8 Replies Latest reply on Aug 14, 2012 5:42 PM by Tomaz Cerar

    Expansion of ${jboss.server.config.dir} in web subsystem

    Robert Baty Newbie

      Hello,

      I've been trying to configure SSL on my JBossAS 7.0.1 server and get it working with this configuration in the web subsystem:

       

      <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
          <ssl certificate-key-file="../standalone/configuration/server.keystore" password="myPass"/>
      </connector>
      

       

      I am wondering, though, for the certificate-key-file attribute I would like to use

      certificate-key-file="${jboss.server.config.dir}/server.keystore"

      as a JBoss system variable.  Are these not available to all subsystems on JBossAS 7?

       

      When I used this configuration:

       

      <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
          <ssl certificate-key-file="${jboss.server.config.dir}/server.keystore" password="myPass"/>
      </connector>
      

       

      The server ends up throwing exceptions from the org.apache.tomcat.util.net.jsse.JSSESocketFactory class as shown below.  It appears this class or subsystem does not expand the system property like other ones do.  Should I enter a JIRA feature request or is there some other reason this is working as intended?

       

      10:49:19,868 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-3) Failed to load keystore type JKS with path ${jboss.server.config.dir}/server.keystore due to ${jboss.server.config.dir}\server.keystore (The system cannot find the path specified): java.io.FileNotFoundException: ${jboss.server.config.dir}\server.keystore (The system cannot find the path specified)
          at java.io.FileInputStream.open(Native Method) [:1.6.0_21]
          at java.io.FileInputStream.<init>(Unknown Source) [:1.6.0_21]
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:374)
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:299)
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:515)
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:452)
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:168)
          at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:999)
          at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:190)
          at org.apache.catalina.connector.Connector.init(Connector.java:976)
          at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351)
          at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121)
          at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223)
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1765)
          at org.jboss.msc.service.ServiceControllerImpl$ClearTCCLTask.run(ServiceControllerImpl.java:2291)
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source) [:1.6.0_21]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [:1.6.0_21]
          at java.lang.Thread.run(Unknown Source) [:1.6.0_21]
      

       

      Thanks,

       

      Robert

        • 1. Re: Expansion of ${jboss.server.config.dir} in web subsystem
          Chris Lott Newbie

          Answered just three days earlier than this post:

           

          https://community.jboss.org/thread/169718

           

          In short, expansions don't work (dangit).   I hope you wrote that JIRA issue!  Now it's one year later, and in 7.1.1.final these expansions still don't work in the <ssl> element.  (THIS WAS BOGUS - SEE LATER POST BELOW!)

          • 2. Re: Expansion of ${jboss.server.config.dir} in web subsystem
            Tomaz Cerar Master

            Hi Chris,

             

            Most of this was fixed in 7.1.1.Final as part of AS7-3850.

            What exactly does not work for you?

             

            --

            tomaz

            • 3. Re: Expansion of ${jboss.server.config.dir} in web subsystem
              Chris Lott Newbie

              Thank you for the very very quick reply.  I am using 7.1.1.Final with an SSL certificate configured in the <ssl> element.  It works fine if I enter a fully qualified pathname.  I tried to replace the leading portion of the pathname with ${jboss.server.config.dir}, like this:

               

              <ssl password="changeme" certificate-key-file="${jboss.server.config.dir}/server-cert.jks" verify-client="true" ca-certificate-file="${jboss.server.config.dir}/truststore.jks"/>

               

              And as reward for my efforts :-) received the following exception on startup.  It looks as though the variable is not expanded.  Am I missing something silly and obvious?

               

              Caused by: java.io.FileNotFoundException: ${jboss.server.config.dir}/server-cert.jks (No such file or directory)
                      at java.io.FileInputStream.open(Native Method) [rt.jar:1.7.0_02]
                      at java.io.FileInputStream.<init>(FileInputStream.java:138) [rt.jar:1.7.0_02]
                      at java.io.FileInputStream.<init>(FileInputStream.java:97) [rt.jar:1.7.0_02]
                      at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90) [rt.jar:1.7.0_02]
                      at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188) [rt.jar:1.7.0_02]
                      at java.net.URL.openStream(URL.java:1035) [rt.jar:1.7.0_02]
                      at org.jboss.security.JBossJSSESecurityDomain.loadKeyAndTrustStore(JBossJSSESecurityDomain.java:475) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                      at org.jboss.security.JBossJSSESecurityDomain.reloadKeyAndTrustStore(JBossJSSESecurityDomain.java:339) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                      at org.jboss.as.security.service.SecurityDomainService.start(SecurityDomainService.java:104) [jboss-as-security-7.1.1.Final.jar:7.1.1.Final]

              • 4. Re: Expansion of ${jboss.server.config.dir} in web subsystem
                Tomaz Cerar Master

                Hi,

                 

                That looks a bit fishy, as the code was almost rewritten for 7.1.1, and we also have tests in place to check exactly this.

                If you check the code that defines how this attribute is handled in 7.1.1 https://github.com/jbossas/jboss-as/blob/1f0c1d8348752595441cc295d3d07f79f4cb8347/web/src/main/java/org/jboss/as/web/WebSSLDefinition.java

                you can see that certificate-key-file allows expressions and also honors them.

                Can you give me the complete web subsystem configuration you have (just remove the passwords), as this should work?

                 

                 

                --

                tomaz

                • 5. Re: Expansion of ${jboss.server.config.dir} in web subsystem
                  Chris Lott Newbie

                  Here is the web subsystem element from my standalone.xml file.  I sure hope you spot something easy to fix!   Thanks again for your help.

                          <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
                              <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                              <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                                  <ssl password="deleted" certificate-key-file="${jboss.server.config.dir}/server-cert.jks" verify-client="true" ca-certificate-file="${jboss.server.config.dir}/truststore.jks"/>
                              </connector>
                              <virtual-server name="default-host" enable-welcome-root="true">
                                  <alias name="localhost"/>
                                  <alias name="example.com"/>
                              </virtual-server>
                          </subsystem>

                  • 6. Re: Expansion of ${jboss.server.config.dir} in web subsystem
                    Chris Lott Newbie

                    Ok since you said it looked fishy, I dug more.  I was all wet (very fishy :-)   Turns out you are right, the <ssl> element accepts ${jboss.server.config.dir} just fine!

                     

                    The problem was elsewhere.  I am also trying to use ${jboss.server.config.dir} in the <jsse> element in the security subsystem.  So far I have not yet found how to make that work.

                     

                    Here's my first attempt:

                     

                                        <jsse keystore-password="deleted" keystore-url="file:${jboss.server.config.dir}/server-cert.jks" truststore-password="deleted" truststore-url="${jboss.server.config.dir}/configuration/truststore.jks"/>

                    • 7. Re: Expansion of ${jboss.server.config.dir} in web subsystem
                      Chris Lott Newbie

                      One last post.  Here's the issue about JSSE element not interpolating/expanding variables over in the JBoss Jira.

                       

                      https://issues.jboss.org/browse/JBPAPP-8493

                       

                      This issue was fixed in the release that isn't called jboss-7.1.2.final, it's called EAP something-something.  If I read it right, the next community release that will have this fix will be called 7.2.x.something.

                      • 8. Re: Expansion of ${jboss.server.config.dir} in web subsystem
                        Tomaz Cerar Master

                        Yes, that sounds about right.

                        The web subsystem was working properly; you scared me there for a second.

                        If it is fixed for 7.1.2, you can build it yourself by cloning the code from GitHub and then checking out the 7.1 branch or the 7.1.2.Final tag. Then just run mvn clean install -DskipTests (be sure to use JDK6).

                        Or you can just use a nightly build of 7.2.0.Alpha1, which will be, as you pointed out, the next community release. I hope that we will release Alpha1 pretty soon.

                         

                         

                        --

                        tomaz
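
A pre-flight check for the failure discussed in this thread, as an added example that is not part of any post or of JBoss itself: it expands `${...}` expressions in the keystore and truststore attributes of `<ssl>` and `<jsse>` against a supplied property map and flags values that would reach the server as literal text or that resolve to a missing file. The `<server>` wrapper, the `example.unset.prop` property, the directory in `DEMO_PROPS` and all function names are assumptions; the XML is a constructed sample modelled on the posted snippets.

```python
import os
import re
import xml.etree.ElementTree as ET

# Path-bearing attributes taken from the snippets posted in the thread.
PATH_ATTRS = {
    "ssl": ("certificate-key-file", "ca-certificate-file"),
    "jsse": ("keystore-url", "truststore-url"),
}
EXPR = re.compile(r"\$\{([^}]+)\}")
DEMO_PROPS = {"jboss.server.config.dir": "/opt/jboss/standalone/configuration"}  # constructed

# Constructed sample; <server> wrapper and example.unset.prop are hypothetical.
SAMPLE = """<server>
  <subsystem xmlns="urn:jboss:domain:web:1.1">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl password="deleted" certificate-key-file="${jboss.server.config.dir}/server-cert.jks"
           ca-certificate-file="${jboss.server.config.dir}/truststore.jks"/>
    </connector>
  </subsystem>
  <jsse keystore-url="file:${jboss.server.config.dir}/server-cert.jks"
        truststore-url="${example.unset.prop}/truststore.jks"/>
</server>"""

def expand(value, props):
    """Replace ${name} with props[name]; unknown names stay as literal text."""
    return EXPR.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def check_keystore_paths(xml_text, props, exists=os.path.exists):
    """Return (element, attribute, expanded value, status) per path attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace, if any
        for attr in (a for a in PATH_ATTRS.get(tag, ()) if a in elem.attrib):
            value = expand(elem.attrib[attr], props)
            path = value[5:] if value.startswith("file:") else value
            if EXPR.search(value):
                status = "unresolved-expression"  # would be opened as a literal path
            elif not exists(path):
                status = "missing-file"
            else:
                status = "ok"
            findings.append((tag, attr, value, status))
    return findings

if __name__ == "__main__":
    for row in check_keystore_paths(SAMPLE, DEMO_PROPS):
        print(*row)
```

Run against a real standalone.xml, any `unresolved-expression` row corresponds to the `FileNotFoundException: ${jboss.server.config.dir}/...` seen in the stack traces above.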