5 Replies Latest reply on Nov 16, 2005 11:57 AM by Andy Brook

    SSL in 4.0.3, server seems to be only listening with HTTP on

    Andy Brook Newbie

      Firstly, yes, I have read the wiki SSL page, and no, it doesn't appear to work out of the box with my configuration: http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup.

      I notice that the wiki page is written for 3.2.x(?) and is quite old, so some things may now not work according to the 'documentation'?

      I'm migrating a webapp written for WebSphere onto JBoss, and all the tweaks have now been done, bar SSL and, later, FORM authentication. I'm currently stumbling with SSL...

      Now, following the wiki, I'm attempting to set up the simple case of an SSL server on port 8443 with a self-signed cert. I'm running 4.03 under IBM's 1.5 VM, I've added the JSSE 1.03_03 jars into my JRE/lib/ext folder (and yes, I did the tweaks to java.security):

      JRE/lib/security/java.security excerpt:

      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.security.sasl.IBMSASL
      # added:
      security.provider.6=sun.security.provider.Sun
      # added:
      security.provider.7=com.sun.net.ssl.internal.ssl.Provider
      


      I'll go through the stages the wiki describes:

      * Create a test keystore in the server/default/conf directory: Done
      * Edit jbossweb-tomcat41.sar/META-INF/jboss-service.xml (now called service.xml): Done
      * Start the server and browse to https://localhost:8443/jmx-console/index.jsp: This just doesn't work, and is where I start trying other things

      The socket factory in question seems to create a standard HTTP server socket listener on 8443, as http://localhost:8443 yields the JBoss main page, and https://localhost:8443 just hangs. I've seen various other factories suggested at http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html, and have tried them, but to no avail.

      I really don't understand why I get a PLAIN HTTP/1.1 on port 8443. Nothing bad listed in the boot.log, nothing bad in the server.log.

      Stdout:
      16:50:19,920 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
      16:50:20,354 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
      16:50:20,393 INFO [JkMain] Jk running ID=0 time=0/54 config=null
      16:50:20,429 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-8443
      


      My server.xml connector config:
      <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                 port="8443" scheme="https" secure="true">
        <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                 keystoreFile="${jboss.server.home.dir}/certs/server.keystore"
                 keystorePass="pass"
                 clientAuth="false"
                 protocol="TLS"/>
      </Connector>
      


      Just for giggles I ran 4.03 under Sun's 1.6ea: no difference, so I guess I can discount JSSE-related configurations etc.

      Either I can't read (possible!) or the wiki is leaving something important out. It should just work but doesn't.

      Clues? Helpful ridicule? Both equally sought!

      Andy.
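      The symptom described in this post (a plain HTTP reply on the port that should be speaking TLS) can be confirmed from a script rather than by watching a browser hang. The following Python code is an added example and is not part of this thread, the JBoss wiki, or JBoss itself. It sends a plaintext GET to a port and classifies the first bytes that come back: an `HTTP/` status line means the connector is plaintext, while a TLS alert or handshake record means the port is speaking TLS. `probe_tls` then completes a real handshake with certificate verification switched off, which is appropriate only against a self-signed test certificate like the one in the wiki. The demo function starts a constructed local HTTP server to stand in for the misconfigured 8443 connector; the host and port arguments are placeholders.

```python
"""Tell a plaintext HTTP listener apart from a TLS listener on a given port."""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TLS_ALERT = 0x15      # record type of a TLS alert
TLS_HANDSHAKE = 0x16  # record type of a TLS handshake message


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returned after a plaintext GET."""
    if not data:
        return "closed"               # server dropped the connection silently
    if data.startswith(b"HTTP/"):
        return "plaintext-http"       # the misconfiguration seen in the thread
    if data[0] in (TLS_ALERT, TLS_HANDSHAKE) and len(data) >= 3 and data[1] == 0x03:
        return "tls"                  # a TLS record came back, so TLS is enabled
    return "unknown"


def probe_plaintext(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a plaintext GET and report what kind of listener answered."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            data = sock.recv(64)
        except socket.timeout:
            return "timeout"
        except ConnectionResetError:
            return "closed"
    return classify_reply(data)


def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Complete a TLS handshake and return the negotiated protocol version.

    Verification is disabled because the thread uses a self-signed test
    certificate; against a production host keep CERT_REQUIRED.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a connector that answers plaintext HTTP."""

    def do_GET(self):
        body = b"<html>stand-in for the JBoss main page</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo_plaintext_on_tls_port() -> str:
    """Start a local plaintext server on an ephemeral port and probe it."""
    server = HTTPServer(("127.0.0.1", 0), _PlainHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_plaintext("127.0.0.1", port)   # -> "plaintext-http"
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("demo listener classified as:", demo_plaintext_on_tls_port())
```

      Run `probe_plaintext("localhost", 8443)` against the server in the post; a connector that is actually doing TLS answers the plaintext GET with a TLS alert or simply closes the connection, never with an `HTTP/` status line. Once the connector is fixed, `probe_tls("localhost", 8443)` should return the negotiated version instead of raising.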

        • 1. Re: SSL in 4.0.3, server seems to be only listening with HTTP on
          Adrian Brock Master

          http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossHelp
          You guys amaze me. You don't even read the questions on the same page,
          so there is obviously no attempt to help somebody else.

          • 2. Re: SSL in 4.0.3, server seems to be only listening with HTTP on
            Andy Brook Newbie

            Hey Adrian, of all the comments I thought I'd get, yours amazed me also!

            FYI, I did actually read the other member's post, but I have 0 knowledge of AIX or the peculiarities of its variant of the IBM VM (I'm on AMD64), and as I don't actually have SSL working with a Sun VM or an IBM VM, how could I possibly assist this person? I have proved nothing!

            I've spent two days reading, searching jboss site, old wiki docs and old google hits. Posting here is a last resort.

            By posting relevant information I'd like to think that even if I couldn't answer another user's question directly, I might provide enough context for others to figure out their own solutions.

            Hopefully I'll get to the bottom of this and post the result to benefit anyone else who happens across this thread.

            • 3. Re: SSL in 4.0.3, server seems to be only listening with HTTP on
              Anders Hedstrom Novice

              I don't know what your problem is, but I can tell you that I run JBoss 4.0.3 on Win2K with Sun JDK5. All I need to do to enable SSL is to uncomment this section in %JBOSS_HOME%/server/<your_config>/deploy/jbossweb-tomcat55.sar/server.xml

               <!-- SSL/TLS Connector configuration using the admin devl guide keystore
               <Connector port="8443" address="${jboss.bind.address}"
                          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                          emptySessionPath="true"
                          scheme="https" secure="true" clientAuth="false"
                          keystoreFile="${jboss.server.home.dir}/conf/my.keystore"
                          keystorePass="mypwd" sslProtocol="TLS" />
               -->
              


              Then if I want to secure the jmx-console, I uncomment the security constraint section in the web.xml file for the jmx-console web application. I then needed to add the following to the web.xml file because it was missing:
              <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>JBoss JMX Console</realm-name>
              </login-config>
              


              I also uncomment the security-domain section in the jboss-web.xml file for the web application as well.

              Then if I direct my browser to the following URL https://localhost:8080/jmx-console I get prompted to accept my certificate and then for usr/pwd. It works just fine...

              Cheers
              //Anders


              • 4. Re: SSL in 4.0.3, server seems to be only listening with HTTP on
                Anders Hedstrom Novice

                 

                anders.hedstrom wrote:
                I run JBoss 4.0.3 on Win2K win Sun JDK5

                Should be WinXP

                anders.hedstrom wrote:
                https://localhost:8080/jmx-console

                Should be: https://localhost:8443/jmx-console

                • 5. Re: SSL in 4.0.3, server seems to be only listening with HTTP on
                  Andy Brook Newbie

                  Thanks for that,

                  I just tried 4.0.3SP1, which seems to have solved my core problem. Using the wiki info I now have a basic-auth protected and SSL secured jmx-console (thereby proving (to me!) it works).

                  The major issue was the use of IBM's 1.5 VM. I've tussled with this for a while, and whilst I'm not sure, I think that there is a hard-coded reference somewhere to Sun's security implementation 'SunX509' in Tomcat, which may be pluggable into the IBM VM, but then again maybe not. I wonder if this is a 'bug', as it restricts the Tomcat web container to running under Sun VMs?

                  Anyhow, the additional tweak to push the jmx-console over SSL was useful to me, and it may be to others. After following the Basic auth and SSL config wikis, all you have to do is add the following to the file server/../deploy/jmx-console.war/WEB-INF/web.xml:

                  ...
                    <!-- the Servlet spec element is user-data-constraint (singular) -->
                    <user-data-constraint>
                      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                    </user-data-constraint>
                  </security-constraint>
                  



                  If I figure out the issues around the IBM vm I'll post back.
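                  The two descriptor changes this thread converges on (Anders's missing `<login-config>` in reply 3, and the `CONFIDENTIAL` transport guarantee added to the `<security-constraint>` in reply 5) are easy to get subtly wrong, since a misspelled element or a constraint without an `<auth-constraint>` fails quietly. The Python script below is an added example, not code from this thread or from JBoss: it parses a web.xml with the standard library and reports whether the jmx-console is actually guarded by a role, forced onto TLS, and given a login method. Both descriptors it checks are constructed samples with the standard Servlet 2.4 element names; the real jmx-console web.xml may differ in roles and URL patterns.

```python
"""Audit a web.xml for role protection, CONFIDENTIAL transport and a login-config."""
import xml.etree.ElementTree as ET

# Constructed sample: the state after both wiki tweaks and the fixes in this thread.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# Constructed sample: constraint uncommented, but no transport guarantee and no login-config.
SAMPLE_WEB_XML_INCOMPLETE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the namespace: '{http://...}login-config' -> 'login-config'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name: str) -> list:
    """All descendants of node (node included) whose local tag name is `name`."""
    return [el for el in node.iter() if _local(el.tag) == name]


def _text(node, name: str):
    """Text of the first descendant named `name`, or None when absent."""
    found = _find_all(node, name)
    return (found[0].text or "").strip() if found else None


def audit_web_xml(xml_text: str) -> dict:
    """Return which of the expected protections the descriptor declares."""
    root = ET.fromstring(xml_text)
    constraints = _find_all(root, "security-constraint")
    confidential = [c for c in constraints
                    if (_text(c, "transport-guarantee") or "").upper() == "CONFIDENTIAL"]
    authenticated = [c for c in constraints if _find_all(c, "auth-constraint")]
    login = _find_all(root, "login-config")
    auth_method = _text(login[0], "auth-method") if login else None
    return {
        "has_security_constraint": bool(constraints),
        "requires_auth": bool(authenticated),
        "requires_confidential": bool(confidential),
        "has_login_config": auth_method is not None,
        "auth_method": auth_method,
    }


def problems(findings: dict) -> list:
    """Turn the audit result into the list of things still missing."""
    msgs = []
    if not findings["has_security_constraint"]:
        msgs.append("no <security-constraint>: nothing in the application is protected")
    if not findings["requires_auth"]:
        msgs.append("no <auth-constraint>: no role is required to reach the console")
    if not findings["requires_confidential"]:
        msgs.append("no CONFIDENTIAL <transport-guarantee>: the console is still reachable over plain HTTP")
    if not findings["has_login_config"]:
        msgs.append("no <login-config>: the container never challenges for credentials")
    return msgs


if __name__ == "__main__":
    for label, doc in (("complete", SAMPLE_WEB_XML), ("incomplete", SAMPLE_WEB_XML_INCOMPLETE)):
        print(label, problems(audit_web_xml(doc)) or "ok")
```

                  Point `audit_web_xml` at the contents of `deploy/jmx-console.war/WEB-INF/web.xml` after editing it; an empty `problems` list means the descriptor asks for a role, for TLS, and for BASIC (or FORM) login, which is the combination the last reply describes as working on 4.0.3SP1.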