How to enable HTTPS certificate client auth with Karaf
I received many times messages from users asking how we can “trust” HTTP clients in Karaf.
The purpose is to exchange certificates and allow only “trusted” clients to use the Karaf HTTP service.
Enable HTTP client auth
First of all, we have to enable the HTTP client auth support in Karaf.
When you install the HTTP feature, Karaf leverages Pax-Web to provide HTTP OSGi service:
karaf@root> features:install http
Now, we have to add a custom etc/org.ops4j.pax.web.cfg file:
NB: clientauthwanted and clientauthneeded properties are valid for Karaf 2.2.x which use Pax Web 1.0.x.
Thanks to the clientauthneeded property, we “force” the client to be trusted.
Create the trusted client certificate
We are going to use keytool (provided with the JDK) to manipulate the keys and certificates.
The first step is to create two key pairs:
- one for the server side (use for SSL)
- one as a example of client side (use for “trust”, should be performed for each client, on the client side)
mkdir -p etc/keystores
keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore client.jks
NB: these key are self-signed. In a production system, you should use a Certificate Authority (CA).
Now, we can export the client certificate to be imported in the server keystore:
keytool -export -rfc -keystore client.jks -storepass password -alias clientkey -file client.cer
keytool -import -trustcacerts -keystore keystore.jks -storepass password -alias clientkey -file client.cer
We can now check that the client certificate is trusted in our keystore:
keytool -list -v -keystore keystore.jks
Alias name: clientkey
Creation date: Dec 12, 2012
Entry type: trustedCertEntry
and we can now remove the client.cer certificate.
Start Karaf and test with WebConsole
Now we can start Karaf:
and install the WebConsole feature:
karaf@root> features:install webconsole
If we try to access to the WebConsole (using a simple browser) using https://localhost:8443/system/console, we have:
An error occurred during a connection to localhost:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
which is normal as the browser doesn’t have any trusted certificate.
Now, we can add the client certificate in the browser.
Firefox supports the import of PKCS12 keystore. So, we are going to “transform” the JKS keystore into a PKCS12 keystore:
keytool -importkeystore -srckeystore client.jks -srcstoretype JKS -destkeystore client.pfx -deststoretype PKCS12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias clientkey successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Now, we can import the client certificate in Firefox. To do so, open the Preferences window (in Edit menu), and click on the Advanced tab.
You can go in Encryption tab and click on “View Certificates” button.
In “Your Certificates” tab, you can click on the Import button and choose the client.pfx keystore file.
If you try to access to https://localhost:8443/system/console again, you will have access as a trusted client and use it.
It’s the same with any kind of HTTP client that try to use the HTTPs layer of Karaf.
Now, we can disable the HTTP support in Karaf (to force the usage of HTTPs), and we can allow only “trusted” clients to use the HTTPs layer of Karaf.
It’s a simple mechanism if you want to limit access to HTTP resources only for trusted clients.