[jbossts-issues] [JBoss JIRA] Commented: (JBTM-347) Make sure XTS works with HTTPS

[ https://jira.jboss.org/jira/browse/JBTM-347?page=com.atlassian.jira.plugi... ] Andrew Dinn commented on JBTM-347: ---------------------------------- Ok, so I have enabled use of https for all XTS messages when using the WS-TX 1.1 protocols. This requires enabling of the secure HTTP port in any JBoss AS which is running either an XTS client, an XST participannt (web service) or the XTS coordinator. It also requires setting up a keystore and truststore to allow secure communications using SSL. Secure communication is switched on by specifying an XTS coordinator URL with an https scheme. The usual XTS 1.1 coordinator endpoint address is http://<bindhost>:8080/ws-c11/ActivationService where <bindhost> is the bind address supplied as a parameter on the JBoss AS run.sh/run.bat command line using the -b flag (<bindhost> defaults to localhost if this parameter is not supplied). If the client is run in an AS which specifies the coordinator URL as https://<bindhost>:8443/ws-c11/ActivationService then the initial client<-->coordinator exchange at transaction begin and all subsequent XTS message exchanges between client<-->coordinator and participant (web service)<-->coordinator will employ https. The coordinator URL can be reset in a variety of ways and this fix has changed the behaviour slightly. One option is to set system properties, either for the whole URL org.jboss.jbossts.xts11.coordinator.url if unset then the components properties are tested for and used to construct a URL or, in case that is unset, by specifying individual components of the URL org.jboss.jbossts.xts11.coordinator.scheme value should be http/https and defaults to http org.jboss.jbossts.xts11.coordinator.host defaults to <bindhost> org.jboss.jbossts.xts11.coordinator.port defaults to jbossweb http port (normally 8080) if scheme is http and jbossweb secure http port (normally 8443) if scheme is https org.jboss.jbossts.xts11.coordinator.path defaults to ws-c11/ActivationService If none of these system properties is set then the URL is obtained from the value of property org.jboss.jbossts.xts11.coordinatorURL which is specified in property file wstx11.xml which can be found in config.jar in the deployed jbossxts.sar. Edits to this file take effect the next time the XTS service is deployed. n.b. just for the record because configuration was not straightforward in order to test this with client, participants and coordinator all located on localhost I had to create a keystore and truststore in the server conf directory and modify the jbossweb server.xml to enable the secure HTTPS port using SSL. The former was done by executing cd $JBOSS_HOME keytool -genkey -keystore server/default/conf/test.keystore -storepass test -keyalg RSA -keysize 1024 -validity 1000 -alias localhost -dname "CN=localhost" keytool -export -keystore server/default/conf/test.keystore -storepass test -alias localhost -file server/default/conf/localhost.cer keytool -import -keystore server/default/conf/wsse.truststore -storepass jbossws -trustcacerts -alias localhost -file server/default/conf/localhost.cer The latter was achieved by uncommenting the SSL secure port declaration in server/default/deploy/jbossweb.sar/server.xml and pointing it at the relevant store files: <!-- SSL/TLS Connector configuration using the admin devl guide keystore --> <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}" scheme="https" secure="true" clientAuth="false" truststoreFile="${jboss.server.home.dir}/conf/test.truststore" truststorePass="test" keystoreFile="${jboss.server.home.dir}/conf/test.keystore" keystorePass="test" sslProtocol = "TLS" /> <!-- --> When running the AS the following JAVA_OPTS settings were required to enable use of https in the coordinator URL point the remoting code at the relevant key and trust stores ensure that the client side of an XTS exchange did _not_ try to validate the hostname in the certificate returned form the XTS server side of the exchange. export JAVA_OPTS="-Dorg.jboss.jbossts.xts11.coordinator.scheme=https \ -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/default/conf/test.truststore \ -Djavax.net.ssl.trustStorePassword=test \ -Djavax.net.ssl.keyStore=$JBOSS_HOME/server/default/conf/test.keystore \ -Djavax.net.ssl.keyStorePassword=test \ -Dorg.jboss.security.ignoreHttpsHost=true" The last property (ignoreHttpsHost) was required because the entry for the loopback address 127.0.0.1 in /etc/hosts contained localhost.localdomain and localhost as aliases _in that order_. This meant that the wrong hostname was being used to verify the server certificate address/hostname. If localhost is placed before localhost.localdomain in /etc/hosts then the last property can be left undefined and the truststore check works ok. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira