Wednesday, August 08, 2012

HTTPS in jBoss 6

In setting up a jBoss 6 server for SSL, I found quite a bit of information was not readily available and there were several unexpected issues.  Here's the long and short...

First, the server will need a keystore with a self-signed certificate.  Use keytool, and an alias of "tomcat".  I'll gloss over some of these general certificate steps because they are well covered in other places.

keytool -genkey -alias tomcat -keyalg RSA -keystore somekeyfile -validity 9999

In the first question, for first and last name, use the name that this server will be refereed to as, in client calls; "localhost", a hostname or an IP address.  Use "changeit" for the passwords.

Next, extract the certificate just created from this file and set it aside.

keytool -export -keystore mykey -storepass changeit -alias tomcat -file tomcat.crt

I'm going to ultimately use this same store as both the key store and the trust store, so I re-import this certificate with the alias that the machine will be referred to.  For example:

keytool -import -alias 192.168.0.8 -file tomcat.crt -keystore somekeyfile -storepass changeit

Now the file has the self-signed certificate, which the server will hand to clients making requests, and the same certificate, with the different alias, that clients will compare the server's certificate to, when making calls to this host.

Edit the follow file to enable the use of this keystore.

[server directory]/server/default/deploy/jbossweb.sar/server.xml

You can set the SSL port here too, like this.

<!-- SSL/TLS Connector configuration using the admin devl guide keystore --   
           port="8643" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false" 
           keystoreFile="${jboss.server.home.dir}/conf/somekeyfile"
           keystorePass="changeit" 
           truststoreFile="${jboss.server.home.dir}/conf/somekeyfile"
           truststorePass="changeit" 
           sslProtocol = "TLS" />

As an aside, I am using a port set that is supposed to add 200 to all my puts.  This did not work for the SSL port, so I set it to the normal port + 200 as above, is server.xml.

Note that "truststore" properties are specified above, and some documentation indicates that this works.  It does not.  The keystore specification works however.  The server will use the "tomacat" aliased certificate in the given file as it's own.  I don't believe setting "truststoreFile" in server.xml has any impact.

For the truststore, clients will actually use the JRE's system trust store file.  If nothing else is done but the above, to continue this example, then when this server attempts to access https://192.168.0.8:8643/something/ an exception will be thrown.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This happens because the server certificate, the "tomcat" certificate provided by the server on the initial handshake, can't be found in the JRE truststore file.  I added it to the somekeyfile above, but this file it not being checked.  Options...

1. Add the certificate to the Jave truststore file, with the proper alias.

keytool -import -alias iws03qa5 -file tomcat.crt -keystore /opt/jdk1.6.0_30/jre/lib/security/cacerts -storepass changeit

2.  Use properties set at the Java command line to specify a truststore location.

-Djavax.net.ssl.trustStore=[path and filename]
-Djavax.net.ssl.trustStorePassword=changeit


3. Set the truststore in jBoss's SSL support properties.  To do this, edit:

[server directory]server/default/conf/bootstrap/security.xml

Add this, at the bottom, inside the "deployment" block:


[path]/server/default/conf/somekeyfile
 changeit
 [path]/server/default/conf/somekeyfile
 changeit


Change [path] to your server path of course.

Interestingly, keystore properties must be given here also, even though they also appear in the other file.  Otherwise, the security system will not initialize and it's a big mess.

With this setup, and the server bounced of course, the certificate is found and HTTPS works.

No comments:

Jeff Sexton

007 1:144 Scale 1:350 Enterprise 10 Barrel Brewing 14 1856 2001 A Space Odyssey 3D modeling 40and20 4th of July 78 RPM Abyss Adam West Advertising Agora Models Air Canada Airline Airways Brewing Alan Bennett Alaska Alberta Alberta Street Pub Alfa Romeo Spider Touring Gran Sport Amati Amazon Amnesia Brewing AMT Analog signal Android Anomalies and Alternative Science Antiques Apache Apollo Apple Apple Stores Art Artisanal Beer Works Assembly Brewing Aston Martin Astoria Asus Atlas Audrey Augmented reality Aurora Famous Fighters auto-awesome Automobile Autos Aviary Aviation Backups Baelic Brewing Bale Breaker Brewing Bandai Barack Obama Barley Brown's Beer Bars Base Camp Brewing Batman Battery Beards Beer Beer Bar Bell System Bellwether Berkshire Hathaway Betty White Beyond the Fringe Bigfoot Bikes Bill Clinton Bird Food Bird Toys Birds Birthdays Bleriot Bleriot XI Block 15 Brewing Blogger Bojack Horseman Bolton Landing Brewing Boltons Boneyard Brewing Books Boxer Ramen Boxer Ramon Breakside Brewing Brian Eno Build Management Buoy Brewing Burger King Business and Economy Business Process Execution Language Bye & Bye Byte-order mark Canadian Carrot Cats Chex Mix Chihuly Chipmonk Christmas Civil Defense Clinton Clocks Closet Doors CNN Cockatiels Cocktails Collections Columbia Grafonola Columbia River George Columbia River Gorge Corners Corvallis County Cork Crooked Stave Brewing Crows Crux Brewing Cuisinart Culmination Brewing David Byne DB5 Dear Jane Debian Deschutes Brewing DFW C.V Diabetes Dick Curtis Digital Living Network Alliance Digital television Dinosaurs Disney Doll House Don the Beachcomber Double Mountain Brewing Dow Jones Industrial Average Dragons Dudley Moore Duesenburg SJ Roadster Durham University DVD E-mail address E9 Eagle Eagle Creek Fire Eaglemoss Easter ebauche Ecliptic Economics Ed Ed and Olive Eels EJB Elgin Elysian Brewing Energy development Enterprise Enterprise JavaBean ESP Evergreen Air Museum Everybody's Brewing Ex Novo Brewing F-84G Thunderjet Facebook Family Photos Fathers Day Fearless Brewing Fedora Ferment Brewing Ferns Festival of The Dark Arts Filesharing Finance Finger Firesign Theater Fireworks Flowers Flying Sub Food Ford Fort George Brewing Fossil fuel Free House Garfield James Abram Garfield Minus Garfield Gateway Brewing Gene Sexton Gene Wilder George Carlin Gigantic Brewing Gilgamesh Brewing Glass Glassfish Global warming Golden Arches Goldfinger Goofy Google Google Assistant Google Buzz Google Docs Google Home Google Lively Google Photos Google Reader Google Wave Google+ Goose Graffiti Grammar Gravy Great Divide Brewing Great Notion Brewing Greek Festival Greenhouse gas Gruen GT40 H. G. Wells Half-Life 2 Halloween Harlan Hawaii Helbros High-definition television Hilo Hilo Brewing History Ho 229 Hollywood Theater Hopworks Urban Brewery Horizon Models HP Hybrid electric vehicle IBM Impala Inner city Instagram Insulin Investing IPMS Iris Irony J.C. Penny James Bond Jane Austen Java Java Architecture for XML Binding JC Penny JDBC Jeannine Stahltaube Jeff's! Jim Davis joe the plumber John McCain Jonathan Miller Jubelale Kapaau Karma Kauai Kay Thompson Kermit the Frog Keys Keys Lounge Kids and Teens Kona LA Auto Show Labrewtory Larry King Laser Laserdisc Leavenworth Wenatchee River Level Brewing Lilly Tomlin linux Little Beast Brewing Lloyd Center Logging Lowry Sexton LPs Lucky Lab Magnets Mark Cuban Market trends Martin Mull Maytag McDonald Mediatomb Meier and Frank Mel Brooks Mercury Microsoft Microsoft Windows Migration Brewing Mobius Models modern Times Brewing Money Monkey monsters Moon MOUNT HOOD Mount Tabor Movie Reviews Multnomah Falls Music Music industry Muxtape MySQL NetBeans Netflix Nikon Nikon Z50 Ninkasi Brewing Nintendo Nissan Cube Norm Coleman North Bar Nuclear fallout Nuclear warfare Nuggest Nuts OBF Office Depot Offshoot Beer Co Oktoberfest Ola Brewing Old Town Brewing Olive Open ESB Oracle Corporation Orca Oregon Orion Space Clipper Otto Owls Pacific Ocean Packard Boattail Pam American Parrots Patio Sale PDX Pearl District Pearl District Portland Oregon Peppers Performance Review Peter Cook Peter Iredale Pets Pfriem Brewing Philip K Dick Phone Book photography Pizza Plank Town Brewing Play Station PlayStation 3 pluspora Pocher Podcast Poke Pokémon HeartGold and SoulSilver Polar Lights Politics Pono Brewing Portal Portland Portland Development Commission Presidents Pride and Prejudice Programming Projects PS3 PS4 Pumpkins Quotation Marks Rad Power Radio Radio Room Ramen Ramon Recipes Recording Industry Association of America Renewable energy Reservoir Reuben's Brewing Reubens Brewing RIAA Richmond Pub Robot Chicken Rock-paper-scissors Rogue Brewing Round 2 Sales San Francisco Santa Sarcasm Sasquatch Brewing SATA Science fiction film Sea Quake Brewing Seattle Selfie Serbia Service-oriented architecture Seward Shelby Cobra Shipwreck Shopping Signs Silver Moon Brewing Slide Rule Snow Soap Soap Cutter Social Security Social Studies Society6 Sony Sopwith F.1 Camel BR.1 Soviet Space 1999 Space Race Spad XIII Speaker Repair Spirit of St. Louis Spitfire SQL Squirrel's St Patricks Day Stanford Hospital Star Trek Star Wars Starbucks Stock market Storm Breaker Strip search Stripes Studebaker Studellac Sun Microsystems Supernatural T-Mobile Tablet Tamiya Tamiya Spitfire Taube TechCrunch Technical Television Terminal Gravity Thanksgiving The Producers ThinkGeek Three Creeks Brewing Thunder Island Brewing Tiki Time Bandits Toaster Tom Peterson Tools Top Ferment Total Recall Transportation Security Administration Trumpeter Tubboat Tyco UFOs Unicode United States United States Department of Homeland Security Universal Plug and Play Unknown Primates USB USS Yorktown Valcom Van Gilder Hotel Vegetable garden VHS Victoria Video Video game Vintage Images Vintage Vintage! Virtual world Volcano Hawaii Volvo C70 Voyage to the Bottom of the Sea Wall Street War of the Worlds Warren Buffett Warrenton watches Watercolor Wayfinder Brewing We Can Remember It for You Wholesale Web service Web Services Description Language Whiskey Wii Windows 7 Windows Phone 7 Windows Vista Windows XP Windy Wingnut Wings Wood Worthy Brewing WWI WWII X-Files X-ray vision XML XML Schema Y2K Yeti YouTube Yugo Zero Mostel Zima Zoom H2n