8 Replies Latest reply on Nov 23, 2005 10:32 AM by Andy Brook

    How to use IBMJSSE2 with JBoss?

    Trey Ethridge Newbie

      Hello all,

      I have an AIX box that I have to support. I've got HTTPS working using Sun's JSSE on linux and windows, but I can't get it working with the IBM JVM on AIX. I've modified the provider line in the java.security file to look like this:

      #
      # List of providers and their preference orders (see above):
      #
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath


      When I try to start jboss I get the following error:

      14 Nov 2005 16:01:01 [ERROR] [org.apache.coyote.http11.Http11Protocol] - Error initializing endpoint
      java.io.IOException: Class com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl configured for a KeyManagerFactory: not a KeyManagerFactory
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:127)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
      at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:137)
      at org.apache.coyote.tomcat5.CoyoteConnector.initialize(CoyoteConnector.java:1429)
      at org.jboss.web.tomcat.tc5.StandardService.initialize(StandardService.java:612)
      at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2384)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:507)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:548)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
      at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:109)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
      at org.jboss.web.tomcat.tc5.Tomcat5.startService(Tomcat5.java:259)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
      at sun.reflect.GeneratedMethodAccessor16.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
      at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
      at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java(Inlined Compiled Code))
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java(Inlined Compiled Code))



      I've searched the JBoss forums, wiki, and ibm.com. Can anybody point me in the right direction?

      Thanks in advance,
      -- tale

        • 2. Re: How to use IBMJSSE2 with JBoss?
          Andy Brook Newbie

          Failing that, check out a later issue, http://www.jboss.com/index.html?module=bb&op=viewtopic&t=72456

          All other things being equal you should just need to add the 3 jsse jars to your server/xyz/lib folder, and modify the JRE/lib/security/java.security, as per post.

          hope this helps

          • 3. Re: How to use IBMJSSE2 with JBoss?
            Andy Brook Newbie

            Unfortunately it looks like 4.0.3SP1 and prior have a dependency on the SUN security classes. To see this, go to the server/all/jbossweb-tomcat55.sar folder,
            extract tomcat-util.jar into a temp folder then do:

            strings org/apache/tomcat/util/net/jsse/JSSE13SocketFactory | grep sun
            

            All manner of SUNness gets listed, I guess someone had to pick A provider, shame I can't do this in a declarative way in a configuration file...

            To get SUN's JSSE into the IBM VM you have to first dump the JSSE jars in the jre/lib/ext folder, fine and easy. Next up is to configure the java.security file appropriately. I see all manner of 'change this and it will break' over non-US users - mileage may vary.

            If I get the SUN provider registered in the IBM VM I'll post some comments.

            • 4. Re: How to use IBMJSSE2 with JBoss?
              Trey Ethridge Newbie

              Well, I've read the responses and tried their suggestions, but I still can't get it to work. First off, I'd like to respond to the "not a jboss" response. I'm trying to get this working with the IBM JVM and it appears that JBoss requires Sun's JSSE jar files. Maybe I don't have things configured right, but to me that seems like a JBoss issue if it is the case, in addition to moving the jars.

              So, can I use JBoss WITHOUT Sun's JSSE providers? If so, could somebody lay out the steps that they took to configure JBoss?

              If I remove the Sun jars (jnet.jar, jcert.jar, jsse.jar) from the installation, JBoss won't even start. The boot log gives an [ERROR] could not create deployment: file:/path/to/jboss-service.xml. The root cause in the stack trace appears to be "Caused by: java.lang.NoClassDefFoundError: com/sun/net/ssl/internal/ssl/Provider". Just to be clear, I commented out the providers in java.security for Sun in this case.

              If I include the jars back in the jre/lib/ext directory, I get the original error from my first post. In this case I added back the sun providers to java.security.

              If I set LoadSunJSSEProvider to false in jboss-service.xml, under JaasSecurityDomain, I get an error in server.log that states it can't access SunX509. This is with the jars, but the providers commented out in java.security.

              Can anyone shed some light on my problem?

              • 5. Re: How to use IBMJSSE2 with JBoss?
                Adrian Brock Master


                "ethridgt" wrote:
                Well, I've read the responses and tried their suggestions,
                ...
                Can anyone shed some light on my problem?


                No you haven't.
                And most of what the others have said (including yourself) is gibberish.

                org/apache/tomcat/util/net/jsse/JSSE13SocketFactory -> 4.0.3SP1?
                JBoss4 does not run on JDK1.3, this is random speculation.

                And these "jnet.jar, jcert.jar, jsse.jar" are JDK1.3 as well
                which doesn't match your original post JSSE14SocketFactory.

                Read my initial response:

                JBoss -> JDK(JSSE) -> Provider (IBM)

                If your provider does not support something it will try to search for something else
                (just like it says in the javadoc I posted).
                Speak to IBM or change the config to use something your provider does support.

                This is not the IBM JDK support forum.

                Also, don't change things at random (like classpaths) without reading the
                JSSE documentation and IBM's release notes. You are just going to confuse
                yourself further.

                If you don't understand how the most basic piece of configuration works,
                do you really have confidence that this SSL security is working as you want?

                • 6. Re: How to use IBMJSSE2 with JBoss?
                  Trey Ethridge Newbie

                  Ok, let me try to post something that isn't gibberish for the non believers. :-) This is my setup.

                  I have AIX 5.3. I'm running IBM JVM 1.4.2, which as we all know includes JSSE by default. I'm using the default java.security file, which is pre-configured for the IBM JSSE providers.

                  ./java -version
                  java version "1.4.2"
                  Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
                  Classic VM (build 1.4.2, J2RE 1.4.2 IBM AIX build ca142-20040917 (JIT enabled: jitc))

                  Here is the manifest file for the JBoss run.jar. I believe this should give a good understanding of which version of JBoss I'm using.

                  Manifest-Version: 1.0
                  Specification-Title: JBoss
                  Created-By: 1.4.2_05-b04 (Sun Microsystems Inc.)
                  Specification-Version: 3.2.6
                  Implementation-Vendor-Id: http://www.jboss.org/
                  Implementation-URL: http://www.jboss.org/
                  Class-Path: ../client/getopt.jar
                  Ant-Version: Apache Ant 1.6.2
                  Main-Class: org.jboss.Main
                  Implementation-Title: JBoss [WonderLand]
                  Specification-Vendor: JBoss (http://www.jboss.org/)
                  Implementation-Version: 3.2.6 (build: CVSTag=JBoss_3_2_6 date=200410140106)
                  Implementation-Vendor: JBoss.org

                  I've generated a keystore, which works fine on Linux and Windows under JBoss, so I know the keystore is fine.

                  I've modified server\default\server\deploy\jbossweb-tomcat50.sar\server.xml
                  to include the following section:

                   <Connector port="8443" minProcessors="5" maxProcessors="200"
                   enableLookups="true" disableUploadTimeout="true"
                   keystoreFile="${jboss.server.home.dir}/conf/.keystore"
                   keystorePass="changeit"
                   acceptCount="200" debug="0" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
                  


                  I've modified jboss-service.xml by switching the JaasSecurityManagerService to use the JaasSecurityDomain instead of the JaasSecurityManager. Here is what that looks like in the file.
                   <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
                   name="jboss.security:service=JaasSecurityManager">
                   <attribute name="SecurityManagerClassName">
                   org.jboss.security.plugins.JaasSecurityDomain
                   </attribute>
                   </mbean>
                  


                  I've also modified jboss-service.xml by adding the mbean block for the JaasSecurityDomain. I've added the attribute to disable loading the Sun JSSE as recommended by the documentation when using JVM version 1.4.2 or a non-Sun JVM. That code block looks like this:
                   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                   name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
                   <depends>jboss.security:service=JaasSecurityManager</depends>
                   <constructor>
                   <arg type="java.lang.String" value="TomcatSSL" />
                   </constructor>
                   <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/.keystore</attribute>
                   <attribute name="KeyStorePass">changeit</attribute>
                   <attribute name="LoadSunJSSEProvider">false</attribute>
                   </mbean>
                  


                  When I start jboss, I get several errors. These errors lead me to believe that using the Sun JSSE is hard coded into JBoss as first noted by javaholic:

                  17 Nov 2005 09:32:08 [ERROR] [org.jboss.security.plugins.JaasSecurityDomain] - Initialization failed Security:service=JaasSecurityDomain,domain=TomcatSSL
                  java.security.NoSuchAlgorithmException: Algorithm SunX509 not available
                  at com.sun.net.ssl.SunJSSE_b.a(DashoA6275)
                  at com.sun.net.ssl.KeyManagerFactory.getInstance(DashoA6275)
                  at org.jboss.security.plugins.JaasSecurityDomain.createService(JaasSecurityDomain.java:383)
                  at org.jboss.system.ServiceMBeanSupport.jbossInternalCreate(ServiceMBeanSupport.java:237)
                  at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:219)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  ...

                  17 Nov 2005 09:32:27 [ERROR] [org.apache.coyote.http11.Http11Protocol] - Error initializing endpoint
                  java.io.IOException: Algorithm SunX509 not available
                  at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:127)
                  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
                  at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
                  at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:137)
                  at org.apache.coyote.tomcat5.CoyoteConnector.initialize(CoyoteConnector.java:1429)
                  at org.jboss.web.tomcat.tc5.StandardService.initialize(StandardService.java:612)
                  at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2384)
                  at org.apache.catalina.startup.Catalina.load(Catalina.java:507)
                  at org.apache.catalina.startup.Catalina.start(Catalina.java:548)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
                  ...

                  Now, I've taken the time to be as clear as I possibly can. If I've left out something you would like to have posted, just ask and I'll make it available. Basically telling users that they don't have a clue what they are doing doesn't help anyone. I would appreciate it if someone could provide a thorough explanation of what I should try to resolve this issue.

                  -- tale


                  • 7. Re: How to use IBMJSSE2 with JBoss?
                    Trey Ethridge Newbie

                    Ok, I've made a little progress. I've figured out how to enable HTTPS inside JBoss, but I still have problems when I try to configure the JaasSecurityDomain.

                    If you just want to enable HTTPS, you need to add the algorithm parameter to server.xml so that it looks like this:

                    <Connector port="8443" minProcessors="5" maxProcessors="200"
                     enableLookups="true" disableUploadTimeout="true"
                     keystoreFile="${jboss.server.home.dir}/conf/.keystore"
                     keystorePass="changeit" algorithm="IbmX509"
                     acceptCount="200" debug="0" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />
                    


                    To verify this works, I temporarily deleted the mbean section of jboss-service.xml that was added for JaasSecurityDomain and I switched JaasSecurityManagerService back to using JaasSecurityManager. I restarted JBoss and it started without errors. I was able to navigate to https://localhost:8443 without problems.

                    Now I want to add JaasSecurityDomain back into my configuration, but when I do, I get the SunX509 algorithm not available again. I'm a little confused as to why all the tutorials say this is necessary. Can somebody explain what functionality won't be secure if I leave this out?

                    Also, since I'm sure I need to enable the JaasSecurityDomain, can somebody tell me how I can specify the proper algorithm for the JaasSecurityDomain to use?

                    By the way, I do have the default algorithms set to use IbmX509 in java.security, so that doesn't fix this issue.
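
The thread's errors come down to one thing: the Tomcat 5.0 connector and the JBoss 3.2.6 JaasSecurityDomain ask for a KeyManagerFactory by the provider-specific name "SunX509", and IBM's JSSE2 registers the same service as "IbmX509". The probe below is an added example, not JBoss or Tomcat code, that makes this visible on whatever JVM it is run on: it prints the provider order from java.security with the KeyManagerFactory algorithms each provider registers, then tries the two names from the thread plus the JVM default (which javax.net.ssl.KeyManagerFactory reads from the ssl.KeyManagerFactory.algorithm property, the setting post 7 mentions). The class name KmfProbe, the candidate list and the empty in-memory key store are assumptions made for the example; a real connector would load the server's own key store.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Iterator;
import java.util.TreeSet;
import javax.net.ssl.KeyManagerFactory;

/*
 * Added example, not JBoss or Tomcat code. Shows why a hard-coded
 * algorithm name such as "SunX509" fails on a non-Sun JVM, and the
 * provider-neutral way to pick a KeyManagerFactory. Written against
 * the Java 1.4 API (no generics) so it compiles on the JVM in the thread.
 */
public class KmfProbe {

    private static final String KMF_PREFIX = "KeyManagerFactory.";

    // Collect the KeyManagerFactory algorithms a provider registers.
    // Provider keys look like "KeyManagerFactory.IbmX509"; keys containing
    // a space are attribute entries and aliases start with "Alg.Alias.",
    // so both are skipped.
    static TreeSet kmfAlgorithms(Provider p) {
        TreeSet algs = new TreeSet();
        for (Iterator it = p.keySet().iterator(); it.hasNext();) {
            String key = (String) it.next();
            if (key.startsWith(KMF_PREFIX) && key.indexOf(' ') < 0) {
                algs.add(key.substring(KMF_PREFIX.length()));
            }
        }
        return algs;
    }

    // Print the provider order and what each one can supply. On the IBM JVM
    // from the thread this lists IbmX509 under IBMJSSE2; SunX509 only shows
    // up if the Sun JSSE provider is installed and registered in java.security.
    static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.println("security.provider." + (i + 1) + " = "
                + p.getName() + " " + p.getVersion()
                + "  KeyManagerFactory: " + kmfAlgorithms(p));
        }
    }

    // Mirror of what JSSE14SocketFactory.init does: resolve the algorithm,
    // then initialise the factory from a key store. An empty algorithm means
    // "use the JVM default", which javax.net.ssl.KeyManagerFactory takes from
    // the ssl.KeyManagerFactory.algorithm property in java.security.
    // The method fails closed with a message that names the alternatives
    // instead of silently picking whatever provider happens to be installed.
    static KeyManagerFactory openKeyManagerFactory(String configuredAlgorithm,
            KeyStore keyStore, char[] keyPassword) throws Exception {
        String algorithm = (configuredAlgorithm == null || configuredAlgorithm.length() == 0)
            ? KeyManagerFactory.getDefaultAlgorithm()
            : configuredAlgorithm;
        KeyManagerFactory kmf;
        try {
            kmf = KeyManagerFactory.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            TreeSet available = new TreeSet();
            Provider[] providers = Security.getProviders();
            for (int i = 0; i < providers.length; i++) {
                available.addAll(kmfAlgorithms(providers[i]));
            }
            throw new NoSuchAlgorithmException("KeyManagerFactory algorithm '"
                + algorithm + "' not available; installed providers offer "
                + available + "; set the connector's algorithm attribute or "
                + "ssl.KeyManagerFactory.algorithm in java.security accordingly");
        }
        kmf.init(keyStore, keyPassword);
        System.out.println("KeyManagerFactory " + algorithm + " from provider "
            + kmf.getProvider().getName());
        return kmf;
    }

    public static void main(String[] args) throws Exception {
        listProviders();

        // Constructed, empty key store so the probe runs without the
        // thread's conf/.keystore file; real use loads the server key store.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        char[] pass = "changeit".toCharArray();

        // Names tried in the order the thread tried them: the Sun name that
        // Tomcat 5.0 defaults to, the IBM name from post 7, and "" for the
        // JVM default. Expect SunX509 to fail on a pure IBM JVM.
        String[] candidates = { "SunX509", "IbmX509", "" };
        for (int i = 0; i < candidates.length; i++) {
            try {
                openKeyManagerFactory(candidates[i], ks, pass);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("FAILED: " + e.getMessage());
            }
        }
    }
}
```

Run it with the JVM that will run JBoss (java KmfProbe); the provider listing tells you which name to put in the connector's algorithm attribute, and the third candidate shows whether the java.security default is being honoured. Note that the probe uses javax.net.ssl.KeyManagerFactory; the JaasSecurityDomain trace in post 6 goes through the older com.sun.net.ssl.KeyManagerFactory, whose hard-coded "SunX509" cannot be overridden from java.security, which is why the connector fix from post 7 does not carry over to it.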

                    • 8. Re: How to use IBMJSSE2 with JBoss?
                      Andy Brook Newbie

                      Hey thanks, you just made my day, looks like it was a 'jboss question' after all :)

                      I added the algorithm key to my config and my setup works now, I'm looking into M$ AD LDAP auth, but have had basic file config working for a webapp, perhaps I can help.

                      I'm on AMD64 not AIX but I am using the IBM vm so perhaps I can help.
                      I have IBM VM 1.5.0_05-b05, just downloaded jboss-4.0.3SP1 which included some files necessary for the securing of the JMX-console.

                      Getting the JMX console secured is pretty much following the wiki, did you try this as a proof?

                      The deploy/jmx-console/WEB-INF/jboss-web.xml identifies the security domain as 'jmx-console' which gets listed in the server/conf/login-config.xml. The default login module for the jmx-console is the UsersRolesLogin Module. If you get this far then reworking the content of the login-module or writing your own should be straight forward.

                      Cheers