Posted to users@activemq.apache.org by "Stefaniuk, Marcin " <ma...@credit-suisse.com> on 2018/04/18 08:45:11 UTC

Client certificate login to management console

I'm struggling to configure the Artemis 2.4.0 management console to use the same client-certificate-based JAAS realm.

CertLogin {
   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
        debug=true
        org.apache.activemq.jaas.textfiledn.user="certificate-users.properties"
        org.apache.activemq.jaas.textfiledn.role="certificate-roles.properties"
        reload=true;
};

I've reached the point where users that are not listed in certificate-users.properties are rejected, but those that are listed there are prompted for user/password on the default console form:

08:42:58,720 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:42:59,010 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for plugin
08:42:59,924 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is set to value false
08:42:59,925 INFO  [io.hawt.web.keycloak.KeycloakServlet] Keycloak integration is disabled
08:42:59,925 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for keycloak
08:43:00,012 DEBUG [io.hawt.system.ConfigManager] Property authenticationEnabled is set to value true
08:43:00,013 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is set to value false
08:43:00,013 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for user
08:43:00,157 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:00,204 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:01,730 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for refresh
08:43:02,784 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for img
08:43:02,853 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:03,068 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:11,646 DEBUG [io.hawt.web.RedirectFilter] Accessing /console/login, which isn't valid, returning index.html
08:43:12,448 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:12,669 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for plugin
08:43:13,717 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for keycloak
08:43:13,861 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for user
08:43:13,863 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:13,931 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:15,215 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for img
08:43:15,418 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
08:43:15,420 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia

The console configuration seems OK with clientAuth enabled:

<web keyStorePath="/tmp/host.net.jks" keyStorePassword="host.net" clientAuth="true" bind="https://host.net:8443" path="web" trustStorePath="/opt/truststore.jks" trustStorePassword="truststore">
  <app url="activemq-branding" war="activemq-branding.war"/>
  <app url="artemis-plugin" war="artemis-plugin.war"/>
  <app url="console" war="console.war"/>
</web>

Hawt.io logs the actual configuration, and the proper realm is mentioned here:

08:27:06,502 DEBUG [io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery] Realm explicit configured CertLogin. Apache Tomcat userdata authentication integration not in use.
08:27:06,502 INFO  [io.hawt.web.AuthenticationFilter] Starting hawtio authentication filter, JAAS realm: "CertLogin" authorized role(s): "amq" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"

The user I'm testing with has the amq role attached. The user certificate is presented with each request by default.

To verify that the JAAS configuration is OK, I connected to the broker using a technical certificate also listed in the same configuration file, and it was successful:

09:31:06,061 DEBUG [io.netty.handler.ssl.SslHandler] [id: 0x484ffd99, L:/10.205.36.164:61617 - R:/10.195.113.9:52093] HANDSHAKEN: TLS_RSA_WITH_AES_128_CBC_SHA256
09:31:06,153 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader] Initialized debug
09:31:06,154 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] Certificate for user: S113635
09:31:06,154 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] commit
09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader] Initialized debug
09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] Certificate for user: S113635
09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] commit
09:31:06,441 DEBUG [org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl] RemotingServiceImpl::removing connection ID 484ffd99

Is there a way to use certificate-based user login for the management console? If yes, what should I look into to fix this?

Kind regards
Marcin Stefaniuk
CREDIT SUISSE (POLAND) SP. Z O.O
Solution Architect | Messaging Engineering Warsaw, MITM 47
Atrium 2 | 00-849 Warsaw | Poland
marcin.stefaniuk@credit-suisse.com | www.credit-suisse.com

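As an added illustration (not code from the thread or from the Artemis project), the following Python simulates the decision a realm like the CertLogin one above makes for a presented client-certificate subject DN: it parses the JAAS realm block, reads the two properties files the module names, maps the DN to a user and the user to roles, and applies the console's authorized-role check for "amq". The properties formats (user=DN, an optional /regex/ DN, role=user1,user2), the file contents and every DN and user name are constructed assumptions modelled on the Artemis documentation. It is useful for separating two failure modes: a DN that the realm itself would reject (not listed, or listed without the authorized role) versus a console login path that never hands the certificate to the realm at all, which is what being prompted for a password as a listed user points to.

```python
"""Simulate a TextFileCertificateLoginModule-style realm decision for a
client-certificate subject DN, then apply the console's authorized-role check.

Added example, not Artemis code. Assumed file formats (from the Artemis docs):
  certificate-users.properties : user=<subject DN>   or   user=/<regex>/
  certificate-roles.properties : role=user1,user2
"""
import re

# Constructed copy of the realm from the thread (same module and option names).
JAAS_CONFIG = """
CertLogin {
   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
        debug=true
        org.apache.activemq.jaas.textfiledn.user="certificate-users.properties"
        org.apache.activemq.jaas.textfiledn.role="certificate-roles.properties"
        reload=true;
};
"""

# Constructed contents of the two properties files; DNs and users are made up.
FILES = {
    "certificate-users.properties": """
# user = subject DN of the client certificate (exact match, or /regex/)
S113635=CN=S113635,OU=Messaging,O=Example,C=PL
auditor=CN=auditor,OU=Audit,O=Example,C=PL
ops-team=/CN=ops-[0-9]+,OU=Messaging,O=Example,C=PL/
""",
    "certificate-roles.properties": """
# role = comma-separated list of users
amq=S113635,ops-team
readonly=auditor,S113635
""",
}


def parse_jaas_realm(text, realm):
    """Return [(module_class, control_flag, {option: value})] for one realm."""
    match = re.search(r"%s\s*\{(.*?)\};" % re.escape(realm), text, re.S)
    if match is None:
        raise KeyError("realm %r not found in JAAS config" % realm)
    modules = []
    for entry in match.group(1).split(";"):
        tokens = entry.split()
        if len(tokens) < 2:          # blank tail after the last ';'
            continue
        options = {}
        for token in tokens[2:]:
            key, _, value = token.partition("=")
            options[key] = value.strip('"')
        modules.append((tokens[0], tokens[1], options))
    return modules


def load_properties(text):
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments.
    Splitting on the first '=' keeps the '=' characters inside a DN intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def user_for_dn(users, subject_dn):
    """Map a presented subject DN to a user name; None means 'not listed'."""
    for user, pattern in users.items():
        if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
            if re.fullmatch(pattern[1:-1], subject_dn):
                return user
        elif pattern == subject_dn:
            return user
    return None


def roles_for_user(roles, user):
    """All roles whose member list names the user."""
    return sorted(role for role, members in roles.items()
                  if user in (m.strip() for m in members.split(",")))


def decide(subject_dn, realm="CertLogin", authorized_role="amq"):
    """Return (user, roles, allowed) for a certificate subject DN; 'allowed'
    mirrors the console's authorized-role check ("amq" in the thread's log)."""
    _cls, _flag, options = parse_jaas_realm(JAAS_CONFIG, realm)[0]
    users = load_properties(FILES[options["org.apache.activemq.jaas.textfiledn.user"]])
    roles = load_properties(FILES[options["org.apache.activemq.jaas.textfiledn.role"]])
    user = user_for_dn(users, subject_dn)
    if user is None:
        return None, [], False       # login fails: DN not in the user file
    granted = roles_for_user(roles, user)
    return user, granted, authorized_role in granted


if __name__ == "__main__":
    for dn in ("CN=S113635,OU=Messaging,O=Example,C=PL",
               "CN=ops-42,OU=Messaging,O=Example,C=PL",
               "CN=auditor,OU=Audit,O=Example,C=PL",
               "CN=stranger,OU=Messaging,O=Example,C=PL"):
        print(dn, "->", decide(dn))
```

Running the script prints one decision per constructed DN: the listed user with the amq role is allowed, the regex-mapped ops certificate is allowed, the auditor is mapped but lacks the authorized role, and the unlisted DN fails login outright. If a DN that this mapping accepts is still met with the console's password form, the realm mapping is not what needs fixing.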

Re: Client certificate login to management console

Posted by Justin Bertram <jb...@apache.org>.
The management console is served by an embedded instance of Jetty [1].
Therefore, if you want to configure the management console for certificate
based authentication you'll need to find out if Jetty itself supports this
functionality. I tend to doubt that Jetty supports certificate based
authentication because I have looked for this myself and I've not found
anything. Looking at their JAAS code[2] I see no evidence that they are
even attempting to handle this use-case. Google searches have only turned
up SSL/TLS configuration information, not actual JAAS auth details.


Justin

[1] https://www.eclipse.org/jetty/
[2] https://github.com/eclipse/jetty.project/tree/jetty-9.4.x/jetty-jaas/src/main/java/org/eclipse/jetty/jaas
