-
15. Re: HTTPS on JBoss AS 7 - truststore configuration
Hi,
I'm trying to set up a similar thing, with the following constraint in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Login</web-resource-name>
<url-pattern>/login/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<!-- All access to this area will be SSL protected -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
And, in standalone.xml :
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" enabled="true" enable-lookups="false" redirect-port="8443"/>
Now accessing, to http://127.0.0.1:8080/myapp/login/ redirect me, but redirect me to http://127.0.0.1:443/myapp/login/
Where should I configure to redirect to port 8443 ?
Many thanks.
-
16. Re: HTTPS on JBoss AS 7 - truststore configuration
Don't use CLIENT-CERT auth-method in war/WEB-INF/web.xml unless to import all the client certificates into the server side. In standalone.xml and <ssl> configuration under <connector>, "verify-client" attribute should set to "false" to avoid client certificate validation. Now, HTTP and HTTPs work properly as "http://[server-ip]/app-name" and "https://[server-ip]/app-name".
-
17. Re: HTTPS on JBoss AS 7 - truststore configuration
Guinotphil,
Port 443 is normally used for HTTPS.
In my standalone.xml configuration:
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
<ssl name="ssl" password="your_password" certificate-key-file="/path/to/keystore" protocol="TLSv1" verify-client="false"/>
</connector>
...
<socket-binding name="http" port="80"/>
<socket-binding name="https" port="443"/>
Now, "http://[server-ip]/app-name" and "https://[server-ip]/app-name" are working propler.
-
18. Re: HTTPS on JBoss AS 7 - truststore configuration
Hi,
Thank you for your help.
My client-auth is actually well-configured. I use the right truststore, and I've tested it with HTTPS under ports 443 or 8443.
My problem is that for test purpose I want to use JBoss AS listening on ports 8080 and 8443. Then my question is: how do I use "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" in web.xml to redirect me to the redirect port I specified in standalone.xml's http redirect-port, here 8443 ?
Thanks
-
19. Re: HTTPS on JBoss AS 7 - truststore configuration
My problem is that for test purpose I want to use JBoss AS listening on ports 8080 and 8443
You should set these ports in standalone.xml:
<socket-binding-group name="standard-sockets" default-interface="public">
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
...
</socket-binding-group>
Then my question is: how do I use "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" in web.xml to redirect me to the redirect port I specified in standalone.xml's http redirect-port, here 8443
transport-guarantee element in web.xml stands for: All user data must be encrypted by the transport (typically using SSL/TLS) (from http://java.sun.com/javaee/6/docs/api/javax/servlet/annotation/ServletSecurity.TransportGuarantee.html).
It only says that your app wants application server encrypt the data on the wire.
In order to be redirected to your https port defined in socket-binding-group, you shuold define the right attribute in http connector element:
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>.
I hope this will help you.
Regards
-
-
21. Re: HTTPS on JBoss AS 7 - truststore configuration
> With native installed, it uses OpenSSL, so the certificate config needs to be adapted.
Since JBoss AS 7.1 Final-SNAPSHOT is shipped with JBoss Web 7.0.7 and its native library, I can no longer use a jks keystore, except if I remove the modules/org/jboss/as/web/main/lib directory.
Is there a way to disable OpenSSL to use jks kyestore without un-installing the native libraries ?
Thank you very much.
-
22. Re: HTTPS on JBoss AS 7 - truststore configuration
Is this still an issue?
unless i remove the modules/org/jboss/as/web/main/lib i cannot use a jks keystore.
i could not find any reference for this in the documentation...
-
23. Re: HTTPS on JBoss AS 7 - truststore configuration
Hi,
I've got the same problem...
As an alternative: Is the a complete guide how to generate a working certificate and keystore from scratch using OpenSSL??
I found a lot of tutorials on the web, but nothing really worked. I always run into an error like:
012.01.03 16:21:30 INFO [org.jboss.ws.common.management.AbstractServerConfig] JBoss Web Services - Stack CXF Server 4.0.0.GA 2012.01.03 16:21:30 ERROR [org.apache.coyote.http11.Http11AprProtocol] Error initializing endpoint: java.lang.Exception: Unable to load certificate key ../standalone/configuration/deva.keystore (error:0906D06C:PEM routines:PEM_read_bio:no start line) at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.7.Final.jar:] at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638) [jbossweb-7.0.7.Final.jar:] at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.7.Final.jar:] at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.7.Final.jar:] at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:267) [jboss-as-web-7.1.0.CR1b.jar:7.1.0.CR1b] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA] at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26] at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
Thanks
Markus
-
24. Re: HTTPS on JBoss AS 7 - truststore configuration
By looking at jboss-as-web_1_1.xsd I expected the following to help:
<ssl keystore-type="JKS" truststore-type="JKS" ... />
But it did not, getting the same error:
error:0906D06C:PEM routines:PEM_read_bio:no start linejboss-as-7.1.0.CR1
-
25. Re: HTTPS on JBoss AS 7 - truststore configuration
This is an issue with jboss-as-7.1.0.CR1b as well.
-
26. Re: HTTPS on JBoss AS 7 - truststore configuration
In order to use JSSE and java keystores, I think you should remove APR libs from your O.S. If JbossWeb finds APR, it automatically uses its native libraries and OpenSSL, otherwise it uses JSSE.
Let me know.
Regards,
/Fabrizio
-
27. Re: HTTPS on JBoss AS 7 - truststore configuration
As a continuation, this still doesn't work, at least on Windows. I'm OK with not using JKS, but it doesn't work with PEM files either.
I generated new self-signed keys via
openssl genrsa -out jboss-key.pem 1024 openssl req -new -x509 -key jboss-key.pem -out jboss-cert.pem -days 3650
changed the connector to
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true"> <ssl name="https" certificate-key-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/jboss-key.pem" ca-certificate-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/jboss-cert.pem"/> </connector>
All I get is the following exception:
15:16:54,182 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-7) Error initializing endpoint: java.lang.Exception: Unable to load certificate (null) (error:02001000:system library:fopen:system library)
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.7.Final.jar:]
at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638) [jbossweb-7.0.7.Final.jar:]
at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.7.Final.jar:]
at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.7.Final.jar:]
at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:267) [jboss-as-web-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_30]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_30]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]
It's possible I didn't create the cert right, but I've tried changing formats, putting in passwords, etc, to no avail.
I had no issues with this part of 7.0.2 using JKS
So, if JKS is out, what is the correct way to configure a certificate for a AS7 server running on Windows?
-
28. Re: HTTPS on JBoss AS 7 - truststore configuration
Hi,
in latest builds APR libs are bundled with AS, so if you want to use JSE you have to delete native libraries that are shipped with app server.
go to JBOSS_HOME\modules\org\jboss\as\web\main\ and delete the "lib" folder and restart, this way it won't find apr native libs and JSE configuration will work.
by default it tries to use APR and if you have them on path it won't even consider JSE configuration...
hope this helps,
tomaz
-
29. Re: HTTPS on JBoss AS 7 - truststore configuration
Hi,
in latest builds APR libs are bundled with AS, so if you want to use JSE you have to delete native libraries that are shipped with app server.
go to JBOSS_HOME\modules\org\jboss\as\web\main\ and delete the "lib" folder and restart, this way it won't find apr native libs and JSE configuration will work.
by default it tries to use APR and if you have them on path it won't even consider JSE configuration...
hope this helps,
tomaz