2 Replies Latest reply on Mar 16, 2016 12:42 PM by bhagat.ali

    SSL Certificate Import and configuration for JBoss

    bhagat.ali

      Hello,

       

      I am fairly new to the JBoss configuration and I have been asked to import a certificate into the JBoss App server. Based on what I have read around on the forums I think I did what was necessary, but we still keep seeing the "None of the TrustManagers allowed for trust of the SSL certificate(s) provided by the remote server to which this client attempted a connection" error message. We have hosted a Pega application on our JBoss server and the Pega application makes a 1-way outbound call to consume services from IBM Datapower. We are using Red Hat JBoss Middleware (EWS+EAP) on Red Hat Enterprise Linux 7.1 and have set up JBoss in Domain mode.

       

      JBoss Enterprise Application Platform version 6.4 is installed under the /opt/jboss folder, owned by the jboss system user, and configured to run in Domain mode only. The environment is pre-configured with one Domain controller and one or more Host controllers. All host controllers can be managed by the domain controller. The environment is also tailored to operate in the full-HA profile exclusively.

       

      [screenshot attachment: 2016-03-15 20_32_07-README.png]

      We have a SGWSGateway-sscert.pem certificate for Datapower that I was asked to import into JBoss. The steps I took were as follows. If I can get any help on what I have set up incorrectly or what I need to change, I will be greatly obliged.

       

      1) Import it into the jbossTrust.jks in /host-controller/configuration/keystores using an alias, sgwsgateway.

           [screenshot attachment: 2016-03-15 21_24_33-root@lvappi00139__usr_java_jdk1.7.0_79_bin.png]

      2) The domain.xml configuration is:

               

                 <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                            <ssl/>
                      </connector>
                      <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                      <virtual-server name="default-host" enable-welcome-root="true">
                          <alias name="localhost"/>
                      </virtual-server>
                  </subsystem>
      


        <interfaces>
              <interface name="management"/>
              <interface name="public"/>
              <interface name="unsecure"/>
          </interfaces>
      
      
          <socket-binding-groups>
              <socket-binding-group name="full-ha-sockets" default-interface="public">
                  <socket-binding name="ajp" port="8009"/>
                  <socket-binding name="http" port="8080"/>
                  <socket-binding name="https" port="8443"/>
                  <socket-binding name="jacorb" interface="unsecure" port="3528"/>
                  <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
                  <socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
                  <socket-binding name="jgroups-tcp" port="7600"/>
                  <socket-binding name="jgroups-tcp-fd" port="57600"/>
                  <socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
                  <socket-binding name="jgroups-udp-fd" port="54200"/>
                  <socket-binding name="messaging" port="5445"/>
                  <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
                  <socket-binding name="messaging-throughput" port="5455"/>
                  <socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
                  <socket-binding name="remoting" port="4447"/>
                  <socket-binding name="txn-recovery-environment" port="4712"/>
                  <socket-binding name="txn-status-manager" port="4713"/>
                  <outbound-socket-binding name="mail-smtp">
                      <remote-destination host="localhost" port="25"/>
                  </outbound-socket-binding>
              </socket-binding-group>
          </socket-binding-groups>
      


          <server-groups>
              <server-group name="jboss-server-group" profile="full-ha">
                  <jvm name="pega_default">
                      <heap size="4096m" max-size="8192m"/>
                      <permgen size="768m" max-size="1536m"/>
                      <jvm-options>
                          <option value="-Xms8192m"/>
                          <option value="-Xmx8192m"/>
                          <option value="-XX:NewSize=1536m"/>
                          <option value="-XX:MaxNewSize=1536m"/>
                          <option value="-XX:PermSize=768m"/>
                          <option value="-XX:MaxPermSize=1536m"/>
                          <option value="-Djboss.as.management.blocking.timeout=60000"/>
                          <option value="-Djava.net.preferIPv4Stack=true"/>
                          <option value="-XX:TargetSurvivorRatio=90"/>
                          <option value="-XX:+UseParNewGC"/>
                          <option value="-XX:+UseConcMarkSweepGC"/>
                          <option value="-XX:+UseCMSInitiatingOccupancyOnly"/>
                          <option value="-XX:CMSInitiatingOccupancyFraction=80"/>
                          <option value="-XX:+CMSClassUnloadingEnabled"/>
                          <option value="-XX:ReservedCodeCacheSize=768m"/>
                          <option value="-XX:+UseCodeCacheFlushing"/>
                          <option value="-XX:+DisableExplicitGC"/>
                          <option value="-XX:+PrintGCDetails"/>
                          <option value="-verbose:gc"/>
                          <option value="-Xloggc:/opt/jboss/host-controller/log/gc.%t.%p.log"/>
                          <option value="-XX:+UseGCLogFileRotation"/>
                          <option value="-XX:NumberOfGCLogFiles=10"/>
                          <option value="-XX:GCLogFileSize=1M"/>
                          <option value="-Djava.awt.headless=true"/>
                          <option value="-Djboss.modules.policy-permissions=true"/>
                      </jvm-options>
                  </jvm>
                  <socket-binding-group ref="full-ha-sockets"/>
                  <deployments>
                      <deployment name="example.war" runtime-name="example.war"/>
                      <deployment name="prhelp.war" runtime-name="prhelp.war"/>
                      <deployment name="prsysmgmt_jboss.war" runtime-name="prsysmgmt_jboss.war"/>
                      <deployment name="prpc_j2ee14_jboss61JBM.ear" runtime-name="prpc_j2ee14_jboss61JBM.ear"/>
                  </deployments>
              </server-group>
          </server-groups>
      


      3) The host-master.xml configuration is:


              <security-realms>
                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl protocol="TLSv1">
                              <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::dc_ident_keystore_password::1}" alias="jboss_domain"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                      </authorization>
                  </security-realm>
      
      


          <domain-controller>
              <local/>
          </domain-controller>
      
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
          </interfaces>
      
      
          <jvms>
              <jvm name="default">
                  <heap size="4096m" max-size="8192m"/>
                  <permgen size="768m" max-size="1536m"/>
                  <jvm-options>
                      <option value="-server"/>
                  </jvm-options>
              </jvm>
          </jvms>
      


      4) The host-slave.xml configuration is:


              <security-realms>
                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl protocol="TLSv1">
                              <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_identity_keystore_password::1}" alias="jboss_host"/>
                          </ssl>
                          <secret value="U2NvdGlhYmFua0Ax"/>
                      </server-identities>
                      <authentication>
                          <truststore path="keystores/jbossTrust.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_trust_keystore_password::1}"/>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                      </authorization>
                  </security-realm>
      


          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
              <interface name="public">
                  <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
              <interface name="unsecure">
                  <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
              </interface>
          </interfaces>
      
      
          <servers>
              <server name="jboss-server-one" group="jboss-server-group" auto-start="true">
                  <jvm name="pega_default"/>
                  <socket-bindings port-offset="100"/>
              </server>
        </servers>
      


      Regards

      Ali.


        • 1. Re: SSL Certificate Import and configuration for JBoss
          mchoma

          Setting a truststore in ManagementRealm is not JBoss-wide. It applies only where this realm is used; ApplicationRealm, for example, can still be used. I suppose the error comes from that Pega application. So you should somehow set a truststore on the call to the web service so that it uses the truststore. You can try to set javax.net.ssl.trustStore, which is Java-wide.

          • 2. Re: SSL Certificate Import and configuration for JBoss
            bhagat.ali

            We resolved this by adding the certificate at the Java level. In the scenario in my question above we were importing the certificate into the JBoss keystore. The application was not finding the certificate because of the different JVMs we had set up. So instead, we imported the certificate into the Java cacerts keystore in the jre folder.
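A check for the point made in mchoma's reply and confirmed by the resolution above, added here as an example (it is not code from the thread, from JBoss or from Pega): a truststore configured on a security realm is invisible to an outbound call, so what decides the handshake is the store that the calling JVM's TrustManager actually consults. This small Java program loads either an explicit JKS (such as the jbossTrust.jks from the question) or, when no path is given, the JVM default (javax.net.ssl.trustStore if set, otherwise the JRE cacerts that the final reply imported into), parses the PEM certificate, and asks the resulting X509TrustManager the same question the failing handshake asks. The file paths, the store password and the class name TrustCheck are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustCheck (hypothetical diagnostic): which truststore will this JVM consult,
 * and does it accept the certificate the remote server presents?
 *
 * Usage (paths are assumptions):
 *   java TrustCheck /opt/jboss/host-controller/configuration/keystores/jbossTrust.jks changeit SGWSGateway-sscert.pem
 *   java TrustCheck "" "" SGWSGateway-sscert.pem      # empty store path = JVM default store
 */
public class TrustCheck {

    /** Load a JKS truststore from disk; null/empty path means "whatever the JVM uses by default". */
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        if (path == null || path.isEmpty()) {
            return null; // TrustManagerFactory.init(null) selects the JVM default store
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, (password == null || password.isEmpty()) ? null : password.toCharArray());
        }
        return ks;
    }

    /** Parse the PEM certificate the peer presents (here the Datapower self-signed cert). */
    static X509Certificate readPem(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** The X509TrustManager a client SSLContext would get for this store. */
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null store -> javax.net.ssl.trustStore if set, else $JAVA_HOME/lib/security/cacerts
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * True if the trust manager accepts the certificate as a server identity. A false here is
     * exactly the condition behind "None of the TrustManagers allowed for trust of the SSL
     * certificate(s) provided by the remote server".
     */
    static boolean isTrusted(X509TrustManager tm, X509Certificate cert) {
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert }, cert.getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    /** A client SSLContext bound to an explicit truststore, for callers that cannot rely on the JVM default. */
    static SSLContext clientContext(KeyStore store) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(store) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <truststore.jks|''> <password|''> <cert.pem>");
            System.exit(2);
        }
        KeyStore store = loadTrustStore(args[0], args[1]);
        X509Certificate cert = readPem(Paths.get(args[2]));
        X509TrustManager tm = trustManagerFor(store);
        String which = (store == null)
                ? "JVM default (javax.net.ssl.trustStore=" + System.getProperty("javax.net.ssl.trustStore") + ")"
                : args[0];
        System.out.println("truststore: " + which);
        System.out.println("subject:    " + cert.getSubjectX500Principal());
        System.out.println("trusted:    " + isTrusted(tm, cert));
        System.out.println("protocol:   " + clientContext(store).getProtocol());
    }
}
```

Run it with the same java binary that the pega_default JVM definition uses (the JDK 1.7.0_79 visible in the screenshot path), once with the explicit jbossTrust.jks path and once with an empty path plus -Djavax.net.ssl.trustStore=... on the command line; the two runs show which store an outbound call from that JVM actually sees, which is the mismatch the final reply describes. One caveat on the cacerts route: that file belongs to the JDK installation and is replaced on a JDK update, so the import has to be repeated after each update, whereas a client that builds its SSLContext from its own JKS, as clientContext does, is unaffected.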