12 Replies Latest reply on Jan 24, 2012 2:14 PM by gregcharles

    Configuring https on JBoss 7 -- impossible?

    gregcharles

      I have what seems like it should be a simple job. I have to: a) Enable https connections into a web application, and b) Encrypt or otherwise mask the password of the certificate file in standalone.xml.

       

      When I tried to do this in 7.02, I found that protecting passwords was different in JBoss 7, and would utilize a "Password Vault" not available until JBoss 7.1. (Article here: https://community.jboss.org/wiki/JBossAS7SecuringPasswords) I've been waiting for that release, all the time reassuring our customers that everything was going to be fine and we wouldn't have to "reverse" our port of their application back to JBoss 4.2.3.

       

      Now that I've got the CR release of JBoss 7.1, I'm, if anything, farther from a solution. Here are the issues I'm facing:

       

      1. The above example for the Vault shows how to protect the password into a database, not into the certificate file. It's unclear if I can use a vault password in the configuration of the https connector.

       

      2. The script used in the example is only in Bourne shell. It hasn't been ported to Windows for whatever reason. Not a blocker, but a confusing omission.

       

      3. When I tried to start up my application on JBoss 7.1, it choked on my JKS type keystore, where the certificate is. Some research showed that 7.1 ships with native OpenSSL support, and expects certificates to be in that form now, though only a cryptic error message informs you of this.

       

      4. All documentation for configuring https tells you to use JKS. There's no direction for configuring and using OpenSSL. In response, some people are saying just to delete the OpenSSL DLL and that should work. I don't know if I can trust those people.

       

      5. The Password Vault itself, as documented, relies on using a Java keystore file. Will that even work now?

       

      I need someone to talk me down off the ledge. The JBoss developers have done an amazing job with JBoss 7, but making SSL so hard to enable doesn't make sense to me. Is there a magic document somewhere that explains how this all works?

        • 1. Re: Configuring https on JBoss 7 -- impossible?
          jaikiran

          Gregory Charles wrote:

          2. The script used in the example is only in Bourne shell. It hasn't been ported to Windows for whatever reason. Not a blocker, but a confusing omission.

          https://issues.jboss.org/browse/AS7-2154

          • 2. Re: Configuring https on JBoss 7 -- impossible?
            jaikiran

            Gregory Charles wrote:

            3. When I tried to start up my application on JBoss 7.1, it choked on my JKS type keystore, where the certificate is. Some research showed that 7.1 ships with native OpenSSL support, and expects certificates to be in that form now, though only a cryptic error message informs you of this.

            I think there was a change in the way the native libraries were loaded which might have resulted in the OpenSSL ones being picked up by default. Now I'm not sure whether it was intentional to make OpenSSL the default or whether there's a better way to switch to JKS (instead of removing those files from the module). I'll have to check with someone from the JBossWeb team.

            • 3. Re: Configuring https on JBoss 7 -- impossible?
              gregcharles

              Thanks Jaikiran, I can always rely on you to reply to these questions. I'm frustrated right now, because I'm an application programmer and I'm used to solving issues by analyzing code and running it through a debugger. Stuff like that. I hate configuration tasks because when I hit issues I have to scour the web hoping that someone has hit the same problem, figured out how to solve it, and bothered to describe clearly what they did.

               

              I'm still a big fan of the JBoss development team, but a few things are boggling my mind at the moment. How does a CR release get made that breaks any https configuration that follows the current JBoss 7 documentation? Is configuring https through JBoss so uncommon they didn't think to test it out before the release? I can understand that masking the keystore password might be less common, but it was possible in JBoss 4, and also the VaultTool sees fit to mask the password into the keystore it's using, so that acknowledges some need.

              • 4. Re: Configuring https on JBoss 7 -- impossible?
                anil.saldhana

                I have been working on an article that you may find useful. https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb

                • 5. Re: Configuring https on JBoss 7 -- impossible?
                  gregcharles

                  Thanks Anil, that is very helpful as regards OpenSSL. It doesn't, however, answer my main question of how to encrypt the keystore password. In JBoss 4.2.3, we had

                   

                  server.xml (snippet):

                  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                             scheme="https" secure="true" sslProtocol="TLS"
                             maxThreads="250" maxHttpHeaderSize="8192"
                             clientAuth="false"
                             securityDomain="java:/jaas/encrypt-keystore-password"
                             SSLImplementation="org.jboss.net.ssl.JBossImplementation"
                  />

                  security-service.xml:

                  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                         name="jboss.security:service=PBESecurityDomain">
                      <constructor>
                         <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
                      </constructor>
                      <attribute name="KeyStoreType">jks</attribute>
                      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
                      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
                      <attribute name="Salt">abcdefgh</attribute>
                      <attribute name="IterationCount">27</attribute>
                  </mbean>

                   

                  The encrypted password for localhost.keystore was stored in keystore.password. The configuration is a bit cryptic, but it did work. For the life of me, I cannot figure out how to do the same thing in JBoss 7. Again, this is a fatal flaw for my customer and would mean we could not use JBoss 7.

                  • 6. Re: Configuring https on JBoss 7 -- impossible?
                    anil.saldhana

                    Prior to AS7, each subsystem used a different mechanism to mask the passwords. So for a user, this meant that they had to follow each subsystem guide to mask the passwords. Even though all the subsystems are part of JBoss AS, the masking of passwords is done very differently.

                     

                    Starting with AS7, we want to provide to the users one unified approach to securing passwords. This is what we document in https://community.jboss.org/wiki/JBossAS7SecuringPasswords

                    All the subsystem developers are supposed to follow this approach to mask sensitive attributes.

                     

                    Now this goes to the masking of connector passwords also. They are supposed to follow this. Let me verify this with the JBossWeb devs.

                    • 7. Re: Configuring https on JBoss 7 -- impossible?
                      jaikiran

                      The other thing that I checked with the JBossWeb team was the ability to switch back from OpenSSL to JKS. Thanks to Jean-Frederic:

                      jaikiran wrote:

                      Some recent threads in the AS7 forum indicate that in AS 7.1 the OpenSSL native libraries are picked by default (I guess due to the change related to the way we load them). But for users who want to switch to JKS, the suggested way to do that currently appears to be to delete the native libs https://community.jboss.org/message/646156#646156. Is that the right way for this or is there some other better way of dealing with it?

                      native="false" in the web subsystem.

                      The right way would be to export the key/cert from keystore and convert it to pem format http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format

                      So if you want to switch back to JKS instead of the default OpenSSL, set native=false on the web subsystem. On the other hand, if you want to convert the keystore to a pem, then follow that stackoverflow thread.

                      • 8. Re: Configuring https on JBoss 7 -- impossible?
                        n0n3
                        • 9. Re: Configuring https on JBoss 7 -- impossible?
                          anil.saldhana

                          Currently, it seems we have not worked on masking the passwords for the ssl element in the connector configuration. It should be done this week. We are going to basically use the vault in AS7.

                          • 10. Re: Configuring https on JBoss 7 -- impossible?
                            anil.saldhana

                            jaikiran pai wrote:

                            Gregory Charles wrote:

                            2. The script used in the example is only in Bourne shell. It hasn't been ported to Windows for whatever reason. Not a blocker, but a confusing omission.

                            https://issues.jboss.org/browse/AS7-2154

                            Haa Gregory.  Be a kind OSS citizen and contribute a vault.bat for us.  It is a simple port.

                            • 11. Re: Configuring https on JBoss 7 -- impossible?
                              gregcharles

                              @Anil

                               

                              Yes, I will make a vault.bat if I can get a couple of spare hours. I'm having a brutal few weeks here.

                               

                              Awesome news on masking passwords in the SSL element. Do you think that will make it into the 7.1 final release for next month?


                              @"None" -- thanks for that example! However, I don't really get it. You have:

                               

                              <ssl name="ssl"
                                   certificate-key-file="/home/n0n3/server/jboss-as-7.1.0.CR1b/standalone/configuration/localhost.key"
                                   certificate-file="/home/n0n3/server/jboss-as-7.1.0.CR1b/standalone/configuration/localhost.crt"
                                   protocol="TLSv1"
                                   verify-client="true"/>

                               

                              So you don't even have an attribute for the password into the certificate file? How does that work? Did you not put a password on that file? Is that even possible?


                              @Jaikiran

                               

                              Thanks for the info on that native="false" message. That solved that part of my problem. I really appreciate it!
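                              As an added example (not code from this thread or from JBoss), a small Java program that does the export reply 7 points at: it pulls the private key and certificate for one alias out of a JKS keystore and writes the two PEM files that the native connector's certificate-key-file and certificate-file attributes name. It also shows why n0n3's ssl element carries no password attribute: the PEM key is written unencrypted, so protecting it falls to file permissions rather than a password. The class name and output file names are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;

/** Exports one alias of a JKS keystore as the PEM key and certificate files the native connector reads. */
public class JksToPem {

    // Wrap DER bytes in PEM armor, 64 characters per line, as OpenSSL expects.
    static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (from a terminal): java JksToPem <keystore.jks> <alias> <output-prefix>");
            System.exit(2);
        }
        // Read the password interactively so it never appears on a command line or in shell history.
        char[] password = console.readPassword("Keystore password for %s: ", args[0]);
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        // Assumes the key entry's password equals the keystore password (keytool's default when none is given).
        Key key = ks.getKey(args[1], password);
        Certificate cert = ks.getCertificate(args[1]);
        Arrays.fill(password, '\0');
        if (key == null || cert == null || !"PKCS#8".equals(key.getFormat())) {
            System.err.println("alias " + args[1] + " has no exportable private key entry");
            System.exit(1);
        }
        // The exported key is unencrypted PKCS#8 (PEM "PRIVATE KEY"): the connector needs no password for it,
        // so the file itself must be protected; restrict it to the owner where the filesystem supports that.
        Path keyFile = Paths.get(args[2] + ".key");
        Files.write(keyFile, toPem("PRIVATE KEY", key.getEncoded()).getBytes(StandardCharsets.US_ASCII));
        try {
            Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            System.err.println("warning: could not restrict " + keyFile + "; set a file ACL by hand (e.g. on Windows)");
        }
        Files.write(Paths.get(args[2] + ".crt"), toPem("CERTIFICATE", cert.getEncoded()).getBytes(StandardCharsets.US_ASCII));
    }
}
```

                              The resulting .key and .crt paths are what go into certificate-key-file and certificate-file when the web subsystem runs with the native OpenSSL connector; with native="false" the JKS keystore is used directly and no conversion is needed.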

                              • 12. Re: Configuring https on JBoss 7 -- impossible?
                                gregcharles

                                I finished the port to vault.bat and posted it to https://issues.jboss.org/browse/AS7-2154