SSL Configuration

Create (or import) SSL certificates using keytool Java command-line utility

Configure SSL connector in Tomcat

Require SSL per application/context using <user-data-constraint>

Adding support for SSL (Secure Socket Layer) is only useful if JBoss AS acts as a stand-alone web server. If JBoss AS is fronted by another web server, like Apache HTTPD, then the security of the communication channel becomes the responsibility of that web server. In that case, JBoss AS communicates with the web server over an unsecured channel (plain-text), but the web server still informs JBoss about the security protocol it has negotiated with the end client.

Creating SSL Certificates

  1. Only JKS or PKCS12 formats are supported
  2. Use JDK’s keytool command-line tool
  3. Keystore password and certificate password have to be the same (default is "changeit")
  4. Certificate alias is "tomcat"
  5. Use RSA algorithm for broader support
  6. Use JBoss-specific keystore file
  7. Use site hostname for cert’s common name

For example, run the following from within the ${jboss.server.home.url} directory:

keytool -genkey -keystore conf/ssl.ks -storepass secret -alias tomcat -keyalg RSA -keypass secret

What is your first and last name?
  [Unknown]: localhost
What is the name of your organizational unit?
  [Unknown]: IT
What is the name of your organization?
  [Unknown]: Secure Org
What is the name of your City or Locality?
  [Unknown]: San Francisco
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=localhost, OU=IT, O=Secure Org, L=San Francisco, ST=CA, C=US correct?
  [no]: yes


Refer to for more info

Configure SSL Connector

Add (uncomment) the following in the ${jboss.server.home.dir}/deploy/jbossweb.sar/server.xml file:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
           keystorePass="rmi+ssl" sslProtocol="TLS" />

Set keystoreFile and keystorePass to the keystore and password you created with keytool (conf/ssl.ks and secret in the example above).

If you change the port to 443 (or any other port number), make sure that you also set redirectPort="443" in both the non-SSL HTTP and AJP connector elements.
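The redirectPort note above is easy to get half right, so here is an added example (not part of the original page or of JBoss) that parses a server.xml and reports connectors whose redirectPort does not match the SSL connector's port. The sample XML is constructed, and the function name audit_connectors is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: SSL connector moved to 443, AJP updated, but the
# non-SSL HTTP connector still redirects to the old 8443.
SAMPLE_SERVER_XML = """\
<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8080" redirectPort="8443" />
  <Connector protocol="AJP/1.3" port="8009" redirectPort="443" />
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="443"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/ssl.ks"
             keystorePass="secret" sslProtocol="TLS" />
</Service></Server>"""


def audit_connectors(server_xml):
    """Return a list of findings for the <Connector> elements in server_xml."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in connectors if c not in ssl]
    if not ssl:
        return ['no connector has SSLEnabled="true"']
    findings = []
    ssl_ports = {c.get("port") for c in ssl}
    for c in ssl:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"SSL connector {port}: scheme/secure not https/true")
        if not c.get("keystoreFile"):
            findings.append(f"SSL connector {port}: keystoreFile not set")
    for c in plain:
        # Assumption of this example: every non-SSL connector must name the
        # SSL port explicitly, so a missing redirectPort is also reported.
        redirect = c.get("redirectPort")
        if redirect not in ssl_ports:
            findings.append(
                f"{c.get('protocol')} connector {c.get('port')}: "
                f"redirectPort={redirect} does not match SSL port(s) "
                f"{sorted(ssl_ports)}")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```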

See for additional <Connector> options.

Testing SSL Configuration

When starting up JBoss AS, the console should print the following lines:


14:41:01,002 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-
14:41:02,195 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-


When you point your browser to https://localhost:8443/status, you will get a browser warning telling you that the SSL certificate has not been signed by a certification authority that you trust. This is expected, since we signed our own certificate. Skipping the warning should show the SSL-protected page (padlock).
