JBoss 3.2.5 SSL Configuration on Sun Solaris 2.9 09/04 relea
puddle Oct 17, 2004 5:05 PM
Hello, I'm trying to set up and configure JBoss 3.2.5 to run over SSL and NOT standard port 8080.
I've looked all over the net and have found a 'few' guides, only to be kinda off from what I'm doing. Also, all the research shows that Tomcat 4.0 is in 2.3.5. However, I "believe" mine's got Tomcat 5.0 (downloaded from jboss.com).
Here's what I did and whatnot. However, no such luck. Any advice would be GREATLY appreciated. The "actual" values are left out for company reasons. However, the exact 'step' was performed.
Okay the steps performed were the ones located at:
http://www.theserverside.com/discussions/thread.tss?thread_id=22243
Steps included:
Step 1)
First of all, we are going to make a keystore. This is the place we are
going to store the keys in on the serverside. We will use the Java-tool
keytool for this. The algorithm used here is RSA.
The value alias name was replaced with "company"
At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore
Fill in all the information that is asked.
A keystore with the name name.keystore is generated.
Step 2)
Then we have to make a Certificate Signing Request (CSR) for the
Certificate Authority. We can get this signed by a certifying authority
like VeriSign or Thawte.
keytool -certreq -keystore ./name.keystore -alias <alias name> -file <CSR file name>.csr
Enter the keystore password.
A <CSR file name>.csr file is generated.
If you are getting the CSR signed by a certifying authority, then skip the
next step.
Step 3)
If you are going to sign your own CSR using, for example,
OpenSSL, then the steps are:
(This assumes that you are working on a Linux machine with OpenSSL, which
can be obtained from www.openssl.org. Follow the procedure to install
OpenSSL)
To Sign the certificate:
Make a new directory:
cd /usr/local/
mkdir newCA
Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/
Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (... Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (... Specifies current directory where everything is kept)
Create the certificates for Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
CA.sh -newca
ls -l
Send the <CSR file name>.csr file to the Certification Authority and create the
server certificate:
cp <CSR file name>.csr /usr/local/newCA
or ftp the <CSR file name>.csr file to the machine acting as CA.
cd /usr/local/newCA
Create the certificate
openssl x509 -req -in <CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM
Optionally convert the server certificate from PEM encoding to DER for
distributing to Clients:
openssl x509 -inform pem -outform der < cacert.pem > cacert.cer
We receive two files, cacert.der, containing the CA's public key and a
file <pem file name>.pem, containing the public key signed by the CA using
the CA's private key. I will now import these two files into my keystore
(the order is important!):
****This is where shit gets interesting****
Step 4)
keytool -import -alias <alias name> -file cacert.der -keystore ./name.keystore
The file name "cacert.der" isn't created from ANY of the above commands.
Not sure what crack pipe they smoke from.
However, it 'does' create the file "cacert.cer". Thinking this is a
possible typo I did the above command with
cacert.cer instead of cacert.der. Voila, it worked!
Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore
Okay, I did this and it complained that the "alias name" has already been
added. So, I went ahead and made a "company2" alias which added fine.
It asks you to move the following files:
jcert.jar
jnet.jar
jsse.jar
Into the $JAVA_HOME/jre/lib/ext directory.
Now, there's 'three' versions of these files all which reside in the :
$JBOSS_HOME/server/all/lib/*.jar
$JBOSS_HOME/default/lib/*.jar
$JBOSS_HOME/client/lib/*.jar
All of which are the same size. So, I decided to use the 'default' one to
copy over.
Tomcat over SSL (HTTPS)
If we have Tomcat running as a JBoss service, we need to make a few
changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of
JaasSecurityManager, so we need to change this in the file:
<!-- JAAS security manager and realm mapping -->
org.jboss.security.plugins.JaasSecurityDomain
2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml
jboss.security:service=JaasSecurityManager
put the path to your name.keystore file here
put your name.keystore password here
3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: We remove the Connector that listens on port 8080
and replace it by one that listens on port 8443
Which DOES NOT exist; that's a bogus deal.
I *believe* /opt/jboss-3.2.5/server/default/deploy/jbossweb-tomcat50.sar
is the directory you want to look at and the file: server.xml
Now this is what "the guide" has:
After:
<!-- A HTTP Connector on port 8080 -->
Which looks different than what was in the actual file. Which is:
<!-- A HTTP/1.1 Connector on port 8080 -->
<!-- A AJP 1.3 Connector on port 8009 -->
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
When I start it I get the following errors:
14:03:11,314 WARN [JaasSecurityManagerService] Failed to locate auth CachePolicy at: java:/timedCacheFactory for securityDomain=TomcatSSL
It's accessible via http://:8080, just not via https at either 8080 or 8443.
Thanks for any help on this!
-Puddle
rotaecho@yahoo.com
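The whole keystore procedure from the guide, run non-interactively, as an added example; this is not the poster's script and not from the TheServerSide thread or the JBoss project. It assumes keytool and openssl are on the PATH, uses a throw-away OpenSSL CA in place of VeriSign/Thawte, and makes up every alias, password, subject name and path. Where it departs from the steps quoted above is the aliases in steps 4 and 5: keytool treats an imported certificate as a reply for a key pair only when it is imported under that key pair's own alias, and it can complete the chain only if the CA certificate is already a trusted entry (under a different alias) in that keystore or in cacerts. The last function prints a Tomcat 5.0 connector for jbossweb-tomcat50.sar/server.xml using the attribute names of the commented-out "SSL/TLS Connector configuration using the admin devl guide keystore" example that heads the post's own snippet; the keystore path and password it emits are the example's, not real ones.

```shell
#!/bin/sh
# Added example (not the poster's script, nor the guide's or JBoss's code):
# build the keystore for a JBoss 3.2.5 / Tomcat 5.0 HTTPS connector end to
# end, with a throw-away OpenSSL CA standing in for VeriSign/Thawte.
# Aliases, passwords, subject names and paths below are all made up.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEYSTORE="$WORK/name.keystore"
STOREPASS=changeit      # example password only
KEY_ALIAS=company       # alias that holds the server's private key
CA_ALIAS=rootca         # separate alias for the CA's trusted certificate

# Guide step 3, automated: a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA/O=Example" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem"
}

# Guide steps 1-2: RSA key pair in a JKS keystore (the type JDK 1.4 reads)
# and a CSR for it. -genkey/-import are the JDK 1.4 spellings; current
# JDKs still accept them as aliases of -genkeypair/-importcert.
make_server_key_and_csr() {
  keytool -genkey -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
    -validity 365 -storetype JKS -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=jboss.example.test, O=Example"
  keytool -certreq -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -file "$WORK/server.csr"
}

# Guide step 3, continued: the CA signs the CSR (same x509 -req form).
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/server.pem"
  # DER copy of the CA certificate for clients (the guide's cacert.der).
  openssl x509 -in "$WORK/cacert.pem" -outform der -out "$WORK/cacert.der"
}

# Guide steps 4-5 in the order keytool needs: the CA certificate goes in as
# a trusted entry under its OWN alias; then the signed certificate goes in
# under the KEY alias, where keytool treats it as a certificate reply,
# checks it against the stored public key and builds the chain to the CA.
import_chain() {
  keytool -import -noprompt -alias "$CA_ALIAS" -file "$WORK/cacert.der" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -import -noprompt -alias "$KEY_ALIAS" -file "$WORK/server.pem" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

build_keystore() {
  make_ca
  make_server_key_and_csr
  sign_csr
  import_chain
}

# Check: the key entry should now carry a 2-certificate chain (server, CA).
chain_length() {
  keytool -list -v -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" 2>/dev/null |
    sed -n 's/^Certificate chain length: *//p'
}

# Connector for jbossweb-tomcat50.sar/server.xml, using the attribute names
# of the commented-out SSL/TLS connector example in that file.
connector_fragment() {
  cat <<EOF
<Connector port="8443" address="\${jboss.bind.address}"
    maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="$KEYSTORE" keystorePass="$STOREPASS" sslProtocol="TLS" />
EOF
}

if [ "${1:-}" = run ]; then
  build_keystore
  echo "keystore: $KEYSTORE  chain length: $(chain_length)"
  connector_fragment
fi
```

Run it as `sh build-keystore.sh run`, then paste the printed Connector in place of the commented-out SSL connector in server.xml and restart JBoss. If `chain_length` prints 1 instead of 2, the reply was imported under the wrong alias or before the CA certificate was trusted, which is the same symptom as the "alias already exists" complaint in step 5 above.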