SSL Configuration

  • Create (or import) SSL certificates using the keytool Java command-line utility
  • Configure the SSL connector in Tomcat
  • Require SSL per application/context using <user-data-constraint>

Adding support for SSL (Secure Sockets Layer) is only useful if JBoss AS acts as a stand-alone web server. If JBoss AS is fronted by another web server, like Apache HTTPD, then the security of the communication channel becomes the responsibility of that web server. In that case, JBoss AS communicates with the web server over an unsecured channel (plain text), but the web server still informs JBoss about the security protocol it has negotiated with the end client.

To enrich your career and become a JBoss professional, visit Tekslate, the global online training platform: "JBoss Training". This course will help you achieve excellence in this field.

  1. Only JKS or PKCS12 formats are supported
  2. Use JDK’s keytool command-line tool
  3. Keystore password and certificate password have to be the same (default is "changeit")
  4. Certificate alias is "tomcat"
  5. Use RSA algorithm for broader support
  6. Use JBoss-specific keystore file
  7. Use site hostname for cert’s common name
  8. For example, run the following from within the ${jboss.server.home.url} directory:

Creating SSL Certificates

  keytool -genkey -keystore conf/ssl.ks -storepass secret -alias tomcat -keyalg RSA -keypass secret
  What is your first and last name?
    [Unknown]:  localhost
  What is the name of your organizational unit?
    [Unknown]:  IT
  What is the name of your organization?
    [Unknown]:  Secure Org
  What is the name of your City or Locality?
    [Unknown]:  San Francisco
  What is the name of your State or Province?
    [Unknown]:  CA
  What is the two-letter country code for this unit?
    [Unknown]:  US
  Is CN=localhost, OU=IT, O=Secure Org, L=San Francisco, ST=CA, C=US correct?
    [no]:  yes

Refer to http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for more information.

Configure SSL Connector

Add (uncomment) the following in the ${jboss.server.home.dir}/deploy/jbossweb.sar/server.xml file:

  <Connector protocol="HTTP/1.1" SSLEnabled="true"
             port="8443" address="${jboss.bind.address}"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
             keystorePass="rmi+ssl" sslProtocol="TLS" />

The keystoreFile path and keystorePass value must match the keystore file and password you used with keytool, otherwise the connector fails to initialize. If you change the port to 443 (or any other port number), make sure that you also set redirectPort="443" in both the non-SSL HTTP and AJP connector elements; otherwise requests that require SSL are redirected to a port on which nothing listens. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html for additional <Connector> options.

Testing SSL Configuration

When starting up JBoss AS, the console should print the following lines:

  ...
  14:41:01,002 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8080
  14:41:02,195 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8443
  ...

When you point your browser to https://localhost:8443/status you will get a browser warning telling you that the SSL certificate has not been signed by a certification authority that you trust. This is expected, since we signed our own certificate. Skipping the warning should show the SSL-protected page (padlock).
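As an added example (not code from the original page or from the JBoss project), the following Python script audits a server.xml for the connector settings described above and a web.xml for the <user-data-constraint> requirement from the overview: it flags an SSL connector that lacks scheme="https", secure="true", sslProtocol="TLS" or keystore attributes, flags non-SSL HTTP/AJP connectors whose redirectPort does not point at the SSL connector's port, and flags security constraints whose transport-guarantee is not CONFIDENTIAL. The XML documents embedded in it are constructed samples; the keystore path conf/ssl.ks and password "secret" are taken from the keytool command above.

```python
# Added example: audit server.xml and web.xml for the SSL settings described above.
# The XML documents below are constructed samples, not files shipped with JBoss AS.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(xml_text):
    """Return a list of findings about the SSL connector setup in a server.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = [el for el in root.iter() if _local(el.tag) == "Connector"]
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in connectors if c.get("SSLEnabled", "").lower() != "true"]
    if not ssl:
        return ['no connector has SSLEnabled="true"; HTTPS is not offered']
    ssl_ports = set()
    for c in ssl:
        port = c.get("port")
        ssl_ports.add(port)
        # The connector must advertise itself as secure so the container marks requests as confidential.
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if c.get(attr, "").lower() != want:
                findings.append(f'SSL connector on port {port}: {attr} should be "{want}"')
        for attr in ("keystoreFile", "keystorePass"):
            if not c.get(attr):
                findings.append(f"SSL connector on port {port}: missing {attr}")
        if c.get("sslProtocol", "") != "TLS":
            findings.append(f'SSL connector on port {port}: sslProtocol should be "TLS"')
    # Every non-SSL connector redirects CONFIDENTIAL requests to redirectPort; it must be an SSL port.
    for c in plain:
        rp = c.get("redirectPort")
        if rp not in ssl_ports:
            findings.append(
                f"{c.get('protocol')} connector on port {c.get('port')}: redirectPort={rp!r} "
                f"does not point at an SSL connector port ({', '.join(sorted(ssl_ports))})"
            )
    return findings


def audit_web_xml(xml_text):
    """Return findings for <security-constraint> blocks that do not require CONFIDENTIAL transport."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in (el for el in root.iter() if _local(el.tag) == "security-constraint"):
        name = next((e.text for e in sc.iter() if _local(e.tag) == "web-resource-name"), "?")
        guarantee = next((e.text or "" for e in sc.iter() if _local(e.tag) == "transport-guarantee"), "")
        if guarantee.strip() != "CONFIDENTIAL":
            findings.append(
                f"security-constraint '{name}': transport-guarantee is "
                f"{guarantee.strip() or 'absent'}, expected CONFIDENTIAL"
            )
    return findings


# Constructed server.xml: the SSL connector was moved to port 443, but the plain HTTP and AJP
# connectors still redirect to 8443 (the mistake the text warns about).
SERVER_XML_WEAK = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" redirectPort="8443"/>
  <Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}" redirectPort="8443"/>
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="443" address="${jboss.bind.address}"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/ssl.ks" keystorePass="secret"
             sslProtocol="TLS"/>
</Service></Server>"""
# Same document with redirectPort corrected on both non-SSL connectors.
SERVER_XML_FIXED = SERVER_XML_WEAK.replace('redirectPort="8443"', 'redirectPort="443"')

# Constructed web.xml: the constraint on /secure/* does not require SSL (NONE);
# the fixed variant uses CONFIDENTIAL, which forces HTTPS for that URL pattern.
WEB_XML_WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
WEB_XML_FIXED = WEB_XML_WEAK.replace("NONE", "CONFIDENTIAL")


if __name__ == "__main__":
    for label, doc, audit in (("server.xml (weak)", SERVER_XML_WEAK, audit_server_xml),
                              ("server.xml (fixed)", SERVER_XML_FIXED, audit_server_xml),
                              ("web.xml (weak)", WEB_XML_WEAK, audit_web_xml),
                              ("web.xml (fixed)", WEB_XML_FIXED, audit_web_xml)):
        findings = audit(doc)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run it against a real deployment by reading ${jboss.server.home.dir}/deploy/jbossweb.sar/server.xml and each application's WEB-INF/web.xml instead of the embedded samples. The script deliberately does not open the keystore: whether keystorePass actually unlocks keystoreFile is only proven by the connector initializing, which is the console check described above.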
