First, the server will need a keystore with a self-signed certificate. Use keytool, and an alias of "tomcat". I'll gloss over some of these general certificate steps because they are well covered in other places.
keytool -genkey -alias tomcat -keyalg RSA -keystore somekeyfile -validity 9999
For the first question (first and last name), use the name that clients will use to refer to this server: "localhost", a hostname, or an IP address. Use "changeit" for the passwords.
Next, extract the certificate just created from this file and set it aside.
keytool -export -keystore somekeyfile -storepass changeit -alias tomcat -file tomcat.crt
I'm going to ultimately use this same store as both the key store and the trust store, so I re-import this certificate with the alias that the machine will be referred to. For example:
keytool -import -alias 192.168.0.8 -file tomcat.crt -keystore somekeyfile -storepass changeit
Now the file has the self-signed certificate, which the server will hand to clients making requests, and the same certificate, with the different alias, that clients will compare the server's certificate to, when making calls to this host.
Edit the following file to enable the use of this keystore.
[server directory]/server/default/deploy/jbossweb.sar/server.xml
You can set the SSL port here too, like this.
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8643" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/somekeyfile"
keystorePass="changeit"
truststoreFile="${jboss.server.home.dir}/conf/somekeyfile"
truststorePass="changeit"
sslProtocol="TLS" />
As an aside, I am using a port set that is supposed to add 200 to all my ports. This did not work for the SSL port, so I set it to the normal port + 200 in server.xml, as above.
Note that "truststore" properties are specified above, and some documentation indicates that this works. It does not. The keystore settings do work, however: the server will use the "tomcat" aliased certificate in the given file as its own. I don't believe setting "truststoreFile" in server.xml has any impact.
For the truststore, clients will actually use the JRE's system trust store file. If nothing else is done beyond the above, then, to continue this example, when this server (acting as a client) attempts to access https://192.168.0.8:8643/something/ an exception will be thrown.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This happens because the server certificate (the "tomcat" certificate provided by the server in the initial handshake) can't be found in the JRE truststore file. I added it to somekeyfile above, but that file is not being checked. Options...
1. Add the certificate to the Java truststore file, with the proper alias.
keytool -import -alias iws03qa5 -file tomcat.crt -keystore /opt/jdk1.6.0_30/jre/lib/security/cacerts -storepass changeit
2. Use properties set at the Java command line to specify a truststore location.
-Djavax.net.ssl.trustStore=[path and filename]
-Djavax.net.ssl.trustStorePassword=changeit
3. Set the truststore in JBoss's SSL support properties. To do this, edit:
[server directory]/server/default/conf/bootstrap/security.xml
Add this, at the bottom, inside the "deployment" block:
Change [path] to your server path of course.
Interestingly, the keystore properties must be given here too, even though they also appear in the other file. Otherwise the security system will not initialize, and it's a big mess.
With this setup, and the server bounced of course, the certificate is found and HTTPS works.
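To see the keystore/truststore difference without bouncing the server, here is an added diagnostic (my own example, not code from the post or from JBoss) that loads the "tomcat" certificate from somekeyfile and asks a Java X509TrustManager whether it would accept it, first against the JRE's default truststore and then against somekeyfile itself used as the truststore. It assumes the somekeyfile path and "changeit" password from the steps above; the trust manager treats every certificate entry as a trust anchor whatever alias it was imported under.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Reports whether a server certificate would pass PKIX validation against a given truststore. */
public class TrustCheck {

    // Load a JKS file (somekeyfile in the post).
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    // Returns null when the chain is trusted, otherwise the validator's message
    // (the same "PKIX path building failed" text the post shows).
    static String whyUntrusted(X509Certificate[] chain, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // a null KeyStore means the JRE default: javax.net.ssl.trustStore or cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return null;
                } catch (CertificateException e) {
                    return e.getMessage();
                }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        String keyFile = args.length > 0 ? args[0] : "somekeyfile"; // assumed path to the post's keystore
        KeyStore ks = load(keyFile, "changeit".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("tomcat");
        if (cert == null) throw new IllegalStateException("no 'tomcat' entry in " + keyFile);
        X509Certificate[] chain = { cert }; // self-signed: the chain is the one certificate

        // Against the JRE default truststore this prints the PKIX error unless option 1 or 2 was applied.
        System.out.println("JRE default truststore: " + whyUntrusted(chain, null));
        // Against somekeyfile itself the re-imported copy is a trust anchor, so the result is null (trusted).
        System.out.println(keyFile + " as truststore: " + whyUntrusted(chain, ks));
    }
}
```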