[jboss-dev-forums] [PicketBox Development] - JBoss AS7: Configuring SSL on JBoss Web

Anil Saldhana do-not-reply at jboss.com
Wed Jan 18 13:49:33 EST 2012


Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the document:

"JBoss AS7: Configuring SSL on JBoss Web"

To view the document, visit: https://community.jboss.org/docs/DOC-17503

--------------------------------------------------------------
*Disclaimer:  Article is still in progress and is not definitive.*

There are 3 sets of connectors that one can configure with JBossWeb.
* AJP Connectors
* HTTP/HTTPS Connectors
* Native Connectors

*AJP Connectors* are primarily used to service requests coming from a web server such as Apache Httpd, with mod_jk, mod_cluster, etc. in between.
*HTTP/HTTPS Connectors* are the standard connectors that can service web requests directly.
*Native Connectors* use the APR subsystem and provide better performance.


In JBoss AS7, the web subsystem configuration is performed in the web module in standalone.xml or domain.xml.
h3. Important Points to remember:
1. The intention of the JBossWeb developers has been to unify the SSL configuration for all the connectors via the <ssl/> subelement.
2. When the native modules exist in JBoss AS (in the +lib+ folder of JBOSS_HOME/modules/org/jboss/as/web/main), the Native Connector settings come into play.

jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/web/main$ ls
jasper-jdt-7.0.3.Final.jar        jboss-as-web-7.1.0.Final-SNAPSHOT.jar        jbossweb-7.0.8.Final.jar        lib
jasper-jdt-7.0.3.Final.jar.index  jboss-as-web-7.1.0.Final-SNAPSHOT.jar.index  jbossweb-7.0.8.Final.jar.index  module.xml

anil at localhost:~jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/web/main$ ls lib/
linux-i686  linux-x86_64  macosx-i686  macosx-x86_64  win-i686  win-x86_64


As you can see, the native libraries for each OS architecture are available here.

*+===> If you do not want the native connector settings kicking in, you should remove the lib directory and its contents. <====+*


h3. Working With KeyStores

For SSL settings, we will need access to a keystore. 

If there is Client Certificate based authentication, then we will need to have access to a trust store also.

h3. Preferred KeyStores

For Native Connector settings, use the OpenSSL generated certificates and keys.
For the HTTPS Connector settings, you can use the Java Keytool generated keystore.


OpenSSL Generated Key and Certificate

Three steps are involved.

Step 1: 

$ openssl genrsa -des3 -out newkey.pem 1024
Generating RSA private key, 1024 bit long modulus
...........................................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for newkey.pem:
Verifying - Enter pass phrase for newkey.pem:

I used a pass phrase of "mykey"


Step 2:

$ openssl req -new -key newkey.pem -out server.csr
Enter pass phrase for newkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:IL
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:RedHat
Organizational Unit Name (eg, section) []:JBoss
Common Name (eg, your name or your server's hostname) []:Anil
Email Address []:anil at apache.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mykey
An optional company name []:
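
Steps 1 and 2 can be run without prompts and then checked before the CSR is sent for signing. The script below is an added example, not part of the original document: it assumes a 2048-bit key and AES-256 key encryption (1024-bit RSA, as shown above, is below the size current guidance accepts), and the function names, subject fields and pass phrase are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: 2048-bit key,
# AES-256 key encryption, constructed subject, pass phrase taken from $KEY_PASS.

# Steps 1 and 2 without prompts: encrypted RSA key, then a CSR signed by it.
make_key_and_csr() {  # usage: make_key_and_csr DIR BITS
    openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$1/newkey.pem" "$2" 2>/dev/null &&
    openssl req -new -key "$1/newkey.pem" -passin env:KEY_PASS \
        -subj "/C=US/ST=IL/L=Chicago/O=Example/OU=Test/CN=server.example.test" \
        -out "$1/server.csr"
}

# Print the RSA modulus size in bits.
key_bits() {  # usage: key_bits KEYFILE
    openssl rsa -in "$1" -passin env:KEY_PASS -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only if the key file is stored encrypted on disk.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Succeed only if the CSR carries the public half of this key and its
# self-signature verifies.
csr_matches_key() {  # usage: csr_matches_key KEYFILE CSRFILE
    k=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] &&
        openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo run in a throwaway directory with a constructed pass phrase.
KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
WORK=$(mktemp -d)
make_key_and_csr "$WORK" 2048
echo "key bits:      $(key_bits "$WORK/newkey.pem")"
key_is_encrypted "$WORK/newkey.pem" && echo "key encrypted: yes"
csr_matches_key "$WORK/newkey.pem" "$WORK/server.csr" && echo "csr matches:   yes"
```

Passing the pass phrase through an environment variable keeps it out of the command line that other local users can see in the process list.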
--------------------------------------------------------------
