1. Re: JBoss with SSL
marcos_aps Dec 15, 2008 6:29 AM (in response to marcos_aps)
To use SSL in my web application do I have to purchase a Certificate from a well known Certificate Authority, like Verisign or Thawte, or can I get one for free? Is there any tool that generates Certificates?
Thank you.
Marcos
2. Re: JBoss with SSL
aamonten Dec 15, 2008 7:09 AM (in response to marcos_aps)
you can make your own, please check the wiki
3. Re: JBoss with SSL
marcos_aps Dec 15, 2008 7:16 AM (in response to marcos_aps)
"aamonten" wrote:
you can make your own, please check the wiki
Thank you for your reply, Alejandro.
I've checked this wiki:
http://www.jboss.org/community/docs/DOC-11989
but I didn't see (or didn't understand) how to make my own Certificate. Is this the right wiki? If not, can you please provide the link for the right one? If this is the right wiki, where is this information?
Marcos
4. Re: JBoss with SSL
aamonten Dec 15, 2008 8:16 AM (in response to marcos_aps)
"Marcos_APS" wrote:
I've checked this wiki:
http://www.jboss.org/community/docs/DOC-11989
but I didn't see (or didn't understand) how to make my own Certificate. Is this the right wiki? If not, can you please provide the link for the right one? If this is the right wiki, where is this information?
Marcos
In section 2 of the wiki that you mention you can find:
Create the client certificate
keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer
the keytool command is provided with Sun's java sdk
5. Re: JBoss with SSL
marcos_aps Dec 15, 2008 8:42 AM (in response to marcos_aps)
"aamonten" wrote:
In section 2 of the wiki that you mention you can find:
Create the client certificate
keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer
the keytool command is provided with Sun's java sdk
So, with this command line the keytool is generating a Certificate (a free one) for me that would be generated by a Certificate Authority, right?
Marcos
6. Re: JBoss with SSL
marcos_aps Dec 16, 2008 6:49 AM (in response to marcos_aps)
- JBoss 4.2.3.GA
- Java 5 Update 17
- Windows Server 2003 SP2
Hello, everybody!
Since my first post, I've done some research on how to enable SSL in JBoss. Two articles were very helpful to me:
- An article that teaches how to configure SSL on Tomcat (I thought that
it was good to start from this article because this configuration is
very similar to what I was going to find on JBoss relating to SSL):
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
- An article that teaches how to configure SSL on JBoss:
http://www.jboss.org/community/docs/DOC-11989
After reading these articles I decided that my SSL configuration would be based on this:
- Use JSSE (Java Secure Socket Extension)
- Use a self-signed Certificate.
So, according to all this, I decided to take the steps listed below to configure SSL. I'm just listing these steps here in the case that I missed something or did something wrong, so you can tell me where the mistake is.
1. Create the self-signed Certificate
- %JAVA_HOME%\bin\keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore
- Enter keystore password:
password
- What's your first and last name?
www.mydomain.com
- What is the name of your organizational unit?
Centro de Processamento de Dados - CPD
- What is the name of your organization?
Universidade Regional do Cariri - URCA
- What is the name of your City or Locality?
Crato
- What is the name of your State or Province?
CE
- What is the two-letter country code for this unit?
BR
- Enter key password for
2. Move the keystore "server.keystore" created in C:\Documents and Settings\USER_NAME to %JBOSS_HOME%\server\default\conf.
3. Configure JBoss
- In the file %JBOSS_HOME%\server\default\deploy\jboss-web.deployer\server.xml
- Change this configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
- To this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="${jboss.server.home.dir}/conf/server.keystore" keystorePass="password" />
My doubts are:
At this point, I'm lost. I don't know if I'm already done or if I have to do something else. I believe that I still need to complete the SSL configuration for use in JBoss, but the second article mentioned above, http://www.jboss.org/community/docs/DOC-11989, doesn't explain very well what it is doing, so I'm confused. For example, it shows four authentication scenarios:
1. SSL enabled on the server - the common case
2. SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client
3. SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client
4. SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert
I suppose that I should use the first one or the second one, but I'm not sure how. Could you tell me which one I should use? Just to remind you, I want to use a self-signed Certificate and to generate my own Certificate, not to purchase one from a well known Certificate Authority.
Also, some steps in scenario 1 and 2 need more explanation to me. For example, in both scenarios there's one step called Run the client:
In the first option:
java -Djavax.net.ssl.trustStore=client.truststore
-Djavax.net.ssl.trustStorePassword=123456
acme/ReadHttpsURL2 https://localhost:8443
In the second option:
java -Djavax.net.ssl.keyStore=client.keystore
-Djavax.net.ssl.keyStorePassword=123456
-Djavax.net.ssl.trustStore=client.truststore
-Djavax.net.ssl.trustStorePassword=123456
acme/ReadHttpsURL2 https://localhost:8443
Which client is this? What happens with this command line?
In the second option, SSL enabled on the server with self-signed client certs, there's a step Create the client certificate:
keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer
Is this command creating the Certificate that I will be using instead of the Certificate provided by a Certificate Authority?
As you can see, I have a lot of doubts. I would be very thankful if you could answer my questions and tell me what I should do to fully enable SSL.
Thank you.
Marcos
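
Added example (not part of the thread or the JBoss wiki): the keytool steps behind scenario 1, showing that `-genkey` is what creates the self-signed certificate, while `-export` only copies it out of the keystore and `-import` places it in a client truststore. The alias, file names and passwords mirror the posts above; the `-dname` fields, `-keysize`, `-validity` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Alias, file names and passwords mirror
# the posts above; the -dname fields, -keysize and -validity are assumptions.
set -eu

# Step 1 of the post: -genkey creates the RSA key pair AND its self-signed
# certificate inside server.keystore (no CA is involved at any point).
make_server_keystore() {            # $1 = output directory
    keytool -genkey -alias jboss -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=www.mydomain.com, OU=CPD, O=URCA, L=Crato, ST=CE, C=BR" \
        -keystore "$1/server.keystore" -storepass password -keypass password
}

# -export creates nothing new: it copies the existing certificate (public
# part only) out of the keystore so it can be handed to clients.
export_server_cert() {              # $1 = output directory
    keytool -export -alias jboss -keystore "$1/server.keystore" \
        -storepass password -file "$1/server.cer"
}

# Clients that should trust the self-signed server import that certificate
# into the truststore named by -Djavax.net.ssl.trustStore.
import_into_truststore() {          # $1 = output directory
    keytool -import -noprompt -alias jboss -file "$1/server.cer" \
        -keystore "$1/client.truststore" -storepass 123456
}

# Prints PrivateKeyEntry (key + cert) or trustedCertEntry (cert only).
entry_type() {                      # $1 = store, $2 = store password, $3 = alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" |
        grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# Heuristic check: a self-signed certificate names itself as issuer.
is_self_signed() {                  # $1 = certificate file
    owner=$(keytool -printcert -file "$1" | sed -n 's/^Owner: //p')
    issuer=$(keytool -printcert -file "$1" | sed -n 's/^Issuer: //p')
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

build_scenario1() {                 # $1 = output directory
    make_server_keystore "$1"
    export_server_cert "$1"
    import_into_truststore "$1"
}

# Usage: sh scenario1.sh <output-dir>
if [ "$#" -gt 0 ]; then build_scenario1 "$1"; fi
```

The same keytool arguments apply on Windows when invoked as `%JAVA_HOME%\bin\keytool` from cmd.exe. Only `server.keystore` (which holds the private key) belongs in the JBoss `conf` directory; `client.truststore` goes to the clients.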