I'm trying to enable a web application deployed on JBoss 4.2.3 for client certificate authentication using a DOD issued CAC, ActivClient, and IE on the client machine. As a proof of concept, I was able to get client certificate authentication working for the JMX console using a soft certificate (generated self-signed certificate, converted to PKCS12 format, and imported into IE). I'm also able to use my sample (demo) CAC to authenticate to TriCare online, presumably to a demo user.
However, I tried exporting the certificate from the CAC and importing it into my JKS truststore, using the CN entry as the alias (not sure whether that's necessary or not), and it just doesn't work at all. I get an error in the JBoss log saying "Null Certificate in Chain" and no prompt on the client to pick a certificate or to enter a PIN. My best theory is that I don't have the certificate in the truststore right, so it doesn't know what certificate to ask for from the client, but I don't know how to confirm this suspicion, or what might be wrong.
Would fronting JBoss with Apache make this process easier? (It's an internal app, so we've just been letting JBoss be the web server.)
Would upgrading to a less ancient version of JBoss help?
Are there debug statements I could enable somewhere that would give me a clearer view into what's happening?
Is there step-by-step documentation somewhere? How do I gain expertise on this? I've been cobbling together my solution based on the JBoss 4 online docs, "JBoss in Action", "Core Security Patterns" and some Q&A that touches on this issue here at SO.
Any help would be greatly appreciated!
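One way to confirm the "truststore is wrong" suspicion from the question, as an added example that is not part of the original post or of JBoss: a small standalone Java program that opens the JKS truststore, lists which entries are actually CA certificates (only those can serve as trust anchors; an end-entity certificate such as the exported CAC cert does not cause the server to request it), and then runs a PKIX validation of the exported client certificate against those anchors, which is essentially what the server's trust manager does during the TLS handshake. The file paths, the truststore password and the class name are assumptions supplied on the command line; nothing is hard-coded. Revocation checking is switched off so the check is purely about chain building.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

/**
 * Added diagnostic (not from the original post): does the client certificate
 * chain to a CA that is present in the JKS truststore?
 *
 * Usage (all three arguments are assumptions supplied by the operator):
 *   java TruststoreCheck <truststore.jks> <truststore-password> <client-cert.cer>
 * The client cert may be DER or PEM; CertificateFactory accepts both.
 */
public class TruststoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TruststoreCheck <truststore.jks> <password> <client-cert.cer>");
            System.exit(2);
        }

        // Load the truststore exactly as the server would.
        KeyStore trust = KeyStore.getInstance("JKS");
        InputStream ksIn = new FileInputStream(args[0]);
        try {
            trust.load(ksIn, args[1].toCharArray());
        } finally {
            ksIn.close();
        }

        // Load the certificate exported from the CAC.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        InputStream certIn = new FileInputStream(args[2]);
        try {
            client = (X509Certificate) cf.generateCertificate(certIn);
        } finally {
            certIn.close();
        }

        // 1. Inventory the truststore. basicConstraints == -1 means "not a CA",
        //    so such an entry cannot act as an anchor for anyone else's cert.
        int caCount = 0;
        Enumeration<String> aliases = trust.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!trust.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate c = (X509Certificate) trust.getCertificate(alias);
            boolean isCa = c.getBasicConstraints() != -1;
            if (isCa) {
                caCount++;
            }
            System.out.println((isCa ? "CA        " : "end-entity") + "  " + alias
                    + "  " + c.getSubjectX500Principal());
        }
        System.out.println(caCount + " CA certificate(s) in truststore");

        // 2. Validate the client cert against every trusted entry as an anchor.
        System.out.println("client subject: " + client.getSubjectX500Principal());
        System.out.println("client issuer : " + client.getIssuerX500Principal());
        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        PKIXParameters params = new PKIXParameters(trust); // all trusted entries become anchors
        params.setRevocationEnabled(false);                 // chain building only, no CRL/OCSP
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("OK: chains to anchor "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.out.println("The issuer printed above (and any intermediate CA between it and the root)"
                    + " must be a trusted entry in the truststore for the server to accept this cert.");
        }
    }
}
```

If the inventory shows only an end-entity entry (the exported CAC cert) and the validation fails with an issuer-not-found style message, the truststore is indeed the problem: the server's CertificateRequest lists the DNs of the CAs in its truststore, so a truststore with no CA certificates gives the browser nothing to match the CAC against and no prompt appears. The same inventory can be had from `keytool -list -v -keystore <truststore.jks>`, and `openssl s_client -connect host:port` shows what the running server actually advertises under "Acceptable client certificate CA names".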