Jeff Sexton

Wednesday, August 08, 2012

HTTPS in jBoss 6

In setting up a jBoss 6 server for SSL, I found quite a bit of information was not readily available and there were several unexpected issues.  Here's the long and short...

First, the server will need a keystore with a self-signed certificate.  Use keytool, and an alias of "tomcat".  I'll gloss over some of these general certificate steps because they are well covered in other places.

keytool -genkey -alias tomcat -keyalg RSA -keystore somekeyfile -validity 9999

In the first question, for first and last name, use the name that this server will be referred to as in client calls: "localhost", a hostname or an IP address.  Use "changeit" for the passwords.

Next, extract the certificate just created from this file and set it aside.

keytool -export -keystore somekeyfile -storepass changeit -alias tomcat -file tomcat.crt

I'm going to ultimately use this same store as both the key store and the trust store, so I re-import this certificate with the alias that the machine will be referred to.  For example:

keytool -import -alias 192.168.0.8 -file tomcat.crt -keystore somekeyfile -storepass changeit

Now the file holds the self-signed certificate twice: under the "tomcat" alias, which the server will hand to clients making requests, and under the host alias, which clients will compare the server's certificate against when making calls to this host.

Edit the following file to enable the use of this keystore.

[server directory]/server/default/deploy/jbossweb.sar/server.xml

You can set the SSL port here too, like this.

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8643" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/somekeyfile"
           keystorePass="changeit"
           truststoreFile="${jboss.server.home.dir}/conf/somekeyfile"
           truststorePass="changeit"
           sslProtocol="TLS" />

As an aside, I am using a port set that is supposed to add 200 to all my ports.  This did not work for the SSL port, so I set it to the normal port + 200 in server.xml, as above.

Note that "truststore" properties are specified above, and some documentation indicates that this works.  It does not.  The keystore specification does work, however: the server will use the "tomcat"-aliased certificate in the given file as its own.  I don't believe setting "truststoreFile" in server.xml has any impact.

For the truststore, clients will actually use the JRE's system trust store file.  If nothing else is done beyond the above, then, continuing this example, when this server attempts to access https://192.168.0.8:8643/something/ an exception will be thrown:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This happens because the server certificate (the "tomcat" certificate presented by the server in the initial handshake) can't be found in the JRE truststore file.  I added it to somekeyfile above, but that file is not being checked.  Options...

1. Add the certificate to the Java truststore file, with the proper alias.

keytool -import -alias iws03qa5 -file tomcat.crt -keystore /opt/jdk1.6.0_30/jre/lib/security/cacerts -storepass changeit

2.  Use properties set at the Java command line to specify a truststore location.

-Djavax.net.ssl.trustStore=[path and filename]
-Djavax.net.ssl.trustStorePassword=changeit


3. Set the truststore in jBoss's SSL support properties.  To do this, edit:

[server directory]/server/default/conf/bootstrap/security.xml

Add this, at the bottom, inside the "deployment" block:

[path]/server/default/conf/somekeyfile
changeit
[path]/server/default/conf/somekeyfile
changeit


Change [path] to your server path of course.

Interestingly, the keystore properties must be given here as well, even though they already appear in server.xml.  Otherwise the security system will not initialize and it's a big mess.

With this setup, and the server bounced of course, the certificate is found and HTTPS works.
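As an added example (not code from the post), a client running in the same JVM can trust the server's self-signed certificate by loading somekeyfile as its own trust store, which is what option 2 does JVM-wide and option 3 does for jBoss; the class name, the keystore path and the https://192.168.0.8:8643/something/ URL are assumptions carried over from the example above.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not from the post: use somekeyfile as the trust store for an
// outgoing call instead of the JRE's cacerts.  Class name, path and URL are assumed.
public class SomeKeyFileTrust {

    // Print each entry: "tomcat" should be the key entry, the host alias a trusted cert.
    static void printEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(no certificate)";
            System.out.println(alias + (ks.isKeyEntry(alias) ? " [key entry] " : " [trusted cert] ") + subject);
        }
    }

    // Trust only the entries in this file.  If the server's self-signed cert is not among
    // them, the client fails with the same "PKIX path building failed" as with cacerts.
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // default key managers, no client auth
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "somekeyfile";
        KeyStore ks = KeyStore.getInstance("JKS");     // keytool's default store type on JDK 6
        ks.load(new FileInputStream(path), "changeit".toCharArray());
        printEntries(ks);
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://192.168.0.8:8643/something/").openConnection();
        conn.setSSLSocketFactory(contextTrusting(ks).getSocketFactory());
        // Hostname verification is a separate check from trust and still applies to the URL host.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```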
