Red Hat SummitChapter 4. Using Elytron client default SSLcontext security provider in JBoss EAP clients
To make a Java Virtual Machine (JVM) use the Elytron client configuration to provide a default SSLcontext, you can use the WildFlyElytronClientDefaultSSLContextProvider. Use this provider to make your client libraries automatically use the Elytron client configuration when requesting the default SSLContext.
4.1. Elytron client default SSL context security provider
Elytron client provides a Java security provider, org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider, that you can use to register a Java virtual machine (JVM)-wide default SSL context.
The WildFlyElytronClientDefaultSSLContextProvider provider works as follows:
The provider instantiates the
SSLContextwhen theSSLContext.getDefault()method is called. TheSSLContextis initiated from the authentication context obtained from one of the following places:- Elytron client configuration file passed as an argument to the provider.
Automatically discovered
wildfly-config.xmlfile on the filesystem. For more information, see The Default Configuration Approach.A client configuration file passed as an argument to the provider has the precedence.
When the
SSLContext.getDefault()method is called, the JVM returns theSSLContextinstantiated by the provider.As the Elytron client can have multiple SSL contexts configured, rules are used to choose a single SSL context for the connection. The default SSL Context is the one that matches all rules. The provider returns this default SSL context.
If no default SSLContext is configured or no configuration is present, the provider will be ignored.
When you register the WildFlyElytronClientDefaultSSLContextProvider provider, all client libraries that use SSLContext.getDefault() method use the Elytron client configuration without having to use Elytron client APIs in their code.
To register the provider, you must add runtime dependency on the following artifacts:
-
wildfly-elytron-client -
wildfly-client-config
You can register the provider either programmatically, in your client code, or statically in the java.security file. Use programmatic registration when you want to decide dynamically what providers to register and use.
Registering the provider programmatically
You can register the provider programmatically in your client code as shown below:
Security.insertProviderAt(new WildFlyElytronClientDefaultSSLContextProvider(CONFIG_FILE_PATH), 1);Registering the provider statically
You can register the provider in the java.security file as shown below:
security.provider.1=org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider <CONFIG_FILE_PATH>Additional resources
4.2. Example of creating a client that loads the default SSL context
The following example demonstrates registering of the WildFlyElytronClientDefaultSSLContextProvider provider programmatically and using the SSLContext.getDefault() method to obtain the SSLContext initialized by an Elytron client. The example uses static client configuration supplied as an argument to the provider.
4.2.1. Creating a Maven project for JBoss EAP client
To create a client for applications deployed to JBoss EAP, create a Maven project with the required dependencies and the directory structure.
Prerequisites
- You have installed Maven. For more information, see Downloading Apache Maven.
Procedure
Set up a Maven project by using the
mvncommand. The command creates the directory structure for the project and thepom.xmlconfiguration file.$ mvn archetype:generate \ -DgroupId=com.example.client \ -DartifactId=client-ssl-context \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-quickstart \ -DinteractiveMode=falseNavigate to the application root directory.
$ cd client-ssl-contextReplace the content of the generated
pom.xmlfile with the following text:<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.example.client</groupId> <artifactId>client-ssl-context</artifactId> <version>1.0-SNAPSHOT</version> <name>client-ssl-context</name> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.source>11</maven.compiler.source> <maven.compiler.target>11</maven.compiler.target> </properties> <repositories> <repository> <id>jboss-public-maven-repository</id> <name>JBoss Public Maven Repository</name> <url>https://repository.jboss.org/nexus/content/groups/public/</url> <releases> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </releases> <snapshots> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </snapshots> <layout>default</layout> </repository> <repository> <id>redhat-ga-maven-repository</id> <name>Red Hat GA Maven Repository</name> <url>https://maven.repository.redhat.com/ga/</url> <releases> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </releases> <snapshots> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </snapshots> <layout>default</layout> </repository> </repositories> <dependencies> <dependency>1 <groupId>org.wildfly.security</groupId> <artifactId>wildfly-elytron-client</artifactId> <version>2.0.0.Final-redhat-00001</version> </dependency> <dependency>2 <groupId>org.wildfly.client</groupId> <artifactId>wildfly-client-config</artifactId> <version>1.0.1.Final-redhat-00001</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>exec-maven-plugin</artifactId> <version>1.4.0</version> <configuration> <mainClass>com.example.client.App</mainClass> </configuration> </plugin> </plugins> </build> </project>Delete the
src/testdirectory.$ rm -rf src/test/
Verification
In the application root directory, enter the following command:
$ mvn installYou get an output similar to the following:
... [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 1.682 s [INFO] Finished at: 2023-10-31T01:32:17+05:30 [INFO] ------------------------------------------------------------------------
4.2.2. Creating a client that loads the default SSLContext
Create a client for applications deployed to JBoss EAP that loads the SSLContext by using the SSLContext.getDefault() method.
In this procedure, <application_home> refers to the directory that contains the pom.xml configuration file for the application.
Prerequisites
You have secured the applications deployed to JBoss EAP with two-way TLS.
To do this, follow these procedures:
You have created a Maven project.
For more information, see Creating a Maven project for JBoss EAP client.
- JBoss EAP is running.
Procedure
Create a directory to store the Java files.
$ mkdir -p <application_home>/src/main/java/com/example/clientNavigate to the new directory.
$ cd <application_home>/src/main/java/com/example/clientCreate the Java file
App.javawith the following content:package com.example.client; import java.io.IOException; import java.net.URI; import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.net.http.HttpResponse.BodyHandlers; import java.security.NoSuchAlgorithmException; import java.security.Security; import java.util.Properties; import javax.net.ssl.SSLContext; import org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider; public class App { public static void main( String[] args ) { String url = "https://localhost:8443/";1 try { Security.insertProviderAt(new WildFlyElytronClientDefaultSSLContextProvider("src/wildfly-config-two-way-tls.xml"), 1);2 HttpClient httpClient = HttpClient.newBuilder().sslContext(SSLContext.getDefault()).build(); HttpRequest request = HttpRequest.newBuilder() .uri(URI.create(url)) .GET() .build(); HttpResponse<Void> httpRresponse = httpClient.send(request, BodyHandlers.discarding()); String sslContext = SSLContext.getDefault().getProvider().getName();3 System.out.println ("\nSSL Default SSLContext is: " + sslContext); } catch (NoSuchAlgorithmException | IOException | InterruptedException e) { e.printStackTrace(); } System.exit(0); } }- 1
- Defines the JBoss EAP home page URL.
- 2
- Register the security provider.
1defines the priority for this provider. To statically register the provider, you can instead add the provider in thejava.securityfile as:security.provider.1=org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider <PATH>/<TO>/wildfly-config-two-way-tls.xml - 3
- Obtain the default SSL context.
Create the client configuration file called "wildfly-config-two-way-tls.xml" in the
<application_home>/srcdirectory.<?xml version="1.0" encoding="UTF-8"?> <configuration> <authentication-client xmlns="urn:elytron:client:1.7"> <key-stores> <key-store name="truststore" type="PKCS12"> <file name="${path_to_client_truststore}/client.truststore.p12"/> <key-store-clear-password password="secret"/> </key-store> <key-store name="keystore" type="PKCS12"> <file name="${path_to_client_keystore}/exampleclient.keystore.pkcs12"/> <key-store-clear-password password="secret"/> </key-store> </key-stores> <ssl-contexts> <ssl-context name="client-context"> <trust-store key-store-name="truststore"/> <key-store-ssl-certificate key-store-name="keystore" alias="exampleclientkeystore"> <key-store-clear-password password="secret"/> </key-store-ssl-certificate> </ssl-context> </ssl-contexts> <ssl-context-rules> <rule use-ssl-context="client-context"/> </ssl-context-rules> </authentication-client> </configuration>Replace the following place holder values with actual paths:
- ${path_to_client_truststore}
- ${path_to_client_keystore}
Verification
- Navigate to the <application_home> directory.
Run the application.
$ mvn compile exec:javaExample output
INFO: ELY00001: WildFly Elytron version 2.0.0.Final-redhat-00001 SSL Default SSLContext is: WildFlyElytronClientDefaultSSLContextProvider
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}