Enabling SSL on JBoss 4.2.0

One of the prerequisites for installing and configuring CAS (Central Authentication Service), a popular open-source Single Sign-On solution, is to enable SSL on the web container. This can actually be quite painful, especially for developers who prefer to focus on implementation details rather than on infrastructure (that would be me 😉 ).

In this post I present the steps required to enable SSL support in JBoss 4.2.0. JSSE is required (it is bundled with JDK 1.4 or higher).

Little tip: when prompted, use changeit as the password, since it is the default keystore password.

Delete existing certificates

This step is not strictly required, but it helps to get rid of previously created certificates (in case you have been playing around with the keystore). Run the following commands:

keytool -delete -alias localhost
keytool -delete -alias localhost -keystore "C:/Program Files/Java/jdk1.5.0_14/jre/lib/security/cacerts"

The first command removes the certificate with alias localhost from the user keystore; the second deletes it from the system trusted certificate store.

The cacerts file is basically the system keystore that stores the CA (Certification Authority) certificates; it can be found at ${java.home}/jre/lib/security/cacerts.

Generate certificate

The certificate can now be generated by running:

keytool -genkey -alias localhost -keyalg RSA

The certificate is generated and added to the keystore under the alias localhost; RSA is the recommended algorithm for generating the key pair.

Export certificate to a file

The certificate is exported with:

keytool -export -alias localhost -file localhost.cer

The certificate with alias localhost is retrieved from the keystore and stored in the localhost.cer file.

Import certificate into trusted Cert repository

keytool -import -file localhost.cer -keypass changeit -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

The certificate stored in the localhost.cer file is imported into the system keystore and added to the list of trusted certificates.

The following command lists the content of the keystore (it will prompt for the password):

keytool -list

JBoss Configuration

Finally, edit the embedded Tomcat server.xml, which in JBoss 4.2.0 can be found at

${JBoss.home}\server\default\jboss-web.deployer\server.xml

and add the SSL Connector:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystorePass="changeit"
keyAlias="localhost"
clientAuth="false" sslProtocol="TLS" />

Now your JBoss container should be able to serve over SSL: https://localhost
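As an added example (not from the original post), a small Python audit of the SSL Connector settings used above: the server.xml sample is constructed from the post's connector, and the check on keystorePass flags the default changeit password that the tip at the top of the post relies on.

```python
"""Audit the SSL-enabled <Connector> elements in a JBoss/Tomcat server.xml.

Added example, not code from the original post. It checks the attributes the
post's Connector uses and flags the default keystore password 'changeit'.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the post's Connector, wrapped in the parent elements a
# real server.xml has (heavily shortened), plus the default plain HTTP one.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystorePass="changeit"
               keyAlias="localhost"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>"""

DEFAULT_KEYSTORE_PASSWORD = "changeit"  # Java's default, as the post notes


def audit_ssl_connectors(server_xml: str) -> list:
    """Return a list of findings (strings) for every SSL-enabled Connector."""
    findings = []
    root = ET.fromstring(server_xml)
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "false").lower() == "true"]
    if not ssl_connectors:
        return ["no SSL-enabled Connector found: HTTPS is not configured"]
    for c in ssl_connectors:
        tag = f"Connector port={c.get('port', '?')}"
        # scheme/secure tell the servlet API that requests arrived over TLS
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"{tag}: scheme/secure must be https/true")
        # the post uses the default password; change it before going live
        if c.get("keystorePass") == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"{tag}: keystorePass is the default 'changeit'")
        # without keyAlias the first key in the keystore is served
        if c.get("keyAlias") is None:
            findings.append(f"{tag}: keyAlias not set")
        if c.get("sslProtocol", "TLS").upper() != "TLS":
            findings.append(f"{tag}: sslProtocol should be TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```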

Tips

  • The user keystore is called .keystore and is located in ${user.home}. It is created the first time keytool -genkey is run against a keystore that doesn't exist (so it can simply be removed if you need to re-create it from scratch).
  • Create the certificate using cn=localhost as in my examples: the CN field normally holds the host name of the server.

Resources

Sun’s keytool reference

SSL for Tomcat 5.5
