5 Replies Latest reply on Feb 28, 2002 5:23 PM by Andrew Swan

    SSL Configuration Help Please....

    Andrew Swan Newbie

      Dear All,

      I'm an SSL newbie and would like some help please. I'm trying to configure JBoss 2.4.4 + Tomcat 4.0.1 to use SSL on port 443 while continuing to service normal HTTP requests on port 80. After reading various threads on this site, I have done the following:

      What I've Done

      (1) used keytool.exe to create a keystore file called ".keystore", and saved this in my JBoss\bin directory. The file has the alias "tomcat" and both passwords are "hello1".

      (2) added the following sections to my jboss.jcml file:

      <!-- ==================================================================== -->
      <!-- SSL Security Domain (added by AS on 27/2/02) -->
      <!-- ==================================================================== -->




      .keystore
      hello1


      <!-- ==================================================================== -->
      <!-- EmbeddedCatalinaServiceSX (added by AS on 27/2/02) -->
      <!-- ==================================================================== -->

      80
      443







      The Problem

      When I start JBoss, I get a bunch of errors, this being the first one:

      [INFO,tomcat] Starting
      [ERROR,ConfigurationService] Unexpected error
      java.security.NoSuchAlgorithmException: Algorithm SunX509 not available
      at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
      at com.sun.net.ssl.KeyManagerFactory.getInstance([DashoPro-V1.2-120198])
      at org.jboss.security.plugins.JaasSecurityDomain.start(JaasSecurityDomain.java:98)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.configuration.ConfigurationService$ServiceProxy.invoke(ConfigurationService.java:967)
      at $Proxy0.start(Unknown Source)
      at org.jboss.util.ServiceControl.start(ServiceControl.java:79)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.Main.(Main.java:208)
      at org.jboss.Main$1.run(Main.java:110)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.Main.main(Main.java:106)

      Any ideas please? I have searched these forums for the SunX509 error message, but no luck.

      Thanks,

      Andrew

        • 1. Re: SSL Configuration Help Please....
          Mike Newbie

          Andrew,

          I think you can fix your configuration using either one of two ways

          1)change the line


          to
          <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="Security:name=JaasSecurityDomain,domain=RMI+SSL">

          and



          to

          <arg type="java.lang.String" value="RMI+SSL"/>

          or

          2) change the line



          to

          <Factory className="org.jboss.web.catalina.security.SSLServerSocketFactory" securityDomainName="java:/jaas/tomcat"/>

          The securityDomainName in the EmbeddedTomcatSX mbean code needs to match the name of the SSL Secutity Domain you created earlier.

          I think doing one of these should do it

          Mike


          • 2. Re: SSL Configuration Help Please....
            Mike Newbie

            Andrew,

            I think you can fix your configuration using either one of two ways

            1)change the line


            to
            <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="Security:name=JaasSecurityDomain,domain=RMI+SSL">

            and



            to

            <arg type="java.lang.String" value="RMI+SSL"/>

            or

            2) change the line



            to

            <Factory className="org.jboss.web.catalina.security.SSLServerSocketFactory" securityDomainName="java:/jaas/tomcat"/>

            The securityDomainName in the EmbeddedTomcatSX mbean code needs to match the name of the SSL Secutity Domain you created earlier.

            I think doing one of these should do it

            Mike
            (oops forgot to turn off the bold...preview doesn't appear to be working again)

            • 3. Re: SSL Configuration Help Please....
              Andrew Swan Newbie

              Dear Mike/Johnny,

              Thanks for the tip, however there must be something else wrong, because it still doesn't work.

              I told my keystore to use the RSA algorithm, but the error message above says it can't find the SunX509 algorithm, which is the default. This suggests to me that it can't find my keystore file (and therefore use my specified algorithm) because I've saved it in the wrong directory.

              I'm running Windows 2000 and have JBoss installed in C:\JBoss. I have saved my keystore file (called ".keystore", including the dot) in C:\JBoss\bin directory. Is this the right place?

              Or is there something else I should do?

              Thanks for any help.

              Cheers,

              Andrew

              • 4. Re: SSL Configuration Help Please....
                Andrew Swan Newbie

                (1) I have worked out that...

                ... my "java.security.NoSuchAlgorithmException: Algorithm SunX509 not available" error was caused by the JSSE jar files not being installed in "jre\lib\ext" as is required, so that is now fixed.

                ... my keystore file is indeed being found, because if I move it out of JBoss\bin (which seems to be the default location), I get this error: "java.net.MalformedURLException: Failed to find url=server.keystore as a URL, file or resource".

                (2) My new problem is ...
                ...that when I start JBoss, I get this error (noting that my security domain is now called "RMI+SSL"):

                ...blah...
                ...blah...
                [INFO,ServiceControl] Initialized 48 services
                [INFO,ServiceControl] Starting 48 MBeans
                [INFO,RMI+SSL] Starting
                [INFO,JaasSecurityManagerService] Added RMI+SSL, org.jboss.security.plugins.JaasSecurityDomain@2af081 to map
                [WARN,JaasSecurityManagerService] Failed to locate auth CachePolicy at: java:/timedCacheFactory for securityDomain=RMI+SSL
                [INFO,RMI+SSL] Started
                [INFO,EmbeddedCatalinaServiceSX] Starting
                [INFO,EmbeddedCatalinaServiceSX] Starting EmbeddedCatalinaSX....
                [INFO,EmbeddedCatalinaServiceSX] Building Http engine and connector
                [INFO,Default] Apache Tomcat/4.0.1
                [INFO,EmbeddedCatalinaServiceSX] HttpConnector Opening server socket on all host IP addresses
                [INFO,EmbeddedCatalinaServiceSX] HttpConnector[80] Starting background thread
                [INFO,EmbeddedCatalinaServiceSX] HttpProcessor[80][0] Starting background thread
                [INFO,EmbeddedCatalinaServiceSX] HttpProcessor[80][1] Starting background thread
                [INFO,EmbeddedCatalinaServiceSX] HttpProcessor[80][2] Starting background thread
                [INFO,EmbeddedCatalinaServiceSX] HttpProcessor[80][3] Starting background thread
                [INFO,EmbeddedCatalinaServiceSX] HttpProcessor[80][4] Starting background thread
                [INFO,EmbeddedCatalinaServiceSX] HttpConnector Opening server socket on all host IP addresses
                [ERROR,EmbeddedCatalinaServiceSX] Stopped
                java.lang.NullPointerException
                at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)

                at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
                at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:946)
                ...blah...
                ...blah...


                (3) If it helps, my jboss.jcml file now looks like this...

                ...




                server.keystore
                changeit
                JKS

                ...

                80
                443






                ...


                I don't know if the WARNing in bold is a real problem, but the ERROR seems to be a show-stopper. Any ideas please?

                P.S. Is it necessary to modify catalina's server.xml file in any way? I tried uncommenting the SSL connector section but it didn't affect the error messages decribed above.

                Thanks for any help!

                Andrew

                • 5. Re: SSL Configuration Help Please....
                  Andrew Swan Newbie

                  Woohoo! I fixed it.

                  My problem was that the two s listed above were at the start of my jboss.jcml file, so they couldn't access the resources being made available by later mbeans. I moved these two mbeans to the end of the file and it worked.

                  Hope this helps some other newbie!

                  Andrew