Using SSL

  Asked By: Hondo    Date: Oct 07    Category: Java    Views: 771
  

As I'm developing a Webapp, I need to use SSL on JBoss in localhost for experimental purposes. It seems like I will need a certificate to install, which should be bought from Verisign or....
Is there a way to configure JBoss so that we can implement and test a Webapp in localhost as the real one?


3 Answers Found

 
Answer #1    Answered By: Dustin Dean     Answered On: Oct 07

Step 1)
First of all, we are going to make a keystore. This is the place where we are going to store the keys on the server side. We will use the Java tool keytool for this. The algorithm used here is RSA.

At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

Fill in all the information that is asked.
A keystore with the name name.keystore is generated.

Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like Verisign or Thawte.

keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR file name>.csr

Enter the keystore password.
A < CSR file name>.csr file is generated.

If you are getting the CSR signed by a certifying authority, then skip the next step.

Step 3)
If you are going to sign the CSR yourself using, for example, OpenSSL, then the steps are:

(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure there to install OpenSSL.)
To Sign the certificate:
Make a new directory:

cd /usr/local/
mkdir newCA

Copy openssl.cnf and CA.sh from the OpenSSL apps directory to your new directory (newCA):
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/

Edit your new copy of openssl.cnf and CA.sh:
In openssl.cnf, set the dir variable to the current directory:
dir = . # ("." specifies the current directory where everything is kept)
In CA.sh, set the CATOP variable to the current directory:
CATOP=. # ("." specifies the current directory where everything is kept)

Create the certificates for the Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
./CA.sh -newca
ls -l



Send the < CSR file name>.csr file to the Certification Authority and create the server certificate:

cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the machine acting as CA.
cd /usr/local/newCA

Create the certificate

openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

Optionally convert the CA certificate (cacert.pem) from PEM encoding to DER for distributing to clients:

openssl x509 -inform pem -in cacert.pem -outform der -out cacert.der

We receive two files: cacert.der, containing the CA's public key, and <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):

Step 4)
keytool -import -alias rootca -trustcacerts -file cacert.der -keystore ./name.keystore
(the CA certificate gets its own alias, otherwise keytool treats it as a reply for the key pair)

Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore
(the signed certificate must be imported under the same alias as the key pair generated in step 1)


Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check that com.sun.net.ssl.internal.ssl.Provider is in the list of providers:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider


And we have to add the jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME/jre/lib/ext folder and set the class path to the same.

Tomcat over SSL (HTTPS)
If we have Tomcat running as a JBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as the SecurityManagerClassName instead of JaasSecurityManager, so we need to change this in the file:

<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">
    org.jboss.security.plugins.JaasSecurityDomain
  </attribute>
</mbean>

2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the lines below after the paragraph mentioned above in jboss-service.xml:

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
  <depends>jboss.security:service=JaasSecurityManager</depends>
  <constructor>
    <arg type="java.lang.String" value="TomcatSSL" />
  </constructor>
  <attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
  <attribute name="KeyStorePass">put your name.keystore password here</attribute>
</mbean>

3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: we remove the Connector that listens on port 8080 and replace it with one that listens on port 8443.

Add the following lines:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           keystoreFile="put the path to your name.keystore file here"
           keystorePass="put your name.keystore password here"
           clientAuth="false" protocol="TLS"/>
</Connector>

After:

<!-- A HTTP Connector on port 8080 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8080" minProcessors="3" maxProcessors="10" enableLookups="true"
           acceptCount="10" debug="0" connectionTimeout="60000"/>

 
Answer #2    Answered By: Ruairidh Anderson     Answered On: Oct 07

Thank you very much for your practical instructions, but I stopped at step 3 because I'm using Windows XP as my testing platform. Is there any other way to follow the rest of the procedure as I should?

 
Answer #3    Answered By: Jay Richards     Answered On: Oct 07

Follow these 3 steps:

1) Generate keys with keytool
# Using the JDK's keytool program (you find it in the bin directory under java_home), create an encryption key named tomcat and store it in a keystore named training.keystore. Enter the password training when prompted:

keytool -genkey -alias tomcat -keyalg RSA -keystore training.keystore -validity 3650

# The password can be changed later, if necessary:

keytool -keypasswd -alias tomcat -keystore .\training.keystore -keypass training -new JBtraining

Move the created file training.keystore to jboss-4.0.x/server/default/conf.

2) Enable HTTPS support in JBoss
# You need to edit the Tomcat configuration to enable HTTPS within Tomcat. This file is in jboss-4.0.x/server/default/deploy/jbossweb-tomcat50.sar/server.xml
# Uncomment the SSL/TLS connector section within this XML file.
# Change the keystoreFile attribute of the connector to point to the location of the keystore file you created (training.keystore).
# The keystorePass attribute must be the same password you used to create the keystore (training).

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/training.keystore"
           keystorePass="training" sslProtocol="TLS" />

3) Test your HTTPS setup
Test your HTTPS setup by connecting to the JBoss default servlet via an encrypted channel: https://localhost:8443
Now you should get a question whether you accept the key. If you don't want clients to get that question, you must buy a key from a certified provider.
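The self-signed CA procedure in Answer #1 (Step 3) and the "accept the key?" prompt at the end of Answer #3 can both be handled with one throwaway local CA, without buying anything. The script below is an added example and is not code from any of the posters: it builds a CA and a server certificate for localhost with openssl alone, puts a subjectAltName on the server certificate (the plain openssl x509 -req step in Answer #1 issues a certificate without one, which current browsers and Java clients reject even though the chain verifies), checks the chain and the hostname the way a client does, and exports key plus chain as a PKCS#12 file that a JSSE connector can load with keystoreType="PKCS12" in place of the keytool import steps. The file names, key size, validity, the CA name "Local Test CA" and the password changeit are assumptions for this example, as is an OpenSSL new enough to have openssl verify -verify_hostname (1.1.x or later).

```shell
#!/bin/sh
# Added example (not from the forum answers): a throwaway local CA for
# testing, built with openssl only. All names, sizes, validity and the
# password "changeit" are assumptions for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for every file below

make_ca() {
    # openssl req needs a distinguished_name section; ship our own config
    # instead of depending on the system openssl.cnf being present.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_csr() {
    cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
}

sign_server_cert() {
    # "openssl x509 -req" does not copy extensions from the CSR, so the SAN
    # must be supplied at signing time or the certificate ends up without it.
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" \
        -out "$WORK/servercert.pem" 2>/dev/null
}

export_pkcs12() {
    # Private key + server certificate + CA certificate under alias "tomcat".
    openssl pkcs12 -export \
        -inkey "$WORK/serverkey.pem" -in "$WORK/servercert.pem" \
        -certfile "$WORK/cacert.pem" -name tomcat \
        -passout pass:changeit -out "$WORK/server.p12"
}

# Chain check: prints OK when servercert.pem chains to cacert.pem.
verify_chain() {
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/servercert.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Hostname check, the second thing a client does after the chain check:
# OK for a name in the SAN, FAIL for any other name.
verify_host() {
    if openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
            "$WORK/servercert.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Number of certificates stored in the PKCS#12 file (server + CA = 2).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_ca
make_server_csr
sign_server_cert
export_pkcs12
echo "files in $WORK; chain=$(verify_chain) localhost=$(verify_host localhost) other=$(verify_host example.test)"
```

Run it on a machine with openssl in PATH; set WORK to choose where the files go. The server side gets server.p12 (keystorePass changeit, keystoreType="PKCS12") or, equivalently, serverkey.pem with servercert.pem. To stop the prompt from Answer #3 without buying a certificate, import cacert.pem into the client's trust store (the browser's, or Java's with keytool -import -trustcacerts) rather than clicking through; the private key cakey.pem stays on the machine acting as CA.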

 