-
1. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
andey Jan 17, 2018 1:54 AM (in response to sreekanth.munarai)
In JBoss EAP 6.4, you can specify the enabled protocols for security-realms with the following configuration:
<server-identities>
    <ssl>
        <engine enabled-protocols="TLSv1.1 TLSv1.2" />
        <keystore ... />
    </ssl>
</server-identities>
In JBoss EAP 7.x it can be achieved by defining the configuration under the security realm. Below is the CLI command for the same:
/core-service=management/security-realm=RealmName/server-identity=ssl/:write-attribute(name=enabled-protocols,value=["TLSv1.2"])
Note: for TLS1.2 you need JDK7 or newer, as support for it was added in 7.
-
2. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
sreekanth.munarai Jan 18, 2018 7:59 AM (in response to sreekanth.munarai)
I don't have any SSL certificates installed in JBoss. Can I still add the SSL tag mentioned above in the configuration to support TLS1.2 without certificates? For information, I am using JBoss 7.1AS (community).
Please suggest!
-
3. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
sshashan Jan 23, 2018 11:04 PM (in response to sreekanth.munarai)
Hello,
Without enabling SSL or without having certificates, TLS has no meaning. TLS is for implementing security.
-
4. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
paramjindal Jan 25, 2018 2:44 AM (in response to sreekanth.munarai)
Use the simple command below to create a keystore with a self-signed certificate and then enable SSL:
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Now configure this keystore (created above) in a JBoss connector to enable SSL:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" key-alias="mydomain" password="password"
         certificate-key-file="path-to-keystore/keystore.jks"
         protocol="TLSv1.2" verify-client="false"/>
</connector>
-
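An added example, not part of any post in this thread and not JBoss code: a Python audit of a configuration file for the two settings quoted above, the realm's `enabled-protocols` and the connector's `<ssl protocol=...>`. The TLS 1.2-only policy, the function names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"TLSv1.2"}  # assumed policy: the thread's goal of TLS 1.2 only

# Constructed sample in the shape of the snippets quoted in this thread.
SAMPLE = """<server>
  <security-realm name="RealmName">
    <server-identities><ssl>
      <engine enabled-protocols="TLSv1.1 TLSv1.2"/>
    </ssl></server-identities>
  </security-realm>
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" secure="true">
    <ssl name="ssl" key-alias="mydomain" protocol="TLSv1.2"/>
  </connector>
  <connector name="internal" protocol="HTTP/1.1" scheme="https" secure="true">
    <ssl name="ssl" key-alias="mydomain"/>
  </connector>
</server>"""

def local(tag):
    """Strip an XML namespace so a namespaced configuration file also matches."""
    return tag.rsplit("}", 1)[-1]

def check(where, value):
    """Return findings for one protocol attribute value (None if absent)."""
    if not value:
        return [(where, "protocol not pinned, defaults apply")]
    extra = [p for p in value.replace(",", " ").split() if p not in ALLOWED]
    return [(where, "also allows " + ", ".join(extra))] if extra else []

def audit(xml_text):
    """List (location, problem) pairs for realms and connectors in xml_text."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "security-realm":
            where = "realm " + el.get("name", "?")
            for eng in el.iter():
                if local(eng.tag) == "engine":
                    findings += check(where, eng.get("enabled-protocols"))
        elif local(el.tag) == "connector":
            where = "connector " + el.get("name", "?")
            ssl = [c for c in el if local(c.tag) == "ssl"]
            if not ssl:
                findings.append((where, "no <ssl> element, plaintext only"))
            for s in ssl:
                findings += check(where, s.get("protocol"))
    return findings

if __name__ == "__main__":
    for where, problem in audit(SAMPLE):
        print(f"{where}: {problem}")
```

A static check like this only reports what the file declares; the protocol a running connector actually negotiates still has to be confirmed against the live port.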
5. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
sreekanth.munarai Jan 25, 2018 3:10 AM (in response to sreekanth.munarai)
Hi All,
Thanks for your suggestions. I am aware of the commands to be used and the necessity of SSL certificates.
I have already enabled the TLS1.2 protocol at Apache level, so all the requests poke to JBoss using 1.2. But there are some other internal services which connect to JBoss directly without Apache. For this, I have to make changes at JBoss level. Would it be possible at JBoss without SSL to enable TLS 1.2, as it runs on JDK1.7? My concern is that if I create new SSL certs for JBoss, it may interrupt other services. Any suggestions, please.
-
6. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
paramjindal Jan 25, 2018 5:02 AM (in response to sreekanth.munarai)
Hi,
Looks like you have SSL enabled from browser to Apache but not from Apache to JBoss EAP.
Now your Apache to EAP communication is working on http, not https, and if you enable an HTTPS connector in EAP then I don't believe anything should break unless you remove the already working http connector.
So don't make any change in the working HTTP connector (not even redirection to https), start a new HTTPS connector on JBoss EAP, and configure your internal services that intend to connect to JBoss EAP directly to use this new https connector/port.
Regards,
Param
-
7. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
paramjindal Jan 25, 2018 5:04 AM (in response to sreekanth.munarai)
Also, it is not possible to set any TLS protocol or TLS communication without providing an SSL certificate.
-
8. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
sshashan Jan 25, 2018 5:53 AM (in response to sreekanth.munarai)
>> For this, I have to make changes at JBoss level. Would it be possible at JBoss without SSL to enable TLS 1.2, as it runs on JDK1.7? My concern is that if I create new SSL certs for JBoss, it may interrupt other services. Any suggestions, please.
No, it won't be possible. You need to have SSL enabled at JBoss level. If you enable one-way SSL at JBoss level as well, I don't think it will impact anything. You just need to access the services over https.
-
9. Re: How to enable TLS1.2 in JBoss7.1 and using Apache Web server
sreekanth.munarai Jan 25, 2018 8:43 AM (in response to sreekanth.munarai)
Thanks!!
Will work on it and would update re SSL certs.