55 Replies. Latest reply on Apr 23, 2013 1:11 PM by guillaume cornet
      • 15. Re: HTTPS on JBoss AS 7 - truststore configuration
        guinotphil Apprentice

        Hi,

         

        I'm trying to set up a similar thing, with the following constraint in web.xml:

            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>Login</web-resource-name>
                    <url-pattern>/login/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                    <!-- All access to this area will be SSL protected -->
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
            </security-constraint>

         

        And, in standalone.xml :

        <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" enabled="true" enable-lookups="false" redirect-port="8443"/>

         

        Now accessing http://127.0.0.1:8080/myapp/login/ redirects me, but to http://127.0.0.1:443/myapp/login/

        Where should I configure it to redirect to port 8443?

         

        Many thanks.

        • 16. Re: HTTPS on JBoss AS 7 - truststore configuration
          Kevin Wu Newbie

          Don't use the CLIENT-CERT auth-method in war/WEB-INF/web.xml unless you import all the client certificates on the server side. In standalone.xml, in the <ssl> configuration under <connector>, the "verify-client" attribute should be set to "false" to avoid client certificate validation. Now HTTP and HTTPS work properly as "http://[server-ip]/app-name" and "https://[server-ip]/app-name".

          • 17. Re: HTTPS on JBoss AS 7 - truststore configuration
            Kevin Wu Newbie

            Guinotphil,

             

            Port 443 is normally used for HTTPS. 

             

            In my standalone.xml configuration:

            <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
            <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                <ssl name="ssl" password="your_password" certificate-key-file="/path/to/keystore" protocol="TLSv1" verify-client="false"/>
            </connector>
            ...
            <socket-binding name="http" port="80"/>
            <socket-binding name="https" port="443"/>

             

            Now "http://[server-ip]/app-name" and "https://[server-ip]/app-name" are working properly.

            • 18. Re: HTTPS on JBoss AS 7 - truststore configuration
              guinotphil Apprentice

              Hi,

               

              Thank you for your help.

               

              My client-auth is actually well-configured. I use the right truststore, and I've tested it with HTTPS under ports 443 or 8443.

               

              My problem is that for test purposes I want to use JBoss AS listening on ports 8080 and 8443. Then my question is: how do I use "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" in web.xml to redirect me to the redirect port I specified in standalone.xml's http redirect-port, here 8443?

               

              Thanks

              • 19. Re: HTTPS on JBoss AS 7 - truststore configuration
                Fabrizio Benedetti Novice

                > My problem is that for test purposes I want to use JBoss AS listening on ports 8080 and 8443

                You should set these ports in standalone.xml:

                <socket-binding-group name="standard-sockets" default-interface="public">
                    <socket-binding name="http" port="8080"/>
                    <socket-binding name="https" port="8443"/>
                    ...
                </socket-binding-group>

                > Then my question is: how do I use "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" in web.xml to redirect me to the redirect port I specified in standalone.xml's http redirect-port, here 8443

                transport-guarantee element in web.xml stands for: All user data must be encrypted by the transport (typically using SSL/TLS) (from http://java.sun.com/javaee/6/docs/api/javax/servlet/annotation/ServletSecurity.TransportGuarantee.html).

                It only says that your app wants the application server to encrypt the data on the wire.

                 

                In order to be redirected to your https port defined in the socket-binding-group, you should define the right attribute in the http connector element:

                <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>.

                 

                I hope this will help you.

                 

                Regards

                • 21. Re: HTTPS on JBoss AS 7 - truststore configuration
                  guinotphil Apprentice

                  > With native installed, it uses OpenSSL, so the certificate config needs to be adapted.

                   

                  Since JBoss AS 7.1 Final-SNAPSHOT is shipped with JBoss Web 7.0.7 and its native library, I can no longer use a jks keystore, except if I remove the modules/org/jboss/as/web/main/lib directory.

                   

                  Is there a way to disable OpenSSL and use a jks keystore without uninstalling the native libraries?

                   

                  Thank you very much.

                   


                  • 22. Re: HTTPS on JBoss AS 7 - truststore configuration
                    Ronen Angluster Newbie

                    Is this still an issue?

                    Unless I remove modules/org/jboss/as/web/main/lib I cannot use a jks keystore.

                    I could not find any reference to this in the documentation...

                    • 23. Re: HTTPS on JBoss AS 7 - truststore configuration
                      Markus Dahm Novice

                      Hi,

                       

                      I've got the same problem...

                      As an alternative: is there a complete guide on how to generate a working certificate and keystore from scratch using OpenSSL?

                      I found a lot of tutorials on the web, but nothing really worked. I always run into an error like:

                       

                       

                      2012.01.03 16:21:30 INFO  [org.jboss.ws.common.management.AbstractServerConfig] JBoss Web Services - Stack CXF Server 4.0.0.GA
                      2012.01.03 16:21:30 ERROR [org.apache.coyote.http11.Http11AprProtocol] Error initializing endpoint: java.lang.Exception: Unable to load certificate key ../standalone/configuration/deva.keystore (error:0906D06C:PEM routines:PEM_read_bio:no start line)
                          at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.7.Final.jar:]
                          at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638) [jbossweb-7.0.7.Final.jar:]
                          at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.7.Final.jar:]
                          at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.7.Final.jar:]
                          at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:267) [jboss-as-web-7.1.0.CR1b.jar:7.1.0.CR1b]
                          at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26]
                          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26]
                          at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
                      
                      

                       

                       

                      Thanks

                         Markus

                      • 24. Re: HTTPS on JBoss AS 7 - truststore configuration
                        Sergey Zhigunov Newbie

                        By looking at jboss-as-web_1_1.xsd I expected the following to help:

                        <ssl keystore-type="JKS" truststore-type="JKS" ... />

                         

                        But it did not, getting the same error:

                        error:0906D06C:PEM routines:PEM_read_bio:no start line

                         

                        jboss-as-7.1.0.CR1

                        • 25. Re: HTTPS on JBoss AS 7 - truststore configuration
                          pstackle Newbie

                          This is an issue with jboss-as-7.1.0.CR1b as well.

                          • 26. Re: HTTPS on JBoss AS 7 - truststore configuration
                            Fabrizio Benedetti Novice

                            In order to use JSSE and Java keystores, I think you should remove the APR libs from your O.S. If JBossWeb finds APR, it automatically uses its native libraries and OpenSSL; otherwise it uses JSSE.

                             

                            Let me know.

                             

                            Regards,

                            /Fabrizio

                            • 27. Re: HTTPS on JBoss AS 7 - truststore configuration
                              project_mercy Newbie

                              As a continuation, this still doesn't work, at least on Windows. I'm OK with not using JKS, but it doesn't work with PEM files either.

                               

                              I generated new self-signed keys via

                               

                              openssl genrsa -out jboss-key.pem 1024
                              openssl req -new -x509 -key jboss-key.pem -out jboss-cert.pem -days 3650
                              

                               

                              changed the connector to

                               

                               <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
                                   <ssl name="https"  certificate-key-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/jboss-key.pem" ca-certificate-file="C:/jboss-as-7.1.0.CR1b/standalone/configuration/jboss-cert.pem"/>
                              </connector>
                              

                               

                              All I get is the following exception:

                              15:16:54,182 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-7) Error initializing endpoint: java.lang.Exception: Unable to load certificate (null) (error:02001000:system library:fopen:system library)
                                  at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.7.Final.jar:]
                                  at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638) [jbossweb-7.0.7.Final.jar:]
                                  at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.7.Final.jar:]
                                  at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.7.Final.jar:]
                                  at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:267) [jboss-as-web-7.1.0.CR1b.jar:7.1.0.CR1b]
                                  at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                                  at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                                  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_30]
                                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_30]
                                  at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]

                               

                              It's possible I didn't create the cert right, but I've tried changing formats, putting in passwords, etc, to no avail.

                               

                              I had no issues with this part of 7.0.2 using JKS

                               

                              So, if JKS is out, what is the correct way to configure a certificate for an AS7 server running on Windows?
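Added example, not from this thread or from JBoss: an offline pre-flight check of a `<ssl>` element as the native (APR/OpenSSL) connector would see it, covering the two errors reported above, the "no start line" in posts 23 and 24 (a binary JKS keystore handed to OpenSSL, which expects PEM) and the "Unable to load certificate (null)" in post 27. The `certificate-file` attribute it checks for comes from the jboss-as-web schema Sergey mentions, and treating its absence as the cause of the "(null)" error is an assumption; the file contents and paths are constructed in memory.

```python
import re
import xml.etree.ElementTree as ET

# Every Java keystore (JKS) begins with these four magic bytes.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def classify_keyfile(data: bytes) -> str:
    """Return 'jks', 'pem:<label,...>' or 'unknown' for the bytes of a key or cert file."""
    if data[:4] == JKS_MAGIC:
        return "jks"
    labels = PEM_LABEL.findall(data)
    if labels:
        return "pem:" + ",".join(label.decode("ascii") for label in labels)
    return "unknown"

def check_ssl_element(xml_text: str, files: dict) -> list:
    """Problems the APR/OpenSSL connector would hit with this <ssl> element.
    `files` maps referenced paths to file bytes (built in memory, not read from disk)."""
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "ssl" else root.find(".//ssl")
    problems = []
    key_path = ssl.get("certificate-key-file")
    if key_path is None:
        problems.append("certificate-key-file is missing")
    else:
        kind = classify_keyfile(files.get(key_path, b""))
        if kind == "jks":
            problems.append("certificate-key-file is a JKS keystore but the native "
                            "connector reads PEM: expect 'PEM_read_bio:no start line'")
        elif not kind.startswith("pem:"):
            problems.append("certificate-key-file is not a readable PEM file")
    # Assumption from the jboss-as-web schema, not stated in the thread: in native
    # mode the server certificate is named by certificate-file; ca-certificate-file
    # only holds the CA bundle used to verify clients.
    if ssl.get("certificate-file") is None:
        problems.append("certificate-file is missing: nothing for the native connector "
                        "to load (cf. 'Unable to load certificate (null)')")
    return problems

# Constructed samples mirroring the two configurations posted above.
JKS_SAMPLE = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 16  # fake JKS header only
PEM_KEY_SAMPLE = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB(constructed)\n-----END RSA PRIVATE KEY-----\n"
POST23_SSL = '<ssl name="ssl" password="your_password" certificate-key-file="deva.keystore" protocol="TLSv1" verify-client="false"/>'
POST27_SSL = '<ssl name="https" certificate-key-file="jboss-key.pem" ca-certificate-file="jboss-cert.pem"/>'

if __name__ == "__main__":
    print(check_ssl_element(POST23_SSL, {"deva.keystore": JKS_SAMPLE}))
    print(check_ssl_element(POST27_SSL, {"jboss-key.pem": PEM_KEY_SAMPLE}))
```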

                              • 28. Re: HTTPS on JBoss AS 7 - truststore configuration
                                Tomaz Cerar Master

                                Hi,

                                In the latest builds the APR libs are bundled with the AS, so if you want to use JSE you have to delete the native libraries that are shipped with the app server.

                                 

                                Go to JBOSS_HOME\modules\org\jboss\as\web\main\ and delete the "lib" folder and restart; this way it won't find the APR native libs and the JSE configuration will work.

                                By default it tries to use APR, and if you have the libs on the path it won't even consider the JSE configuration...

                                 

                                 

                                hope this helps,

                                tomaz
