JBoss SSL Configuration, How to enable https in JBoss 3.2.x, 4.2.x, 5.x
There are many blogs, and of course the official JBoss Community forum, with good articles from which I learned how to enable SSL in JBoss without any application code changes. I am writing this to make those steps even clearer, along with screenshots of my own implementation, so that it is very easy to follow.
So, there are a few important steps (which are common to almost all JBoss versions):
1) Generate a keystore using the keytool utility that ships in the JDK's bin folder.
2) Move this keystore to the conf directory of JBoss.
3) Enable/configure the SSL port in server.xml / binding.xml.
4) Restart JBoss and try to access any JBoss link over the https protocol.
1) Generating the keystore using keytool -
Prerequisite - Make sure you have the JDK installed (if not, download it).
Go to the bin folder of this JDK directory; you will find the keytool utility there.
From the command prompt, generate the keystore using a command like the following (the parts shown in red and bold are the ones you replace with your own values) -
>>keytool -genkey -keyalg RSA -alias serverkey -keystore server.keystore -storepass changeit -keypass changeit -dname "CN=MYNAME, OU=MYOU, O=MYORG, L=MYCITY,ST=MYST, C=MY"
If you want to include a validity period (for how many days the generated certificate will be valid, e.g. 30), it would be like
>>keytool -genkey -keyalg RSA -alias serverkey -keystore server.keystore -validity 30 -storepass changeit -keypass changeit -dname "CN=MYNAME, OU=MYOU, O=MYORG, L=MYCITY,ST=MYST, C=MY"
Or this way - put only this part of the command into the command prompt.
Possible Errors -
1) keytool is unrecognized / unknown command - you have not added %JAVA_HOME%\bin to the Windows PATH environment variable.
2) keytool error: java.lang.Exception: Key pair not generated, alias <serverkey> already exists -
For Windows XP, make sure no keystore file with the same name or the same alias already exists in the current directory from which you are running the command.
If it is there, delete it and re-execute the command.
For Windows Vista/7, your keystore files will be generated in the directory "C:\Users\Home\AppData\Local\VirtualStore", or, if you generated it from the JBoss bin directory, in "C:\Users\Home\AppData\Local\VirtualStore\Program Files\Java\jdk1.5.0_22\bin". Make sure no keystore file with the same name or the same alias exists there; if it does, delete it and regenerate it.
Although there are many variants of this command, the important keystore-generation commands can be found at links like -
http://nl.globalsign.com/en/support/ssl+certificates/java/java+based+webserver/keytool+commands/
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
http://www.mobilefish.com/tutorials/java/java_quickguide_keytool.html (For mobile development)
Keytool - Java keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates.
Note - For more information on what a keystore, a public key, a private key and security certificates are, refer to these links -
http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
http://docs.oracle.com/javase/1.4.2/docs/tooldocs/solaris/keytool.html
2) Copy / move this keystore file to the JBoss conf folder.
Go to "<JBoss_home>/server/default/conf" (or "<JBoss_home>/server/<your_own_configuration>/conf").
Paste your keystore file here.
3) Enable the SSL configuration -
a) In JBoss 4.2.x, go to "<JBoss_home>/server/default/deploy/jboss-web.deployer/" (or the deploy/jboss-web.deployer/ folder of your own configuration) and add these lines to "server.xml":

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="changeit"
               truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
               truststorePass="changeit">
    </Connector>

** Don't forget to add the truststoreFile and truststorePass entries in the above tag.
b) In JBoss 5.x, the directory path would be like "jboss-5.0.0.CR2\server\default\deploy\jbossweb.sar\".
c) In JBoss 3.2.x, the directory path would be like "jboss-3.2.6\server\default\deploy\jbossweb-tomcat50.sar\".
Now restart the JBoss server and open your link over https. The browser will show an invalid security certificate notification (the certificate is self-signed); just click proceed/continue/add exception, which is worded differently in different browsers.
"There is one more thing"
1) If you want to disable normal http access to your link once https is working, go to the same server.xml (at the path mentioned above) and remove the connector tag for http access.
e.g. it would look like -

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="9080" address="${jboss.bind.address}" maxThreads="250"
               maxHttpHeaderSize="8192" emptySessionPath="true"
               protocol="HTTP/1.1" enableLookups="false" redirectPort="8443"
               acceptCount="100" connectionTimeout="20000"
               disableUploadTimeout="true" />

Remove this connector tag and restart the server.
Your application will then be accessible over SSL only.
2) In case you want your application accessible over an SSL port other than 443.
By default, 443 is the SSL port, so you don't have to put this port in your link; e.g. if my application link is "https://localhost/LogicProWeb/index.html", then "https://localhost:443/LogicProWeb/index.html" is the same link.
For SSL port 443 we don't need to include the port in the URL.
But if you use another port, e.g. 9080, then you must specify the port in your application URL,
e.g. the same link would become "https://localhost:9080/LogicProWeb/index.html".
So change that connector tag to something like -

    <Connector port="9080" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="changeit"
               truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
               truststorePass="changeit">
    </Connector>
3) Using multiple ports for the same application (publishing the application over multiple ports).
e.g. if you want your application to work on several ports, e.g. 9080, 9081 and 9082 (with or without SSL), then add these 3 corresponding connector tags in server.xml with these ports:

    <Connector port="9080" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="changeit"
               truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
               truststorePass="changeit">
    </Connector>
    <Connector port="9081" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="changeit"
               truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
               truststorePass="changeit">
    </Connector>
    <Connector port="9082" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="changeit"
               truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
               truststorePass="changeit">
    </Connector>

OR without SSL -

    <Connector port="9080" address="${jboss.bind.address}" maxThreads="250"
               maxHttpHeaderSize="8192" emptySessionPath="true"
               protocol="HTTP/1.1" enableLookups="false" redirectPort="8443"
               acceptCount="100" connectionTimeout="20000"
               disableUploadTimeout="true" />
    <Connector port="9081" address="${jboss.bind.address}" maxThreads="250"
               maxHttpHeaderSize="8192" emptySessionPath="true"
               protocol="HTTP/1.1" enableLookups="false" redirectPort="8443"
               acceptCount="100" connectionTimeout="20000"
               disableUploadTimeout="true" />
    <Connector port="9082" address="${jboss.bind.address}" maxThreads="250"
               maxHttpHeaderSize="8192" emptySessionPath="true"
               protocol="HTTP/1.1" enableLookups="false" redirectPort="8443"
               acceptCount="100" connectionTimeout="20000"
               disableUploadTimeout="true" />

OR a mix of SSL and non-SSL connector tags.
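Once the connectors are in place it is easy to leave the sample values behind, so here is a small added check (my own example, not part of the original post or of JBoss) that reads a server.xml and reports the things this post tells you to take care of: a keystorePass left at "changeit", missing truststoreFile/truststorePass on an SSL connector, a plain HTTP connector still present when you wanted SSL-only access, and a redirectPort that does not point at any SSL connector. The server.xml below is a constructed sample built from the connectors shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the connectors shown in this post: the plain
# HTTP connector is still present and the SSL connector uses the sample values.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="9080" address="${jboss.bind.address}" maxThreads="250"
               protocol="HTTP/1.1" enableLookups="false" redirectPort="8443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="changeit" />
  </Service>
</Server>"""


def audit_connectors(server_xml, https_only=False):
    """Return (port, message) findings for every Connector in a server.xml.

    https_only=True is the "one more thing" case from the post: every plain
    HTTP connector is expected to have been removed from server.xml.
    """
    root = ET.fromstring(server_xml)
    findings, ssl_ports, plain = [], set(), []
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.add(port)
            if c.get("keystorePass") in (None, "changeit"):
                findings.append((port, "keystorePass missing or left at default 'changeit'"))
            if not (c.get("truststoreFile") and c.get("truststorePass")):
                findings.append((port, "truststoreFile/truststorePass not set on SSL connector"))
            if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
                findings.append((port, 'SSL connector should set scheme="https" and secure="true"'))
        else:
            plain.append(c)
    for c in plain:
        port = c.get("port", "?")
        if https_only:
            findings.append((port, "plain HTTP connector still present; remove it for SSL-only access"))
        elif c.get("redirectPort") not in ssl_ports:
            findings.append((port, "redirectPort does not match any SSL connector port"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {msg}")
```

Point it at your real server.xml with `audit_connectors(open(path).read())`; an empty list means none of the above issues were found.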
Enjoy:-)
Here are some reference links (for further reading) -
(The Best Source) https://community.jboss.org/wiki/sslsetup
http://i-proving.ca/space/Technologies/JBoss/Configuring+JBoss+SSL
https://code.google.com/p/seaminaction/wiki/EnableSSLJBossAS
https://docs.jboss.org/jbportal/v2.2/user-guide/en/html/configuration.html
https://community.jboss.org/en/jbossas/config?view=tags#/?tags=ssl