
Saturday, June 16, 2012

Configuring HTTPS on JBoss

Note: We assume here that JBoss 6.1 and JDK 1.6.0_27 are installed on the D: drive and that the server is running on port 8080.

Step: 1. Creating the keystore and private key

  • Open a command prompt with "Run as administrator".
  • Change directory to D:\jdk1.6.0_27\bin
  • Enter the command below, replacing <changeit> with a password of your choice. (The JDK 6 keytool generates a 1024-bit RSA key by default; add -keysize 2048 if you want a stronger key.)

keytool -genkey -alias jbosskey -keypass <changeit> -keyalg RSA -validity 365 -keystore server.keystore

(Eg: keytool -genkey -alias jbosskey -keypass password -keyalg RSA -validity 365 -keystore server.keystore)


  • Hit enter.
  • Enter the keystore password. Use the same password you gave as -keypass in the first command: the JBoss connector configured in Step 2 supplies only one password (keystorePass), which is used for both the keystore and the key.
  • Retype the same password.
  • What is your first and last name?
    Enter the DNS name of your JBoss server (the host name clients will use in the URL), or an alias name of your choice.
  • Enter the organizational unit name.
  • Enter the organization name.
  • Enter your city name.
  • Enter the state name.
  • Enter the country code.
  • Enter Y to confirm.


  • You will see "server.keystore" inside D:\jdk1.6.0_27\bin
  • Enter the command below to verify the keystore.
    keytool -list -keystore server.keystore
  • Enter the password.
  • The keystore listing should show one entry, jbosskey.

Generating and storing the self-signed certificate

Note: replace <changeit> with the "server.keystore" password you chose when creating "server.keystore".

  • Enter the following command.

keytool -export -alias jbosskey -keypass <changeit> -file server.crt -keystore server.keystore

Eg: keytool -export -alias jbosskey -keypass password -file server.crt -keystore server.keystore


  • You will see “server.crt” inside D:\jdk1.6.0_27\bin

Note: replace <changeit> with the "server.keystore" password you chose when creating "server.keystore".

  • Enter the following command.

keytool -import -alias jbosscert -keypass <changeit> -file server.crt -keystore server.keystore

Eg: keytool -import -alias jbosscert -keypass password -file server.crt -keystore server.keystore

Note: You will receive a warning that the certificate already exists in the keystore. Confirm that you still want to add it and continue: Java expects separate keystore and truststore files, and here a single file serves as both.


  • Enter the command below to verify the keystore.
    keytool -list -keystore server.keystore
  • Enter the password.
  • The listing should now contain a TrustedCertEntry named jbosscert in addition to jbosskey.


  • Copy “server.keystore” from D:\jdk1.6.0_27\bin to D:\jboss6.1\server\default\conf\ folder.

Step: 2. Enable HTTPS for JBoss

  • Edit the server.xml file in the D:\jboss6.1\server\default\deploy\jbossweb.sar folder with a text editor (Notepad++ recommended).
  • Search for "SSL/TLS Connector"; the block looks like this:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="${jboss.web.https.port}" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
           keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->

  • Uncomment the connector: cut the closing --> and paste it at the end of the first (comment) line, as shown below, then change the port, the keystoreFile and the keystorePass. keystorePass is the password you used when creating the keystore; because it is stored in clear text, restrict read access to server.xml to the account that runs JBoss.

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="password" sslProtocol="TLS" />

Step: 3. Enable redirection from HTTP to HTTPS on JBoss

  • Edit the same server.xml file in the D:\jboss6.1\server\default\deploy\jbossweb.sar folder with a text editor (Notepad++ recommended).
  • Search for "A HTTP/1.1 Connector on port 8080"; the connector looks like this:

<Connector protocol="HTTP/1.1" port="${jboss.web.http.port}" address="${jboss.bind.address}"
           redirectPort="${jboss.web.https.port}" />

  • Edit the connector so that the HTTP port is 8080 and redirectPort is the HTTPS port from Step 2:

<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
           redirectPort="443" />

  • Edit the web.xml file in the D:\jboss6.1\server\default\deploy\jbossweb.sar folder with a text editor (Notepad++ recommended).
  • Add the following block at the bottom of the file, just before </web-app>, as shown below. The transport-guarantee of CONFIDENTIAL on /* is what makes JBoss answer plain HTTP requests with a redirect to the redirectPort.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

</web-app>

  • Restart the JBoss server. The configuration of the server for SSL with HTTP-to-HTTPS redirection is complete.
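The three edits above (HTTPS connector, redirectPort on the HTTP connector, CONFIDENTIAL constraint in web.xml) are easy to get subtly wrong. The script below is an added example, not part of the original post and not JBoss tooling: it parses server.xml and web.xml with the Python standard library and reports the mistakes a reviewer would look for, including a redirectPort that does not match any HTTPS connector and a keystorePass left at a well-known sample value. The script name and the embedded sample documents are constructed for this example.

```python
"""Added example (not from the post or JBoss): check the server.xml and
web.xml edits from Steps 2 and 3.

Usage against a real installation (paths are the ones assumed by the post):
    python check_jbossweb.py D:\\jboss6.1\\server\\default\\deploy\\jbossweb.sar\\server.xml ^
                             D:\\jboss6.1\\server\\default\\deploy\\jbossweb.sar\\web.xml
Run without arguments it checks the constructed samples below.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors as edited in Steps 2 and 3.
SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
               redirectPort="443" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="password" sslProtocol="TLS" />
  </Service>
</Server>"""

# Constructed sample: the security-constraint added to web.xml in Step 3
# (with the namespace a real web.xml declares).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Passwords that appear in shipped sample configurations and in tutorials.
WELL_KNOWN_PASSWORDS = {"rmi+ssl", "changeit", "password"}


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All elements under (and including) root whose local tag name is `name`."""
    return [el for el in root.iter() if _local(el.tag) == name]


def check_server_xml(xml_text):
    """Return a list of findings about the HTTP and HTTPS connectors (empty = OK)."""
    findings = []
    connectors = _find_all(ET.fromstring(xml_text), "Connector")
    https = [c for c in connectors if c.get("SSLEnabled") == "true"]
    plain = [c for c in connectors if c.get("SSLEnabled") != "true"]
    if not https:
        return ["no connector has SSLEnabled=\"true\"; the Step 2 block is still commented out"]
    for c in https:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("HTTPS connector on port %s lacks scheme=\"https\" / secure=\"true\"" % c.get("port"))
        if "chap8.keystore" in c.get("keystoreFile", ""):
            findings.append("HTTPS connector still points at the sample keystore chap8.keystore")
        if c.get("keystorePass", "") in WELL_KNOWN_PASSWORDS:
            findings.append("keystorePass is a well-known sample value; choose a unique one "
                            "and restrict read access to server.xml")
    https_ports = {c.get("port") for c in https}
    for c in plain:
        if c.get("redirectPort") not in https_ports:
            findings.append("HTTP connector on port %s has redirectPort=%r, which is not an HTTPS connector port"
                            % (c.get("port"), c.get("redirectPort")))
    return findings


def web_xml_forces_https(xml_text):
    """True when some security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    for sc in _find_all(ET.fromstring(xml_text), "security-constraint"):
        patterns = {(p.text or "").strip() for p in _find_all(sc, "url-pattern")}
        guarantees = {(g.text or "").strip() for g in _find_all(sc, "transport-guarantee")}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def main(argv):
    if len(argv) == 3:
        server_xml, web_xml = open(argv[1]).read(), open(argv[2]).read()
    else:
        server_xml, web_xml = SERVER_XML, WEB_XML
    for finding in check_server_xml(server_xml):
        print("server.xml:", finding)
    if not web_xml_forces_https(web_xml):
        print("web.xml: no CONFIDENTIAL constraint on /*; HTTP requests will not be redirected")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the constructed samples, the only finding is the keystorePass of "password" copied from the post's example; swapping redirectPort to a port with no HTTPS connector, or leaving the Step 2 block commented out, produces the corresponding finding.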

Installing a Certificate from a Certificate Authority

To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com or trustcenter.de), read the previous section and then follow these instructions:

Create a local Certificate Signing Request (CSR)

In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so-called Certificate Signing Request (CSR). The Certificate Authority uses that CSR to create a Certificate that identifies your website as "secure". To create a CSR follow these steps:

  • Create a local Certificate (as described in the previous section):
    keytool -genkey -alias tomcat -keyalg RSA \
        -keystore <your_keystore_filename>

Note: In some cases you will have to enter the domain of your website (e.g. www.myside.org) in the "first and last name" field in order to create a working Certificate.


  • The CSR is then created with:
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
        -keystore <your_keystore_filename>

Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.

Importing the Certificate

Now that you have your Certificate you can import it into your local keystore. First of all you have to import a so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.


  • Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
    For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
    For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
    For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
    For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
  • Import the Chain Certificate into your keystore:
    keytool -import -alias root -keystore <your_keystore_filename> \
        -trustcacerts -file <filename_of_the_chain_certificate>

  • And finally import your new Certificate:
    keytool -import -alias tomcat -keystore <your_keystore_filename> \
        -file <your_certificate_filename>
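Whether the keystore holds the self-signed pair from Step 1 or a CA-issued certificate imported as above, the listing printed by keytool -list -v is the place to confirm the result and to catch the common mistakes: a self-signed server key still serving production, a certificate stored without the chain (chain certificate not imported first), a chain whose links do not match, and an approaching expiry. The script below is an added example, not part of the original post and not JDK tooling: it parses that listing with regular expressions and reports those conditions. The script name, the sample listing (laid out like JDK 6 output for the Step 1 keystore, with serial numbers as placeholders and fingerprint lines omitted) and the example distinguished names are constructed for this example.

```python
"""Added example (not from the post or the JDK): audit a `keytool -list -v` listing.

    keytool -list -v -keystore server.keystore > listing.txt
    python check_listing.py listing.txt        (script name is an assumption)
Without an argument it audits the constructed sample below.
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the JDK 6 `keytool -list -v` layout for the keystore
# built in Step 1: private key jbosskey plus the re-imported jbosscert.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: jbosscert
Creation date: Jun 16, 2012
Entry type: trustedCertEntry

Owner: CN=jboss.example.test, OU=IT, O=Example, L=Pune, ST=MH, C=IN
Issuer: CN=jboss.example.test, OU=IT, O=Example, L=Pune, ST=MH, C=IN
Serial number: 4fdc0a1b
Valid from: Sat Jun 16 10:00:00 IST 2012 until: Sun Jun 16 10:00:00 IST 2013


*******************************************
*******************************************


Alias name: jbosskey
Creation date: Jun 16, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jboss.example.test, OU=IT, O=Example, L=Pune, ST=MH, C=IN
Issuer: CN=jboss.example.test, OU=IT, O=Example, L=Pune, ST=MH, C=IN
Serial number: 4fdc0a1b
Valid from: Sat Jun 16 10:00:00 IST 2012 until: Sun Jun 16 10:00:00 IST 2013
"""

# Validity line: weekday, month day, time, zone, year, twice. Time and zone are ignored.
VALID_RE = re.compile(r"Valid from: \w{3} (\w{3} \d{1,2}) \d\d:\d\d:\d\d \S+ (\d{4})"
                      r" until: \w{3} (\w{3} \d{1,2}) \d\d:\d\d:\d\d \S+ (\d{4})")


def parse_listing(text):
    """Split the listing into entries, each with its certificate chain in listed order."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias = block.splitlines()[0].strip()
        kind = re.search(r"Entry type: (\w+)", block)
        owners = re.findall(r"(?m)^Owner: (.*)$", block)
        issuers = re.findall(r"(?m)^Issuer: (.*)$", block)
        certs = []
        for owner, issuer, (fm, fy, tm, ty) in zip(owners, issuers, VALID_RE.findall(block)):
            certs.append({"owner": owner.strip(), "issuer": issuer.strip(),
                          "not_before": datetime.strptime(fm + " " + fy, "%b %d %Y"),
                          "not_after": datetime.strptime(tm + " " + ty, "%b %d %Y")})
        entries.append({"alias": alias, "type": kind.group(1) if kind else "unknown", "certs": certs})
    return entries


def check_entries(entries, today, warn_days=30):
    """Findings for the parsed entries, judged as of `today` (a datetime)."""
    findings = []
    for e in entries:
        if not e["certs"]:
            findings.append("%s: no certificate found in entry" % e["alias"])
            continue
        leaf = e["certs"][0]
        if e["type"].lower() == "privatekeyentry":
            if leaf["owner"] == leaf["issuer"]:
                findings.append("%s: server certificate is self-signed; browsers will warn "
                                "until a CA-issued certificate is imported" % e["alias"])
            elif len(e["certs"]) == 1:
                findings.append("%s: CA-issued certificate stored without its chain; "
                                "import the chain certificate first" % e["alias"])
        # Each certificate's issuer must be the owner of the next one up the chain.
        for lower, upper in zip(e["certs"], e["certs"][1:]):
            if lower["issuer"] != upper["owner"]:
                findings.append("%s: chain broken between '%s' and '%s'"
                                % (e["alias"], lower["owner"], upper["owner"]))
        if today > leaf["not_after"]:
            findings.append("%s: EXPIRED on %s" % (e["alias"], leaf["not_after"].date()))
        elif leaf["not_after"] - today <= timedelta(days=warn_days):
            findings.append("%s: expires in %d days (%s)"
                            % (e["alias"], (leaf["not_after"] - today).days, leaf["not_after"].date()))
    return findings


def audit(text, today_iso=None):
    """Parse and check a listing; `today_iso` ("YYYY-MM-DD") defaults to the current date."""
    today = datetime.strptime(today_iso, "%Y-%m-%d") if today_iso else datetime.today()
    return check_entries(parse_listing(text), today)


if __name__ == "__main__":
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for finding in audit(listing):
        print(finding)
```

Run on the sample as of June 2012 the only finding is that jbosskey is self-signed; run in early June 2013 both entries are also reported as expiring within 30 days, which is the check worth scheduling once the one-year certificate from Step 1 is in use.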
