Tuesday, January 20, 2015

config jboss to support https with a self signed certificate

This HOWTO walks you through the HTTPS configuration using a self-signed certificate on a JBoss server.
It was tested on JBoss EAP 4.3 but should work on other versions.  Tomcat users should refer to the excellent instructions contained in the CASDemo.  To install a certificate from a recognized certificate authority you will need to modify these steps slightly.

Self-signed certificate on JBoss:

  1. The instructions assume a virgin jBoss install.
  2. Identify the hostname of the computer hosting the server.  These instructions use myHostname.
  3. Identify the jBoss server type (all, default, production).  These instructions use default.
  4. jBoss recommends using the same file as both keystore and truststore.  This will be server.keystore.  In a virgin install there should be no server.keystore in the default/conf folder.  If you have one, you must decide whether to delete it (to use these instructions) or whether to adapt the instructions to suit your situation.
  5. Creating the keystore and private key:
    1. Open a command prompt or shell and go to the default/conf folder.
    2. keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore
    3. Answer the prompts.  Use myHostname when asked for first/last name.  This is critical.
    4. server.keystore is generated.
    5. keytool -list -keystore server.keystore
    6. You should see the PrivateKeyEntry named jbosskey in the listing.
  6. Generating and storing the certificate.
    1. keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore
    2. server.crt is generated.
    3. keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore
    4. You receive a warning that it already exists in the keystore.  Ignore it.  It is because Java expects separate keystore and truststore files and we are using only one.
    5. keytool -list -keystore server.keystore
    6. You should see a TrustedCertEntry named jbosscert in the listing.
  7. Ensure that you start the server with:
    1. -c default -b 0.0.0.0 -Djavax.net.ssl.trustStore="/server/default/conf/server.keystore"
    2. Where -c specifies your server type
    3. Where -b is required to use the server as anything but localhost: bind to the server name if you only have one network card, or to 0.0.0.0 if you have multiple network cards
    4. -Djavax.net.ssl.trustStore specifies the location of your truststore.
    5. In Windows you may place these parameters in a shortcut you use to execute run.bat.
    6. In Unix you may place them in your startup script.
    7. In Eclipse, RAD or any other Eclipse-derivative your best bet is to use the jBossTools plugin.
      1. Go to the jBossServer view
      2. Double-click on the server
      3. Verify that your hostname is set to myHostname
      4. Click OpenLaunchConfiguration
      5. Add the parameters above to the program arguments.
  8. Enable jBoss' Tomcat for HTTPS:
    1. Edit "/server/default/deploy/jboss-web.deployer/server.xml"
    2. Uncomment the section that begins with 
    3. At the end of the section (but still inside of it) add:
      1. keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
      2. keystorePass="changeit"
  9. Post-setup tests:
    1. All of these tests should succeed.  If they fail, you probably made a mistake in the previous steps.  Your browser will warn you about untrusted sites/certificates - this is OK, you are using a self-signed certificate. If you want to get rid of the warnings you must get a certificate from a certificate authority.
    2. Vanilla access to jBoss' home page:   _http://myHostname:8080_
    3. HTTPS access to jBoss' home page:  _https://myHostname:8443_
    4. Vanilla access to a non-CAS application:  _http://myHostname:8080/myApp_
    5. HTTPS access to a non-CAS application:  _https://myHostname:8443/myApp_
    6. Vanilla access to CAS:
      1. _http://myHostname:8080/login_
      2. _http://myHostname:8080/logout_
    7. Access a CAS-enabled application: 
      1. _http://myCAS-enabledApp_
      2. Unprotected pages should be accessible without going to CAS.
      3. You should be redirected to the CAS login the first time you access a protected page.  After the login you should reach the page.
      4. Subsequent accesses to protected pages should not redirect you to the CAS login unless you time out or close your browser.
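A scripted version of the HTTPS post-setup test, added here and not part of the original HOWTO.  It trusts only the server.crt exported in step 6.1 (DER, as keytool -export writes it) and reports whether the certificate jBoss presents has myHostname as its CN, which is why step 5.3 is critical.  The host, port and file path in the usage line are assumptions to adjust.

```python
"""Added check for the HTTPS step: verify the self-signed certificate jBoss serves."""
import socket
import ssl
from pathlib import Path


def subject_cn(peercert):
    # peercert is the dict from SSLSocket.getpeercert(): "subject" is a tuple of RDNs,
    # each RDN a tuple of (attribute, value) pairs
    for rdn in peercert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def cn_matches_host(cn, host):
    # exact match, or a single-label wildcard such as *.example.com (case-insensitive)
    if not cn:
        return False
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host


def is_self_signed(peercert):
    # a keytool -genkey certificate is issued by its own subject
    return peercert.get("subject") == peercert.get("issuer")


def check_jboss_https(host, port, der_cert_path, timeout=5.0):
    # PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED; no system CAs
    # are loaded, so the only certificate accepted is the exported server.crt itself
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # keytool -export writes DER unless -rfc is given; cadata=bytes means DER
    ctx.load_verify_locations(cadata=Path(der_cert_path).read_bytes())
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as exc:
        # CN does not match the hostname, or the presented cert is not server.crt
        return {"ok": False, "reason": "certificate rejected: " + str(exc.verify_message)}
    except OSError as exc:
        # closed port, DNS failure, or a handshake the old server cannot complete
        return {"ok": False, "reason": "connection failed: " + str(exc)}
    cn = subject_cn(cert)
    return {"ok": cn_matches_host(cn, host), "cn": cn,
            "self_signed": is_self_signed(cert), "protocol": protocol}


if __name__ == "__main__":
    # assumed values: adjust host, port and the path of the server.crt from step 6.1
    print(check_jboss_https("myHostname", 8443, "server/default/conf/server.crt"))
```

A JBoss EAP 4.3-era JVM may offer only TLS 1.0, which a current Python/OpenSSL build may refuse; that shows up as a connection failure rather than a certificate rejection, so read the reason before blaming the keystore.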

Certificate from a Certificate Authority (CA):
