6 Replies Latest reply on Dec 16, 2008 6:49 AM by Marcos Antonio

    JBoss with SSL

    Marcos Antonio Novice

      Hello, everybody!

      First of all, that's what I'm using:

      - JBoss 4.2.3.GA
      - Java 5 Update 17
      - Windows Server 2003 SP2

      I'm going to use SSL with JBoss. The SSL that I'm going to use is OpenSSL. But before starting this I thought that it would be a good thing to first come here and ask you about good resources (articles, tutorials, documentations, forum threads, ...) that teach me how to do that. So, I would appreciate if you point me to some of these materials for me to start.

      Thank you.

      Marcos

        • 1. Re: JBoss with SSL
          Marcos Antonio Novice

          To use SSL in my web application do I have to purchase a Certificate from a well known Certificate Authority, like Verisign or Thawte, or can I get one for free? Is there any tool that generates Certificates?

          Thank you.

          Marcos

          • 2. Re: JBoss with SSL
            Alejandro Montenegro Novice

            you can make your own, please check the wiki

            • 3. Re: JBoss with SSL
              Marcos Antonio Novice

               

              "aamonten" wrote:
              you can make your own, please check the wiki


              Thank you for your reply, Alejandro.
              I've checked this wiki:

              http://www.jboss.org/community/docs/DOC-11989

              but I didn't see (or didn't understand) how to make my own Certificate. Is this the right wiki? If not, can you please provide the link for the right one? If this is the right wiki, where is this information?

              Marcos

              • 4. Re: JBoss with SSL
                Alejandro Montenegro Novice

                 

                "Marcos_APS" wrote:

                I've checked this wiki:

                http://www.jboss.org/community/docs/DOC-11989

                but I didn't see (or didn't understand) how to make my own Certificate. Is this the right wiki? If not, can you please provide the link for the right one? If this is the right wiki, where is this information?

                Marcos


                In section 2 of the wiki that you mention you can find:
                Create the client certificate
                 keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer


                the keytool command is provided with Sun's java sdk

                • 5. Re: JBoss with SSL
                  Marcos Antonio Novice

                   

                  "aamonten" wrote:

                  In section 2 of the wiki that you mention you can find:
                  Create the client certificate
                   keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer


                  the keytool command is provided with Sun's java sdk


                  So, with this command line the keytool is generating a Certificate (a free one) for me that would be generated by a Certificate Authority, right?

                  Marcos

                  • 6. Re: JBoss with SSL
                    Marcos Antonio Novice

                    - JBoss 4.2.3.GA
                    - Java 5 Update 17
                    - Windows Server 2003 SP2

                    Hello, everybody!

                    Since my first post, I've done some research on how to enable SSL in JBoss. Two articles were very helpful to me:

                    - An article that teaches how to configure SSL on Tomcat (I thought that
                    it was good to start from this article because this configuration is
                    very similar to what I was going to find on JBoss relating to SSL):
                    http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
                    - An article that teaches how to configure SSL on JBoss:
                    http://www.jboss.org/community/docs/DOC-11989

                    After reading these articles I decided that my SSL configuration would be based on this:

                    - Use JSSE (Java Secure Socket Extension)
                    - Use a self-signed Certificate.

                    So, according to all this, I decided to take the steps listed below to configure SSL. I'm just listing these steps here in the case that I missed something or did something wrong, so you can tell me where the mistake is.

                    1. Create the self-signed Certificate
                    - %JAVA_HOME%\bin\keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore
                    - Enter keystore password:
                    password
                    - What's your first and last name?
                    www.mydomain.com
                    - What is the name of your organizational unit?
                    Centro de Processamento de Dados - CPD
                    - What is the name of your organization?
                    Universidade Regional do Cariri - URCA
                    - What is the name of your City or Locality?
                    Crato
                    - What is the name of your State or Province?
                    CE
                    - What is the two-letter country code for this unit?
                    BR
                    - Enter key password for


                    2. Move the keystore "server.keystore" created in C:\Documents and Settings\USER_NAME to %JBOSS_HOME%\server\default\conf.

                    3. Configure JBoss
                    - In the file %JBOSS_HOME%\server\default\deploy\jboss-web.deployer\server.xml

                    - Change this configuration:

                    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />

                    - To this:
                    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS"
                     keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
                     keystorePass="password" />

                    My doubts are:

                    At this point, I'm lost. I don't know if I'm already done or if I have to do something else. I believe that I still need to complete the SSL configuration for use in JBoss, but the second article mentioned above, http://www.jboss.org/community/docs/DOC-11989, doesn't explain very well what it is doing, so I'm confused. For example, it shows four authentication scenarios:

                    1. SSL enabled on the server - the common case
                    2. SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client
                    3. SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client
                    4. SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

                    I suppose that I should use the first one or the second one, but I'm not sure how. Could you tell me which one I should use? Just to remind you, I want to use a self-signed Certificate and to generate my own Certificate, not to purchase one from a well known Certificate Authority.

                    Also, some steps in scenario 1 and 2 need more explanation to me. For example, in both scenarios there's one step called Run the client:

                    In the first option:
                    java -Djavax.net.ssl.trustStore=client.truststore
                    -Djavax.net.ssl.trustStorePassword=123456
                    acme/ReadHttpsURL2 https://localhost:8443


                    In the second option:
                    java -Djavax.net.ssl.keyStore=client.keystore
                    -Djavax.net.ssl.keyStorePassword=123456
                    -Djavax.net.ssl.trustStore=client.truststore
                    -Djavax.net.ssl.trustStorePassword=123456
                    acme/ReadHttpsURL2 https://localhost:8443


                    Which client is this? What happens with this command line?

                    In the second option, SSL enabled on the server with self-signed client certs, there's a step Create the client certificate:

                    keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer

                    Is this command creating the Certificate that I will be using instead of the Certificate provided by a Certificate Authority?

                    As you can see, I have a lot of doubts. I would be very thankful if you could answer my questions and tell me what I should do to fully enable SSL.

                    Thank you.

                    Marcos