16 Replies, latest reply on Mar 12, 2004 12:02 PM by bigdaddy

    JBoss3.2-Tomcat4.1.24 Release - SSL Broken?

    sulfur

      Hi all,

      I am trying to migrate from JBoss 3.0.x to 3.2.x, but I can't seem to get SSL to work with the integrated Tomcat container.

      SSL worked fine in my old setup. I tried to configure jboss-service.xml the same way for 3.2:
      - added the "JaasSecurityDomain" mbean definition
      - added a connector for Port 443 (and I did change the config from HttpConnector to CoyoteConnector)

      JBoss 3.2 started fine without any errors, but when I tried to hit it from a browser, it didn't even see any incoming requests on port 443, and the browser would eventually time out.

      Anyone experiencing the same problem?

        • 1. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
          rxkaul

          I am having the same problem, although with JBoss-3.0.6_tomcat-4.1.18 release.

          • 2. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
            rxkaul

            I am curious. Which version of Jboss did you have the SSL working?

            • 3. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
              didi1976

              Hi,

              I have encountered the same problem. If you use the coyote connector of Tomcat, SSL does not work.

              If you use the "old style" HttpConnector everything works.

              Dietmar

              • 4. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                sulfur

                Hi all thanks for the responses.

                1) I was using Jboss_3.0.4-Tomcat_4.1.12 & it worked (probably because tomcat41-service.xml was configured to use HttpConnector by default! :P)

                2) Yes I have also changed 3.2.0-4.1.24 to use HttpConnector instead of Coyote for now.

                3) I assume that means CoyoteConnector never worked in JBoss 3.x? Anyone know if there's a Bugzilla entry for it already?

                Cheers,

                Anthony.

                • 5. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                  jleech

                  I've got SSL working on 3.2/4.1.24 using the CoyoteConnector. In jboss-3.2.0_tomcat-4.1.24\server\default\deploy\jbossweb-tomcat.sar\META-INF\jboss-service.xml
                  I've got:


                  • 6. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                    rxkaul

                    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"...

                    was the key to this mystery.

                    Thank you so much!

                    • 7. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                      sulfur

                      This is awesome! Thanks!

                      Now my next question for being a perfectionist. Is there a way to not hardcode the keystoreFile?

                      Tomcat standalone allows paths relative to $CATALINA_BASE but I don't suppose we can use $JBOSS_HOME or something similar here?

                      • 8. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                        dcowan

                        From what I have managed to figure out, the XML files use Velocity-like text replacement, allowing you to use system properties. You can view all the system properties defined by JBoss in the JMX console under System property viewer. Here is what I did so I could place my keystore in default/conf.

                        For some reason the forum eats this, so replace [ with {

                        keystore="$[jboss.server.home.dir]/conf/server.keystore"
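Pulling replies 5, 6 and 8 together, here is what the CoyoteConnector SSL configuration looks like once the `Factory` element and the property-based keystore path are in place. This is an added example, not jleech's lost posting or the stock JBoss file; the keystore file name, the password and the connector attributes other than `className`, `port`, `scheme` and `secure` are assumptions, and the fragment goes inside the `Config` attribute of `jbossweb-tomcat.sar/META-INF/jboss-service.xml`, next to the existing port 8080 connector.

```xml
<!-- Added example (assumed values marked). Lives inside the "Config"
     attribute of deploy/jbossweb-tomcat.sar/META-INF/jboss-service.xml -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" scheme="https" secure="true"
           enableLookups="false">
  <!-- The Factory element is the piece reply 6 identified as missing: a
       CoyoteConnector with no CoyoteServerSocketFactory does not do SSL -->
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           protocol="TLS"
           clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="changeit"/>
  <!-- keystoreFile: resolved through JBoss system-property replacement
       (reply 8), so the same file works in server/default and server/all.
       File name and keystorePass are assumed values, not from the thread. -->
</Connector>
```

Two practical points: the `${...}` form is what the forum stripped from reply 8, and the keystore password sits in clear text in this file, so `jboss-service.xml` and the keystore itself should be readable only by the account JBoss runs as.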

                        • 9. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                          darrellvteague

                          I was also (finally) able to get it to work (thanks to the forum folks - paid-for documentation is insufficient). The first problem is finding out where the configuration files are that need to be changed.

                          The first one was here:

                          [JBOSS_HOME]\[server e.g. "default"]\conf\jboss-service.xml

                          Create an mbean to identify the JAAS settings:

                          jboss.security:service=XMLLoginConfig


                          login-config.xml


                          <!-- JAAS security manager and realm mapping -->

                          org.jboss.security.plugins.JaasSecurityDomain



                          jboss.security:service=JaasSecurityManager



                          file://C:/Java/keystore
                          password


                          The second one was here (to set the SSL port and properties):

                          [JBOSS_HOME]\[server e.g. "default"]\deploy\jbossweb-tomcat.sar\META-INF\jboss-service.xml



                          true

                          <!--
                          *******************************************************
                          ****************** CLUSTERING *************************
                          *******************************************************
                          In order to activate HTTP Session clustering for Tomcat
                          make sure you run JBoss's "all" configuration i.e.
                          "run -c all"
                          (the default configuration doesn't contain clustering)

                          Furthermore, you may change SnapshotMode and
                          SnapshotInterval attributes below to indicate when to
                          synchronize changes with the other node(s).

                          If you use Apache+mod_jk(2) you will most probably use
                          the AJP1.3 connector below. Thus, if you so wish,
                          you may comment (i.e. deactivate) the HTTP connector
                          as it won't be used anymore.

                          *******************************************************
                          *******************************************************
                          *******************************************************
                          -->

                          <!--
                          If you are using clustering, the following two attributes
                          define when the sessions are replicated to the other nodes.
                          The default value, "instant", synchronously replicates changes
                          to the other nodes. In this case, the "SnapshotInterval" attribute
                          is not used.
                          The "interval" mode, in association with the "SnapshotInterval"
                          attribute, indicates that Tomcat will only replicates modified
                          sessions every "SnapshotInterval" miliseconds at most.
                          -->
                          instant <!-- you may switch to "interval" -->
                          2000

                          <!-- Access logger -->


                          <!-- Default context parameters -->





                          <!-- A HTTP/1.1 Connector on port 8080 -->


                          <!-- A AJP 1.3 Connector on port 8009 -->


                          <!-- SSL/TLS Connector configuration using the SSL domain keystore -->


                          Hope this helps others trying to get SSL to work. Note that in this configuration, both SSL and non-SSL are setup to work on the default ports (443/80; respectively).

                          • 10. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Broken?
                            raynix

                            Thanks a lot!

                            But when I modified as above, I got new problems:
                            If I enter https://localhost/jmx-console
                            (my ssl port is the default port 443)

                            the browser returns an error page immediately and an exception shown:

                            2003-06-03 10:36:41,921 DEBUG [org.apache.tomcat.util.threads.ThreadPool] Getting new thread data
                            2003-06-03 10:36:42,078 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
                            javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
                            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:290)
                            at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
                            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
                            at java.lang.Thread.run(Thread.java:536)
                            Caused by: java.io.EOFException: SSL peer shut down incorrectly
                            at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
                            ... 7 more


                            Has anybody else encountered this?

                            • 11. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Example
                              darrellvteague

                              My friend had a similar problem. I suspect I probably need to just include the entire configuration. Note that I am using the "all" server (as opposed to "default") since the default server does not support certain features. To validate this example, ensure you are using the "all" server.

                              Attached are the [JBOSS_HOME]/server/all/conf/jboss-service.xml, [JBOSS_HOME]/server/all/deploy/http-invoker.sar/META-INF/jboss-service.xml and the [JBOSS_HOME]/server/all/deploy/jboss-tomcat.sar/META-INF/jboss-service.xml files.

                              ... then all you have to do is generate a JKS keystore and self-signed cert (I have it pointing to C:\Java\keystore). See this URL if you need help:
                              http://java.sun.com/products/jdk/1.2/docs/tooldocs/solaris/keytool.html

                              This configuration (above) definitely works on the JBoss/Tomcat version referenced. Hope this saves people time in getting SSL working on JBoss...


                              • 12. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Certificates
                                darrellvteague

                                My friend had the same SSLHandshakeException problem. It turned out that the certificate was improperly created in the keystore. Specifically, the certificate has to be created with an RSA algorithm (apparently that is all Tomcat understands):

                                keytool -genkey -alias name -keyalg RSA -keystore keystoreURI

                                Hope this helps.

                                • 13. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Certificates
                                  raynix

                                  Thanks very much! This really helps!

                                  • 14. Re: JBoss3.2-Tomcat4.1.24 Release - SSL Certificates
                                    sujith

                                    Hello,

                                    I tried exactly what has been explained above. But I am getting the following exception at server start-up. What could be the reason... please help....

                                    ...
                                    17:33:43,108 INFO [TomcatSSL] Starting
                                    17:33:43,359 WARN [ServiceController] Problem starting service Security:service=JaasSecurityDomain,domain=TomcatSSL
                                    java.io.FileNotFoundException: \Java\keystore
                                    at org.jboss.net.protocol.file.FileURLConnection.connect(FileURLConnection.java:70)
                                    at org.jboss.net.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:79)
                                    at java.net.URL.openStream(URL.java:960)
                                    ...

                                    Thanks in advance
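The security-domain variant that reply 9 describes (the XML in that reply did not survive the forum), written out as an added example rather than the poster's attachment. The mbean name, the domain name `TomcatSSL` (taken from the log in reply 14), the keystore location and password, and the JBoss-provided `SSLServerSocketFactory` class are assumptions about the 3.2 layout, not text from the thread. One point the thread does not state: `file://C:/Java/keystore`, as quoted in reply 9, makes `java.net.URL` treat `C:` as the host part, so the file the server actually opens is `\Java\keystore`, which is the exact path in reply 14's `FileNotFoundException`; a third slash keeps the drive letter in the path.

```xml
<!-- Added example, two fragments (assumed names and values marked). -->

<!-- 1. [JBOSS_HOME]/server/all/conf/jboss-service.xml:
        the JaasSecurityDomain that owns the keystore (reply 9) -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=TomcatSSL">
  <constructor>
    <arg type="java.lang.String" value="TomcatSSL"/>
  </constructor>
  <!-- Three slashes. With file://C:/Java/keystore the "C:" is parsed as the
       URL host and JBoss tries to open \Java\keystore (reply 14's error). -->
  <attribute name="KeyStoreURL">file:///C:/Java/keystore</attribute>
  <!-- Assumed value; reply 9 used "password" -->
  <attribute name="KeyStorePass">password</attribute>
</mbean>

<!-- 2. [JBOSS_HOME]/server/all/deploy/jbossweb-tomcat.sar/META-INF/jboss-service.xml,
        inside the "Config" attribute: the connector that uses that domain.
        Factory class name assumed from the 3.2 distribution's commented-out
        "SSL/TLS Connector configuration using the SSL domain keystore". -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" scheme="https" secure="true" enableLookups="false">
  <Factory className="org.jboss.web.tomcat.security.SSLServerSocketFactory"
           securityDomain="java:/jaas/TomcatSSL"
           clientAuth="false" protocol="TLS"/>
</Connector>
```

The keystore referenced here is the one generated with `keytool -genkey -keyalg RSA` from reply 12; the `java:/jaas/` prefix is where a JaasSecurityDomain binds itself, so `securityDomain` must match the constructor argument, not the mbean's `domain=` key.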
