must contain MYSERVER’s (server) full key pair (private key + certificate) as well as every participant’s (client) public certificate.

Import the ca.crt and generate the keystore.jks keystore

Import MYSERVER’s (server) public key

Import MYSERVER’s (server) private key

Import CLIENT1’s (client) public key

Do the same for all the other participants …

Generate also a key-store with only the CA certificate
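The keystore steps above, as an added example that is not part of the original post: a POSIX shell script that builds keystore.jks and cacerts.jks from the EasyRSA pki/ directory with openssl and keytool. It assumes the aliases MYSERVER and CLIENT1 (any pki/issued/CLIENT*.crt is picked up), the password storepwd, and the standard EasyRSA layout; because keytool cannot import a bare PEM private key, the separate "server public key" and "server private key" imports are done as one PKCS#12 import that carries key, certificate and CA chain together.

```shell
#!/bin/sh
# Added example, not from the original post: build the server keystore.jks and
# the CA-only cacerts.jks from an EasyRSA pki/ directory with openssl and keytool.
# Assumed (as in the post): aliases MYSERVER and CLIENT1, password storepwd, and
# the EasyRSA layout pki/ca.crt, pki/issued/<alias>.crt, pki/private/<alias>.key.
set -eu

PKI="${PKI:-pki}"
STOREPASS="${STOREPASS:-storepwd}"       # keystore password sent to clients
KEYPASS="${KEYPASS:-$STOREPASS}"         # EasyRSA private-key passphrase

# Server identity: keytool cannot import a bare PEM private key, so bundle the
# key, its certificate and the CA chain into PKCS#12 and import that as one entry.
import_server_identity() {   # $1 = server alias, $2 = target JKS
  alias="$1"; jks="$2"
  openssl pkcs12 -export -name "$alias" \
    -inkey "$PKI/private/$alias.key" -passin "pass:$KEYPASS" \
    -in "$PKI/issued/$alias.crt" -certfile "$PKI/ca.crt" \
    -out "$alias.p12" -passout "pass:$STOREPASS"
  keytool -importkeystore -noprompt \
    -srckeystore "$alias.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$jks" -deststorepass "$STOREPASS"
}

# Trusted certificate (the CA, or a client's public certificate): plain import.
import_trusted_cert() {      # $1 = alias, $2 = PEM certificate, $3 = target JKS
  keytool -importcert -noprompt -alias "$1" -file "$2" \
    -keystore "$3" -storepass "$STOREPASS"
}

# Succeeds when the JKS holds alias $2 as entry type $3
# (PrivateKeyEntry or trustedCertEntry); used to verify the result.
has_entry() {                # $1 = JKS, $2 = alias, $3 = expected entry type
  out=$(keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null) || return 1
  case "$out" in *"$3"*) return 0 ;; *) return 1 ;; esac
}

# keystore.jks: CA + server key pair + every client's public certificate.
# cacerts.jks: the CA certificate only (the trust store handed to clients).
build_stores() {
  rm -f keystore.jks cacerts.jks
  import_trusted_cert ca "$PKI/ca.crt" keystore.jks
  import_server_identity MYSERVER keystore.jks
  for crt in "$PKI"/issued/CLIENT*.crt; do
    [ -f "$crt" ] || continue
    import_trusted_cert "$(basename "$crt" .crt)" "$crt" keystore.jks
  done
  import_trusted_cert ca "$PKI/ca.crt" cacerts.jks
}
```

Run `build_stores` from the EasyRSA root, then `has_entry keystore.jks MYSERVER PrivateKeyEntry` and `has_entry cacerts.jks ca trustedCertEntry` confirm the two stores contain exactly what the server-side configuration expects.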

Configure the server side (WildFly)

Add a separate https-listener to WildFly standalone.xml with required client authentication (verify-client="REQUIRED").

Also add a new socket-binding entry for this listener.

Configure the security realm in WildFly to refer to the newly defined keystore.jks and cacerts.jks.

Restart the application server.

Configure the client side (SoapUI)

Configure SoapUI for the VTBLAOL0 client.

Change directory to the root EasyRSA directory. Create a client keystore and import CLIENT1’s (client) public key

Also copy cacerts.jks to the client machine.

Set the client keystore in SoapUI

File -> Preferences -> SSL Settings

Add “Keystore” and “Keystore Password” with the location of the client1.jks and password storepwd

Add the SSL keystore to the project of our client WSDL (we assume it is already imported in a new project). Double-click the project (WSMessageGatewayImpl in my case) to open the project configuration panel.

Project Properties -> WS-Security Configurations -> Keystores

Add client1.jks.

On the request that should use client authentication, under “Request Properties” -> “SSL Keystore” select client1.jks.

Add the truststore to the project of our client WSDL (we assume it is already imported in a new project).

Project Properties -> WS-Security Configurations -> Truststores

Add cacerts.jks.

Access the Webservice endpoint using the new https-listener
https://localhost:7083/mms/WSMessageGatewayImpl
