Monday, 18 October 2010

Portuguese Citizens' Card authentication on glassfish v3

Intro


To enable Citizen's Card authentication on the GlassFish server, the following steps are needed:

  1. Add the CAs used by the Portuguese state to sign the certificates on the card to the server's trust store.
  2. Configure the Client-Cert authentication realm.
  3. Define the security constraints in web.xml so that the application uses the realm created in the previous step.
Problems in Java version 1.6.20.
   Oracle has temporarily disabled SSL renegotiation as a quick workaround for a security disclosure, and GlassFish uses a renegotiation to request the client certificate when client authentication is not already required on the HTTPS listener. To re-enable it, go to Configuration -> JVM Settings -> JVM Options in the GlassFish web admin console and add the JVM option -Dsun.security.ssl.allowUnsafeRenegotiation=true .
   Then restart the GlassFish server.
   Keep in mind that this flag turns the insecure renegotiation back on for the whole JVM. Remove it as soon as you run on a JVM that supports secure renegotiation (RFC 5746), or avoid the renegotiation altogether by requiring client authentication on the HTTPS listener, so that the certificate is requested in the initial handshake.

1 - Adding the CA certificates to GlassFish
  1. Download all the .cer files from http://pki.cartaodecidadao.pt/ into a cc_cert directory.
  2. Use keytool to import all the certificates into the domain trust store (default password: changeit). Always use a different alias for each certificate, and answer Yes to "Trust this certificate?" for all of them.
keytool -import -trustcacerts -alias CC1 -file Cartao_de_Cidadao_001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Sign_1 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Sign_2 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0002.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Sign_3 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0003.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Sign_4 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0004.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Auth_1 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Auth_2 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0002.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Auth_3 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0003.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;
keytool -import -trustcacerts -alias CC_Auth_4 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0004.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks;

Two things to keep in mind. Only the authentication CAs (EC_de_Autenticacao_...) are strictly needed for TLS client authentication, since the card presents its authentication certificate, not its qualified-signature certificate. More importantly, cacerts.jks already contains the public CAs shipped with the JDK, and the certificate realm configured below accepts any client certificate that chains to any CA in that trust store, so a client certificate issued by one of those public CAs would also be accepted and placed in the pteid group. Remove the CAs you do not need (keytool -delete) or point GlassFish at a dedicated trust store that contains only the Cartão de Cidadão CAs, and check the result with keytool -list.

2 - Configure the certificate realm

  1. In the admin web console, open the certificate realm and add the group pteid to its assigned groups.
  2. If that gives an error, insert the configuration directly into the file domain.xml in the domain1/config directory: replace the line containing the certificate realm (auth-realm name="certificate") with the following.
<auth-realm name="certificate"
            classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm">
  <property name="assign-groups" value="pteid" />
</auth-realm>

3 - Define the security constraints on the application

The security constraints for the application are defined in web.xml; insert the following configuration:

  <security-constraint>
    <display-name>Portuguese EID authentication</display-name>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>pteid_id_role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description />
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <description>Certificate of Portuguese ID cards</description>
    <role-name>pteid_id_role</role-name>
  </security-role>

The role mapping is done in sun-web.xml, where the following configuration should be inserted so that the pteid group assigned by the realm maps to the pteid_id_role role used in web.xml:

  <security-role-mapping>
    <role-name>pteid_id_role</role-name>
    <group-name>pteid</group-name>
  </security-role-mapping>
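The realm configured above puts every successfully authenticated certificate into the pteid group, so the application itself still has to check who issued the certificate and who the holder is. The following servlet filter is an added example, not part of the original post or of GlassFish: it reads the client certificate chain that the container exposes under the standard request attribute javax.servlet.request.X509Certificate, rejects any certificate whose issuer is not in a configured list, and passes the holder's subject DN on to the application. The init-param name allowed-issuer-dns, the ';' separator and the request attribute pteid.subjectDN are this example's own choices, and the issuer DNs themselves are an assumption to be filled in from the downloaded CA certificates (keytool -printcert shows them).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Runs after the container has completed CLIENT-CERT authentication.
 * The CertificateRealm assigns the "pteid" group to every certificate
 * that chains to any CA in cacerts.jks, so this filter narrows that
 * down to certificates issued by the Cartao de Cidadao authentication
 * CAs listed in the "allowed-issuer-dns" init-param (example's own name).
 */
public class CartaoDeCidadaoIssuerFilter implements Filter {

    // Issuer DNs accepted by this filter; filled from web.xml at startup.
    private final Set<X500Principal> allowedIssuers = new HashSet<X500Principal>();

    public void init(FilterConfig config) throws ServletException {
        // ASSUMPTION: DNs are given in RFC 2253 form, separated by ';'
        // (DNs contain commas, so a comma cannot be the separator).
        String param = config.getInitParameter("allowed-issuer-dns");
        if (param == null || param.trim().length() == 0) {
            throw new ServletException("allowed-issuer-dns init-param is required");
        }
        for (String dn : param.split(";")) {
            if (dn.trim().length() > 0) {
                // X500Principal.equals compares canonical forms, so attribute
                // ordering and case differences in the string do not matter.
                allowedIssuers.add(new X500Principal(dn.trim()));
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // Standard Servlet attribute: element 0 is the client's own certificate.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            // Should not happen behind a CLIENT-CERT constraint, but fail closed.
            httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        X509Certificate holderCert = certs[0];
        if (!allowedIssuers.contains(holderCert.getIssuerX500Principal())) {
            // Chain validation against cacerts.jks already passed at the TLS
            // layer; what we refuse here is a certificate from some other
            // trusted CA that is not a Cartao de Cidadao authentication CA.
            httpResp.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "certificate not issued by a Cartao de Cidadao authentication CA");
            return;
        }

        // Hand the holder's identity (subject DN) to the application.
        // Attribute name "pteid.subjectDN" is this example's own choice.
        req.setAttribute("pteid.subjectDN", holderCert.getSubjectX500Principal().getName());
        chain.doFilter(req, resp);
    }

    public void destroy() {
        allowedIssuers.clear();
    }
}
```

Register the filter in web.xml with a filter element carrying the allowed-issuer-dns init-param and a filter-mapping on /*; because the security constraint above already requires CLIENT-CERT and CONFIDENTIAL on /*, the filter never sees an unauthenticated request. The check is on the issuer name only, which is enough to distinguish the Cartão de Cidadão CAs from the other entries in cacerts.jks; the cryptographic validation of the chain remains the job of the TLS layer and the trust store.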
