General J2EE: Enabling SSL on JBoss

  1. Enabling SSL on JBoss

    Step 1)
    First of all, we are going to make a keystore. This is the place where we are going to store the keys on the server side. We will use the Java tool keytool for this. The algorithm used here is RSA.

    At the selected directory:
    keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

    Fill in all the information that is asked.
    A keystore with the name name.keystore is generated.

    Step 2)
    Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like VeriSign or Thawte.

    keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR file name>.csr

    Enter the keystore password.
    A < CSR file name>.csr file is generated.

    If you are getting the CSR signed by a certifying authority, then skip the next step.

    Step 3)
    If you are going to sign your own CSR using, for example, OpenSSL, then the steps are:

    (This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
    To Sign the certificate:
    Make a new directory:

    cd /usr/local/
    mkdir newCA

    Copy openssl.cnf and CA.sh
    from the OpenSSL apps directory to your new directory (newCA)
    cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
    cp ../../openssl-0.9.6a/apps/CA.sh newCA/

    Edit your new copy of openssl.cnf and CA.sh:
    Set the dir variable to the current directory:
    dir = . # ("." specifies the current directory where everything is kept)
    Set the CATOP variable to the current directory:
    CATOP=. # ("." specifies the current directory where everything is kept)

    Create the certificates for Certification Authority:
    cd newCA
    chmod 744 CA.sh (only if necessary)
    ./CA.sh -newca
    ls -l

    Send the < CSR file name>.csr file to the Certification Authority and create the server certificate:

    cp < CSR file name>.csr /usr/local/newCA
    or ftp the < CSR file name>.csr file to the machine acting as the CA.
    cd /usr/local/newCA

    Create the certificate

    openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

    Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:

    openssl x509 -inform pem -outform der < cacert.pem > cacert.der

    We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):

    Step 4)
    keytool -import -alias <CA alias> -file cacert.der -keystore ./name.keystore

    Step 5)
    keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore


    Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
    #
    # List of providers and their preference orders (see above):
    #
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider
    security.provider.3=com.sun.rsajca.Provider
    security.provider.4=com.sun.crypto.provider.SunJCE
    security.provider.5=sun.security.jgss.SunProvider


    And we have to add the jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME/jre/lib/ext folder and set the class path to the same.

    Tomcat over SSL (HTTPS)
    If we have Tomcat running as a JBoss service, we need to make a few changes in some configuration files:
    1. $JBOSS_DIST/server/default/conf/jboss-service.xml
    We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
    <!-- JAAS security manager and realm mapping -->
    <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
        name="jboss.security:service=JaasSecurityManager">
        <attribute name="SecurityManagerClassName">
            org.jboss.security.plugins.JaasSecurityDomain
        </attribute>
    </mbean>

    2. $JBOSS_DIST/server/default/conf/jboss-service.xml
    Add the following lines after the block shown above in jboss-service.xml:

     <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
        name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
        <depends>jboss.security:service=JaasSecurityManager</depends>
        <constructor>
            <arg type="java.lang.String" value="TomcatSSL" />
        </constructor>

        <attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
        <attribute name="KeyStorePass">put your name.keystore password here</attribute>
    </mbean>

    3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
    This is the final step: we remove the Connector that listens on port 8080 and replace it with one that listens on port 8443.

    Add the following lines:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
        <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                 keystoreFile="d:\.keystore" keystorePass="123456" clientAuth="false" protocol="TLS"/>
    </Connector>

    After:

    <!-- A HTTP Connector on port 8080 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="3" maxProcessors="10" enableLookups="true"
               acceptCount="10" debug="0" connectionTimeout="60000"/>


    When you connect to your server now, don't use http://localhost:8080, use https://localhost:8443 instead. If you used a self-signed certificate or if your CA is not known to your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.
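    Two helpers that follow the post above, as an added example (not code from the original post): the first runs the Step 3 signing flow with a private CA and verifies the chain before anything is imported into the keystore; the second checks a java.security file for the condition behind the "Algorithm TLS not available" remark. The layout private/cakey.pem and cacert.pem follows the post; the names srv.key, srv.csr and srv.pem are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: srv.key,
# srv.csr, srv.pem; the CA layout (private/cakey.pem, cacert.pem) is the
# one the post's CA.sh -newca step produces.

# Build a CA and a CA-signed server certificate inside $1 (a scratch dir).
# Exit status: 0 = signed and verified, 77 = openssl is not installed.
make_signed_server_cert() (
    dir=$1
    command -v openssl >/dev/null 2>&1 || exit 77
    mkdir -p "$dir/private" && cd "$dir" || exit 1
    # CA key + self-signed CA cert (what "CA.sh -newca" produced in the post)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Private CA" -keyout private/cakey.pem \
        -out cacert.pem >/dev/null 2>&1 &&
    # server key + CSR (keytool -certreq yields the same kind of .csr)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout srv.key -out srv.csr >/dev/null 2>&1 &&
    # sign the CSR with the CA: the same x509 -req form as in Step 3
    openssl x509 -req -in srv.csr -out srv.pem -CA cacert.pem \
        -CAkey private/cakey.pem -CAcreateserial -days 365 \
        -outform PEM >/dev/null 2>&1 &&
    # DER copy of the CA cert, the file keytool imports in Step 4
    openssl x509 -inform pem -outform der -in cacert.pem -out cacert.der &&
    # verify the chain now: a cert that fails here will not chain in keytool
    openssl verify -CAfile cacert.pem srv.pem >/dev/null 2>&1
)

# Return 0 only if java.security lists the JSSE provider AND the
# security.provider.N numbers are contiguous from 1: the JRE stops reading
# at the first missing number, so providers after a gap are silently dropped.
check_java_security() {
    file=$1
    n=1
    while grep -q "^security\.provider\.$n=" "$file"; do n=$((n + 1)); done
    # n is now the first missing number; every listed provider must be below it
    max=$(sed -n 's/^security\.provider\.\([0-9]*\)=.*/\1/p' "$file" | sort -n | tail -n 1)
    [ -n "$max" ] && [ "$max" -lt "$n" ] || return 2
    grep -q '^security\.provider\.[0-9]*=com\.sun\.net\.ssl\.internal\.ssl\.Provider' "$file"
}
```

    After `make_signed_server_cert /tmp/demoCA` succeeds, `cacert.der` and `srv.pem` are the two files to import in Steps 4 and 5, in that order.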
  2. Hello,

    Does anyone have updated instructions for enabling SSL on JBoss 4.01 and Tomcat 5?

    Thanks,
  3. If you just want ordinary Tomcat SSL functionality, simply configure Tomcat normally (JBoss 4 uses a fairly standard Tomcat in deploy/jbossweb-tomcat50.sar): edit server.xml to enable the SSL connector (with the desired keystore) and restart JBoss.

    As for the fancier features like SSL client authentication, they are best handled as per application configuration via the application's security domain.
  4. Caused by: org.jboss.soa.esb.ConfigurationException: Failed to locate keystore '/keystore'. The keystore is in /server/default/conf and the SSL connector entry in /server/default/deploy/jboss-web.deployer/server.xml has been modified with the keystore path and password. The error occurs when the JBoss ESB tries to look up a WSDL over SSL with a self-signed certificate. Do you have any suggestions?
  5. Hi Ilardo, did you get any solution to this? I'm having the same issue. Any ideas would be highly appreciated.