Intro
To enable client-certificate authentication on the GlassFish server, the following steps are needed:
- Add the CAs used by the Portuguese state to sign the certificates on the card.
- Configure the Client-Cert authentication realm.
- Define the security constraints in web.xml so that they make use of the previously created realm.
1 – Import the Citizen Card CA certificates
- Download all the .cer files from http://pki.cartaodecidadao.pt/ into the cc_cert directory.
- Use keytool to import all the certificates into the domain truststore, cacerts.jks (default password: changeit). Always use a different alias for each certificate, and answer "Trust this certificate? Yes" for every one of them.
keytool -import -trustcacerts -alias CC1 -file Cartao_de_Cidadao_001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_1 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_2 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0002.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_3 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0003.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_4 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0004.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_1 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_2 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0002.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_3 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0003.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_4 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0004.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
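The manual imports above can be scripted so that every file in cc_cert gets its own alias and a collision is caught before it reaches the keystore. The script below is an added example, not part of the original guide; it assumes the file names match the pki.cartaodecidadao.pt downloads, that keytool is on PATH, and that the aliases CC1 / CC_Sign_N / CC_Auth_N are derived from the file names.

```shell
#!/bin/sh
# Added example, not part of the original guide: import every Cartao de Cidadao
# CA file in a directory into the GlassFish domain truststore, deriving one
# alias per file (the CC1 / CC_Sign_N / CC_Auth_N scheme used above) and
# stopping on an alias collision instead of letting the import be skipped.
# Assumed: file names match the pki.cartaodecidadao.pt downloads and keytool
# is on PATH; -noprompt replaces the interactive "Trust this certificate?" answer.

# Map a certificate file name to an alias; returns 1 for unrecognised names.
cc_alias_for() {
    base=${1##*/}; base=${base%.cer}
    num=${base##*_}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    zeros=${num%%[!0]*}
    num=${num#"$zeros"}                 # drop leading zeros: 0003 -> 3, 001 -> 1
    [ -n "$num" ] || num=0
    case "$base" in
        EC_de_Autenticacao_*) printf 'CC_Auth_%s\n' "$num" ;;
        EC_de_Assinatura_*)   printf 'CC_Sign_%s\n' "$num" ;;
        Cartao_de_Cidadao_*)  printf 'CC%s\n' "$num" ;;
        *) return 1 ;;
    esac
}

# cc_import_dir DIR KEYSTORE STOREPASS
# Imports DIR/*.cer into KEYSTORE and prints "alias<TAB>file" for each import.
# Returns 1 on an unrecognised name, a duplicate alias or a keytool failure.
# CC_DRY_RUN=1 derives and checks the aliases without touching the keystore.
cc_import_dir() {
    dir=$1; store=$2; pass=$3; seen=' '
    for f in "$dir"/*.cer; do
        [ -e "$f" ] || { echo "no .cer files in $dir" >&2; return 1; }
        name=$(cc_alias_for "$f") || { echo "unrecognised file: $f" >&2; return 1; }
        case "$seen" in
            *" $name "*) echo "duplicate alias $name for $f" >&2; return 1 ;;
        esac
        seen="$seen$name "
        if [ "${CC_DRY_RUN:-0}" != 1 ]; then
            keytool -import -trustcacerts -noprompt -alias "$name" -file "$f" \
                -keystore "$store" -storepass "$pass" || return 1
        fi
        printf '%s\t%s\n' "$name" "$f"
    done
}

# Usage: sh import_cc_cas.sh cc_cert ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks changeit
if [ "$#" -eq 3 ]; then
    cc_import_dir "$1" "$2" "$3"
fi
```

Run it once with CC_DRY_RUN=1 to see the alias table before anything is written to cacerts.jks.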
2 – Configure the certificate realm
- Go to the admin web console and, on the certificate realm, add the group pteid to the realm's assigned groups.
- If that produces an error, insert the configuration directly into the file domain.xml in the domain1/config directory. Replace the line that declares the certificate realm (auth-realm name="certificate") with the following:
<auth-realm name="certificate" classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm">
  <!-- same effect as adding pteid under the realm's assigned groups in the admin console -->
  <property name="assign-groups" value="pteid"/>
</auth-realm>
3 – Define the security constraints on the application
The security constraints for the application are defined in web.xml; insert the following configuration:
<security-constraint>
  <display-name>Portuguese EID authentication</display-name>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>pteid_id_role</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description />
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <description>Certificate of Portuguese ID cards</description>
  <role-name>pteid_id_role</role-name>
</security-role>
The role mapping is done in the file sun-web.xml; insert the following configuration:
<security-role-mapping>
  <role-name>pteid_id_role</role-name>
  <group-name>pteid</group-name>
</security-role-mapping>