GERONIMO-2413

Add a Certification Authority (CA) portlet to Geronimo console

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2
    • Component/s: console, security
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      A Certification Authority portlet will be very useful. A full-fledged CA may be a long way to go. But whatever minimum function is required to process CSRs etc. is not hard and the users can issue their own digital certificates instead of getting trial certificates from some CA.

      1. 02.ca-initialization-enter-details.JPG
        130 kB
        Vamsavardhana Reddy
      2. 07.issue-certificate-show-csr-details.JPG
        142 kB
        Vamsavardhana Reddy
      3. 09.issue-certificate-successful.JPG
        190 kB
        Vamsavardhana Reddy
      4. G-2413-v1.2-revised.patch
        304 kB
        Vamsavardhana Reddy
      5. GERONIMO-2413.patch
        252 kB
        Vamsavardhana Reddy
      6. GERONIMO-2413-revised.patch
        139 kB
        Vamsavardhana Reddy
      7. GERONIMO-2413-v1.1.x.patch
        318 kB
        Vamsavardhana Reddy
      8. GERONIMO-2413-v1.2.patch
        307 kB
        Vamsavardhana Reddy
      9. GeronimoCA.zip
        1.48 MB
        Vamsavardhana Reddy

        Issue Links

          Activity

          Vamsavardhana Reddy created issue -
          Vamsavardhana Reddy added a comment -

          GERONIMO-2413.patch:

          Certification Authority portlet with the following functions:
          1. Setup Certification Authority: Lets the user input CA details and initialize the CA. CA's keys are stored and accessed using KeystoreGBean.

          2. Lock and Unlock CA

          3. View CA Details: Shows the details of the CA's certificate etc.

          3. Issue New Certificate: Processes a CSR and issues a certificate

          4. View Issued Certificate: Previously issued certificates can be viewed by providing the serial number.

          Vamsavardhana Reddy made changes -
          Field Original Value New Value
          Attachment GERONIMO-2413.patch [ 12341867 ]
          Vamsavardhana Reddy made changes -
          Link This issue is blocked by GERONIMO-2436 [ GERONIMO-2436 ]
          Vamsavardhana Reddy added a comment -

          Setup CA step creates a new keystore and calls generateKeyPair() which results in NullPointerException since create keystore step does not load the newly created keystore automatically.

          Vamsavardhana Reddy made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Vamsavardhana Reddy added a comment -

          Don't forget to apply GERONIMO-2436-v1.2.patch before trying the CA portlet.

          Vamsavardhana Reddy added a comment -

          Unassigning so that a committer can pick up.

          Vamsavardhana Reddy made changes -
          Assignee Vamsavardhana Reddy [ vamsic ]
          Vamsavardhana Reddy added a comment -

          GERONIMO-2413-revised.patch: Please use GERONIMO-2413-revised.patch instead of GERONIMO-2413.patch. TortoiseSVN has duplicated the newly added files in GERONIMO-2413.patch.

          Vamsavardhana Reddy made changes -
          Attachment GERONIMO-2413-revised.patch [ 12342008 ]
          Vamsavardhana Reddy added a comment -

          Screenshots attached.

          Vamsavardhana Reddy made changes -
          Attachment 02.ca-initialization-enter-details.JPG [ 12342156 ]
          Attachment 07.issue-certificate-show-csr-details.JPG [ 12342157 ]
          Attachment 09.issue-certificate-successful.JPG [ 12342158 ]
          Vamsavardhana Reddy added a comment -

          GeronimoCA.zip: More screenshots.

          Vamsavardhana Reddy made changes -
          Attachment GeronimoCA.zip [ 12342160 ]
          Vamsavardhana Reddy added a comment -

          Excerpt from my first comment:

          Certification Authority portlet with the following functions:
          1.
          2.
          3.
          another 3.
          4 ...

          I seem to have "counting problems" :o(. But, you can definitely count on me :o)

          Hernan Cunico added a comment -

          I am almost done testing with Tomcat on trunk (1.2).

          How do you remove/edit CA info once configured?

          Vamsavardhana Reddy added a comment -

          I will be submitting a patch with more functionality. Additional functions include:
          o Processing a certificate request based on SignedPublicKeyAndChallenge
          o Portlet screens to view certificate requests stored in a "Certificate Request Store"
          o A CA helper application that will enable submitting certificate requests from web browser, download issued certificates into web browser, etc.

          Vamsavardhana Reddy made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Vamsavardhana Reddy added a comment -

          GERONIMO-2413-v1.2.patch: Includes CA portlet and CA Helper application.

          Vamsavardhana Reddy made changes -
          Attachment GERONIMO-2413-v1.2.patch [ 12343078 ]
          Vamsavardhana Reddy added a comment -

          Here is a scenario I have tested.
          Step 1. Setup CA by entering CA Name details etc.
          Step 2. Generate a CSR from geronimo-default keystore and process the server certificate request using "Issue New Certificate" link in CA portlet.
          Step 3. Import CA's certificate as trusted and the CA reply.
          Step 4. Setup an HTTPS Connector configured for client authentication.
          Step 5. Start the CA Helper application from "Web App WARs" portlet

          In a second browser window,
          Step 6. Access the CA Helper Application at http://localhost:8080/CAHelper through a web browser that supports KEYGEN tag. Internet Explorer does not support KEYGEN tag.
          Step 7. Submit a Certificate Request through web browser using "Request Certificate" link. Upon submission the request shows up in "Requests to be verified" page in CA portlet. NOTE: Make a note of the request id as it will be required to download the certificate issued by the CA.

          In CA portlet,
          Step 8. Approve the request through CA portlet using "Requests to be verified" link. Approved requests show up in "Requests to be fulfilled" page.
          Step 9. Process the request from "Requests to be fulfilled" page and issue certificate.

          In the CA Helper window,
          Step 10. Import CA's certificate into web browser using "Download CA certificate" link.
          Step 11. Install personal certificate using the "Download Certificate" link and request id from Step 7 above.
          Step 12. Access the verify certificate link to verify that the certificate is downloaded and installed.

          Summary of the scenario: CA is setup; a certificate request is submitted through web browser and issued certificate is downloaded into the web browser.

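The scenario in the comment above (set up a CA, verify an incoming KEYGEN-style SignedPublicKeyAndChallenge request, issue a certificate from a CSR, look an issued certificate up by its serial number, and check that the result chains to the CA) carried out with openssl, as an added example that is not part of the GERONIMO-2413 patch or of the Geronimo console code. The scratch directory, subject names, challenge string and serial counter file are constructed for the example; the portlet itself keeps the CA keys in a Geronimo keystore through KeystoreGBean rather than in PEM files.

```shell
#!/bin/sh
# Added example, not Geronimo code: a minimal file-based CA driven by openssl
# that mirrors the CA portlet's functions. All paths, names and the challenge
# string are constructed for this example.
set -e

# Scratch directory holding the CA key, certificate, serial counter and
# issued certificates (the portlet keeps its keys in a Geronimo keystore).
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# "Setup Certification Authority": self-signed CA certificate marked CA:TRUE
# with keyCertSign, so relying parties can tell it apart from end-entity certs.
ca_setup() {
  mkdir -p "$CA_DIR/issued"
  cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Geronimo CA
O = Example
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # End-entity profile applied to every issued certificate: CA:FALSE stops an
  # issued certificate from being used to sign further certificates.
  cat > "$CA_DIR/ee.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$CA_DIR/ca.key" -sha256 -days 365 \
    -config "$CA_DIR/ca.cnf" -out "$CA_DIR/ca.crt" 2>/dev/null
  echo 1 > "$CA_DIR/serial"   # next serial number to issue
}

# Client side, what the CA Helper's KEYGEN form produces: a key pair, a CSR,
# and a SignedPublicKeyAndChallenge (SPKAC) carrying the given challenge.
client_request() {
  openssl genrsa -out "$CA_DIR/client.key" 2048 2>/dev/null
  openssl req -new -key "$CA_DIR/client.key" -subj "/CN=alice/O=Example" \
    -config "$CA_DIR/ca.cnf" -out "$CA_DIR/client.csr" 2>/dev/null
  openssl spkac -key "$CA_DIR/client.key" -challenge "$1" \
    -out "$CA_DIR/client.spkac"
}

# "Requests to be verified": before honouring a SPKAC the CA checks its
# self-signature (proof of possession of the private key) and that the
# challenge string matches the one handed out for this request.
verify_spkac() {
  openssl spkac -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl spkac -in "$1" | grep -q "Challenge String: $2"
}

# "Issue New Certificate": sign a CSR with the CA key under the end-entity
# profile, store it under its serial number and print that serial.
ca_issue() {
  _serial=$(cat "$CA_DIR/serial")
  openssl x509 -req -in "$1" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -set_serial "$_serial" -days 90 -sha256 -extfile "$CA_DIR/ee.ext" \
    -out "$CA_DIR/issued/$_serial.crt" 2>/dev/null
  echo $((_serial + 1)) > "$CA_DIR/serial"
  echo "$_serial"
}

# "View Issued Certificate": look up a previously issued certificate by serial.
ca_view() {
  [ -f "$CA_DIR/issued/$1.crt" ] || return 1
  openssl x509 -in "$CA_DIR/issued/$1.crt" -noout -subject -issuer -serial
}

# Relying-party check (the "import CA's certificate as trusted" step): the
# issued certificate must chain to the CA certificate.
ca_verify() {
  openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/issued/$1.crt" >/dev/null
}

# Run the scenario end to end: set up the CA, submit a request, verify the
# SPKAC, issue the certificate, look it up and verify it.
run_scenario() {
  ca_setup
  client_request "request-42"
  verify_spkac "$CA_DIR/client.spkac" "request-42"
  _s=$(ca_issue "$CA_DIR/client.csr")
  ca_view "$_s"
  ca_verify "$_s"
}

run_scenario
```

The SPKAC check is the part worth keeping in mind from the scenario: a request that arrives through the browser's KEYGEN form carries only a self-signed public key and a challenge, so the CA should confirm the signature and the expected challenge before the request ever reaches the "Requests to be fulfilled" page. Setting `CA_DIR` before running the script points the CA at a directory of your choosing; otherwise a fresh temporary directory is used.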
          Vamsavardhana Reddy made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Vamsavardhana Reddy added a comment -

          How do you remove/edit CA info once configured?

          During the setup, CA (let me call it Geronimo CA) uses a self-signed certificate. If Geronimo CA decides to get certified by another CA, Geronimo CA can import its certificate into 'ca-keystore' using the keystore portlet. If Geronimo CA's certificate changes, it should be published again using the "Publish CA Certificate" link in CA Portlet.

          Vamsavardhana Reddy added a comment -

          GERONIMO-2413-v1.1.x.patch: For those who want to try out the CA portlet on 1.1.x codebase.

          Vamsavardhana Reddy made changes -
          Attachment GERONIMO-2413-v1.1.x.patch [ 12343231 ]
          Paul McMahan added a comment -

          Vamsi, Sorry it has taken me a while to look at this patch. I'm ready to look now but using GERONIMO-2413-v1.2.patch against trunk I get several HUNK failures. Can you generate a new patch?

          patching file applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/util/ManagementHelper.java
          Hunk #2 FAILED at 124.

          patching file configs/pom.xml
          Hunk #1 FAILED at 175.

          patching file modules/geronimo-management/src/main/java/org/apache/geronimo/management/geronimo/KeystoreInstance.java
          Hunk #1 FAILED at 18.
          Hunk #2 FAILED at 178.

          patching file modules/geronimo-security/src/main/java/org/apache/geronimo/security/keystore/FileKeystoreInstance.java
          Hunk #1 FAILED at 64.
          Hunk #2 FAILED at 452.

          Vamsavardhana Reddy added a comment -

          G-2413-v1.2-revised.patch:

          There had been some updates to the related code. Please use this patch with trunk.

          Vamsavardhana Reddy made changes -
          Attachment G-2413-v1.2-revised.patch [ 12344907 ]
          Vamsavardhana Reddy added a comment -

          Hi Paul,

          I have uploaded a new patch G-2413-v1.2-revised.patch.

          Thanks,
          Vamsi

          Vamsavardhana Reddy added a comment -

          I would like this portlet to be in 1.2 release. Thanks to all who have reviewed the patch and voted. If others do not have any concerns/issues, I will commit this before 1.2 branch is created or in 48 hours, whichever is earlier.

          Vamsavardhana Reddy added a comment -

          At rev 476229 (trunk).

          Vamsavardhana Reddy made changes -
          Fix Version/s 1.x [ 12310618 ]
          Status Patch Available [ 10002 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          Davanum Srinivas made changes -
          Workflow RTC Workflow [ 12383996 ] jira [ 12396960 ]

            People

            • Assignee: Unassigned
            • Reporter: Vamsavardhana Reddy
            • Votes: 4
            • Watchers: 0
