Version 4

    The scenario

    Many services in JBoss allow the use of SSL for secure communication. To configure SSL, these services require a KeyStore holding the certificate and private key and possibly a TrustStore holding the trusted client certificates. Those attributes can be configured using the JDK system properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword) or by a service-specific set of attributes.

    There can be situations when the AS as a whole should use just one keystore and truststore for all the services, essentially ignoring all the system properties and service-specific configurations.


    JIRA

    https://jira.jboss.org/browse/JBAS-8144


    The solution

    Starting in AS 6.0 M4, a new service can be installed at bootstrap that overrides all KeyStore and TrustStore configuration, provided that the service uses the default algorithm for the KeyManagerFactory (SunX509 for Sun, JRockit and OpenJDK; IbmX509 for IBM) and for the TrustManagerFactory (PKIX for Sun, JRockit, OpenJDK and IBM).

    Here is an example configuration for the service in conf/bootstrap/security.xml:


    <?xml version="1.0" encoding="UTF-8"?>
    <!--
        Security bootstrap configuration
    -->
    <deployment xmlns="urn:jboss:bean-deployer:2.0">
    
      ...
    
       <bean name="JBossSSLConfiguration" class="org.jboss.security.ssl.JBossSSLConfiguration">
          <property name="keyStoreURL">/home/mmoyses/my.keystore</property>
          <property name="keyStorePassword">changeit</property>
       </bean>
    </deployment>
    

    With this service in place, the keystoreFile and keystorePass attributes of an HTTPS connector in deploy/jbossweb.sar/server.xml, for example, are overridden.

    These are the properties the JBossSSLConfiguration bean accepts:

    • keyStoreURL
    • keyStorePassword
    • keyStoreAlias
    • keyStoreProvider
    • keyStoreProviderArgument
    • trustStoreURL
    • trustStorePassword
    • trustStoreProvider
    • trustStoreProviderArgument

    The password properties can be set using the same methods as the JaasSecurityDomain bean (i.e. clear text, {EXT} and {CLASS}).
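    As an added audit example (not part of this page or of the JBoss project), the script below reads a bootstrap security.xml, extracts the properties of the JBossSSLConfiguration bean and flags a clear-text password or a missing TrustStore. The sample XML is constructed to mirror the snippet above; the bean class and namespace are taken from the page.

```python
import xml.etree.ElementTree as ET

NS = {"mc": "urn:jboss:bean-deployer:2.0"}
SSL_BEAN_CLASS = "org.jboss.security.ssl.JBossSSLConfiguration"
# Password forms that are not clear text (same forms JaasSecurityDomain accepts).
MASKED_PREFIXES = ("{EXT}", "{CLASS}")

# Constructed sample mirroring the page's conf/bootstrap/security.xml snippet:
# a clear-text keyStorePassword and no TrustStore configured.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="JBossSSLConfiguration" class="org.jboss.security.ssl.JBossSSLConfiguration">
    <property name="keyStoreURL">/home/mmoyses/my.keystore</property>
    <property name="keyStorePassword">changeit</property>
  </bean>
</deployment>
"""


def ssl_config_properties(xml_text):
    """Return {property name: value} of the JBossSSLConfiguration bean, or None if absent."""
    root = ET.fromstring(xml_text)
    for bean in root.findall("mc:bean", NS):
        if bean.get("class") == SSL_BEAN_CLASS:
            return {p.get("name"): (p.text or "").strip()
                    for p in bean.findall("mc:property", NS)}
    return None


def audit_ssl_config(xml_text):
    """Return a list of findings about the global KeyStore/TrustStore override."""
    props = ssl_config_properties(xml_text)
    if props is None:
        return ["no JBossSSLConfiguration bean: services keep their own KeyStore/TrustStore settings"]
    findings = []
    for pw in ("keyStorePassword", "trustStorePassword"):
        if pw in props and not props[pw].startswith(MASKED_PREFIXES):
            findings.append(f"{pw} is stored in clear text")
    if "keyStoreURL" not in props:
        findings.append("keyStoreURL is missing: no server KeyStore configured for the override")
    if "trustStoreURL" not in props:
        findings.append("trustStoreURL is missing: no global TrustStore is configured")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_config(SAMPLE_SECURITY_XML):
        print("finding:", finding)
```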


    NOTE: There is still no support for using the Password annotation to mask those passwords, as the PasswordMaskManagement bean is started much later in the boot process.