12 Replies Latest reply on Jun 28, 2002 5:09 AM by virtuous

    jboss2.4.4-Catalina4.0.1-beta ssl config probs

    Mike Newbie

      I finally discovered how to configure SSL (and afew other things) with the above version of jboss-tomcat - and it only cost $10 US ;)

      Anyway, my jboss.jmcl now has the following:





      .keystore
      changeit


      ...
      and

      ...

      <!-- Uncomment to add embedded catalina service -->

      80






      I'm trying to run this on Win 98 (at home) and I get the following error in the log:

      [20:48:24,200,EmbeddedCatalinaServiceSX] Starting
      [20:48:24,200,EmbeddedCatalinaServiceSX] Starting EmbeddedCatalinaSX....
      [20:48:24,250,EmbeddedCatalinaServiceSX] Setting catalina debug level to: 0
      [20:48:24,580,EmbeddedCatalinaServiceSX] Setting catalina.home to: E:\JBoss-2.4.4_Tomcat-4.0.1-beta\catalina
      [20:48:24,860,EmbeddedCatalinaServiceSX] Building Http engine and connector
      [20:48:25,840,JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@3c6641
      [20:48:25,840,JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@5d391d
      [20:48:25,900,RMI+SSL] CachePolicy set to: org.jboss.util.TimedCachePolicy@5d391d
      [20:48:25,900,JaasSecurityManagerService] Added RMI+SSL, org.jboss.security.plugins.SecurityDomainContext@50a649 to map
      [20:48:25,900,Default] Apache Tomcat/4.0.1
      [20:48:26,010,EmbeddedCatalinaServiceSX] HttpConnector Opening server socket on all host IP addresses
      [20:48:26,010,EmbeddedCatalinaServiceSX] HttpConnector[80] Starting background thread
      [20:48:26,450,EmbeddedCatalinaServiceSX] HttpProcessor[80][0] Starting background thread
      [20:48:26,500,EmbeddedCatalinaServiceSX] HttpProcessor[80][1] Starting background thread
      [20:48:26,500,EmbeddedCatalinaServiceSX] HttpProcessor[80][2] Starting background thread
      [20:48:26,500,EmbeddedCatalinaServiceSX] HttpProcessor[80][3] Starting background thread
      [20:48:26,500,EmbeddedCatalinaServiceSX] HttpProcessor[80][4] Starting background thread
      [20:48:26,500,EmbeddedCatalinaServiceSX] HttpConnector Opening server socket on all host IP addresses
      [20:48:26,560,EmbeddedCatalinaServiceSX] Stopped
      java.lang.NullPointerException
      at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)
      at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
      at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:946)
      at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1114)
      at org.apache.catalina.startup.Embedded.start(Embedded.java:962)
      at org.jboss.web.catalina.EmbeddedCatalinaServiceSX.startService(EmbeddedCatalinaServiceSX.java:245)
      at org.jboss.util.ServiceMBeanSupport.start(ServiceMBeanSupport.java:103)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.configuration.ConfigurationService$ServiceProxy.invoke(ConfigurationService.java:959)
      at $Proxy0.start(Unknown Source)
      at org.jboss.util.ServiceControl.start(ServiceControl.java:79)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.Main.(Main.java:209)
      at org.jboss.Main$1.run(Main.java:111)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.Main.main(Main.java:107)
      [20:48:26,670,ConfigurationService] Unexpected error
      java.lang.NullPointerException
      at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)
      at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
      at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:946)
      at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1114)
      at org.apache.catalina.startup.Embedded.start(Embedded.java:962)
      at org.jboss.web.catalina.EmbeddedCatalinaServiceSX.startService(EmbeddedCatalinaServiceSX.java:245)
      at org.jboss.util.ServiceMBeanSupport.start(ServiceMBeanSupport.java:103)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.configuration.ConfigurationService$ServiceProxy.invoke(ConfigurationService.java:959)
      at $Proxy0.start(Unknown Source)
      at org.jboss.util.ServiceControl.start(ServiceControl.java:79)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.Main.(Main.java:209)
      at org.jboss.Main$1.run(Main.java:111)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.Main.main(Main.java:107)

      Any ideas? I only have a PII 350 with 128 megs of RAM so perhaps memory is my problem. If anyone can see a little faux pas, I'd appreciate it.

      Mike

        • 1. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
          Brill Pappin Newbie

          Hi Mike,
          Maybe we can help each other :) I refuse to buy the basic documentation that should be free because as far as I'm concerned, I am helping them with this project by spending many, many hours tracking down their bug in the simple process of getting it to work. Anyway, I think its unethical to charge for basic config documentation. particularly in light of the above.
          Ok, enough of the ramble.

          So far, yours is the only post that refers to SSL with the embedded tomcat 4. and I'm attempting to get SSL working.

          Anyway, i found it curious that in your example, you specify the service on port 80, and the connector (with the SSL SocketFactory defined) on port 443.

          In tomcat, when creating the port 80 HTTP service, you specify an attribute called redirectPort which points to the SSL connector.

          So, are you sure this config is correct? or should you be specifing two connectors?

          • 2. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
            Brill Pappin Newbie

            Ok, I'm getting the same exception, but before I do, I get another one:
            java.security.NoSuchAlgorithmException: Algorithm SunX509 not available

            So, why is the constructor string RMI+SSL rather than just SSL?

            • 3. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
              Brill Pappin Newbie

              Ok, got the SSL Working: Basicall I bypassed the JBoss config for it, and let tomcat (tried and tested) do the SSL connection. See the mlet code. Remember, in this case, the keystore file is referenced from the *catalina* home, not the jboss home. Also, the redirect port "RedirectPort" may or may not be a config option (though jboss doesn't complain about it) in tomcat, its for setting a non-standard SSL port to connect on (which I have to do on my dev machine) however its not doing the redirect. and i have to specify the port in the URL. Can someone tell me what the parameters are for the EmbeddedTomcat MLet? You'll also notice that I've set TLS as the protocal not SSL (SSL is now TLS).


              80
              8443





              • 4. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                Mike Newbie

                Well, I just tried my version on my machine at work (NT with 400 megs) and it works....with 2.4.4-Catalina 4.0.1

                ...but if I copy the same jboss.jmcl file to my jboss2.4.3-Catalina4.0 conf dir, only the regular http service starts (on 80), not the SSL on 443. Curious...I suspect a bug that the newer version fixes. I'm going to try your version of the mbean entry on the 2.4.3 version.

                starksm if you are reading this, is this a bug with 2.4.3? Should I report this as a bug?

                BTW Brill, hows the weather in TO..lived there for 8 years and I'm up in Ottawa now...

                Mike

                • 5. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                  Colin Boatwright Newbie

                  I got SSL working with the security domain. Something to know is that (in 2.4.3 at least) "KeyStoreURL" should be "KeyStoreFile". Not sure if they changed that in the 2.4.4 release or not.

                  Also, I never could get <Connector ...></Connector stuff to with with 2.4.3. Haven't tried 2.4.4 yet.

                  Colin Boatwright

                  • 6. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                    Mike Newbie

                    Yeah..I reported this as a bug and got the reply back that it is only in the 2.4.4 package....2.4.3 didn't even implement it. So I guess we should wait for 2.4.4 to become stable.

                    When is that anyway?

                    Mike

                    • 7. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                      Mike Newbie

                      An update: The above config has changed in the Dec 10 release of jboss2.4.4-Catalina4.0.1-beta ->

                      FYI it should now read (changes in bold):



                      ( Note: no 's' on arg...;) )

                      .keystore
                      changeit


                      ...
                      and

                      ...

                      <!-- Uncomment to add embedded catalina service -->

                      80






                      This works great on all platforms... I guess I have an 'old' version of the 2.4.4 catalina bundle at work

                      Mike "Nothing better to do on his x-mas vacation"

                      • 8. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                        Nathan W. Phelps Novice

                        I've got this exact config and I keep getting:

                        java.security.NoSuchAlgorithmException: Algorithm SunX509 not available

                        Ideas?

                        • 9. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                          Mike Newbie

                          Yeah...
                          This is an JSSE installation problem, not a jboss problem:

                          Make sure you have the following in your $JAVA_HOME/jre/lib/security/java.security file:

                          security.provider.1=sun.security.provider.Sun
                          security.provider.2=com.sun.net.ssl.internal.ssl.Provider
                          security.provider.3=com.sun.rsajca.Provider

                          Also be sure that your $JAVA_HOME/jre/lib/ext directory contains the following jars (from the JSSE download from java.sun.com):

                          jsse.jar
                          jcert.jar
                          jnet.jar
                          (USExportpolicy.jar if you are outside US and Canada)

                          and you should be off to the races

                          • 10. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                            Gerry Duhig Newbie

                            I have faithfully copied Mike's configuration and (finally !!) I can run both SSL and non-SSL and I can use 80 & 443 or 8080 and 8443. So far so good!

                            What I can't do and what is ESSENTIAL for our sites is have <transport-guarantee>CONFIDENTIAL</tr....>. I simply get an internal server error 500 returned!

                            Is this possible? How please?

                            Gerry

                            • 11. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                              virtuous Newbie

                              Hi,

                              May I know where can I obtain the file xportpolicy.jar ?
                              I'm from Malaysia

                              regards,
                              Vtkid

                              • 12. Re: jboss2.4.4-Catalina4.0.1-beta ssl config probs
                                virtuous Newbie

                                > Yeah...
                                > This is an JSSE installation problem, not a jboss
                                > problem:
                                >
                                > Make sure you have the following in your
                                > $JAVA_HOME/jre/lib/security/java.security file:
                                >
                                > security.provider.1=sun.security.provider.Sun
                                > security.provider.2=com.sun.net.ssl.internal.ssl.Provi
                                > er
                                > security.provider.3=com.sun.rsajca.Provider
                                >
                                > Also be sure that your $JAVA_HOME/jre/lib/ext
                                > directory contains the following jars (from the JSSE
                                > download from java.sun.com):
                                >
                                > jsse.jar
                                > jcert.jar
                                > jnet.jar
                                > (USExportpolicy.jar if you are outside US and
                                > Canada)
                                >
                                > and you should be off to the races
                                >

                                I am currently using JBoss_2.4.4_Tomcat_4.0.1. I get the following error message:

                                java.security.NoSuchAlgorithmException: Algorithm SunX509 not available


                                I've use the configuration by Mike as below:





                                C:/project/.keystore
                                changeit



                                <!-- Uncomment to add embedded catalina service -->

                                80








                                I've checked that my Jsse are installed properly and I am currently using the global version of JssE 1.0.3 as I am staying outside of US/Canada. Mike mention about xportpolicy.jar but I didn't manage to find it. Can you give me some guidelines about this? Thanks!

                                Please help!

                                vtkid