How to configure Elytron for root certificate in truststore?


Is it possible to configure WildFly 13 client-cert authentication with a root CA certificate in the truststore? Clients would use certificates signed by this root.

Here's what makes me wonder: in this documentation https://ctomc.github.io/docs-playground/WildFly_Elytron_Security.html they say that:

IMPORTANT: The decoded principal *MUST* be the alias value you set in your server's truststore for the client's certificate.

That means that I can configure a decoder to map an attribute other than CN, which would point to the root CA alias in my truststore, and all client certs would have this attribute pointing to the root CA alias.
But the question is, how would the server know which user to map to this certificate, since it is mapping this 'other' attribute to the same certificate in the truststore?



BEST ANSWER

I think what you are trying to achieve is possible since https://issues.jboss.org/browse/ELY-1418, which means since WF14.

Since ELY-1418 you don't have to keep user certificates in keystore-realm.


Whether you use the CLIENT_CERT mechanism or your own custom mechanism, the key to making this work is:

  1. Do not configure a security-domain on your elytron/server-ssl-context.
  2. In your elytron/security-domain, use a realm such as an LDAP realm or any other realm to provide authorization. Do not use an aggregate-realm like the following in your elytron/security-domain: (aggregate-realm name="CustomRealm" authentication-realm="keystorebackedRealm" authorization-realm="...")
  3. If you use the CLIENT_CERT mechanism, follow the steps documented at http://docs.wildfly.org/15/WildFly_Elytron_Security.html. But there is a bug in that documentation. After you create the /subsystem=elytron/configurable-http-server-mechanism-factory=configured-cert:add(http-server-mechanism-factory=global, properties={org.wildfly.security.http.skip-certificate-verification=true}), you need to reference it in your elytron/http-authentication-factory. The command to create the elytron/http-authentication-factory is correct, but the example output still references the global factory.
  4. If you use a custom mechanism, make sure to skip the authentication check, because this has already been done by the SSL handshake.
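The four steps above as one jboss-cli script, added here as an example; it is not part of either answer or of the WildFly documentation. It assumes WildFly 14 or later (ELY-1418), a truststore holding only the root CA, placeholder store names and passwords, and a filesystem-realm standing in for the LDAP realm.

```jboss-cli
# Added example, not from the answers or the WildFly docs. Assumes WildFly 14+ (ELY-1418);
# server.keystore holds the server identity, ca.truststore holds ONLY the root CA certificate.
# Store names, identity names and passwords (CHANGEME) are placeholders.

# Truststore with the root CA only: client certificates are validated by chain, not by alias.
/subsystem=elytron/key-store=caTrustStore:add(path=ca.truststore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=CHANGEME})
/subsystem=elytron/trust-manager=caTrustManager:add(key-store=caTrustStore)

# Server identity used in the TLS handshake.
/subsystem=elytron/key-store=serverKeyStore:add(path=server.keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=CHANGEME})
/subsystem=elytron/key-manager=serverKeyManager:add(key-store=serverKeyStore, credential-reference={clear-text=CHANGEME})

# Step 1: mutual TLS with NO security-domain on the server-ssl-context.
# The handshake only checks that the client certificate chains to the root CA.
/subsystem=elytron/server-ssl-context=clientCertSSC:add(key-manager=serverKeyManager, trust-manager=caTrustManager, need-client-auth=true, protocols=["TLSv1.2"])

# Step 2: an authorization-only realm instead of a keystore-backed realm.
# A filesystem-realm keeps the example self-contained; an ldap-realm is wired in the same way.
/subsystem=elytron/filesystem-realm=certUsersRealm:add(path=cert-users, relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=certUsersRealm:add-identity(identity=alice)
/subsystem=elytron/filesystem-realm=certUsersRealm:add-identity-attribute(identity=alice, name=Roles, value=[Admin])
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)

# Map the client certificate's subject CN (OID 2.5.4.3) to the identity name in the realm.
/subsystem=elytron/x500-attribute-principal-decoder=cnDecoder:add(oid="2.5.4.3", maximum-segments=1)
/subsystem=elytron/security-domain=certSD:add(realms=[{realm=certUsersRealm, role-decoder=from-roles-attribute}], default-realm=certUsersRealm, permission-mapper=default-permission-mapper, principal-decoder=cnDecoder)

# Step 3: CLIENT_CERT mechanism that trusts the TLS-layer verification instead of
# looking the certificate up in a realm ...
/subsystem=elytron/configurable-http-server-mechanism-factory=configured-cert:add(http-server-mechanism-factory=global, properties={org.wildfly.security.http.skip-certificate-verification=true})

# ... and the http-authentication-factory must reference configured-cert, not global
# (the documentation bug the answer points out).
/subsystem=elytron/http-authentication-factory=certHttpAuth:add(http-server-mechanism-factory=configured-cert, security-domain=certSD, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])

# Wire it into Undertow. On versions where the https-listener still carries a legacy
# security-realm, that attribute must be undefined before an ssl-context can be set.
/subsystem=undertow/application-security-domain=certAppDomain:add(http-authentication-factory=certHttpAuth)
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=clientCertSSC)
reload
```

A client whose certificate chains to the root CA and has CN=alice is then authorized from certUsersRealm; a certificate with a CN that has no identity in the realm is rejected at the authorization step, and a certificate not signed by the root CA never gets past the handshake.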