The management console is served by an embedded instance of Jetty [1]. Therefore, if you want to configure the management console for certificate-based authentication you'll need to find out if Jetty itself supports this functionality. I tend to doubt that Jetty supports certificate-based authentication because I have looked for this myself and I've not found anything. Looking at their JAAS code [2] I see no evidence that they are even attempting to handle this use-case. Google searches have only turned up SSL/TLS configuration information, not actual JAAS auth details.
Justin

[1] https://www.eclipse.org/jetty/
[2] https://github.com/eclipse/jetty.project/tree/jetty-9.4.x/jetty-jaas/src/main/java/org/eclipse/jetty/jaas

On Wed, Apr 18, 2018 at 3:45 AM, Stefaniuk, Marcin <[email protected]> wrote:

> I'm struggling to configure the Artemis 2.4.0 management console to use the same client certificate based JAAS realm.
>
> CertLogin {
>     org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
>         debug=true
>         org.apache.activemq.jaas.textfiledn.user="certificate-users.properties"
>         org.apache.activemq.jaas.textfiledn.role="certificate-roles.properties"
>         reload=true;
> };
>
> I've reached the point where users that are not listed in certificate-users.properties are rejected, but those that are listed there are prompted for user / password on the default console form:
>
> 08:42:58,720 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:42:59,010 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for plugin
> 08:42:59,924 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is set to value false
> 08:42:59,925 INFO [io.hawt.web.keycloak.KeycloakServlet] Keycloak integration is disabled
> 08:42:59,925 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for keycloak
> 08:43:00,012 DEBUG [io.hawt.system.ConfigManager] Property authenticationEnabled is set to value true
> 08:43:00,013 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is set to value false
> 08:43:00,013 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for user
> 08:43:00,157 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:00,204 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:01,730 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for refresh
> 08:43:02,784 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for img
> 08:43:02,853 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:03,068 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:11,646 DEBUG [io.hawt.web.RedirectFilter] Accessing /console/login, which isn't valid, returning index.html
> 08:43:12,448 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:12,669 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for plugin
> 08:43:13,717 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for keycloak
> 08:43:13,861 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for user
> 08:43:13,863 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:13,931 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:15,215 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for img
> 08:43:15,418 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
> 08:43:15,420 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>
> Configuration of the console seems OK with clientAuth enabled:
>
> <web keyStorePath="/tmp/host.net.jks" keyStorePassword="host.net"
>      clientAuth="true" bind="https://host.net:8443" path="web"
>      trustStorePath="/opt/truststore.jks" trustStorePassword="truststore">
>     <app url="activemq-branding" war="activemq-branding.war"/>
>     <app url="artemis-plugin" war="artemis-plugin.war"/>
>     <app url="console" war="console.war"/>
> </web>
>
> Hawt.io logs out the actual configuration and the proper realm is mentioned there:
>
> 08:27:06,502 DEBUG [io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery] Realm explicit configured CertLogin. Apache Tomcat userdata authentication integration not in use.
> 08:27:06,502 INFO [io.hawt.web.AuthenticationFilter] Starting hawtio authentication filter, JAAS realm: "CertLogin" authorized role(s): "amq" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
>
> The user that I'm testing has an amq role attached. The user certificate is provided by default with each request.
>
> To verify that the JAAS configuration is OK I've connected to a broker using a technical certificate also listed in the same configuration file, and it was successful.
>
> 09:31:06,061 DEBUG [io.netty.handler.ssl.SslHandler] [id: 0x484ffd99, L:/10.205.36.164:61617 - R:/10.195.113.9:52093] HANDSHAKEN: TLS_RSA_WITH_AES_128_CBC_SHA256
> 09:31:06,153 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader] Initialized debug
> 09:31:06,154 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] Certificate for user: S113635
> 09:31:06,154 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] commit
> 09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader] Initialized debug
> 09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] Certificate for user: S113635
> 09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] commit
> 09:31:06,441 DEBUG [org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl] RemotingServiceImpl::removing connection ID 484ffd99
>
> Is there a way to use certificate-based user login to the management console? If yes, what should I look into to fix this?
>
> Kind regards
> Marcin Stefaniuk
> CREDIT SUISSE (POLAND) SP. Z O.O
> Solution Architect | Messaging Engineering Warsaw, MITM 47
> Atrium 2 | 00-849 Warsaw | Poland
> [email protected] | www.credit-suisse.com
>
> Please access the attached hyperlink for an important electronic communications disclaimer: http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
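Added here as an illustration, not code from the thread or from Artemis itself: a Python sketch of what the CertLogin realm above does with its two properties files, resolving a client certificate's subject DN to a user name and roles and checking whether the result carries the "amq" role the hawtio authentication filter requires. It assumes the users file maps user=DN and the roles file maps role=user1,user2; the DNs and the second user are constructed sample data.

```python
from typing import Dict, Optional, Set

# Constructed sample of certificate-users.properties: user = subject DN.
# S113635 is the user seen in the broker log; its DN here is made up.
CERT_USERS = """
S113635=CN=S113635,OU=Messaging,O=Example,C=PL
monitor=CN=monitor,OU=Ops,O=Example,C=PL
"""

# Constructed sample of certificate-roles.properties: role = user,user,...
CERT_ROLES = """
amq=S113635
readonly=monitor
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, comments, blank lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def user_for_dn(users: Dict[str, str], subject_dn: str) -> Optional[str]:
    """Reverse lookup: which user name owns this certificate subject DN?"""
    for user, dn in users.items():
        if dn == subject_dn:
            return user
    return None


def roles_for_user(roles: Dict[str, str], user: str) -> Set[str]:
    """All roles whose member list names this user."""
    return {role for role, members in roles.items()
            if user in [m.strip() for m in members.split(",")]}


def authorize_console(subject_dn: str, required_role: str = "amq") -> dict:
    """Mimic the console filter's check for one presented client cert."""
    user = user_for_dn(parse_properties(CERT_USERS), subject_dn)
    if user is None:
        return {"user": None, "roles": set(), "allowed": False}
    granted = roles_for_user(parse_properties(CERT_ROLES), user)
    return {"user": user, "roles": granted, "allowed": required_role in granted}
```

A DN that is absent from the users file is rejected outright, while a mapped user without the required role is identified but still not allowed in, which is the distinction the thread's two outcomes (unlisted users refused, listed users prompted) hinge on.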
