5 Replies Latest reply on Mar 14, 2008 3:41 PM by dkc

    Unable to use WSRP over SSL for self producer

    dkc Newbie

      Hello:
      I'm trying to use SSL, in particular WSRP over SSL. I want JBoss to be a portlet provider and BEA AquaLogic to be the consumer of a portlet. I'm trying to demonstrate that SSL from AquaLogic through to JBoss will work. I've done nothing so far with AquaLogic, my question regards JBoss only. Without SSL, AquaLogic consumes the JBoss portlet without problems (on non-default port 9080), but SSL is what I'm after now.

      JBoss Portal Version: 2.6.2.GA, downloaded
      JBoss AS Version: 4.2.1
      OS Platform: RedHat Enterprise Linux 4, Update 5

      Describe the problem:
      SSL access into JBoss appears to work. I can get there by going to http://localhost:8443/portal. However, the self producer is always inactive, and validation on that producer fails. Furthermore, http://localhost:8443/jbossws/services reveals: "There are currently no endpoints deployed". I've read the documentation on using WSRP over SSL and followed the configuration steps:

      - I used keytool to generate a server certificate: cn=localhost, o=bits, ou=bits, l=Dulles, st=VA, c=US

      - I copied the keystore to server/default/conf

      - I updated bin/run.conf with

      -Djavax.net.ssl.trustStore="<fully/qualified/path/to/keystore>" and
      -Djavax.net.ssl.trustStorePassword="<password>"


      - I configured an SSL/TLS connector in the tomcat server/default/deploy/jboss-web.deployer/server.xml, as follows:
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="<fully/qualified/path/to/keystore>"
      keystorePass="<password>" />
      


      - The server certificate has been imported into my browser (FF 2.0.0.12) as an authority.

      - I've updated server/default/deploy/jboss-portal.sar/portal-wsrp.sar/WEB-INF/wsdl/ to use
      http://localhost:8443
      as the prefix for all 4 endpoints.

      - I've updated server/default/deploy/jboss-portal.sar/portal-wsrp.sar/default-wsrp to use
      http://localhost:8443
      as prefix for all 4 endpoints.

      - I added a JaasSecurityDomain mbean to server/default/conf/jboss-service.xml:
      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
       <constructor><arg type="java.lang.String" value="RMI+SSL"/></constructor>
       <attribute name="KeyStoreURL">fully/qualified/path/to/keystore</attribute>
       <attribute name="KeyStorePass">password</attribute>
      </mbean>


      - I added another JRMPInvoker to jboss-service.xml:
      <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp,socketType=SSL">
       <attribute name="RMIObjectPort">14445</attribute>
       <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
       <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
       <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
       <depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
      </mbean>


      - I added an <invoker-proxy-binding> to server/default/conf/standardjboss.xml
      <invoker-proxy-binding>
      <name>stateless-ssl-invoker</name>
      <invoker-mbean>jboss:service=invoker,type=jrmp,socketType=SSL</invoker-mbean>
      <proxy-factory>org.jboss.proxy.ejb.ProxyFactory</proxy-factory>
      <proxy-factory-config>
       <client-interceptors>
       <home>
       <interceptor>org.jboss.proxy.ejb.HomeInterceptor</interceptor>
       <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
       <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
       <interceptor call-by-value="false">org.jboss.invocation.InvokerInterceptor</interceptor>
       <interceptor call-by-value="true">org.jboss.invocation.MarshallingInvokerInterceptor</interceptor>
       </home>
       <bean>
       <interceptor>org.jboss.proxy.ejb.StatelessSessionInterceptor</interceptor>
       <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
       <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
       <interceptor call-by-value="false">org.jboss.invocation.InvokerInterceptor</interceptor>
       <interceptor call-by-value="true">org.jboss.invocation.MarshallingInvokerInterceptor</interceptor>
       </bean>
       </client-interceptors>
      </proxy-factory-config>
      </invoker-proxy-binding>


      - I added 2 lines to server/default/deploy/jbossws.sar/jbossws.beans/META-INF/jboss-beans.xml:
      <property name="webServiceSecurePort">8443</property>
      <property name="webServicePort">9080</property>

      within the "ServiceEndpointManager" bean.

      - The WSDLPortFixFilter is in place in server/default/deploy/jboss-portal.sar/portal-wsrp.sar/WEB-INF/web.xml:
      <filter>
       <filter-name>WSDLPortFixFilter</filter-name>
       <filter-class>org.jboss.portal.wsrp.servlet.WSDLPortFixFilter</filter-class>
      </filter>
      <filter-mapping>
       <filter-name>WSDLPortFixFilter</filter-name>
       <url-pattern>/*</url-pattern>
      </filter-mapping>


      I've restarted JBoss many times - no success - am I missing something?
      Thanks in advance for your help,
      Dan

        • 1. Re: Unable to use WSRP over SSL for self producer
          Chris Laprun Master

          I'm going to look at it. Thanks for the detailed information, should make it easier to replicate the issue.

          • 2. Re: Unable to use WSRP over SSL for self producer
            Chris Laprun Master

             

            "dkc" wrote:

            JBoss Portal Version: 2.6.2.GA, downloaded
            JBoss AS Version: 4.2.1
            OS Platform: RedHat Enterprise Linux 4, Update 5


            Any reason you're not using 2.6.4 and 4.2.2? :)

            "dkc" wrote:

            - I've updated server/default/deploy/jboss-portal.sar/portal-wsrp.sar/WEB-INF/wsdl/ to use
            http://localhost:8443
            as the prefix for all 4 endpoints.

            - I've updated server/default/deploy/jboss-portal.sar/portal-wsrp.sar/default-wsrp to use
            http://localhost:8443
            as prefix for all 4 endpoints.


            I think that's the root of your problem... It needs to be
            httpS://localhost:8443
            (note the extra 'S' after http).

            I have just tried with 2.6.4 on 4.2.2 and it works as expected...

            You do not need any of the rest of the configuration you did to run WSRP over SSL. I just created a keystore, activated the connector in JBoss Web (adding the path to my keystore and keystore password), added:
            -Djavax.net.ssl.trustStore=<path to keystore> -Dorg.jboss.security.ignoreHttpsHost=true
            to my java options in run.conf and changed the default-wsrp.xml consumer configuration to point to the proper URLs.

            I need to update the wiki as some of the steps are not needed anymore.
            In particular, you do not need the WSDLPortFixFilter with 2.6.3+

            Let me know how it goes.



            • 3. Re: Unable to use WSRP over SSL for self producer
              dkc Newbie

              Chris:
              Thanks for your help - I got it to work :-)

              My original post had a typo (my apologies) - I am actually using https://localhost:8443 in jboss-portal.sar/portal-wsrp.sar/default-wsrp.xml.

              I think the thing that fixed this for me was to add the following to the JAVA_OPTS in bin/run.conf:

              -Dorg.jboss.security.ignoreHttpsHost=true


              Also
              "chris.laprun@jboss.com" wrote:
              Any reason you're not using 2.6.4 and 4.2.2?

              I haven't upgraded to the recommended versions due to time constraints. I have seen some of the WSRP fixes that have occurred in recent versions, and I'll recommend the upgrade to my customer.

              Per your recommendations (and for the benefit of others) here's what I did to configure WSRP over SSL:
              - Create a keystore and a server certificate. It's important that the cn matches the hostname/domain of the JBoss Portal (for me it was localhost):
              keytool -genkey -alias serverCert -keyalg RSA -validity 730 -keystore server.keystore -dname cn=localhost,o=org,ou=orgunit,l=location,st=state,c=country -keypass password -storepass password

              keytool -export -alias serverCert -keystore server.keystore -storepass password -file server.cer


              - Copy server.keystore and server.cer to server/default/conf

              - Add the following to bin/run.conf:
              JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/fully/qualified/path/to/server.keystore \
                -Djavax.net.ssl.trustStorePassword=password \
                -Dorg.jboss.security.ignoreHttpsHost=true"


              - Configure another SSL/TLS connector in the Tomcat config file that is used by JBoss Web (at server/default/deploy/jboss-web.deployer/server.xml). We're adding a new connector, so leave the existing connector in place:
              <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystoreFile="/fully/qualified/path/to/server.keystore"
              keystorePass="password" />


              - Update server/default/deploy/jboss-portal.sar/portal-wsrp.sar/default-wsrp.xml. Comment-out the "self" wsrp-producer deployment on your non-SSL port, and add the following:
              <deployment>
               <wsrp-producer id="self" expiration-cache="300">
               <endpoint-config>
               <service-description-url>https://localhost:8443/portal-wsrp/ServiceDescriptionService</service-description-url>
               <markup-url>https://localhost:8443/portal-wsrp/MarkupService</markup-url>
               <registration-url>https://localhost:8443/portal-wsrp/RegistrationService</registration-url>
               <portlet-management-url>https://localhost:8443/portal-wsrp/PortletManagementService</portlet-management-url>
               </endpoint-config>
               <registration-data/>
               </wsrp-producer>
              </deployment>
              


              - If you need to turn on SSL debugging, add the following to bin/run.conf:
              JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"


              - (Re)start JBoss. You may have to save and refresh the settings for the "self" WSRP producer from the JBoss Admin WSRP tab.

              - Import the server.cer certificate into your browser's authorities to inform your browser that the server certificate is trusted.

              - You should be able to access JBoss over SSL at https://localhost:8443/portal

              Dan
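The two things this thread turned on are the scheme of the four producer endpoint URLs (http:// aimed at the TLS connector, which Chris spotted in post 2) and whether the host in those URLs matches the CN of the server certificate (the mismatch that -Dorg.jboss.security.ignoreHttpsHost=true makes the consumer stop checking, at the cost of hostname verification). The linter below is an added example, not code from this post or from JBoss Portal: it reads a default-wsrp.xml fragment and reports both problems. The XML it checks is constructed here in the shape Dan posted; the wrapper element in the real file may differ, which is why the code walks every <wsrp-producer> with iter() rather than assuming a root. The TLS port (8443) and certificate CN ("localhost") are assumptions passed in by the caller.

```python
# Added example (not JBoss Portal code): lint a default-wsrp.xml consumer
# configuration for the endpoint-URL mistakes discussed in the thread.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The four endpoint elements of a <wsrp-producer>, as shown in the thread.
ENDPOINT_TAGS = (
    "service-description-url",
    "markup-url",
    "registration-url",
    "portlet-management-url",
)


def lint_wsrp_endpoints(xml_text, tls_port=8443, cert_cn="localhost"):
    """Return a list of (producer id, element, severity, message).

    tls_port: port of the SSLEnabled connector in server.xml (assumed 8443).
    cert_cn:  the CN in the -dname given to keytool (assumed "localhost").
    An empty list means every endpoint is https:// and its host matches cert_cn.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for producer in root.iter("wsrp-producer"):
        pid = producer.get("id", "?")
        cfg = producer.find("endpoint-config")
        if cfg is None:
            findings.append((pid, "endpoint-config", "error", "no <endpoint-config>"))
            continue
        for tag in ENDPOINT_TAGS:
            el = cfg.find(tag)
            text = (el.text or "").strip() if el is not None else ""
            if not text:
                findings.append((pid, tag, "error", "missing endpoint URL"))
                continue
            url = urlsplit(text)
            port = url.port or (443 if url.scheme == "https" else 80)
            if url.scheme == "http" and port == tls_port:
                # The mistake from the first post: plain http:// aimed at the
                # TLS connector. The consumer speaks plaintext to a port that
                # expects a TLS handshake, so the producer never validates.
                findings.append((pid, tag, "error",
                                 "http:// on TLS port %d; use https://" % tls_port))
            elif url.scheme == "http":
                findings.append((pid, tag, "warn",
                                 "plaintext WSRP endpoint on port %d" % port))
            elif url.scheme == "https" and url.hostname != cert_cn:
                # Hostname verification compares the URL host with the cert CN.
                # -Dorg.jboss.security.ignoreHttpsHost=true hides this mismatch
                # rather than fixing it; reissuing the certificate is the fix.
                findings.append((pid, tag, "error",
                                 "host %r does not match certificate CN %r"
                                 % (url.hostname, cert_cn)))
            elif url.scheme != "https":
                findings.append((pid, tag, "error",
                                 "unexpected scheme %r" % url.scheme))
    return findings


def self_producer_config(scheme, host="localhost", port=8443):
    """Constructed <deployment> fragment in the shape posted in the thread."""
    base = "%s://%s:%d/portal-wsrp/" % (scheme, host, port)
    return """<deployment>
  <wsrp-producer id="self" expiration-cache="300">
    <endpoint-config>
      <service-description-url>%sServiceDescriptionService</service-description-url>
      <markup-url>%sMarkupService</markup-url>
      <registration-url>%sRegistrationService</registration-url>
      <portlet-management-url>%sPortletManagementService</portlet-management-url>
    </endpoint-config>
    <registration-data/>
  </wsrp-producer>
</deployment>""" % (base, base, base, base)


if __name__ == "__main__":
    # The first post's configuration (http:// on 8443) versus the fixed one.
    for scheme in ("http", "https"):
        print("--", scheme)
        for finding in lint_wsrp_endpoints(self_producer_config(scheme)):
            print("  %s/%s [%s] %s" % finding)
```

Run it against the real file with lint_wsrp_endpoints(open(path).read(), tls_port=..., cert_cn=...) after editing default-wsrp.xml and before restarting; a clean result means the ignoreHttpsHost property can be left out of run.conf, which keeps the consumer checking that the producer it talks to is the host named in the certificate.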


              • 4. Re: Unable to use WSRP over SSL for self producer
                Chris Laprun Master

                 

                "dkc" wrote:

                Thanks for your help - I got it to work :-)


                Glad to hear you managed to get it to work!

                "dkc" wrote:

                - Update server/default/deploy/jboss-portal.sar/portal-wsrp.sar/default-wsrp.xml. Comment-out the "self" wsrp-producer deployment on your non-SSL port, and add the following:
                
                <deployment>
                 <wsrp-producer id="self" expiration-cache="300">
                 <endpoint-config>
                 <service-description-url>https://localhost:8443/portal-wsrp/ServiceDescriptionService</service-description-url>
                 <markup-url>https://localhost:8443/portal-wsrp/MarkupService</markup-url>
                 <registration-url>https://localhost:8443/portal-wsrp/RegistrationService</registration-url>
                 <portlet-management-url>https://localhost:8443/portal-wsrp/PortletManagementService</portlet-management-url>
                 </endpoint-config>
                 <registration-data/>
                 </wsrp-producer>
                </deployment>
                


                Note that you can do this modification using the WSRP admin interface as well. No need to modify the XML file if you don't want to.

                Thanks a lot for the detailed steps. I will update the Wiki so that it's clearer (unless you want to do it yourself to get justified credit for it ^_^).

                • 5. Re: Unable to use WSRP over SSL for self producer
                  dkc Newbie

                  Chris: I've updated the WSRPUseSSL wiki page - please take a look (and correct as necessary ;-)
                  Thanks again for your help,
                  - Dan