[jboss-dev-forums] [PicketBox Development] - JBoss AS7: Configuring SSL on JBoss Web
Anil Saldhana
do-not-reply at jboss.com
Wed Jan 18 13:49:33 EST 2012
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the document:
"JBoss AS7: Configuring SSL on JBoss Web"
To view the document, visit: https://community.jboss.org/docs/DOC-17503
--------------------------------------------------------------
*Disclaimer: Article is still in progress and is not definitive.*
There are 3 sets of connectors that one can configure with JBossWeb.
* AJP Connectors
* HTTP/HTTPS Connectors
* Native Connectors
*AJP Connectors* are primarily used to service requests coming from a web server such as Apache Httpd, with mod_jk, mod_cluster, etc. in between.
*HTTP/HTTPS Connectors* are the standard connectors that can service web requests directly.
*Native Connectors* use the APR subsystem and provide better performance.
In JBoss AS7, the web subsystem configuration is performed in the web module in standalone.xml or domain.xml.
h3. Important Points to remember:
1. The intention of the JBossWeb developers has been to unify the SSL configuration for all the connectors via the <ssl/> subelement.
2. When the native modules exist in JBoss AS (in the +lib+ folder of JBOSS_HOME/modules/org/jboss/as/web/main), the Native Connector settings come into play.
jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/web/main$ ls
jasper-jdt-7.0.3.Final.jar jboss-as-web-7.1.0.Final-SNAPSHOT.jar jbossweb-7.0.8.Final.jar lib
jasper-jdt-7.0.3.Final.jar.index jboss-as-web-7.1.0.Final-SNAPSHOT.jar.index jbossweb-7.0.8.Final.jar.index module.xml
anil at localhost:~jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/web/main$ ls lib/
linux-i686 linux-x86_64 macosx-i686 macosx-x86_64 win-i686 win-x86_64
As you can see, the native libraries for each OS architecture are available here.
*+===> If you do not want the native connector settings kicking in, you should remove the lib directory and its contents. <====+*
h3. Working With KeyStores
For SSL settings, we will need access to a keystore.
If there is Client Certificate based authentication, then we will need to have access to a trust store also.
h3. Preferred KeyStores
For Native Connector settings, use OpenSSL-generated certificates and keys.
For the HTTPS Connector settings, you can use a keystore generated with the Java keytool.
OpenSSL Generated Key and Certificate
Three Steps are involved.
Step 1:
$ openssl genrsa -des3 -out newkey.pem 1024
Generating RSA private key, 1024 bit long modulus
...........................................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for newkey.pem:
Verifying - Enter pass phrase for newkey.pem:
I used a pass phrase of "mykey"
Step 2:
$ openssl req -new -key newkey.pem -out server.csr
Enter pass phrase for newkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:IL
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:RedHat
Organizational Unit Name (eg, section) []:JBoss
Common Name (eg, your name or your server's hostname) []:Anil
Email Address []:anil at apache.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mykey
An optional company name []:
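A check to run once Step 2 has produced server.csr, added here as an example and not part of the original document: it confirms that the request was built from newkey.pem, that its self-signature verifies, and that the RSA modulus meets a minimum size. The function name, the KEY_PASS variable, the return codes and the 2048-bit default are assumptions of this example; with that default the 1024-bit key from Step 1 is reported as too short.

```shell
#!/bin/sh
# Added example: sanity-check the files produced by Step 1 and Step 2.
# Usage: check_key_and_csr KEYFILE CSRFILE [MIN_BITS]
# Assumptions of this example: the function name, reading the pass phrase
# from the exported KEY_PASS variable (keeps it off the command line),
# the return codes below, and the 2048-bit default minimum.
# Returns: 0 ok, 1 unreadable input, 2 key/CSR mismatch,
#          3 bad CSR signature, 4 key shorter than MIN_BITS.

check_key_and_csr() {
    key=$1; csr=$2; min_bits=${3:-2048}

    # Both commands print the RSA modulus as "Modulus=<hex>".
    key_mod=$(openssl rsa -in "$key" -passin env:KEY_PASS -noout -modulus 2>/dev/null) || {
        echo "cannot read $key (wrong pass phrase or not an RSA key)" >&2
        return 1
    }
    csr_mod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null) || {
        echo "cannot parse $csr" >&2
        return 1
    }

    # The request must carry the public half of this exact private key.
    if [ "$key_mod" != "$csr_mod" ]; then
        echo "$csr was not generated from $key" >&2
        return 2
    fi

    # A CSR is signed with its own key; failure means it was altered or damaged.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "signature on $csr does not verify" >&2
        return 3
    fi

    # Each hex digit of the modulus is 4 bits.
    hex=${key_mod#Modulus=}
    bits=$(( ${#hex} * 4 ))
    if [ "$bits" -lt "$min_bits" ]; then
        echo "RSA key is $bits bits, below the $min_bits-bit minimum" >&2
        return 4
    fi
    echo "OK: $csr matches $key ($bits-bit RSA)"
}

# Run this file directly with two arguments, e.g. newkey.pem server.csr
if [ "$#" -ge 2 ]; then check_key_and_csr "$@"; fi
```

Export KEY_PASS before calling the function; openssl reads it through `-passin env:KEY_PASS`, so the pass phrase does not show up in the process list.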