-
1. Re: JBoss eap 6.4 mutual (two way) ssl configuration
abhijithumbe Dec 9, 2015 8:33 AM (in response to peter_jaxy)
Configuring $JBOSS_HOME/[standalone|domain]/configuration/[standalone.xml|domain.xml]:
- Place the created keystore.jks file under $JBOSS_HOME/[standalone|domain]/configuration/ directory
- Place the created truststore.jks file under $JBOSS_HOME/[standalone|domain]/configuration/ directory
Configure the connector in the web subsystem, like so:
~~~
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https">
<ssl name="ssl" key-alias="jboss" password="password" ca-certificate-password="password"
certificate-key-file="${jboss.server.config.dir}/keystore.jks"
ca-certificate-file="${jboss.server.config.dir}/truststore.jks"
protocol="TLSv1" verify-client="true"/>
</connector>
~~~
For a domain install you will need to replace ${jboss.server.config.dir} with ${jboss.domain.config.dir} and the connector should be added to the profile configured in the server-group.
Keep in mind that you may need to import the certificate into the browser, which may mean it needs to be converted to a PKCS12 file.
~~~
keytool -importkeystore -srckeystore identity.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore browser_key.p12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias mykey successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
~~~
Your browser may ask to add an exception, and then it should take you to your JBoss server.
If you are testing the SSL configuration with a standalone Java client, specify the trust store for the client as:
-Djavax.net.ssl.trustStore=/certs/identity.jks -Djavax.net.ssl.trustStorePassword=password
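The keystore-building steps behind the configuration above, as an added example that is not part of the original post or of JBoss EAP. It uses keytool only and creates, in one directory, the server keystore.jks (alias jboss, matching key-alias="jboss"), the server truststore.jks holding the client certificate that verify-client="true" checks against, the client identity.jks, a client-side truststore for a standalone Java client, and the PKCS12 copy of the client identity for browser import. The passwords, the aliases jboss and client, the subject names, and the file name client-truststore.jks are assumptions chosen for illustration; the store passwords are deliberately all different to show that keytool imposes no relation between them (each only has to be at least 6 characters), while each key password is kept equal to its store password because the EAP 6 ssl element carries a single password per store and PKCS12 stores require the two to be equal anyway.

```shell
#!/bin/sh
# Added example, not from the original thread: build every keystore the EAP 6.4
# two-way SSL connector refers to, using keytool alone.
# All passwords, aliases and subject names are illustrative assumptions.

SERVER_STOREPASS='server-store-pw'   # maps to <ssl password="...">
TRUST_STOREPASS='server-trust-pw'    # maps to <ssl ca-certificate-password="...">
CLIENT_STOREPASS='client-store-pw'   # client identity.jks, also its key password
BROWSER_P12_PASS='browser-p12-pw'    # PKCS12 copy handed to the browser

# build_mtls_stores DIR: creates keystore.jks, truststore.jks, identity.jks,
# client-truststore.jks and browser_key.p12 in DIR. Returns 127 if keytool
# (part of a JDK) is not on PATH, 1 on any keytool failure, 0 on success.
build_mtls_stores() {
    d="$1"
    command -v keytool >/dev/null 2>&1 || { echo 'keytool not on PATH (install a JDK)' >&2; return 127; }
    mkdir -p "$d" || return 1

    # 1. Server identity, alias "jboss" to match key-alias="jboss". Key password
    #    equals store password: the EAP 6 <ssl> element carries only one password.
    keytool -genkeypair -alias jboss -keyalg RSA -keysize 2048 -validity 365 \
        -dname 'CN=localhost, O=Example' -ext 'SAN=dns:localhost' \
        -keystore "$d/keystore.jks" -storetype JKS \
        -storepass "$SERVER_STOREPASS" -keypass "$SERVER_STOREPASS" || return 1

    # 2. Client identity (the certificate the browser or Java client will present).
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname 'CN=client1, O=Example' \
        -keystore "$d/identity.jks" -storetype JKS \
        -storepass "$CLIENT_STOREPASS" -keypass "$CLIENT_STOREPASS" || return 1

    # 3. Client certificate (public part only) into the server truststore: this is
    #    what verify-client="true" validates the presented client certificate against.
    keytool -exportcert -rfc -alias client -file "$d/client.crt" \
        -keystore "$d/identity.jks" -storepass "$CLIENT_STOREPASS" || return 1
    keytool -importcert -noprompt -alias client -file "$d/client.crt" \
        -keystore "$d/truststore.jks" -storetype JKS -storepass "$TRUST_STOREPASS" || return 1

    # 4. Server certificate into a client-side truststore, for
    #    -Djavax.net.ssl.trustStore=client-truststore.jks on a standalone Java client.
    keytool -exportcert -rfc -alias jboss -file "$d/server.crt" \
        -keystore "$d/keystore.jks" -storepass "$SERVER_STOREPASS" || return 1
    keytool -importcert -noprompt -alias jboss -file "$d/server.crt" \
        -keystore "$d/client-truststore.jks" -storetype JKS -storepass "$CLIENT_STOREPASS" || return 1

    # 5. PKCS12 copy of the client identity for browser import. PKCS12 requires
    #    key password == store password, so -destkeypass repeats -deststorepass.
    keytool -importkeystore -noprompt \
        -srckeystore "$d/identity.jks" -srcstoretype JKS -srcstorepass "$CLIENT_STOREPASS" \
        -srcalias client -srckeypass "$CLIENT_STOREPASS" \
        -destkeystore "$d/browser_key.p12" -deststoretype PKCS12 \
        -deststorepass "$BROWSER_P12_PASS" -destalias client -destkeypass "$BROWSER_P12_PASS" || return 1
}

# count_entries STORE PASS TYPE STORETYPE: number of entries of TYPE
# (PrivateKeyEntry or trustedCertEntry) in STORE, so the result can be
# checked instead of eyeballed. Prints 0 if the store cannot be opened.
count_entries() {
    keytool -list -keystore "$1" -storepass "$2" -storetype "$4" 2>/dev/null | grep -c "$3"
}

# Stand-alone run: sh this_script.sh --run builds into ./mtls-demo and reports
# what each store contains.
if [ "${1:-}" = "--run" ]; then
    build_mtls_stores ./mtls-demo || exit $?
    echo "server truststore trusted certs: $(count_entries ./mtls-demo/truststore.jks "$TRUST_STOREPASS" trustedCertEntry JKS)"
    echo "browser p12 private keys: $(count_entries ./mtls-demo/browser_key.p12 "$BROWSER_P12_PASS" PrivateKeyEntry PKCS12)"
fi
```

After running it, keystore.jks and truststore.jks go into $JBOSS_HOME/standalone/configuration/ with password="server-store-pw" and ca-certificate-password="server-trust-pw" (or whatever values you substitute) in the ssl element, browser_key.p12 is imported into the browser with its own password, and identity.jks plus client-truststore.jks serve a standalone Java client.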
-
2. Re: JBoss eap 6.4 mutual (two way) ssl configuration
peter_jaxy Dec 9, 2015 10:19 AM (in response to abhijithumbe)
If keystore.jks = server.keystore, generated by:
~~~
keytool -genkey -keyalg RSA -keystore server.keystore -storepass keypassword_1 -validity 365
~~~
If identity.jks = client.keystore, generated by:
~~~
keytool -genkey -keystore client.keystore -storepass keypassword_2 -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
~~~
If truststore.jks = client.truststore, generated by:
~~~
keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass keypassword_3 -keypass keypassword_4 -file client.crt
keytool -import -file client.crt -keystore client.truststore
~~~
What rules apply to keypassword_1, keypassword_2, keypassword_3 and keypassword_4?
Is it necessary that keypassword_1 != keypassword_2 != keypassword_3 != keypassword_4?