2 Replies Latest reply on Jan 29, 2009 5:59 PM by Anu Didi

    Configuring JBoss (4.2.1) SSL

    Caine Horr Newbie

      OK - so I have a bit of a conundrum...

      The organization I work for is attempting to get JBoss running with SSL.

      We have purchased a GoDaddy Turbo SSL cert. The problem is this... GoDaddy doesn't have a cert specific for JBoss. They do however support Apache and Tomcat. I optend for "Other" as JBoss wasn't listed. I do realize however this may not have been the wisest choice.

      I have been reviewing the JBoss wiki located at http://wiki.jboss.org/wiki/SSLSetup;jsessionid=648378AE78137D63E6CE8DA1B7A1DE56

      It seems to be heavily geared towards JBoss-3.2.3/Tomcat-4.1.x with anecdotal references to JBoss-4.2.1.

      Anyway... I am hoping that I am on the right tract. Maybe somebody can steer me in the right direction...

      Our implementation is somewhat non-standard. But the directory structure is basically unchanged.

      Here are the steps I've taken thus far:

      1.) Generate the keystore file using Sun JAVA 1.4.2_15

      M:\java\j2sdk1.4.2_15\bin\keytool.exe -genkey -alias jboss-ssl - keyalg RSA -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -validity 3650


      NOTE: rel500-qa is the name of the site in question.

      2.) Generate the CSR

      M:\java\j2sdk1.4.2_15\bin\keytool.exe -certreq -alias jboss-ssl -keyalg RSA -file M:\clients\rel500-qa\SSL\rel500-qa.csr -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore


      3.) Submit the CSR to GoDaddy and receive a Turbo SSL Cert

      4.) According to GoDaddy, it was recommended that I include GoDaddy's "Cross-Intermediate and Intermediate certs."

      a.)
      M:\java\j2sdk1.4.2_15\bin\keytool.exe -import -alias cross -keystore rel500-qa.keystore -trustcacerts -file M:\clients\rel500-qa\SSL\gd_cross_intermediate.cer


      b.)
      M:\java\j2sdk1.4.2_15\bin\keytool.exe -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -import -alias inter -file M:\clients\rel500-qa\SSL\gd_intermediate.cer.


      5.) Import the GoDaddy assigned cert

      M:\java\j2sdk1.4.2_15\bin\keytool.exe -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -keyalg "RSA" -import -trustcacerts -file M:\clients\rel500-qa\SSL\rel500-qa.domain-name.crt


      I now have a fully populated keystore file.

      When I test the keystore for PKCS12 validity, it fails...

      M:\clients\rel500-qa\SSL>M:\java\j2sdk1.4.2_15\bin\keytool.exe -list -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -storetype PKCS12
      keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.


      That is my first hurdle...

      After that is resolved, my next hurdle is WHERE should the keystore file reside?

      From the wiki, I am thinking it belongs in /conf/rel500-qa.keystore

      Additionally, I am thinking that according to the wiki, I need to modify deploy/jboss-web.deployer/server.xml however, the formatting is considerably different than that for JBoss-3.2.3/Tomcat-4.1.x and I am wondering how it should look. Can I still use the following configration data:

      keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="tc-ssl"
       protocol = "TLS"/>


      If so, how should it look? I am thinking something like this, but I'm not entirely sure...

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
       This connector uses the JSSE configuration, when using APR, the
       connector should be using the OpenSSL style configuration
       described in the APR documentation -->
      
       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       clientAuth="false" sslProtocol="TLS" />


      Any assistance would be greatly appreciated - thanks.

      Caine