
CAC enable JBoss

I'm trying to enable a web application deployed on JBoss 4.2.3 for client certificate authentication using a DOD issued CAC, ActivClient, and IE on the client machine. As a proof of concept, I was able to get client certificate authentication working for the JMX console using a soft certificate (generated self-signed certificate, converted to PKCS12 format, and imported into IE). I'm also able to use my sample (demo) CAC to authenticate to TriCare online, presumably to a demo user.

However, I tried exporting the certificate from the CAC and importing it into my JKS truststore, using the CN entry as the alias (not sure whether that's necessary or not), and it just doesn't work at all. I get an error in the JBoss log saying "Null Certificate in Chain" and no prompt on the client to pick a certificate or to enter a PIN. My best theory is that I don't have the certificate in the truststore right, so it doesn't know what certificate to ask for from the client, but I don't know how to confirm this suspicion, or what might be wrong.

Would fronting JBoss with Apache make this process easier? (It's an internal app, so we've just been letting JBoss be the web server.)

Would upgrading to a less ancient version of JBoss help?

Are there debug statements I could enable somewhere that would give me a clearer view into what's happening?

Is there step-by-step documentation somewhere? How do I gain expertise on this? I've been cobbling together my solution based on the JBoss 4 online docs, "JBoss in Action", "Core Security Patterns" and some Q&A that touches on this issue here at SO.

Any help would be greatly appreciated!


Your best bet is to download the entire CA certificate chain for the DoD PKI. This would include the Root CA certificate, as well as all of the subordinate CA certificates. You should place all of these in the JBoss trust store, starting with the Root CA certificate. From there, I'd take a look at the JBoss documentation for further info on configuring mutually-authenticated SSL for JBoss, if necessary. If everything is set up from a truststore perspective, that should be all you need for the most basic case. When you connect via your web browser, it should prompt you to choose a certificate for authentication.

If that doesn't work, post the stack traces or errors you get. I'll take a look for you.
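The script below is an added example, not part of the answer above and not JBoss's own tooling. It automates what the answer describes: split the downloaded DoD CA chain into individual certificates, import each one into a JKS truststore with keytool, count what landed, and emit the HTTPS connector block for JBoss 4.2.x (Tomcat 6, `deploy/jboss-web.deployer/server.xml`). The reason the CA chain, rather than the end-entity certificate exported from the CAC, belongs in the truststore is that with `clientAuth="true"` the server's TLS CertificateRequest advertises the subject names of the CAs it trusts, and the browser only offers client certificates that chain to one of them; with no matching CA advertised, the browser sends nothing and shows no picker. Everything below the function definitions is assumed for illustration: the bundle name `dod_ca_bundle.pem`, the truststore and keystore paths, and the password `changeit`.

```shell
#!/bin/sh
# Added example (not from the original post): build the JBoss truststore from the
# DoD PKI CA chain and check what went in. Assumed inputs: the CA certificates
# saved as one PEM bundle, dod_ca_bundle.pem (root first, then subordinates);
# the truststore path, keystore path and password used below are placeholders.

# Split a PEM bundle into one file per certificate (cert-01.pem, cert-02.pem, ...)
# and print how many certificates were found. Pure awk, so it runs before Java
# is involved and each file can be inspected with openssl x509 -text.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import every split certificate as a trusted CA entry, keeping file order
# (root first, as the answer recommends). Aliases only have to be unique;
# -noprompt suppresses the per-certificate "Trust this certificate?" question.
import_chain() {
    certdir="$1"; store="$2"; storepass="$3"
    for f in "$certdir"/cert-*.pem; do
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$store" -storepass "$storepass" \
            -alias "$(basename "$f" .pem)" -file "$f"
    done
}

# Number of trustedCertEntry rows keytool lists; should equal the split count.
count_trusted_entries() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c trustedCertEntry
}

# HTTPS connector for JBoss 4.2.x (Tomcat 6 attribute names). clientAuth="true"
# makes the server send a CertificateRequest naming the CAs in truststoreFile;
# the browser offers only client certificates that chain to one of them.
connector_snippet() {
    store="$1"; storepass="$2"; keystore="$3"; keypass="$4"
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="$keystore" keystorePass="$keypass"
           truststoreFile="$store" truststorePass="$storepass"
           clientAuth="true" />
EOF
}

# Usage: sh build-truststore.sh build   (run on the JBoss host; paths are assumed)
if [ "${1:-}" = "build" ]; then
    conf=/opt/jboss/server/default/conf           # assumed JBoss conf directory
    n=$(split_pem_bundle dod_ca_bundle.pem ./dod-ca)
    echo "split $n certificates from the bundle"
    import_chain ./dod-ca "$conf/dod-truststore.jks" changeit
    echo "truststore holds $(count_trusted_entries "$conf/dod-truststore.jks" changeit) CAs"
    connector_snippet "$conf/dod-truststore.jks" changeit "$conf/server.keystore" changeit
fi
```

To see the handshake itself, start JBoss with `-Djavax.net.debug=ssl,handshake` in `JAVA_OPTS`: the JSSE trace prints the server's CertificateRequest together with the list of CA names it advertises, so an empty list or a list that does not include the CAC's issuing CA pins the problem on the truststore before touching the client side. The keystore referenced by `keystoreFile` is the server's own SSL identity and is unrelated to the CAC.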
