3 Replies Latest reply on Jun 1, 2009 9:59 AM by yashendra chandrakar

    Encrypt KeyStore-Password in a Tomcat-Connetctor for 4.2.3.G

    Andre Hofstetter Newbie

      Hi there

      I'm having a question about setting up SSL for a JBoss-4.2.3GA:

      I was able to configure the following connector-entry in the Tomcat server.xml:

      <Connector protocol="org.apache.coyote.http11.Http11Protocol"
       port="8443" minSpareThreads="5" maxSpareThreads="75"
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="12345678"
       truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
       truststorePass="12345678"
       clientAuth="want" sslProtocol="TLS"/>


      With this entry, SSL works fine. Unfortunately, I was not happy with the password in plain text. So I tried to setup a connector with encrypted password as described in

      http://www.jboss.org/community/docs/DOC-9702

      My Connector:

      <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
       scheme="https" secure="true" clientAuth="want"
       sslProtocol = "TLS"
       securityDomain="java:/jaas/encrypt-keystore-password"
       SSLImplementation="org.jboss.net.ssl.JBossImplementation" >


      I also added the entries in security-service.xml and the jboss-web.deployer\META-INF\jboss-service.xml as described in the wiki.

      I can start the JBoss without any exceptions or errors, http is working fine, but when I'm sending a https-request, I'm running into a time-out. There are still no warnings or excpetions. The JBoss or the Tomcat just does not response...

      Hint: When I change the value SSLImplementation to "whatTheHell", I still got no exception! No "NoClassDefFoundError" or something like that... Is this attribute still valid in 4.2.3?

      Is there something special to foresee with JBoss-4.2.3.GA?

      Thanks for helping!

      Cheers

      Andre


        • 1. Re: Encrypt KeyStore-Password in a Tomcat-Connetctor for 4.2
          yashendra chandrakar Newbie

          Hi Andre,

          Any luck finding the solution of this problem I was also running into same problem only difference is that I tried this same configuration with JBoss 5.0.1.

          • 2. Re: Encrypt KeyStore-Password in a Tomcat-Connetctor for 4.2
            Andre Hofstetter Newbie

            Hi yashendrac

            I was not able to find a solution. I spent quite a lot of time on this topic, but without any luck...

            • 3. Re: Encrypt KeyStore-Password in a Tomcat-Connetctor for 4.2
              yashendra chandrakar Newbie

              Andre,
              I confirmed that it is broken in JBoss5.0.1, I am not sure since when it is broken but it was working on JBoss4.2.1. I also confirmed that it is fixed in JBoss5.1.0

              I checked the source code for following classes under jbosswe.jar and jbossweb-service.jar

              1.org.jboss.net.ssl.JBossImplementation.java

              2.org.jboss.net.ssl.JBossSocketFactory.java

              3.org.apache.tomcat.util.net.jsse.JSSESocketFactory

              JBossSocketFactory overrides following methods from tomcat's
              JSSESocketFactory

              protected TrustManager[] getTrustManagers(String keystoreType, String algorithm)
              protected KeyManager[] getKeyManagers(String keystoreType, String algorithm,
               String keyAlias)
              


              But in tomcat JSSESocketFactory under JBoss5.0.1, method signatures are changed by adding additional String parameter String keystoreProvider.
              So methods are changed to following in tomcat JSSESocketFactory

              protected TrustManager[] getTrustManagers(String keystoreType,
               String keystoreProvider, String algorithm)
              protected KeyManager[] getKeyManagers(String keystoreType,
               String keystoreProvider,
               String algorithm,
               String keyAlias)
              


              So JBossSocketFactory was not overriding these methods anymore and despite providing SSLImplementation="org.jboss.net.ssl.JBossImplementation" these two methods from JSSESocketFactory were invoked in place of JBossSocketFactory.

              This is fixed in JBoss5.1.0