2 Replies Latest reply on Mar 16, 2016 12:42 PM by Ali Bhagat

    SSL Certificate Import and configuration for JBoss

    Ali Bhagat Newbie

      Hello,

       

      I am fairly new to the JBoss configuration and I have been asked to import a certificate into the JBoss App server. Based on what I have read around on the forums I think I did what was necessary, but we still keep seeing the "None of the TrustManagers allowed for trust of the SSL certificate(s) provided by the remote server to which this client attempted a connection" error message. We have hosted a Pega application on our JBoss server, and the Pega application makes a 1-way outbound call to consume services from IBM Datapower. We are using Red Hat JBoss Middleware (EWS+EAP) on Red Hat Enterprise Linux 7.1 and have set up JBoss in Domain mode.

       

      JBoss Enterprise Application Platform version 6.4 is installed under the /opt/jboss folder, owned by the jboss system user, and configured to run in Domain mode only. The environment is pre-configured with one Domain controller and one or more Host controllers. All host controllers can be managed by the domain controller. The environment is also tailored to operate in the full-HA profile exclusively.

       

      [Attached screenshot: 2016-03-15 20_32_07-README.png]

      We have a SGWSGateway-sscert.pem certificate for Datapower that I was asked to import into JBoss. The steps I took were as follows. If I can get any help on what I have set up incorrectly or what I need to change, I will be greatly obliged.

       

      1) Import it into the jbossTrust.jks in /host-controller/configuration/keystores using the alias sgwsgateway.

           [Attached screenshot: 2016-03-15 21_24_33-root@lvappi00139__usr_java_jdk1.7.0_79_bin.png]

      2) The domain.xml configuration is:

               

                 <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                            <ssl/>
                      </connector>
                      <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                      <virtual-server name="default-host" enable-welcome-root="true">
                          <alias name="localhost"/>
                      </virtual-server>
                  </subsystem>
      


        <interfaces>
              <interface name="management"/>
              <interface name="public"/>
              <interface name="unsecure"/>
          </interfaces>
      
      
          <socket-binding-groups>
              <socket-binding-group name="full-ha-sockets" default-interface="public">
                  <socket-binding name="ajp" port="8009"/>
                  <socket-binding name="http" port="8080"/>
                  <socket-binding name="https" port="8443"/>
                  <socket-binding name="jacorb" interface="unsecure" port="3528"/>
                  <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
                  <socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
                  <socket-binding name="jgroups-tcp" port="7600"/>
                  <socket-binding name="jgroups-tcp-fd" port="57600"/>
                  <socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
                  <socket-binding name="jgroups-udp-fd" port="54200"/>
                  <socket-binding name="messaging" port="5445"/>
                  <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
                  <socket-binding name="messaging-throughput" port="5455"/>
                  <socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
                  <socket-binding name="remoting" port="4447"/>
                  <socket-binding name="txn-recovery-environment" port="4712"/>
                  <socket-binding name="txn-status-manager" port="4713"/>
                  <outbound-socket-binding name="mail-smtp">
                      <remote-destination host="localhost" port="25"/>
                  </outbound-socket-binding>
              </socket-binding-group>
          </socket-binding-groups>
      


          <server-groups>
              <server-group name="jboss-server-group" profile="full-ha">
                  <jvm name="pega_default">
                      <heap size="4096m" max-size="8192m"/>
                      <permgen size="768m" max-size="1536m"/>
                      <jvm-options>
                          <option value="-Xms8192m"/>
                          <option value="-Xmx8192m"/>
                          <option value="-XX:NewSize=1536m"/>
                          <option value="-XX:MaxNewSize=1536m"/>
                          <option value="-XX:PermSize=768m"/>
                          <option value="-XX:MaxPermSize=1536m"/>
                          <option value="-Djboss.as.management.blocking.timeout=60000"/>
                          <option value="-Djava.net.preferIPv4Stack=true"/>
                          <option value="-XX:TargetSurvivorRatio=90"/>
                          <option value="-XX:+UseParNewGC"/>
                          <option value="-XX:+UseConcMarkSweepGC"/>
                          <option value="-XX:+UseCMSInitiatingOccupancyOnly"/>
                          <option value="-XX:CMSInitiatingOccupancyFraction=80"/>
                          <option value="-XX:+CMSClassUnloadingEnabled"/>
                          <option value="-XX:ReservedCodeCacheSize=768m"/>
                          <option value="-XX:+UseCodeCacheFlushing"/>
                          <option value="-XX:+DisableExplicitGC"/>
                          <option value="-XX:+PrintGCDetails"/>
                          <option value="-verbose:gc"/>
                          <option value="-Xloggc:/opt/jboss/host-controller/log/gc.%t.%p.log"/>
                          <option value="-XX:+UseGCLogFileRotation"/>
                          <option value="-XX:NumberOfGCLogFiles=10"/>
                          <option value="-XX:GCLogFileSize=1M"/>
                          <option value="-Djava.awt.headless=true"/>
                          <option value="-Djboss.modules.policy-permissions=true"/>
                      </jvm-options>
                  </jvm>
                  <socket-binding-group ref="full-ha-sockets"/>
                  <deployments>
                      <deployment name="example.war" runtime-name="example.war"/>
                      <deployment name="prhelp.war" runtime-name="prhelp.war"/>
                      <deployment name="prsysmgmt_jboss.war" runtime-name="prsysmgmt_jboss.war"/>
                      <deployment name="prpc_j2ee14_jboss61JBM.ear" runtime-name="prpc_j2ee14_jboss61JBM.ear"/>
                  </deployments>
              </server-group>
          </server-groups>
      


      3) The host-master.xml configuration is:


              <security-realms>
                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl protocol="TLSv1">
                              <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::dc_ident_keystore_password::1}" alias="jboss_domain"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                      </authorization>
                  </security-realm>
      
      


          <domain-controller>
              <local/>
          </domain-controller>
      
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
          </interfaces>
      
      
          <jvms>
              <jvm name="default">
                  <heap size="4096m" max-size="8192m"/>
                  <permgen size="768m" max-size="1536m"/>
                  <jvm-options>
                      <option value="-server"/>
                  </jvm-options>
              </jvm>
          </jvms>
      


      4) The host-slave.xml configuration is:


              <security-realms>
                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl protocol="TLSv1">
                              <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_identity_keystore_password::1}" alias="jboss_host"/>
                          </ssl>
                          <secret value="U2NvdGlhYmFua0Ax"/>
                      </server-identities>
                      <authentication>
                          <truststore path="keystores/jbossTrust.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_trust_keystore_password::1}"/>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                      </authorization>
                  </security-realm>
      


          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
              <interface name="public">
                  <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
              <interface name="unsecure">
                  <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
              </interface>
          </interfaces>
      
      
          <servers>
              <server name="jboss-server-one" group="jboss-server-group" auto-start="true">
                  <jvm name="pega_default"/>
                  <socket-bindings port-offset="100"/>
              </server>
        </servers>
      


      Regards

      Ali.
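An added diagnostic for the outbound-call side of this problem; it is example code written for this page, not code from the post, from Pega or from JBoss EAP. The "None of the TrustManagers allowed for trust" error is raised by the application's own TLS client, and JSSE's default TrustManager never consults the ManagementRealm truststore in host-slave.xml, which only serves the management interface. JSSE resolves its trust store in a fixed order: the javax.net.ssl.trustStore system property if set, otherwise jssecacerts and then cacerts under the JRE's lib/security directory. The script reads a server group's jvm-options from a trimmed, constructed copy of the domain.xml above (the urn:jboss:domain:1.7 namespace is an assumption for the sample; matching is on local element names), reports which store an outbound connection from that JVM would actually read, and builds the corrected option list. The path IMPORTED_STORE is assembled from the post's /opt/jboss install root and the host-controller/configuration/keystores/jbossTrust.jks location and is an assumption about the real layout.

```python
"""Added example: which trust store does an EAP 6 managed server's outbound
TLS call consult, and does the certificate import land in that store?
Not code from the forum post, from Pega or from JBoss EAP."""
import xml.etree.ElementTree as ET
from typing import List, Optional

# JSSE fallback order when javax.net.ssl.trustStore is not set.
# <java-home> is the JRE directory ($JAVA_HOME/jre on a JDK 7 install).
JSSE_DEFAULT_STORES = (
    "<java-home>/lib/security/jssecacerts",
    "<java-home>/lib/security/cacerts",
)

# Constructed sample: a trimmed copy of the server group shown in the post.
# The namespace is an assumption for the sample; the helpers match on local
# element names, so the real file's namespace does not matter.
SAMPLE_DOMAIN_XML = """<domain xmlns="urn:jboss:domain:1.7">
  <server-groups>
    <server-group name="jboss-server-group" profile="full-ha">
      <jvm name="pega_default">
        <jvm-options>
          <option value="-Xms8192m"/>
          <option value="-Djava.net.preferIPv4Stack=true"/>
          <option value="-Djava.awt.headless=true"/>
        </jvm-options>
      </jvm>
      <socket-binding-group ref="full-ha-sockets"/>
    </server-group>
  </server-groups>
</domain>"""

# Assumed full path of the store the certificate was imported into
# (post: /opt/jboss install, host-controller/configuration/keystores).
IMPORTED_STORE = "/opt/jboss/host-controller/configuration/keystores/jbossTrust.jks"


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def jvm_options(domain_xml: str, server_group: str) -> List[str]:
    """Return the <option value=...> strings under the named server group."""
    root = ET.fromstring(domain_xml)
    for sg in root.iter():
        if _local(sg.tag) == "server-group" and sg.get("name") == server_group:
            return [o.get("value", "") for o in sg.iter() if _local(o.tag) == "option"]
    raise KeyError(f"no server-group named {server_group}")


def system_property(options: List[str], name: str) -> Optional[str]:
    """Value of a -D<name>=<value> option, or None when it is not set."""
    prefix = f"-D{name}="
    for opt in options:
        if opt.startswith(prefix):
            return opt[len(prefix):]
    return None


def effective_truststores(options: List[str]) -> List[str]:
    """Stores JSSE will try, in order, for this JVM's outbound TLS trust."""
    explicit = system_property(options, "javax.net.ssl.trustStore")
    if explicit is not None:
        return [explicit]  # property set: only that store is consulted
    return list(JSSE_DEFAULT_STORES)


def import_is_effective(options: List[str], imported_store: str) -> bool:
    """True only if the store the cert went into is one JSSE will read."""
    return imported_store in effective_truststores(options)


def with_truststore(options: List[str], store_path: str) -> List[str]:
    """Corrected option list that points JSSE at the custom trust store.
    No trustStorePassword is appended: JSSE opens a trust store without an
    integrity check when that property is absent, and the store holds only
    public certificates."""
    if system_property(options, "javax.net.ssl.trustStore") is not None:
        return list(options)  # already pinned; do not add a second one
    return list(options) + [f"-Djavax.net.ssl.trustStore={store_path}"]


if __name__ == "__main__":
    opts = jvm_options(SAMPLE_DOMAIN_XML, "jboss-server-group")
    print("stores consulted now:      ", effective_truststores(opts))
    print("import effective?          ", import_is_effective(opts, IMPORTED_STORE))
    fixed = with_truststore(opts, IMPORTED_STORE)
    print("import effective after fix?", import_is_effective(fixed, IMPORTED_STORE))
```

Two caveats on the corrected option list. Setting javax.net.ssl.trustStore replaces the JRE's cacerts entirely for that JVM, so every public CA the application's other outbound calls depend on must also be imported into jbossTrust.jks; the alternative that keeps the default set intact is to import the Datapower certificate (or its issuing CA) into the JRE's own cacerts, which on the post's JDK 7 install would be /usr/java/jdk1.7.0_79/jre/lib/security/cacerts, and leave the property unset. Either way, the managed servers must be restarted for a changed jvm-options block or a changed cacerts file to take effect.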