0 Replies Latest reply on Oct 17, 2004 5:05 PM by William Pool

    JBoss 3.2.5 SSL Configuration on Sun Solaris 2.9 09/04 relea

    William Pool Newbie

      Hello, I'm trying to setup and configure JBoss 3.2.5 to run over SSL and NOT standard port 8080.

      I've looked all over the net and have found a 'few' guides, only to be kinda off from what I"m doing. Also, all the research shows that Tomcat 4.0 is in 2.3.5. However, I "believe" mine's got TomCat 5.0 (downloaded from jboss.com).

      Here's what I did and what not. However, no such luck. Any advice would be GREATLY appricated. The "actual" values are left out for company reasons. However, the exacty 'step' was performed.

      Okay the steps performed were the ones located at:

      http://www.theserverside.com/discussions/thread.tss?thread_id=22243

      Steps included:

      Step 1)
      First of all, we are going to make a keystore. This is the place we are
      going to store the keys in on the serverside. We will use the Java-tool
      keytool for this. The algorithm used here is RSA.

      The value alias name was replaced with "company"


      At the selected directory:
      keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

      Fill in all the information that is asked.
      A keystore with the name name.keystore is generated.

      Step 2)
      Then we have to make a Certificate Signing Request (CSR) for the
      Certificate Authority. We can get this signed by a certifying authority
      like verisign or thwate

      keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR
      file name>.csr

      Enter the keystore password.
      A < CSR file name>.csr file is generated.

      If you are getting the CSR signed by a certifying authority, then skip the
      next step.
      Step 3)
      If you are using going to sign using your own CSR by using, for example,
      OpenSSL, then the steps are:

      (This assumes that you are working on a Linux machine with OpenSSL, which
      can be obtained from www.openssl.org. Follow the procedure to install
      OpenSSL)
      To Sign the certificate:
      Make a new directory:

      cd usr/local/
      mkdir newCA

      Copy openssl.cnf and CA.sh
      from the OpenSSL apps directory to your new directory (newCA)
      cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
      cp ../../openssl-0.9.6a/apps/CA.sh newCA/

      Edit your new copy of openssl.cnf and CA.sh:
      Set the dir variable to the current directory
      dir . # (... Specifies current directory where everything is kept)
      Set the CATOP variable to the current directory:
      CATOP=. # (... Specifies current directory where everything is kept)

      Create the certificates for Certification Authority:
      cd newCA
      chmod 744 CA.sh (only if necessary)
      CA.sh .newca
      ls -l

      Send the < CSR file name>.csr file to Certification authority and Creating
      Server Certificate

      cp < CSR file name>.csr /usr/local/newCA
      or ftp the < CSR file name>.csr file to the m/c acting as CA.
      cd /usr/local/newCA

      Create the certificate

      openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA
      cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

      Optionally convert the server certificate from PEM encoding to DER for
      distributing to Clients:

      openssl x509 -inform pem -outform der < cacert.pem > cacert.cer

      We receive two files, cacert.der, containing the CA's public key and a
      file <pem file name>.pem, containing the public key signed by the CA using
      the CA's private key. I will now import these two files into my keystore
      (the order is important!):


      ****This is where shit gets interesting****

      Step 4)
      keytool -import -alias <alias name> -file cacert.der -keystore
      ./name.keystore

      The file name "cacert.der" isn't created from ANY of the above commands.
      Not sure what crack pipe they smoke from.
      However, it 'does' create the file "cacert.cer". Thinking this is a
      possible typo I did the above command with
      cacert.cer instead of cacert.der. Volia it worked!

      Step 5)
      keytool -import -alias <alias name> -file <pem file name>.pem -keystore
      ./name.keystore

      Okay, I did this and it complained that the "alias name" has already been
      added. So, I went ahead and made a "company2" alias which added fine.

      It asks you to move the following files:

      jcert.jar
      jnet.jar
      jsse.jar

      Into the $JAVA_HOME/jre/lib/ext directory.

      Now, there's 'three' versions of these files all which reside in the :

      $JBOSS_HOME/server/all/lib/*.jar
      $JBOSS_HOME/default/lib/*jar
      $JBOSS_HOME/client/lib/*.jar

      All of which are the same size. So, I decided to use the 'default' one to
      copy over.

      Tomcat over SSL (HTTPS)
      If we have Tomcat running as a jBoss service, we need to make a few
      changes in some configuration files:
      1. $JBOSS_DIST/server/default/conf/jboss-service.xml
      We want JaasSecurityDomain as SecurityManagerClass instead of
      JaasSecurityManager, so we need to change this in the file:
      <!-- JAAS security manager and realm mapping -->


      org.jboss.security.plugins.JaasSecurityDomain



      2. $JBOSS_DIST/server/default/conf/jboss-service.xml
      Add the below lines after the paragraph mentioned above in jboss-service.xml


      jboss.security:service=JaasSecurityManager




      put the path to your name.keystore file
      here
      put your name.keystore password
      here


      3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
      This is the final step: We remove the Connector that listens on port 8080
      and replace it by one that listens on port 8443

      Which DOES NOT exist that's a bogus deal.

      I *believe* /opt/jboss-3.2.5/server/default/deploy/jbossweb-tomcat50.sar

      is the directory you want to look at and the file: server.xml

      Now this is what "the guide" has:





      After:

      <!-- A HTTP Connector on port 8080 -->


      Which looks different then what was in the actual file. Which is:

      <!-- A HTTP/1.1 Connector on port 8080 -->


      <!-- A AJP 1.3 Connector on port 8009 -->


      <!-- SSL/TLS Connector configuration using the admin devl guide
      keystore

      -->

      When I start it I get the following errors:

      14:03:11,314 WARN [JaasSecurityManagerService] Failed to locate auth CachePolicy at: java:/timedCacheFactory for securityDoma
      in=TomcatSSL

      It's accessable via http://:8080 just not via https at either 8080 or 8443.

      Thanks for any help on this!

      -Puddle
      rotaecho@yahoo.com