In JBoss EAP 6.4, you can specify the enabled protocols for security-realms with the following configuration:
<engine enabled-protocols="TLSv1.1 TLSv1.2" />
<keystore ... />
In JBoss EAP 7.x it can be achieved by defining the configuration under the security realm; below is the CLI command for the same:
Note: for TLS1.2 you need JDK7 or newer, as support for it was added in 7.
I don't have any SSL certificates installed in JBoss. Can I still add the SSL tag mentioned above in the configuration to support TLS1.2 without certificates? For information, I am using JBoss 7.1AS (community).
Without enabling SSL or without having certificates, TLS has no meaning. TLS is for implementing security.
Use the simple command below to create a keystore with a self-signed certificate and then enable SSL:
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Now configure this keystore (created above) in a JBoss connector to enable SSL:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" >
<ssl name="ssl" key-alias="mydomain" password="password"
Thanks for your suggestions. I am aware of the commands to be used and the necessity of SSL certificates.
I have already enabled the TLS1.2 protocol at the Apache level, so all the requests poke to JBoss using 1.2. But there are some other internal services which connect to JBoss directly without Apache. For this, I have to make changes at the JBoss level. Would it be possible at JBoss without SSL to enable TLS 1.2, as it runs on JDK1.7? My concern is that if I create new SSL certs for JBoss, it may interrupt other services. Any suggestions, please.
Looks like you have SSL enabled from browser to Apache but not for Apache to JBoss EAP.
Now your Apache-to-EAP communication is working over HTTP, not HTTPS, and if you enable an HTTPS connector in EAP then I don't believe anything should break unless you remove the already working HTTP connector.
So don't make any change to the working HTTP connector (not even redirection to HTTPS); start a new HTTPS connector on JBoss EAP and configure the internal services that intend to connect to JBoss EAP directly to use this new HTTPS connector/port.
Also, it is not possible to set any TLS protocol or TLS communication without providing an SSL certificate.
>> For this, I have to make changes at the JBoss level. Would it be possible at JBoss without SSL to enable TLS 1.2, as it runs on JDK1.7? My concern is that if I create new SSL certs for JBoss, it may interrupt other services. Any suggestions, please.
No, it won't be possible. You need to have SSL enabled at the JBoss level. If you enable one-way SSL at the JBoss level as well, I don't think it will impact anything. You just need to access the services over HTTPS.
Will work on it and would update re SSL certs.
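One way to confirm from the client side which protocol versions a new HTTPS connector actually accepts, as an added example that is not part of the thread. It relies on `openssl s_client`; the function names, the local test listener and the host and port in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check which TLS versions a listener accepts.

# probe_tls HOST PORT FLAG: exit status 0 if a handshake using only that
# protocol version (s_client flag tls1, tls1_1 or tls1_2) completes.
probe_tls() {
    timeout 10 openssl s_client -connect "$1:$2" "-$3" </dev/null >/dev/null 2>&1
}

# report_tls HOST PORT: print "<flag> accepted" or "<flag> rejected" per version.
report_tls() {
    for flag in tls1 tls1_1 tls1_2; do
        if probe_tls "$1" "$2" "$flag"; then
            echo "$flag accepted"
        else
            echo "$flag rejected"
        fi
    done
}

# start_test_listener DIR PORT: constructed local stand-in for the JBoss HTTPS
# connector. It needs a certificate before it can speak TLS at all, so a
# throwaway self-signed one is created; -tls1_2 restricts it to TLS 1.2.
# Sets LISTENER_PID; returns non-zero if the listener never comes up.
start_test_listener() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    openssl s_server -accept "$2" -cert "$1/cert.pem" -key "$1/key.pem" \
        -tls1_2 -www </dev/null >/dev/null 2>&1 &
    LISTENER_PID=$!
    tries=0
    until probe_tls 127.0.0.1 "$2" tls1_2; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
}

# Usage against a real server (host and port are placeholders):
#   report_tls jboss.example.internal 8443
```

A `rejected` line can also mean the port is unreachable or that the local OpenSSL build refuses to offer that older version, so confirm a surprising result with a second client.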