Configuring WSRP for use over SSL
NOTE: For users running Portal on JBoss AS prior to version 4.2.x: the following will only work if you download and activate the servlet filter that was created specifically to work around the port-rewriting limitations of JBoss WS 1.0.3.SP1 and below.
Chapter 13 of the JBoss WS documentation provides information on the subject, but here is a more detailed version targeted at WSRP.
You will need to configure JBoss AS to activate SSL. This is detailed in Chapter 8.7 and Chapter 9.4 of the JBoss AS 4 Guide; the Tomcat documentation provides more details. In essence, you need to generate a self-signed certificate using the JDK-provided keytool utility and add an SSL/TLS connector in Tomcat's server.xml. The connector is usually already there, just commented out; you will need to adapt its configuration to your settings, in particular the path to the keystore and the keystore password.
To create the server keystore, use the following command. It is important that the cn= value matches the hostname/domain of your JBoss Portal. Substitute org, orgunit, location, 2-letter-state, 2-letter-country, and password as appropriate:
keytool -genkey -alias serverCert -keyalg RSA -validity 730 -keystore server.keystore -dname cn=localhost,o=org,ou=orgunit,l=location,st=state,c=country -keypass password -storepass password
To extract the server certificate, do this:
keytool -export -alias serverCert -keystore server.keystore -storepass password -file server.cer
The server.keystore and server.cer files will be written to your home directory. Copy them to server/default/conf.
Create a new HTTPS SSL/TLS connector in the Tomcat configuration file for JBoss. This file is found at server/default/deploy/jboss-web.deployer/server.xml. As mentioned above, it is best to just un-comment the commented-out connector provided in the file, as it will typically have most of the correct settings already. You will need to add the keystoreFile and keystorePass attributes. You're adding a new connector - leave the existing connector in place. This example puts the HTTPS/SSL connector on port 8443 (pretty standard):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="password" />
Configure the SSL client to accept the self-signed certificate. To tell JBoss AS where to find the truststore, just add the following to the JAVA_OPTS variable in bin/run.conf:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=</absolute/path/to/server.keystore>"
(Yes: pointing the trustStore attribute to your keystore is correct.)
Use the correct URL in your -wsrp.xml configuration file (for the default, this is server/default/deploy/jboss-portal.sar/portal-wsrp.sar/default-wsrp.xml). This step is optional: you can accomplish the same thing by going to the JBoss Admin WSRP tab and saving the appropriate values to the database. For example, if you want to access Portal's 'self' WSRP producer over SSL (assuming you configured it to run over SSL as described above), the default-wsrp.xml should read:
<deployments>
   <deployment>
      <wsrp-producer>
         <producer-id>self</producer-id>
         <expiration-cache>120</expiration-cache>
         <!-- we need to use the individual endpoint configuration because the configuration via wsdl forces an immediate attempt to access the web service description which is not available yet at this point of deployment -->
         <endpoint-config>
            <service-description-url>https://localhost:8443/portal-wsrp/ServiceDescriptionService</service-description-url>
            <markup-url>https://localhost:8443/portal-wsrp/MarkupService</markup-url>
            <registration-url>https://localhost:8443/portal-wsrp/RegistrationService</registration-url>
            <portlet-management-url>https://localhost:8443/portal-wsrp/PortletManagementService</portlet-management-url>
         </endpoint-config>
         <registration-data></registration-data>
      </wsrp-producer>
   </deployment>
</deployments>
You should be able to access JBoss over SSL at https://localhost:8443/portal, and WSRP should function on port 8443.
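A producer entry that still has one endpoint on plain http, on the wrong port, or on a host that differs from the certificate's cn= value will either bypass SSL or fail the handshake. The following check is an added example, not part of the original page or of JBoss Portal: the function name, the sample descriptor and the plain-equality host comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Endpoint elements that appear in the page's default-wsrp.xml.
ENDPOINT_TAGS = ("service-description-url", "markup-url",
                 "registration-url", "portlet-management-url")

def check_wsrp_endpoints(xml_text, cert_cn, ssl_port=8443):
    """Return findings for endpoints that would not use the SSL connector."""
    # Assumption: cert_cn is the keytool cn= value; plain equality, no SAN/wildcards.
    findings = []
    for producer in ET.fromstring(xml_text).iter("wsrp-producer"):
        pid = (producer.findtext("producer-id") or "?").strip()
        config = producer.find("endpoint-config")
        if config is None:
            findings.append(f"{pid}: no <endpoint-config> to check")
            continue
        for tag in ENDPOINT_TAGS:
            url = (config.findtext(tag) or "").strip()
            try:
                parts = urlsplit(url)
                port = parts.port  # raises ValueError on a malformed port
            except ValueError:
                findings.append(f"{pid}: <{tag}> is not a valid URL")
                continue
            if parts.scheme != "https":
                findings.append(f"{pid}: <{tag}> is '{url}', which is not an https URL")
                continue
            if (parts.hostname or "").lower() != cert_cn.lower():
                findings.append(f"{pid}: <{tag}> host '{parts.hostname}' "
                                f"does not match certificate cn '{cert_cn}'")
            if (port or 443) != ssl_port:
                findings.append(f"{pid}: <{tag}> port {port or 443} "
                                f"is not the SSL connector port {ssl_port}")
    return findings

# Constructed sample: three of the four endpoints are misconfigured.
SAMPLE = """<deployments><deployment><wsrp-producer>
<producer-id>self</producer-id>
<endpoint-config>
<service-description-url>https://localhost:8443/portal-wsrp/ServiceDescriptionService</service-description-url>
<markup-url>http://localhost:8080/portal-wsrp/MarkupService</markup-url>
<registration-url>https://127.0.0.1:8443/portal-wsrp/RegistrationService</registration-url>
<portlet-management-url>https://localhost:8080/portal-wsrp/PortletManagementService</portlet-management-url>
</endpoint-config></wsrp-producer></deployment></deployments>"""

if __name__ == "__main__":
    for finding in check_wsrp_endpoints(SAMPLE, cert_cn="localhost"):
        print(finding)
```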
To inform your browser that the server's certificate is trusted, import the server.cer file into your browser as an authority.
If you need to turn on SSL debugging, set JAVA_OPTS as follows in bin/run.conf: