JBossWithSSL
==Configuring JBoss==
Here we assume that JBoss AS7 is used in standalone mode. By $jboss-home we refer to the JBoss AS7 directory.
'''Enabling SSL in JBoss'''
Assume that you store the required SSL files in a path YOUR_SSL_DIR_PATH (e.g., $jboss-home/standalone/configuration/ssl).
# If the directory structure does not exist, run: mkdir -p YOUR_SSL_DIR_PATH
# Run: cd YOUR_SSL_DIR_PATH
# Run: keytool -genkey -alias jbosskey -keypass [password] -keyalg RSA -keystore server.keystore
#* Use "localhost" as Common Name [as answer to "What is your first and last name?"].
#* If you are deploying on a server, use the DNS name of the server instead of "localhost".
#* If you are deploying on a server with public IP (no DNS), use the IP address as Common Name [as answer to "What is your first and last name?"]. Also add the following option to the keytool command: -genkey -ext san=ip:10.0.0.1
# Run: keytool -export -alias jbosskey -keypass [password] -file server.crt -keystore server.keystore
# Run: keytool -import -alias jbosscert -keypass [password] -file server.crt -keystore server.keystore
#* Ignore the warning!
# In $jboss-home/standalone/configuration/standalone.xml add the following connector in <subsystem xmlns="urn:jboss:domain:web:1.1" ..>
# Restart JBoss and go to https://localhost:8443 to see if SSL is enabled and works correctly.
# Next, you'll have to import this certificate into the Java trust-store with the command: keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file server.crt -alias incommon . In Linux you will have to do this as root. The default keystore password is changeit
'''JBOSS SSL Troubleshooting'''
If you encounter the error ''unable to load the key'' (as documented in the bug report at https://issues.apache.org/bugzilla/show_bug.cgi?id=38217), follow the steps below:
* In steps 3, 4, and 5, ensure the [password] parameter for keypass and the keystore password (requested during command execution in the terminal) are identical.
* To remove the previously registered key, use the command: keytool -delete -noprompt -alias jbosskey -keystore server.keystore
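Steps 1 to 4 and the identical-password rule from the troubleshooting note above can be run without prompts. The script below is an added example, not part of the original page. It assumes a POSIX shell and a JDK 7 or later keytool; the KS_PASS variable, the ./ssl default, the key size and the validity period are choices made here, and it goes beyond the page by also writing a san=dns: entry for host names.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names and values:
# KS_PASS, ./ssl, 2048-bit key, 365-day validity.

# SAN value for keytool -ext: IPv4-looking hosts get san=ip:, names san=dns:.
san_for_host() {
    case "$1" in
        '')           return 1 ;;
        *[!0-9.]*)    printf 'san=dns:%s\n' "$1" ;;
        *.*.*.*.*)    printf 'san=dns:%s\n' "$1" ;;
        *.*.*.*)      printf 'san=ip:%s\n' "$1" ;;
        *)            printf 'san=dns:%s\n' "$1" ;;
    esac
}

# Steps 1-4 in one call. Runs in a subshell so the caller's directory is kept.
make_keystore() (
    host=$1
    dir=${2:-./ssl}
    if [ -z "$host" ] || [ -z "${KS_PASS:-}" ]; then
        echo "usage: KS_PASS=... make_keystore HOST [DIR]" >&2
        exit 2
    fi
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; exit 3; }
    export KS_PASS   # the :env modifier reads the password from the environment
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Refuse to overwrite an existing key; remove it first with keytool -delete.
    if [ -f server.keystore ] && keytool -list -alias jbosskey \
            -keystore server.keystore -storepass:env KS_PASS >/dev/null 2>&1; then
        echo "alias jbosskey already exists in $dir/server.keystore" >&2
        exit 4
    fi
    # One variable feeds both passwords, so store and key password cannot differ.
    keytool -genkey -alias jbosskey -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host" -ext "$(san_for_host "$host")" \
        -keystore server.keystore -storepass:env KS_PASS -keypass:env KS_PASS || exit 5
    keytool -export -alias jbosskey -file server.crt \
        -keystore server.keystore -storepass:env KS_PASS || exit 6
    # Print owner, SAN and fingerprints for a manual check.
    keytool -list -v -alias jbosskey -keystore server.keystore -storepass:env KS_PASS
)

if [ "$#" -gt 0 ]; then make_keystore "$@"; fi
```

Export KS_PASS before calling the script with the host name or IP address and, optionally, YOUR_SSL_DIR_PATH; reading the password from the environment keeps it out of the process listing and the shell history.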
'''SSL Troubleshooting'''
If you encounter the following error, follow the steps suggested [http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target here].
''SunCertPathBuilderException: Unable To Find Valid Certification Path To Requested Target''
You might also find the solution for your SSL-related issues [https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide here].