
JBossWithSSL

Nikos Kefalakis edited this page Jul 23, 2015 · 5 revisions

Configuring JBoss

Here we assume that JBoss AS7 is used in standalone mode. By $jboss-home we refer to the JBoss AS7 directory.

Enabling SSL in JBoss

Assume that you store the required SSL files in a path YOUR_SSL_DIR_PATH (e.g., $jboss-home/standalone/configuration/ssl).

  • If the directory structure does not exist, run mkdir -p YOUR_SSL_DIR_PATH

  • Run cd YOUR_SSL_DIR_PATH

  • Run keytool -genkey -alias jbosskey -keypass [password] -keyalg RSA -keystore server.keystore
    ◦ Use "localhost" as Common Name [as answer to "What is your first and last name?"].
    ◦ If you are deploying on a server, use the DNS name of the server instead of "localhost".
    ◦ If you are deploying on a server with a public IP (no DNS), use the IP address as Common Name [as answer to "What is your first and last name?"]. Also add the following option to the keytool -genkey command: -ext san=ip:10.0.0.1

  • Run keytool -export -alias jbosskey -keypass [password] -file server.crt -keystore server.keystore

  • Run keytool -import -alias jbosscert -keypass [password] -file server.crt -keystore server.keystore
    ◦ Ignore the warning!

  • In $jboss-home/standalone/configuration/standalone.xml add the following connector inside <subsystem xmlns="urn:jboss:domain:web:1.1" ...>:

    ```xml
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" key-alias="jbosskey" password="YOUR_PASSWORD_HERE" certificate-key-file="YOUR_SSL_DIR_PATH/server.keystore" />
    </connector>
    ```

    **Note**: for YOUR_SSL_DIR_PATH use the full path of your SSL folder, so that certificate-key-file points at the keystore file, e.g. "JBOSS_HOME/standalone/configuration/ssl/server.keystore".

  • Restart JBoss and go to https://localhost:8443 to see if SSL is enabled and works correctly.

  • Next, you'll have to import this certificate into the Java trust store with the command keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file server.crt -alias incommon. On Linux you will have to do this as root. The default keystore password is changeit.

JBOSS SSL Troubleshooting

If you encounter the error "unable to load the key" (as documented in the bug report at https://issues.apache.org/bugzilla/show_bug.cgi?id=38217), follow the steps below.

In steps 3, 4, and 5 ensure the [password] parameter for keypass and the keystore password (requested during command execution in the terminal) are identical.

To remove the previously registered key, use the command

keytool -delete -noprompt -alias jbosskey -keystore server.keystore
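The keytool steps above (generate, export, import) and the troubleshooting fix in this section (keypass and keystore password must match) as one non-interactive script. This is an added example, not a script from the wiki or the project; it assumes a JDK keytool is on PATH, keeps the page's alias jbosskey and file names server.keystore/server.crt, takes the password and host name from the caller, and (unlike the page) imports the server certificate into a separate truststore file instead of editing $JAVA_HOME/jre/lib/security/cacerts as root. The function names and the constructed password values are this example's own.

```shell
#!/bin/sh
# Added example: scripted version of the wiki's keytool procedure.
# Assumes: keytool (JDK) on PATH; alias/file names as on the wiki page.
set -eu

have_keytool() { command -v keytool >/dev/null 2>&1; }

# ssl_setup DIR PASSWORD CN [IP]
# Creates DIR/server.keystore holding a self-signed RSA key under alias
# jbosskey, exports DIR/server.crt, and imports that certificate into
# DIR/server.truststore (alias jbosscert) for clients that must trust it.
# -storepass and -keypass are deliberately the same value: the page's
# "unable to load the key" note says the two passwords must be identical.
ssl_setup() {
  dir=$1; pass=$2; cn=$3; ip=${4:-}
  mkdir -p "$dir"
  # Subject Alternative Name: DNS entry for the CN, plus an IP entry when the
  # server is reached by public IP without DNS (the page's -ext san=ip:... case).
  san="dns:$cn"
  [ -n "$ip" ] && san="$san,ip:$ip"
  keytool -genkeypair -alias jbosskey -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$cn" -ext "san=$san" \
    -keystore "$dir/server.keystore" -storepass "$pass" -keypass "$pass"
  keytool -exportcert -alias jbosskey -file "$dir/server.crt" \
    -keystore "$dir/server.keystore" -storepass "$pass"
  keytool -importcert -noprompt -alias jbosscert -file "$dir/server.crt" \
    -keystore "$dir/server.truststore" -storepass "$pass"
}

# keystore_has_alias KEYSTORE ALIAS PASSWORD: exit 0 iff ALIAS is present.
keystore_has_alias() {
  keytool -list -alias "$2" -keystore "$1" -storepass "$3" >/dev/null 2>&1
}

# remove_key DIR PASSWORD: the page's recovery step, deleting alias jbosskey
# so the generate step can be repeated with matching passwords.
remove_key() {
  keytool -delete -noprompt -alias jbosskey \
    -keystore "$1/server.keystore" -storepass "$2"
}

# connector_xml DIR PASSWORD: prints the <connector> element for
# standalone.xml with certificate-key-file made absolute, as the page's
# Note requires (DIR must exist).
connector_xml() {
  abs=$(cd "$1" && pwd)
  printf '%s\n' \
    "<connector name=\"https\" protocol=\"HTTP/1.1\" scheme=\"https\" socket-binding=\"https\" secure=\"true\">" \
    "    <ssl name=\"https\" key-alias=\"jbosskey\" password=\"$2\" certificate-key-file=\"$abs/server.keystore\" />" \
    "</connector>"
}

# Usage: sh jboss-ssl.sh YOUR_SSL_DIR_PATH PASSWORD localhost [IP]
if [ -n "${1:-}" ]; then
  ssl_setup "$1" "${2:-changeit}" "${3:-localhost}" "${4:-}"
  keystore_has_alias "$1/server.keystore" jbosskey "${2:-changeit}"
  connector_xml "$1" "${2:-changeit}"
fi
```

After running it, paste the printed connector into the web subsystem of standalone.xml, restart JBoss, and open https://localhost:8443 (or the CN you chose); keystore_has_alias is the quick check that the alias the connector references actually exists under the password it was given.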

SSL Troubleshooting

If you encounter the following error, follow the steps suggested in: http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target

SunCertPathBuilderException: Unable To Find Valid Certification Path To Requested Target

Also, you might find the solution for your SSL-related issues in: https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
