2 Replies Latest reply: May 23, 2011 12:28 PM by Remy Maucherat RSS

    AS7:  Web Subsystem: JSSE/OpenSSL Settings

    Anil Saldhana Master

      This thread is to capture the effort to derive a common configuration that can be used for both JSSE and OpenSSL. This is currently evident in the web subsystem  (File: org.jboss.as.web.WebConnectorService)

       

      Background

      JFClere did background work on finding the settings for both jsse and openssl for the web subsystem. But since this is cross-cutting, we need the same for security subsystem also.


      https://github.com/jbossas/jboss-as/blob/master/web/src/main/resources/schema/jboss-web.xsd

       

      sslType covers both JSSE and OpenSSL

       

      Open SSL Settings:

       

      PASSWORD:setSSLPassword
      
      CERTIFICATE_KEY_FILE:setSSLCertificateKeyFile
      
      CIPHER_SUITE:setSSLCipherSuite
      
      PROTOCOL:setSSLProtocol
      
      VERIFY_CLIENT:setSSLVerifyClient
      
      VERIFY_DEPTH:setSSLVerifyDepth
      
      CERTIFICATE_FILE:setSSLCertificateFile
      
      CA_CERTIFICATE_FILE:setSSLCACertificateFile
      
      CA_REVOCATION_URL:setSSLCARevocationFile"
      

       

      JSSE Settings:

       

       

      KEY_ALIAS:setKeyAlias
      
      PASSWORD:setKeypass
      
      CERTIFICATE_KEY_FILE:setKeystore
      
      CIPHER_SUITE:setCiphers
      
      PROTOCOL:setProtocols
      
      VERIFY_CLIENT:setClientauth
      
      SESSION_CACHE_SIZE:setAttribute
      
      SESSION_TIMEOUT:setAttribute
      

       

       

      What is common between these two settings?

      • Password
      • Certificate Key File
      • Cipher Suite
      • Protocol
      • Verify Client

       

      Proposal (to be Finalized)

       

      Proposal 1:  The common settings are typed as elements. Rest are placed as properties. 

       

      <ssl binding="jsse">
       <password></password>
       <certKeyFile/>
       <cipherSuite/>
       <protocol/>
       <verifyClient/>
       <property name="x" value="y"/>
       <property name="a" value="b"/>
      </ssl>
      
      <ssl binding="openssl">
       <password></password>
       <certKeyFile/>
       <cipherSuite/>
       <protocol/>
       <verifyClient/>
       <property name="x" value="y"/>
       <property name="a" value="b"/>
      </ssl>
      

       

      NOTE:  the binding of jsse will be made the default. So no need to specify it if you are using jsse.

       

       

      Proposal 2:  For the non-common set of elements, we use xsd:choice between jsse and openssl settings which each get a xsd:sequence of elements.

       

      Proposal 3:   Copy the sslType from the web xsd into the security xsd.   Then introduce the concept of reference in sslType to refer to sslType defined in another subsystem (namely security). That way, the subsystem can define the settings inline if it chooses to.