
JBossWithSSL

Hylke van der Schaaf edited this page Feb 13, 2015 · 5 revisions

==Configuring JBoss==

Here we assume that JBoss AS7 is used in standalone mode. By $jboss-home we refer to the JBoss AS7 installation directory.

'''Enabling SSL in JBoss'''

Assume that you store the required SSL files in a path YOUR_SSL_DIR_PATH (e.g., $jboss-home/standalone/configuration/ssl).

If the directory structure does not exist, run mkdir -p YOUR_SSL_DIR_PATH

Run cd YOUR_SSL_DIR_PATH

Run keytool -genkey -alias jbosskey -keypass [password] -keyalg RSA -keystore server.keystore

Use "localhost" as Common Name [as answer to "What is your first and last name?"].

If you are deploying on a server, use the DNS name of the server instead of "localhost".

If you are deploying on a server with a public IP address (no DNS name), use the IP address as Common Name [as answer to "What is your first and last name?"]. Also add the option -ext san=ip:10.0.0.1 (with the server's address in place of 10.0.0.1) to the keytool -genkey command.

Run keytool -export -alias jbosskey -keypass [password] -file server.crt -keystore server.keystore

Run keytool -import -alias jbosscert -keypass [password] -file server.crt -keystore server.keystore

Ignore the warning!

In $jboss-home/standalone/configuration/standalone.xml add the following connector inside the <subsystem xmlns="urn:jboss:domain:web:1.1" ...> element (note that <ssl> carries only attributes and is written as a self-closing element):

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
  <ssl name="https" key-alias="jbosskey" password="[password]" certificate-key-file="YOUR_SSL_DIR_PATH/server.keystore" />
</connector>

Restart JBoss and go to https://localhost:8443 to see if SSL is enabled and works correctly.

Next, you'll have to import this certificate into the Java trust store with the command keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file server.crt -alias incommon . On Linux you will have to do this as root. The default keystore password is changeit.
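As an added example (not part of this wiki page or of JBoss itself), a small Python helper that inserts the connector described above into the web subsystem of standalone.xml and reads it back, so the edit can be scripted and checked instead of done by hand. The sample standalone.xml is constructed, and the keystore path and password passed in are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of the AS7 web subsystem the connector lives in (taken from the page).
WEB_NS = "urn:jboss:domain:web:1.1"
SUBSYSTEM = f"{{{WEB_NS}}}subsystem"
CONNECTOR = f"{{{WEB_NS}}}connector"
SSL = f"{{{WEB_NS}}}ssl"

# Constructed, minimal stand-in for standalone.xml; a real one has many more subsystems.
SAMPLE_STANDALONE_XML = f"""<server xmlns="urn:jboss:domain:1.1">
  <profile>
    <subsystem xmlns="{WEB_NS}" default-virtual-server="default-host">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <virtual-server name="default-host" enable-welcome-root="true"/>
    </subsystem>
  </profile>
</server>"""


def add_https_connector(standalone_xml, keystore_path, password, key_alias="jbosskey"):
    """Return standalone_xml with the page's HTTPS connector added to the web subsystem.

    The connector goes right after the last existing <connector> so the subsystem keeps
    its connector-then-virtual-server order; an existing "https" connector is left alone.
    """
    ET.register_namespace("", WEB_NS)  # serialise web elements without an ns0: prefix
    root = ET.fromstring(standalone_xml)
    subsystem = root.find(f".//{SUBSYSTEM}")
    if subsystem is None:
        raise ValueError("no web subsystem %s in standalone.xml" % WEB_NS)
    if any(c.get("name") == "https" for c in subsystem.findall(CONNECTOR)):
        return standalone_xml
    connector = ET.Element(CONNECTOR, {
        "name": "https", "protocol": "HTTP/1.1", "scheme": "https",
        "socket-binding": "https", "secure": "true"})
    # <ssl/> carries only attributes, so it is written as a self-closing element.
    ET.SubElement(connector, SSL, {
        "name": "https", "key-alias": key_alias, "password": password,
        "certificate-key-file": keystore_path})
    last = max((i for i, c in enumerate(subsystem) if c.tag == CONNECTOR), default=-1)
    subsystem.insert(last + 1, connector)
    return ET.tostring(root, encoding="unicode")


def find_https_ssl(standalone_xml):
    """Return the attributes of the https connector's <ssl/> element, or None if absent."""
    for connector in ET.fromstring(standalone_xml).iter(CONNECTOR):
        if connector.get("name") == "https":
            ssl = connector.find(SSL)
            return dict(ssl.attrib) if ssl is not None else None
    return None
```

Running add_https_connector a second time on its own output returns the text unchanged, so the script is safe to re-run after a configuration is already in place.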

'''JBOSS SSL Troubleshooting'''

If you encounter the error ''unable to load the key'' (as documented in the bug report at https://issues.apache.org/bugzilla/show_bug.cgi?id=38217), follow the steps below.

In steps 3, 4 and 5 (the keytool -genkey, -export and -import commands above) ensure that the [password] parameter for keypass and the keystore password (requested during command execution in the terminal) are identical.

To remove the previously registered key use the command

keytool -delete -noprompt -alias jbosskey -keystore server.keystore

'''SSL Troubleshooting'''

If you encounter the error ''SunCertPathBuilderException: Unable To Find Valid Certification Path To Requested Target'', follow the steps suggested [http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target here].

You might also find the solution to your SSL-related issues [https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide here].
