5 Replies Latest reply on Feb 23, 2012 10:53 AM by ctomc

    7.1.0.CR1 SSL Connector ignores JSSE ssl attributes in domain mode

    fabrizio.benedetti

      I removed modules/org/jboss/as/web/main/lib in order to use JSSE, but if I put the following in domain.xml (web subsystem):

       

      ...
      <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
          <ssl name="myssl" 
              key-alias="myalias" 
              password="XXX" 
              certificate-key-file="/path/to/keystore.jks" 
              ca-certificate-file="/path/to/truststore.jks"
              verify-client="want"/>
      </connector>
      ...
      

       

      it throws this Exception:

      [Server:server-one] 13:35:45,777 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-1) Failed to load keystore type JKS with path /home/fabrizio/.keystore due to /home/fabrizio/.keystore (File o directory non esistente): java.io.FileNotFoundException: /home/fabrizio/.keystore (File o directory non esistente)

       

      It seems to ignore the certificate-key-file attribute and tries to load the keystore from the user home. But if I put the keystore in /home/fabrizio/.keystore, it says that the password is wrong.

      I think it ignores all ssl attributes.

       

      In standalone mode all works fine.

      Also in 7.0.2 standalone/domain all works.

       

      Is it a bug in domain mode?

       

      Regards

      /Fabrizio

        • 1. Re: 7.1.0.CR1 SSL Connector ignores JSSE ssl attributes in domain mode
          ctomc

          Hi,

           

          You are missing a few parameters.

           

          This is my config that works:

           

          <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                <ssl name="megapos-service" 
                         key-alias="alias" 
                         password="password" 
                         certificate-key-file="path/to/cert.p12" 
                         verify-client="true" 
                         ca-certificate-file="path/to/truststore.jks" 
                         ca-certificate-password="trust-password" 
                         keystore-type="PKCS12" 
                         truststore-type="JKS"/>
          </connector>
          

           

          Fix the configuration according to this one and give it another try.

           

          cheers,

          tomaz

          • 2. Re: 7.1.0.CR1 SSL Connector ignores JSSE ssl attributes in domain mode
            fabrizio.benedetti

            Thank you for your immediate reply Tomaz.

             

            I put exactly your code snippet in a standard domain.xml.

            It continues to throw

            [Server:server-one] 12:27:09,690 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-2) Failed to load keystore type JKS with path /home/fabrizio/.keystore due to /home/fabrizio/.keystore (No such file or directory): java.io.FileNotFoundException: /home/fabrizio/.keystore (No such file or directory)

             

            As you can see, it also ignores the keystore type (JKS, but we set PKCS12).

             

            Note that with standalone.xml all works fine.

             

            Are you using 7.1.0.CR1 and domain.xml?

             

            cheers,

            fabrizio

             


            • 3. Re: 7.1.0.CR1 SSL Connector ignores JSSE ssl attributes in domain mode
              ctomc

              Hi,

               

              In this case I have standalone.xml, but the configuration of the subsystem does not behave any differently, as subsystem configuration is handled in a single place in the code.

              Domain and standalone are just ways how management is done; the configuration is the same.

               

              Did you set keystore-type and truststore-type? In your case, both to JKS?

               

              cheers,

              tomaz

              • 4. Re: 7.1.0.CR1 SSL Connector ignores JSSE ssl attributes in domain mode
                fabrizio.benedetti

                I set all attributes, also keystore-type and truststore-type to JKS, but it still throws the same exception.

                 

                I know that standalone and domain subsystems configuration are the same, in fact it works in 7.0.x...

                 

                I suspect that in domain mode the web subsystem is managed wrongly by JBoss, that is, it does not send the ssl attributes, and so the web subsystem takes default values (keystores from user home, password "changeit", etc.).

                 

                It would be useful if you could try your configuration in domain.

                 

                thank you,

                fabrizio

                • 5. Re: 7.1.0.CR1 SSL Connector ignores JSSE ssl attributes in domain mode
                  ctomc

                  Fabrizio, I can confirm this is a bug and it is being addressed as we speak.
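
A log-versus-configuration check for the symptom described in this thread, as an added example that is not part of the original posts or of JBoss code: it compares the keystore path and type reported in the JSSESocketFactory error with the `certificate-key-file` and `keystore-type` of the connector's `<ssl>` element, so a silent fallback to defaults stands apart from a keystore file that is simply missing. The function names, the bare `<subsystem>` wrapper and the second log line are constructed; treating JKS as the type in effect when `keystore-type` is absent is an assumption based on the error line quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: <ssl> attributes as used in the thread, wrapped in a bare root.
SAMPLE_CONFIG = """<subsystem>
  <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
    <ssl name="myssl" key-alias="myalias" password="XXX"
         certificate-key-file="/path/to/keystore.p12" keystore-type="PKCS12"
         ca-certificate-file="/path/to/truststore.jks" verify-client="want"/>
  </connector>
</subsystem>"""

# First line is the error quoted in the thread; the second is constructed and shows
# a failure on the *configured* keystore, which is a missing file, not ignored config.
SAMPLE_LOG = [
    "[Server:server-one] 12:27:09,690 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] "
    "(MSC service thread 1-2) Failed to load keystore type JKS with path /home/fabrizio/.keystore "
    "due to /home/fabrizio/.keystore (No such file or directory)",
    "[Server:server-one] 12:30:00,000 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] "
    "(MSC service thread 1-2) Failed to load keystore type PKCS12 with path /path/to/keystore.p12 "
    "due to /path/to/keystore.p12 (No such file or directory)",
]

LOAD_ERR = re.compile(r"JSSESocketFactory\].*?Failed to load keystore type (\S+) with path (.+?) due to ")

def configured_ssl(xml_text, connector="https"):
    """Return (keystore path, keystore type) of the named connector, ignoring XML namespaces."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "connector" and el.get("name") == connector:
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "ssl":
                    # Assumption: JKS is the effective type when keystore-type is absent.
                    return child.get("certificate-key-file"), child.get("keystore-type", "JKS")
    return None

def find_ignored_settings(xml_text, log_lines):
    """Report keystore load errors whose path or type differs from the configuration."""
    cfg = configured_ssl(xml_text)
    findings = []
    for line in log_lines if cfg else []:
        m = LOAD_ERR.search(line)
        if m and ((cfg[0] and m.group(2) != cfg[0]) or m.group(1).upper() != cfg[1].upper()):
            findings.append({"configured_path": cfg[0], "used_path": m.group(2),
                             "configured_type": cfg[1], "used_type": m.group(1)})
    return findings

if __name__ == "__main__":
    for f in find_ignored_settings(SAMPLE_CONFIG, SAMPLE_LOG):
        print("ssl attributes not applied:", f)
```
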