56 Replies. Latest reply on Apr 16, 2019 6:11 AM by vradhe
      • 15. Re: HTTPS on JBoss AS 7 - truststore configuration
        guinotphil

        Hi,

        I'm trying to set up a similar thing, with the following constraint in web.xml:

            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>Login</web-resource-name>
                    <url-pattern>/login/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                    <!-- All access to this area will be SSL protected -->
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
            </security-constraint>

        And, in standalone.xml:

        <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" enabled="true" enable-lookups="false" redirect-port="8443"/>

        Now, accessing http://127.0.0.1:8080/myapp/login/ redirects me, but to http://127.0.0.1:443/myapp/login/.

        Where should I configure it to redirect to port 8443?

        Many thanks.

        • 16. Re: HTTPS on JBoss AS 7 - truststore configuration
          kevinwu

          Don't use the CLIENT-CERT auth-method in war/WEB-INF/web.xml unless you import all the client certificates into the server side. In standalone.xml, in the <ssl> configuration under <connector>, the "verify-client" attribute should be set to "false" to avoid client certificate validation. Now, HTTP and HTTPS work properly as "http://[server-ip]/app-name" and "https://[server-ip]/app-name".

          • 17. Re: HTTPS on JBoss AS 7 - truststore configuration
            kevinwu

            Guinotphil,

            Port 443 is normally used for HTTPS.

            In my standalone.xml configuration:

                        <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
                        <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                            <ssl name="ssl" password="your_password" certificate-key-file="/path/to/keystore" protocol="TLSv1" verify-client="false"/>
                        </connector>
            ...
            <socket-binding name="http" port="80"/>
            <socket-binding name="https" port="443"/>

            Now, "http://[server-ip]/app-name" and "https://[server-ip]/app-name" are working properly.

            • 18. Re: HTTPS on JBoss AS 7 - truststore configuration
              guinotphil

              Hi,

              Thank you for your help.

              My client-auth is actually well configured. I use the right truststore, and I've tested it with HTTPS on ports 443 and 8443.

              My problem is that for test purposes I want to use JBoss AS listening on ports 8080 and 8443. So my question is: how do I use "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" in web.xml to redirect me to the redirect port I specified in standalone.xml's http redirect-port, here 8443?

              Thanks

              • 19. Re: HTTPS on JBoss AS 7 - truststore configuration
                fabrizio.benedetti

                > My problem is that for test purposes I want to use JBoss AS listening on ports 8080 and 8443

                You should set these ports in standalone.xml:

                <socket-binding-group name="standard-sockets" default-interface="public">
                    <socket-binding name="http" port="8080"/>
                    <socket-binding name="https" port="8443"/>
                    ...
                </socket-binding-group>

                > Then my question is: how do I use "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" in web.xml to redirect me to the redirect port I specified in standalone.xml's http redirect-port, here 8443

                The transport-guarantee element in web.xml stands for: "All user data must be encrypted by the transport (typically using SSL/TLS)" (from http://java.sun.com/javaee/6/docs/api/javax/servlet/annotation/ServletSecurity.TransportGuarantee.html).

                It only says that your app wants the application server to encrypt the data on the wire.

                In order to be redirected to the https port defined in the socket-binding-group, you should set the right attribute on the http connector element:

                <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>

                I hope this will help you.

                Regards
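Added example, not code from the thread or from JBoss: a small offline check that makes the point of posts 15 to 19 concrete. CONFIDENTIAL in web.xml only requests encryption; the port the browser is sent to comes from the http connector's redirect-port, and the redirect only works when that value equals the port of the "https" socket-binding. The script parses constructed standalone.xml and web.xml fragments modelled on the ones in the thread (namespace urn:jboss:domain:web:1.1 is the real AS 7.1 web subsystem namespace; the sample values are mine) and reports the mismatch the original poster saw (443 vs 8443). A port-offset on the socket-binding-group is assumed to be 0 and is not applied.

```python
# Added example (not from the thread): cross-check the http connector's
# redirect-port against the https socket-binding in a JBoss AS 7 standalone.xml.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so urn:jboss:domain:web:* and unqualified tags match alike."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, local_name):
    return [el for el in root.iter() if _local(el.tag) == local_name]


def check_redirect_port(standalone_xml):
    """Describe where a CONFIDENTIAL redirect will land for this standalone.xml.

    The redirect target is the http connector's redirect-port; the https listener
    port is the socket-binding named "https". Assumption: port-offset is 0.
    """
    root = ET.fromstring(standalone_xml)
    http = next((c for c in _find_all(root, "connector") if c.get("name") == "http"), None)
    https_binding = next((b for b in _find_all(root, "socket-binding") if b.get("name") == "https"), None)

    redirect_port = http.get("redirect-port") if http is not None else None
    https_port = https_binding.get("port") if https_binding is not None else None

    findings = []
    if http is None:
        findings.append('no <connector name="http"> found')
    elif redirect_port is None:
        findings.append("http connector has no redirect-port attribute (the connector default applies)")
    if https_binding is None:
        findings.append('no <socket-binding name="https"> found, so nothing listens for the redirect')
    if redirect_port and https_port and redirect_port != https_port:
        findings.append(f"redirect-port {redirect_port} != https socket-binding port {https_port}: "
                        f"browsers are sent to a port nothing is listening on")
    return {"redirect_port": redirect_port, "https_port": https_port,
            "consistent": not findings, "findings": findings}


def confidential_patterns(web_xml):
    """url-patterns whose <user-data-constraint> demands CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in _find_all(root, "security-constraint"):
        guarantees = [g.text.strip() for g in _find_all(sc, "transport-guarantee") if g.text]
        if "CONFIDENTIAL" in guarantees:
            patterns += [p.text.strip() for p in _find_all(sc, "url-pattern") if p.text]
    return patterns


# Constructed fragments modelled on the thread: the poster's original (443) and the fixed (8443) config.
MISMATCHED = """<server>
  <subsystem xmlns="urn:jboss:domain:web:1.1">
    <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
    <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true"/>
  </subsystem>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
  </socket-binding-group>
</server>"""
FIXED = MISMATCHED.replace('redirect-port="443"', 'redirect-port="8443"')

# Constructed web.xml fragment, as in post 15.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <!-- All access to this area will be SSL protected -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    print("paths requiring TLS:", confidential_patterns(WEB_XML))
    for label, cfg in (("original", MISMATCHED), ("fixed", FIXED)):
        print(label, check_redirect_port(cfg))
```

Run it against a real standalone.xml by reading the file into check_redirect_port; the namespace handling means it works on the real urn:jboss:domain:web:* subsystem, not just on the sample.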

                • 20. Re: HTTPS on JBoss AS 7 - truststore configuration
                  guinotphil

                  Yeah, it's working now. Thank you.

                  • 21. Re: HTTPS on JBoss AS 7 - truststore configuration
                    guinotphil

                    > With native installed, it uses OpenSSL, so the certificate config needs to be adapted.

                    Since JBoss AS 7.1 Final-SNAPSHOT is shipped with JBoss Web 7.0.7 and its native library, I can no longer use a JKS keystore, except if I remove the modules/org/jboss/as/web/main/lib directory.

                    Is there a way to disable OpenSSL in order to use a JKS keystore without uninstalling the native libraries?

                    Thank you very much.


                    • 22. Re: HTTPS on JBoss AS 7 - truststore configuration
                      ranglust

                      Is this still an issue?

                      Unless I remove modules/org/jboss/as/web/main/lib, I cannot use a JKS keystore.

                      I could not find any reference to this in the documentation...

                      • 23. Re: HTTPS on JBoss AS 7 - truststore configuration
                        dahm

                        Hi,

                        I've got the same problem...

                        As an alternative: is there a complete guide on how to generate a working certificate and keystore from scratch using OpenSSL?

                        I found a lot of tutorials on the web, but nothing really worked. I always run into an error like:

                        2012.01.03 16:21:30 INFO  [org.jboss.ws.common.management.AbstractServerConfig] JBoss Web Services - Stack CXF Server 4.0.0.GA
                        2012.01.03 16:21:30 ERROR [org.apache.coyote.http11.Http11AprProtocol] Error initializing endpoint: java.lang.Exception: Unable to load certificate key ../standalone/configuration/deva.keystore (error:0906D06C:PEM routines:PEM_read_bio:no start line)
                            at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.7.Final.jar:]
                            at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638) [jbossweb-7.0.7.Final.jar:]
                            at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.7.Final.jar:]
                            at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.7.Final.jar:]
                            at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:267) [jboss-as-web-7.1.0.CR1b.jar:7.1.0.CR1b]
                            at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                            at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26]
                            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26]
                            at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]

                        Thanks

                           Markus

                        • 24. Re: HTTPS on JBoss AS 7 - truststore configuration
                          szhigunov

                          By looking at jboss-as-web_1_1.xsd I expected the following to help:

                          <ssl keystore-type="JKS" truststore-type="JKS" ... />

                          But it did not; I get the same error:

                          error:0906D06C:PEM routines:PEM_read_bio:no start line

                          jboss-as-7.1.0.CR1

                          • 25. Re: HTTPS on JBoss AS 7 - truststore configuration
                            pstackle

                            This is an issue with jboss-as-7.1.0.CR1b as well.

                            • 26. Re: HTTPS on JBoss AS 7 - truststore configuration
                              fabrizio.benedetti

                              In order to use JSSE and Java keystores, I think you should remove the APR libs from your O.S. If JBoss Web finds APR, it automatically uses its native libraries and OpenSSL; otherwise it uses JSSE.

                              Let me know.

                              Regards,

                              /Fabrizio

                              • 27. Re: HTTPS on JBoss AS 7 - truststore configuration
                                project_mercy

                                As a continuation, this still doesn't work, at least on Windows. I'm OK with not using JKS, but it doesn't work with PEM files either.

                                I generated new self-signed keys via

                                openssl genrsa -out jboss-key.pem 1024
                                openssl req -new -x509 -key jboss-key.pem -out jboss-cert.pem -days 3650

                                changed the connector to

                                 <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
                                     <ssl name="https"  certificate-key-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/jboss-key.pem" ca-certificate-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/jboss-cert.pem"/>
                                </connector>

                                All I get is the following exception:

                                15:16:54,182 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-7) Error initializing endpoint: java.lang.Exception: Unable to load certificate (null) (error:02001000:system library:fopen:system library)
                                    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.7.Final.jar:]
                                    at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638) [jbossweb-7.0.7.Final.jar:]
                                    at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.7.Final.jar:]
                                    at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.7.Final.jar:]
                                    at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:267) [jboss-as-web-7.1.0.CR1b.jar:7.1.0.CR1b]
                                    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                                    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                                    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_30]
                                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_30]
                                    at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]

                                It's possible I didn't create the cert right, but I've tried changing formats, putting in passwords, etc., to no avail.

                                I had no issues with this part of 7.0.2 using JKS.

                                So, if JKS is out, what is the correct way to configure a certificate for an AS7 server running on Windows?

                                • 28. Re: HTTPS on JBoss AS 7 - truststore configuration
                                  ctomc

                                  Hi,

                                  In the latest builds the APR libs are bundled with the AS, so if you want to use JSE you have to delete the native libraries that are shipped with the app server.

                                  Go to JBOSS_HOME\modules\org\jboss\as\web\main\ and delete the "lib" folder and restart; this way it won't find the APR native libs and the JSE configuration will work.

                                  By default it tries to use APR, and if you have the libs on the path it won't even consider the JSE configuration...

                                  Hope this helps,

                                  tomaz
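Added example, not code from the thread or from JBoss, covering posts 23, 24, 27 and 28 together. JBoss Web picks the native OpenSSL stack whenever the APR libraries are found (the modules/org/jboss/as/web/main/lib directory named in post 28) and the JSSE stack otherwise; each stack wants different key material, which is why a JKS file handed to OpenSSL fails with "PEM_read_bio:no start line" (there is no "-----BEGIN" line for it to find) and why keystore-type made no difference in post 24. The script classifies a key file from its bytes, checks whether the native libs are present, and lists the mismatches for an <ssl> element. The sample bytes and <ssl> strings are constructed by me (the <ssl> attributes are the ones posted in 17 and 27; certificate-file is the jboss-as-web_1_1.xsd attribute for the server certificate in native mode, and reading the "(null)" in post 27's error as that attribute being absent is my assumption).

```python
# Added example (not from the thread): tell apart the two TLS stacks JBoss Web 7
# can use and explain the PEM_read_bio "no start line" error in those terms.
import os
import xml.etree.ElementTree as ET

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # leading bytes of a Java keystore written in JKS format
PEM_MARKER = b"-----BEGIN "        # the "start line" OpenSSL's PEM_read_bio searches for


def sniff_keystore(data):
    """Classify key material as 'jks', 'pem' or 'unknown' from its bytes alone."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if PEM_MARKER in data:
        return "pem"
    return "unknown"


def apr_bundled(jboss_home):
    """True when the native (APR/OpenSSL) libraries from post 28 are present:
    JBOSS_HOME/modules/org/jboss/as/web/main/lib. If they are, JBoss Web uses OpenSSL."""
    return os.path.isdir(os.path.join(jboss_home, "modules", "org", "jboss", "as", "web", "main", "lib"))


def check_ssl_element(ssl_xml, key_bytes, apr_present):
    """Return findings for an <ssl> element, given the bytes behind certificate-key-file
    and whether the native stack will be selected (it is whenever APR is found)."""
    ssl = ET.fromstring(ssl_xml)
    fmt = sniff_keystore(key_bytes)
    findings = []
    if apr_present:
        if fmt == "jks":
            findings.append("native/OpenSSL stack selected but certificate-key-file is a JKS keystore: "
                            "OpenSSL reports 'PEM routines:PEM_read_bio:no start line'")
        if ssl.get("certificate-file") is None:
            findings.append("native/OpenSSL stack selected but no certificate-file attribute "
                            "(assumption: the '(null)' certificate in post 27's error)")
        if ssl.get("keystore-type") is not None:
            findings.append("keystore-type has no effect under OpenSSL, as post 24 observed")
    else:
        if fmt == "pem":
            findings.append("JSSE stack selected but certificate-key-file is PEM: JSSE needs a Java keystore")
        if ssl.get("password") is None:
            findings.append("JSSE stack selected but no keystore password attribute")
    return findings


# Constructed sample inputs (not real key material).
JKS_SAMPLE = JKS_MAGIC + b"\x00\x00\x00\x02\x00\x00\x00\x01"
PEM_SAMPLE = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIBOgIBAAJBAK...placeholder...\n"
              b"-----END RSA PRIVATE KEY-----\n")

# <ssl> elements as posted in 17 (JSSE style) and 27 (native style); paths shortened.
JSSE_SSL = ('<ssl name="ssl" password="your_password" certificate-key-file="/path/to/keystore" '
            'protocol="TLSv1" verify-client="false"/>')
NATIVE_SSL = ('<ssl name="https" certificate-key-file="C:/jboss/jboss-key.pem" '
              'ca-certificate-file="C:/jboss/jboss-cert.pem"/>')

if __name__ == "__main__":
    home = os.environ.get("JBOSS_HOME", "/opt/jboss-as-7.1")   # placeholder path
    apr = apr_bundled(home)
    print("native libs present:", apr)
    # The thread's situation: a JKS keystore configured while the native stack is active.
    for f in check_ssl_element(JSSE_SSL, JKS_SAMPLE, apr_present=True):
        print("-", f)
    # Post 27's situation: PEM files, native stack, but no certificate-file.
    for f in check_ssl_element(NATIVE_SSL, PEM_SAMPLE, apr_present=True):
        print("-", f)
```

To run it against a real installation, read the file named in certificate-key-file into key_bytes and pass apr_bundled(JBOSS_HOME) as apr_present; an empty list means the key material matches the stack that will actually load it.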
