5 Replies Latest reply on Nov 16, 2005 11:57 AM by javahollic

    SSL in 4.0.3, server seems to be only listeneng with HTTP on

    javahollic Nov 14, 2005 12:42 PM

      Firstly, yes, I have read the wiki SSL page, and no it doesnt appear to work out of the box with my configuration http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup.

      I notice that the wiki page is written for 3.2.x? and is quite old, some things may now not work according to the 'documentation'?

      I'm migrating a webapp written for Websphere onto Jboss, and all the tweaks have now been done, bar SSL and later, FORM authentication. I'm currently stumbling with SSL...

      Now, following the wiki, Im attempting to set up the simple case of a SSL Server on port 8443 with a self-cert cert. Im running 4.03 under IBMs 1.5VM, I've added the JSSE 1.03_03 jars into my JRE/lib/ext folder, (and yes, I did the tweaks to java.security:

      JRE/lib/security/java.security exerpt:

      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=sun.security.provider.Sun Added
security.provider.7=com.sun.net.ssl.internal.ssl.Provider Added


      I'll go through the stages the wiki describes:

      * Create a test keystore in the server/default/conf directory: Done
      * Edit jbossweb-tomcat41.sar/META-INF/jboss-service.xml Now called service.xml, Done
      * Start the server and browse to: https://localhost:8443/jmx-console/index.jsp This just doesnt work, and is where the I start trying other things

      The socket factory in question seems to create a standard http server socket listener on 8443, as http://localhost:8443 yields the the jboss main page, and https://localhost:8443 just hangs. Ive seen various other factories suggested http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html, and have tried them but to no avail

      I really don;t understand why I get a PLAIN HTTP/1.1 on port 8443. Nothing bad listed in the boot.log, nothing bad in the server.log.

      Stdout: 
      16:50:19,920 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
16:50:20,354 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
16:50:20,393 INFO [JkMain] Jk running ID=0 time=0/54 config=null
16:50:20,429 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-8443


      My server.xml connector config: 
      <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
 port="8443" scheme="https" secure="true" >
 <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
 keystoreFile="${jboss.server.home.dir}/certs/server.keystore"
 keystorePass="pass"
 clientAuth="false"
 protocol="TLS"/>
</Connector>


      Just for giggles I ran 4.03 under SUNs 1.6ea, no difference, so I guess discount JSSE related configurations etc.

      Either I can't read (possible!) or the wiki is leaving something import out. I t should just work but doesnt.

      Clues? helpful ridicule? both equally sought!

      Andy.

      • 12080 Views
      • Tags:
        • 1. Re: SSL in 4.0.3, server seems to be only listeneng with HTT
          adrian.brock Nov 15, 2005 8:43 PM (in response to javahollic)

          http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossHelp
          You guys amaze me. You don't even read the questions on the same page,
          so there is obviously not attempt to help somebody else.

            • Actions
          • 2. Re: SSL in 4.0.3, server seems to be only listeneng with HTT
            javahollic Nov 16, 2005 4:27 AM (in response to javahollic)

            Hey Adrian, of all the comments I thought I'd get, yours amazed me also!

            FYI, I did actuall read the other members post, but I have 0 knowledge of AIX or peculiarities to its variant of IBM VM (Im on AMD64) and as I dont actually have SSL working with a SUN VM or an IBM VM how could I possibly assist this person, I have proved nothing!?

            I've spent two days reading, searching jboss site, old wiki docs and old google hits. Posting here is a last resort.

            By posting relavent information I'd like to think that even if I couldn't answer another users question directly, I might provide enough context for others to figure out their own solutions.

            Hopefully Ill get to the bottom of this and post the result to benefit anyone else who happens accross this thread.

              • Actions
            • 3. Re: SSL in 4.0.3, server seems to be only listeneng with HTT
              anders.hedstrom
              anders.hedstrom Nov 16, 2005 6:26 AM (in response to javahollic)

              I don't know what your problem is, but I can tell you that I run JBoss 4.0.3 on Win2K win Sun JDK5. All I need to do to enable SSL is to uncomment this section in %JBOSS_HOME%/server/<your_config>/deploy/jbossweb-tomcat55.sar/server.xml

               <!-- SSL/TLS Connector configuration using the admin devl guide keystore
 <Connector port="8443" address="${jboss.bind.address}"
 maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
 emptySessionPath="true"
 scheme="https" secure="true" clientAuth="false"
 keystoreFile="${jboss.server.home.dir}/conf/my.keystore"
 keystorePass="mypwd" sslProtocol = "TLS" />
 -->


              Then if I want to secure the jmx-console, I uncomment the security constraint section in the web.xml file for the jmx-console web application. I then needed to add the following to the web.xml file because it was missing: 
              <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>JBoss JMX Console</realm-name>
</login-config>


              I also uncomment the security-domain section in the jboss-web.xml file for the web application as well.

              Then if I direct my browser to the following URL https://localhost:8080/jmx-console I get prompted to accept my certificate and then for usr/pwd. It works just fine...

              Cheers
              //Anders


                • Actions
              • 4. Re: SSL in 4.0.3, server seems to be only listeneng with HTT
                anders.hedstrom
                anders.hedstrom Nov 16, 2005 6:32 AM (in response to javahollic)

                 

                anders.hedstrom wrote:
                I run JBoss 4.0.3 on Win2K win Sun JDK5

                Should be WinXP

                anders.hedstrom wrote:
                https://localhost:8080/jmx-console

                Should be: https://localhost:8443/jmx-console

                  • Actions
                • 5. Re: SSL in 4.0.3, server seems to be only listeneng with HTT
                  javahollic Nov 16, 2005 11:57 AM (in response to javahollic)

                  Thanks for that,

                  I just tried 4.0.3SP1, which seems to have solve my core problem. Using the wiki info I now have a basic auth protected and SSL secured jmx-console (thereby proving (to me!) it works).

                  The major issue was the use of IBM's 1.5 VM, Ive tussled this around a while an whislt Im not sure, I think that there is a hard coded reference somewhere to SUNs security implementation 'SunX509' in Tomcat. Which may be pluggable into IBM VM, but then again maybe not. I wonder if this is a 'bug' as it restricts the Tomcat web container to running under SUN VMs?

                  Anyhow, the additional tweak to push the jmx-console over SSL was useful to me, and it may be to others. After following the Basic auth and SSL config wiki's, all you have to do is add the following to the file: server/../deploy/jmx-console.war/WEB-INF/web.xml

                  ...
 <user-data-constraints>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraints>
</security-constraint>



                  If I figure out the issues around the IBM vm I'll post back.

                    • Actions