1 2 3 4 Previous Next 56 Replies Latest reply on Apr 16, 2019 6:11 AM by vradhe

HTTPS on JBoss AS 7 - truststore configuration

guinotphil Sep 8, 2011 10:26 AM

Hello,

I’m trying to port some settings from a JBoss AS 4 server to JBoss AS 7, especially the SSL configuration.

Formerly in JBoss AS 4's server.xml I has the following configuration:

<Connector port="443" protocol="HTTP/1.1"

maxThreads="100"

strategy="ms"

maxHttpHeaderSize="8192"

emptySessionPath="false"

clientAuth="true"

URIEncoding="UTF-8"

scheme="https"

secure="true"

SSLEnabled="true"

keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"

keystorePass="mypassword"

truststoreFile="${jboss.server.home.dir}/conf/truststore.jks"

truststorePass="mypassword"

sslProtocol="TLS"

According to the JBoss Web 7 documentation the configuration is quite different now…

http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html

In standalone.xml (subsystem urn:jboss:domain:web:1.0)

<connector name="https"

scheme="https"

protocol="HTTP/1.1"

socket-binding="https"

enable-lookups="false"

secure="true">

</connector>

I’m not really sure how to use a keystore, but I guess the key-alias refer to the keystore in the security subsystem: https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration

So, in <security-domain> :

<jsse server-alias="mykey"

keystore-url="C:/test/keystore.jks"

keystore-password="mypassword"

truststore-url="C:/test/truststore_test.jks"

truststore-password="mypassword"

protocols="TLS" />

But, when I start the server, I got the following exception :

10:32:26,224 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-2) Failed to load keystore type JKS with path C:\Users\me/.keystore due to C:\Users\me\.keystore (Le fichier spécifié est introuvable): java.io.FileNotFoundException: C:\Users\me\.keystore (Le fichier spécifié est introuvable)

at java.io.FileInputStream.open(Native Method) [:1.6.0_22]

at java.io.FileInputStream.<init>(FileInputStream.java:106) [:1.6.0_22]

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:374) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:299) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:515) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:452) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:168) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:999) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:190) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.catalina.connector.Connector.init(Connector.java:976) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]

at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121) [jboss-as-web-7.1.0.Alpha1-SNAPSHOT.jar:7.1.0.Alpha1-SNAPSHOT]

at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223) [jboss-as-web-7.1.0.Alpha1-SNAPSHOT.jar:7.1.0.Alpha1-SNAPSHOT]

at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]

at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_22]

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_22]

at java.lang.Thread.run(Thread.java:662) [:1.6.0_22]

A breakpoint in jbossweb-7.0.1.Final.jar’s org.apache.tomcat.util.net.jsse.JSSESocketFactory tells me that it looks for the keystore from the keystore attribute of the… <ssl> tag!

this.attribute : Hastable {keyAlias=mykey, protocols=TLSv1, enableLookups=false}

I could try to add those tomcat parameters (keystore, keystorePass, truststoreFile, truststorePass) as coded in JSSESocketFactory.java in the <ssl> tag but then the server won’t start because the standalone.xml validation fails!

Any idea then on how to configure JBoss web to use SSL with standalone.xml?

Thank you very much

1. Re: HTTPS on JBoss AS 7

emuckenhuber Sep 8, 2011 8:43 AM (in response to guinotphil)

You would need to configure ssl for jboss-web as part of the web subsystem. Look at the 'jboss-as-web_1_0.xsd' in "$JBOSS_HOME/docs/schema" which should be the correct schema definition.
1 of 1 people found this helpful
Actions
2. Re: HTTPS on JBoss AS 7

guinotphil Sep 8, 2011 10:25 AM (in response to emuckenhuber)

You're right: I can actually use the certificate-key-file to refers a keystore. For some reason I thought I could only use pem certificate and not keystore.

And then it passes the right attributes in the tomcat configuration, I understand now...

But, how do I set a truststore ? The ca-certificate-file param doens't seem to be passed in the Tomcat configuration.

Thanks for your help !
Actions
3. Re: HTTPS on JBoss AS 7

fabrizio.benedetti Sep 12, 2011 10:56 AM (in response to guinotphil)

You're right, the ca-certificate-file is not passed to Tomcat configuration. I reported this one on Jira (https://issues.jboss.org/browse/AS7-1680). I don't know if it will be solved in 7.0.2.

In the meantime you have to set the system property javax.net.ssl.trustStore in standalone.xml or domain.xml:
<system-properties>
<property name="javax.net.ssl.trustStore" value="/path/to/truststore.jks"/>
</system-properties>
1 of 1 people found this helpful
Actions
4. Re: HTTPS on JBoss AS 7

guinotphil Sep 13, 2011 3:39 AM (in response to fabrizio.benedetti)

Thank you for your concern !

I'll try the system property. Where should I put the system-properties in standalone.xml ? I thought they were supposed to be in /bin/sandaline.conf instead ?

Thanks for your help.
Actions
5. Re: HTTPS on JBoss AS 7

fabrizio.benedetti Sep 13, 2011 5:17 AM (in response to guinotphil)

Yes, in standalone.xml or standalone.conf, as you like.

Bye,
Fabrizio
Actions
6. Re: HTTPS on JBoss AS 7 - truststore configuration

guinotphil Sep 23, 2011 6:23 AM (in response to guinotphil)

Hello,

I've been upgrading yesterday to the latest JBoss AS 7 nightly build jboss-as-7.1.0.Alpha2-SNAPSHOT.

Since, that, I now got the following error when starting the server:

12:06:02,015 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-8) Error initializing endpoint: java.lang.Exception: Unable to load certificate key C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/server_test.jks (error:0906D06C:PEM routines:PEM_read_bio:no start line)
          at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:660) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.apache.catalina.connector.Connector.init(Connector.java:976) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121) [jboss-as-web-7.1.0.Alpha2-SNAPSHOT.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223) [jboss-as-web-7.1.0.Alpha2-SNAPSHOT.jar:7.1.0.Alpha2-SNAPSHOT]
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_27]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_27]
          at java.lang.Thread.run(Thread.java:662) [:1.6.0_27]

And in my standalone.xml

            <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                <ssl name="https" password="ricserver" certificate-key-file="C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/server_test.jks" protocol="TLSv1" ca-certificate-file="C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/truststore_test.jks"/>
            </connector>

Are the keystore jks file no longer supported with this new version ? It really looks like it handles only pem certificate nowaward.

Thanks for your help.
Actions
7. Re: HTTPS on JBoss AS 7 - truststore configuration

rmaucher Sep 23, 2011 12:46 PM (in response to guinotphil)

With native installed, it uses OpenSSL, so the certificate config needs to be adapted.
Actions
8. Re: HTTPS on JBoss AS 7 - truststore configuration

guinotphil Sep 26, 2011 5:20 AM (in response to rmaucher)

Thank you.

I've uninstalled native and now it works..

However, I still can't make use of a truststore, the system property javax.net.ssl.trustStore does not seem to be used...

Thanks for your help.
Actions
9. Re: HTTPS on JBoss AS 7 - truststore configuration

fabrizio.benedetti Sep 26, 2011 5:37 AM (in response to guinotphil)

What do you mean for "does not seem to be used"? Do you want to make client authentication? If so you have to set verify-client attribute to "want" or "true".
Actions
10. Re: HTTPS on JBoss AS 7 - truststore configuration

guinotphil Sep 26, 2011 11:35 AM (in response to fabrizio.benedetti)

Yes, client authentication. It's working fine now, thank you !
Actions
11. Re: HTTPS on JBoss AS 7 - truststore configuration

kevinwu Sep 27, 2011 2:45 PM (in response to guinotphil)

Hi

I am trying to porting our Jboss 4.2.3 apps to AS 7 (currently on AS 7.0.1.final). I am facing two issues to configure SSL.

1. Default system property does not recognize (in standalone.xml).

<connector name="https"
                       scheme="https"
                       protocol="HTTP/1.1"
                       socket-binding="https"
                       enable-lookups="false"
                       secure="true">
                <ssl name="ssl"
                     protocol="TLSv1"
                     password="changeit"
                     certificate-key-file="${jboss.server.config.dir}/jbossHttps.keystore"
                     ca-certificate-file="${jboss.server.config.dir}/jbossHttps.keystore"
                     verify-client="true" />
            </connector>

14:29:03,078 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC serv
ice thread 1-4) Failed to load keystore type JKS with path ${jboss.server.config
.dir}/jbossHttps.keystore due to ${jboss.server.config.dir}\jbossHttps.keystore
(The system cannot find the path specified): java.io.FileNotFoundException: ${jb
oss.server.config.dir}\jbossHttps.keystore (The system cannot find the path spec
ified)
        at java.io.FileInputStream.open(Native Method) [:1.6.0_21]

2. After changed to absolute path, jboss started without error. But, when I accessed to http://127.0.01:8080, it did not redirect to my defined secured port 443.

<standalone.xml>

     <subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
        
            <connector name="http"
                       scheme="http"
                       protocol="HTTP/1.1"
                       socket-binding="http"
                       redirect-port="443" />
            <connector name="https"
                       scheme="https"
                       protocol="HTTP/1.1"
                       socket-binding="https"
                       enable-lookups="false"
                       secure="true">
                <ssl name="ssl"
                     protocol="TLSv1"
                     password="changeit"
                     certificate-key-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"
                     ca-certificate-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"
                     verify-client="true" />
            </connector>

            <virtual-server name="default-host" enable-welcome-root="true">
               <alias name="localhost" />
               <alias name="example.com" />
            </virtual-server>
        </subsystem>

    <interfaces>
        <interface name="management">
            <inet-address value="127.0.0.1"/>
            
        </interface>
        <interface name="public">
           <inet-address value="47.11.50.59"/>
               
        </interface>
    </interfaces>

    <socket-binding-group name="standard-sockets" default-interface="public">
        <socket-binding name="http" port="8080"/>
        <socket-binding name="https" port="443"/>
        <socket-binding name="jmx-connector-registry" port="1090"/>
        <socket-binding name="jmx-connector-server" port="1091"/>
....

Did I miss configure anything?

Thanks for all the help,

Kevin
Actions

12. Re: HTTPS on JBoss AS 7 - truststore configuration

fabrizio.benedetti Sep 28, 2011 3:40 AM (in response to kevinwu)

1. Default system property does not recognize (in standalone.xml).

Yes, ssl element doesn't seem to support system properties substitution.

2. After changed to absolute path, jboss started without error. But, when I accessed to http://127.0.01:8080, it did not redirect to my defined secured port 443.

Why should it redirect you to port 443?

To be redirected you have to deploy an application with at least a security-constraint in web.xml. For example:

{code}<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Secured resources</web-resource-name> 
        <url-pattern>/secured/*</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
        <role-name>admins</role-name> 
    </auth-constraint> 
    <user-data-constraint> 
        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint> 
</security-constraint>
<login-config> 
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>MyRealm</realm-name> 
</login-config> 
<security-role> 
    <role-name>admins</role-name> 
</security-role>{code}

and then access http://127.0.0.1:8080/myapp/secured/

13. Re: HTTPS on JBoss AS 7 - truststore configuration

kevinwu Sep 28, 2011 9:02 AM (in response to fabrizio.benedetti)

Thanks for you help
Actions
14. Re: HTTPS on JBoss AS 7 - truststore configuration

kevinwu Sep 29, 2011 10:41 AM (in response to fabrizio.benedetti)

Hi Fabrizio,

I got further issue on this topic.

Configuration in standalone.xml

<system-properties>
        <property name="javax.net.ssl.trustStore" value="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"/>
        <property name="javax.net.ssl.trustStorePassword" value="mypassword"/>
    </system-properties>

<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
            <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
            <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                <ssl name="ssl" password="mypassword" certificate-key-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore" protocol="TLSv1" verify-client="true"/>
            </connector>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>

Configuration in web.xml (sample.war)

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admins</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>MyRealm</realm-name>
</login-config>
<security-role>
    <role-name>admins</role-name>
</security-rol

Issue

When I tried to access "http://[server-ip]/sample/", I got "Untrusted connection" > "understand the risk" > "add exception" (pointed to "https://[server-ip]/sample/" > "Confirm Security Exception". All those steps were expected. After that, I got following error in Firefox:

Secure Connection Failed

An error occurred during a connection to 47.11.50.59.

SSL peer cannot verify your certificate.

(Error code: ssl_error_bad_cert_alert)

I have verified the keystore which contained correct info. Do I miss any configuration?

Thanks for all your help,
Actions

1 2 3 4 Previous Next

Go to original post