1 Reply Latest reply on Jul 24, 2011 1:19 AM by jaime.chavarriaga

    public key and Jboss

    davidraines

      Hey -


      This may be a dumb question.  I'm trying to find the public key for JBoss 5.1, but I can't.  Is the key available somewhere?  I'm using the free version of JBoss, is this (and the signed JARs) something that would only be available with the commercial version?


      According to the documentation, it's supposed to be in a file called JBossPublicKey.RSA, but I can't find that file.  I'm trying to set up the Java Security Manager in JBoss, and want to grant some permissions only to code that was signed by "jboss", but don't seem to have the public key.


      Thanks,

      David

        • 1. Re: public key and Jboss
          jaime.chavarriaga

          To export a certificate of your web server, you must first determine which key store the server is using. In Java, the keys and certificates are stored in special files. You can define which store file JBoss must use with arguments in the script that starts the server and/or in the configuration of JBoss Web.


          Locating the Key Store File

          If you have configured SSL in your server, possibly the configuration is defined in the JBoss Web (embedded Tomcat) configuration:

          • <jboss-home>/server/default/deploy/jbossweb.sar/server.xml


          The SSL connector defines which store file must be used for the server (the keystore) and which store must be used to validate certificates from other servers (the truststore). The default connector configuration uses a store file called "chap8.keystore", but doesn't define a truststore.

                <Connector protocol="HTTP/1.1" SSLEnabled="true"
                     port="8443" address="${jboss.bind.address}"
                     scheme="https" secure="true" clientAuth="false"
                     keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
                     keystorePass="rmi+ssl" sslProtocol = "TLS" />


          You can modify the default configuration and include different store files. You can define which key alias must be used for the server.

                <Connector protocol="HTTP/1.1" SSLEnabled="true"
                     port="8443" address="${jboss.bind.address}"
                     scheme="https" secure="true" clientAuth="false"
                     keystoreFile="/opt/pki/server.keystore"
                     keystorePass="changeit"
                     truststoreFile="/opt/pki/cacerts.jks"
                     truststorePass="changeit"
                     keyAlias="myServer"
                     sslProtocol="TLS" />


          In some configurations, the store files are specified in the startup script of the JBoss server.

            # run -Djavax.net.ssl.keyStore=/opt/pki/server.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/opt/pki/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit


          Exporting the certificate

          Once you have determined your keystore file, you can use the keytool Java utility to list and extract the certificates.


          To list the keys/certificates in the file, you can use

            # keytool -list -keystore /opt/pki/server.keystore -storepass changeit


          Each pair of key and certificate has an alias. You can export the certificate using this alias. To export the certificate with the alias myServer into the file server.crt, you can use

            # keytool -exportcert -alias myServer -keystore /opt/pki/server.keystore -storepass changeit -file server.crt


          Limiting access to authorized clients

          To limit access to all the applications to users whose browsers have the proper certificate, you can configure the SSL connector by setting the client authentication parameter (clientAuth) to "true":

               <Connector protocol="HTTP/1.1" SSLEnabled="true"
                    port="8443" address="${jboss.bind.address}"
                    scheme="https" secure="true" clientAuth="true"
                    ...


          If you are configuring the security just for an application, you must use the CLIENT-CERT authentication type in your web application.


          SSL configuration

          To learn more about the configuration of SSL in JBoss, you can review the documentation
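Added example (mine, not from the thread or the JBoss project): a Python script that parses the Connector elements of a JBoss Web server.xml like the ones quoted above, reports the key store and trust store each SSL connector uses, and flags the shipped chap8.keystore, its documented default password, a missing truststore and clientAuth="false". The sample server.xml and the jboss_server_home path are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two SSL connectors quoted in the thread plus a plain HTTP one.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
         port="8443" address="${jboss.bind.address}"
         scheme="https" secure="true" clientAuth="false"
         keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
         keystorePass="rmi+ssl" sslProtocol="TLS" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
         port="8444" address="${jboss.bind.address}"
         scheme="https" secure="true" clientAuth="true"
         keystoreFile="/opt/pki/server.keystore" keystorePass="changeit"
         truststoreFile="/opt/pki/cacerts.jks" truststorePass="changeit"
         keyAlias="myServer" sslProtocol="TLS" />
    <Connector protocol="HTTP/1.1" port="8080" redirectPort="8443" />
  </Service>
</Server>"""

# The sample key store and password JBoss 5.1 ships with (both quoted in the
# thread); finding them on a live connector means the server key is not yours.
SHIPPED_KEYSTORE = "chap8.keystore"
SHIPPED_KEYSTORE_PASS = "rmi+ssl"


def audit_ssl_connectors(server_xml, jboss_server_home="/opt/jboss/server/default"):
    """Return one dict per SSLEnabled connector with the store files it uses and
    a list of findings. jboss_server_home is an assumed value standing in for
    ${jboss.server.home.dir}; other ${...} placeholders are left as written."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no key store involved
        keystore = (conn.get("keystoreFile") or "").replace(
            "${jboss.server.home.dir}", jboss_server_home)
        truststore = conn.get("truststoreFile")  # None when not configured
        findings = []
        if keystore.endswith(SHIPPED_KEYSTORE):
            findings.append("keystore is the sample chap8.keystore shipped with JBoss")
        if conn.get("keystorePass") == SHIPPED_KEYSTORE_PASS:
            findings.append("keystorePass is the documented default")
        if truststore is None:
            findings.append("no truststore: peers are checked against the JVM default trust store")
        if conn.get("clientAuth", "false").lower() != "true":
            findings.append("clientAuth is not true: no client certificate is required")
        results.append({"port": conn.get("port"), "keystore": keystore, "truststore": truststore,
                        "keyAlias": conn.get("keyAlias"), "findings": findings})
    return results
```

Point it at `<jboss-home>/server/default/deploy/jbossweb.sar/server.xml` (read the file into `server_xml`) and pass the real server home so the expanded keystore path can be fed straight to the keytool commands above.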