3 Replies Latest reply on Jun 1, 2009 9:59 AM by yashendrac

    Encrypt KeyStore-Password in a Tomcat-Connector for 4.2.3.GA

    isc-hoa

      Hi there

      I'm having a question about setting up SSL for a JBoss-4.2.3GA:

      I was able to configure the following connector-entry in the Tomcat server.xml:

      <Connector protocol="org.apache.coyote.http11.Http11Protocol"
       port="8443" minSpareThreads="5" maxSpareThreads="75"
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="12345678"
       truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
       truststorePass="12345678"
       clientAuth="want" sslProtocol="TLS"/>


      With this entry, SSL works fine. Unfortunately, I was not happy with the password in plain text. So I tried to set up a connector with an encrypted password as described in

      http://www.jboss.org/community/docs/DOC-9702

      My Connector:

      <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
       scheme="https" secure="true" clientAuth="want"
       sslProtocol="TLS"
       securityDomain="java:/jaas/encrypt-keystore-password"
       SSLImplementation="org.jboss.net.ssl.JBossImplementation" />


      I also added the entries in security-service.xml and the jboss-web.deployer\META-INF\jboss-service.xml as described in the wiki.

      I can start the JBoss without any exceptions or errors, and http is working fine, but when I send an https request, I run into a time-out. There are still no warnings or exceptions. The JBoss or the Tomcat just does not respond...

      Hint: When I change the value of SSLImplementation to "whatTheHell", I still get no exception! No "NoClassDefFoundError" or anything like that... Is this attribute still valid in 4.2.3?

      Is there something special to foresee with JBoss-4.2.3.GA?

      Thanks for helping!

      Cheers

      Andre


        • 1. Re: Encrypt KeyStore-Password in a Tomcat-Connector for 4.2
          yashendrac

          Hi Andre,

          Any luck finding the solution to this problem? I was also running into the same problem; the only difference is that I tried this same configuration with JBoss 5.0.1.

          • 2. Re: Encrypt KeyStore-Password in a Tomcat-Connector for 4.2
            isc-hoa

            Hi yashendrac

            I was not able to find a solution. I spent quite a lot of time on this topic, but without any luck...

            • 3. Re: Encrypt KeyStore-Password in a Tomcat-Connector for 4.2
              yashendrac

              Andre,
              I confirmed that it is broken in JBoss 5.0.1. I am not sure since when it has been broken, but it was working on JBoss 4.2.1. I also confirmed that it is fixed in JBoss 5.1.0.

              I checked the source code for the following classes under jbossweb.jar and jbossweb-service.jar:

              1. org.jboss.net.ssl.JBossImplementation.java
              2. org.jboss.net.ssl.JBossSocketFactory.java
              3. org.apache.tomcat.util.net.jsse.JSSESocketFactory

              JBossSocketFactory overrides the following methods from Tomcat's JSSESocketFactory:

              protected TrustManager[] getTrustManagers(String keystoreType, String algorithm)
              protected KeyManager[] getKeyManagers(String keystoreType, String algorithm, String keyAlias)

              But in the Tomcat JSSESocketFactory under JBoss 5.0.1, the method signatures were changed by adding an additional parameter, String keystoreProvider.
              So the methods in the Tomcat JSSESocketFactory are now the following:

              protected TrustManager[] getTrustManagers(String keystoreType, String keystoreProvider, String algorithm)
              protected KeyManager[] getKeyManagers(String keystoreType, String keystoreProvider, String algorithm, String keyAlias)


              So JBossSocketFactory was not overriding these methods anymore, and despite providing SSLImplementation="org.jboss.net.ssl.JBossImplementation", these two methods from JSSESocketFactory were invoked in place of the ones in JBossSocketFactory.

              This is fixed in JBoss 5.1.0.
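The silent override mismatch described in this reply, reproduced as an added stand-alone example (not JBoss or Tomcat code; the class and method names mirror the thread, but the bodies and the keyManagerSource field are hypothetical stand-ins). It shows why no exception is raised and how the @Override annotation would have caught the signature drift at compile time.

```java
import javax.net.ssl.KeyManager;

// Stand-in for Tomcat's JSSESocketFactory with the 5.0.1-style signature
// (extra keystoreProvider parameter), as reported in the thread.
class JSSESocketFactory {
    protected String keyManagerSource = "none";

    protected KeyManager[] getKeyManagers(String keystoreType,
            String keystoreProvider, String algorithm, String keyAlias) {
        // The base implementation reads keystorePass from server.xml in plain text.
        keyManagerSource = "JSSESocketFactory (plain-text keystorePass)";
        return new KeyManager[0];
    }

    // Mirrors what the base class does at SSL init: it calls its own
    // four-argument method, not whatever a subclass happened to declare.
    public String initKeyManagers() {
        getKeyManagers("JKS", null, "SunX509", null);
        return keyManagerSource;
    }
}

// Stand-in for JBossSocketFactory, still declaring the 4.2.x signature.
class JBossSocketFactory extends JSSESocketFactory {
    // Uncomment @Override and javac rejects this class with
    // "method does not override or implement a method from a supertype";
    // that compile error is the check that was missing in the shipped code.
    // @Override
    protected KeyManager[] getKeyManagers(String keystoreType,
            String algorithm, String keyAlias) {
        // This would obtain the password from the securityDomain instead.
        keyManagerSource = "JBossSocketFactory (password from securityDomain)";
        return new KeyManager[0];
    }
}

public class OverrideMismatch {
    public static void main(String[] args) {
        JSSESocketFactory factory = new JBossSocketFactory();
        // Prints the base-class source: the JBoss method is an overload, not an
        // override, so the secured code path is never entered and nothing fails.
        System.out.println(factory.initKeyManagers());
    }
}
```

Compile with javac and run OverrideMismatch; the printed source is the base class, which is exactly the symptom in the thread: a bogus or correct SSLImplementation makes no observable difference.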