10 Replies Latest reply on Jan 30, 2002 11:00 PM by Benjamin Chi

    JBoss 2.4.4 + Tomcat 4.0.1 and SSL

    Yuriy Kuzmenko Newbie

      Hello.
      I have some problem with configuration of SSL in the subj.
      As far as I know, I have to add in jboss.jcml MBean




      .keystore
      alazar


      and enable the EmbeddedCatalinaServiceSX MBean:


      9080

      java:/jaas/SSL



      also I have generated the public/private keys pair and wraped it into self-signed certificate with alias SSL, stored in the JBOSS_HOME/bin/.keystore file.
      As a result, the https://localhost:9080/ have become available, but http://localhost:9080 have not.
      What did I wrong? Or there is a bug in this bundle?

        • 1. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
          Colin Boatwright Newbie

          You have to add an additional inside your tag. If I'm not mistaken, it would be:

          <mbean ... >
          < .. same stuff as you have here .. >





          Alternatively, you could remove the "SecurityDomain" attribute and add a Config attribute similar to above, but instead make it secure:
          <mbean ... >
          < .. same stuff as you have here minus the Security Domain attribute .. >







          Regardless of which method you choose (not sure one is better than another) this will tell Tomcat to listen to both ports, one secure and the other non-secure. This should work with 2.4.4 (it does not work with 2.4.3).

          Hope this helps,
          Colin

          • 2. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
            Nathan W. Phelps Novice

            I want to do the same thing, but I'm a bit confused trying to combine the two posts. Can someone post an example with everything we need to put in jboss.jcml to enable SSL on port 443 and normal http on port 80 using JBoss 2.4.4 and Tomcat 4.0.1? Ideally, it should always accept HTTP and redirect to the SSL port if a security constraint is present (just like stand alone Tomcat 4.0).

            • 3. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
              Mike Newbie

              This is the solution I posted here: http://jboss.org/forums/thread.jsp?forum=61&thread=6234




              //(no 's' on arg...)

              .keystore
              changeit


              ...
              and

              ...

              <!-- Uncomment to add embedded catalina service -->

              80






              This works great on all platforms... I guess I have an 'old' version of the 2.4.4 catalina bundle at work

              As for redirect, the above can also take a parameter like redirectPort="443" in the connector tag or as
              443

              Play around and let me know if this works

              Mike

              • 4. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
                Benjamin Chi Newbie

                I can't get this to work. I was able to browse the https port. When I turn on the JSSE debug and then browse, I see this debug info on the console:
                ================================
                [INFO,Default] [read] MD5 and SHA1 hashes: len = 3
                0000[INFO,Default] :
                01[INFO,Default]
                03[INFO,Default]
                00[INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default]
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default]
                [INFO,Default] [read] MD5 and SHA1 hashes: len = 64
                0000[INFO,Default] :
                00[INFO,Default]
                2A[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                10[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                [INFO,Default]
                04[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                05[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                0A[INFO,Default]
                01[INFO,Default]
                [INFO,Default]
                [INFO,Default] .
                *[INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default]
                0010[INFO,Default] :
                00[INFO,Default]
                80[INFO,Default]
                07[INFO,Default]
                00[INFO,Default]
                C0[INFO,Default]
                03[INFO,Default]
                00[INFO,Default]
                80[INFO,Default]
                [INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                09[INFO,Default]
                06[INFO,Default]
                00[INFO,Default]
                40[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                [INFO,Default]
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                @[INFO,Default] .
                [INFO,Default] .
                [INFO,Default]
                0020[INFO,Default] :
                64[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                62[INFO,Default]
                00[INFO,Default]
                00[INFO,Default]
                03[INFO,Default]
                00[INFO,Default]
                [INFO,Default]
                00[INFO,Default]
                06[INFO,Default]
                02[INFO,Default]
                00[INFO,Default]
                80[INFO,Default]
                04[INFO,Default]
                00[INFO,Default]
                80[INFO,Default]
                [INFO,Default]
                d[INFO,Default] .
                [INFO,Default] .
                b[INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default]
                0030[INFO,Default] :
                64[INFO,Default]
                56[INFO,Default]
                10[INFO,Default]
                43[INFO,Default]
                DE[INFO,Default]
                F4[INFO,Default]
                74[INFO,Default]
                D8[INFO,Default]
                [INFO,Default]
                FB[INFO,Default]
                79[INFO,Default]
                A9[INFO,Default]
                95[INFO,Default]
                82[INFO,Default]
                88[INFO,Default]
                E8[INFO,Default]
                51[INFO,Default]
                [INFO,Default]
                dV[INFO,Default] .
                C[INFO,Default] .
                [INFO,Default] .
                t[INFO,Default] .
                [INFO,Default] .
                y[INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                [INFO,Default] .
                Q[INFO,Default]
                [INFO,Default] HttpProcessor[443][4], READ: SSL v2, contentType = 22, translated length = 59
                [INFO,Default] *** ClientHello, v3.0
                [INFO,Default] RandomCookie:
                [INFO,Default] GMT: 0
                [INFO,Default] bytes = {
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 100
                [INFO,Default] ,
                [INFO,Default] 86
                [INFO,Default] ,
                [INFO,Default] 16
                [INFO,Default] ,
                [INFO,Default] 67
                [INFO,Default] ,
                [INFO,Default] 222
                [INFO,Default] ,
                [INFO,Default] 244
                [INFO,Default] ,
                [INFO,Default] 116
                [INFO,Default] ,
                [INFO,Default] 216
                [INFO,Default] ,
                [INFO,Default] 251
                [INFO,Default] ,
                [INFO,Default] 121
                [INFO,Default] ,
                [INFO,Default] 169
                [INFO,Default] ,
                [INFO,Default] 149
                [INFO,Default] ,
                [INFO,Default] 130
                [INFO,Default] ,
                [INFO,Default] 136
                [INFO,Default] ,
                [INFO,Default] 232
                [INFO,Default] ,
                [INFO,Default] 81
                [INFO,Default] }
                [INFO,Default] Session ID:
                [INFO,Default] {}
                [INFO,Default] Cipher Suites: {
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 4
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 5
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 10
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 9
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 100
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 98
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 3
                [INFO,Default] ,
                [INFO,Default] 0
                [INFO,Default] ,
                [INFO,Default] 6
                [INFO,Default] }
                [INFO,Default] Compression Methods: {
                [INFO,Default] 0
                [INFO,Default] }
                [INFO,Default] ***
                [INFO,Default] %% Created: [Session-2, SSL_NULL_WITH_NULL_NULL]
                [INFO,Default] HttpProcessor[443][4]
                [INFO,Default] , SEND SSL v3.0 ALERT:
                [INFO,Default] fatal,
                [INFO,Default] description = handshake_failure
                [INFO,Default] HttpProcessor[443][4], WRITE: SSL v3.0 Alert, length = 2
                ================================

                So, at lease the server is listening to port 443, but the handshake fail.

                Do I need to change the RMI+SSL to something else? I changed to the WAR context name, and also used my host name as well. But both still doesn't work.

                I did generated the .keystore file using Keytool and configured correctly with the right password.

                What could be the problem?

                Thanks,
                Benjamin

                • 5. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
                  Benjamin Chi Newbie

                  Here's the portion of my jboss.jcml:
                    
                  <!-- Tomcat 4.0.1 SSL Configuration -->

                    
                      
                    
                     .keystore
                     password


                     8080
                     443
                    
                    
                    
                    
                    

                  • 6. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
                    Benjamin Chi Newbie

                    I found this article on how SSL works and how to configure SSL Client/Server etc:

                    http://www.onjava.com/pub/a/onjava/2001/05/03/java_security.html

                    Hopefully it'll help resolving the problem.

                    • 7. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
                      Benjamin Chi Newbie

                      JBoss throws this exception for the .keystore created using keytool "keytool -genkey -keystore .keystore -keyalg rsa -alias bchi -storepass serverkspw -keypass serverpw", this creates a .keystore file I updated the jboss.jcml with the keystore location and password:

                      When I start up the server I get this error message:

                      [ERROR,ConfigurationService] Unexpected error
                      java.security.UnrecoverableKeyException: Cannot recover key
                      at sun.security.provider.KeyProtector.recover(KeyProtector.java:304)
                      at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:106)
                      at java.security.KeyStore.getKey(KeyStore.java:250)
                      at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.([DashoPro-V1.2-120198])
                      at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit([DashoPro-V1.2-120198])
                      at com.sun.net.ssl.KeyManagerFactory.init([DashoPro-V1.2-120198])
                      at org.jboss.security.plugins.JaasSecurityDomain.start(JaasSecurityDomain.java:99)
                      at java.lang.reflect.Method.invoke(Native Method)
                      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
                      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
                      at org.jboss.configuration.ConfigurationService$ServiceProxy.invoke(ConfigurationService.java:967)
                      at $Proxy0.start(Unknown Source)
                      at org.jboss.util.ServiceControl.start(ServiceControl.java:79)
                      at java.lang.reflect.Method.invoke(Native Method)
                      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
                      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
                      at org.jboss.Main.(Main.java:208)
                      at org.jboss.Main$1.run(Main.java:110)
                      at java.security.AccessController.doPrivileged(Native Method)
                      at org.jboss.Main.main(Main.java:106)

                      What am I doing wrong?

                      • 8. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
                        Benjamin Chi Newbie

                        Somehow if I don't specify the name of keystore when using keytool to generate the key then I don't have a problem.
                        The generated .keystore is placed on a default directory which is at my "C:\Documents and Settings\Benjamin", then I just copy the file over to the desired location, it seems to work. One more thing I had to change was for the following, I need to change from "bchi" to "tomcat", that works!




                        ...
                        ...

                        ...
                        ...

                        Benjamin

                        • 9. Re: JBoss 2.4.4 + Tomcat 4.0.1 and SSL
                          Mike Newbie

                          The Keystore can be named anything but the alias has to 'tomcat' and the keypass and the store pass have to be the same

                          so
                          keytool -genkey -keystore .keystore -keyalg rsa -alias bchi -storepass serverkspw -keypass serverpw

                          should be more like

                          keytool -genkey -keystore anyname -keyalg rsa -alias tomcat-storepass apass -keypass apass

                          <!-- Tomcat 4.0.1 SSL Configuration -->




                          anyname
                          apass

                          ...

                          8080
                          443







                          Try this and see if it works


                          Mike