[jboss-user] [Security & JAAS/JBoss] - Re: JBoss with SSL
Marcos_APS
do-not-reply at jboss.com
Tue Dec 16 06:49:17 EST 2008
- JBoss 4.2.3.GA
- Java 5 Update 17
- Windows Server 2003 SP2
Hello, everybody!
Since my first post, I've done some research on how to enable SSL in JBoss. Two articles were very helpful to me:
- An article that teaches how to configure SSL on Tomcat (I thought that
it was good to start from this article because this configuration is
very similar to what I was going to find on JBoss relating to SSL):
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
- An article that teaches how to configure SSL on JBoss:
http://www.jboss.org/community/docs/DOC-11989
After reading these articles I decided that my SSL configuration would be based on this:
- Use JSSE (Java Secure Socket Extension)
- Use a self-signed Certificate.
So, according to all this, I decided to take the steps listed below to configure SSL. I'm just listing these steps here in case I missed something or did something wrong, so you can tell me where the mistake is.
1. Create the self-signed Certificate
%JAVA_HOME%\bin\keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore
Enter keystore password: password
What's your first and last name? www.mydomain.com
What is the name of your organizational unit? Centro de Processamento de Dados - CPD
What is the name of your organization? Universidade Regional do Cariri - URCA
What is the name of your City or Locality? Crato
What is the name of your State or Province? CE
What is the two-letter country code for this unit? BR
Enter key password for <jboss>
2. Move the keystore "server.keystore" created in C:\Documents and Settings\USER_NAME to %JBOSS_HOME%\server\default\conf.
3. Configure JBoss
- In the file %JBOSS_HOME%\server\default\deploy\jboss-web.deployer\server.xml
- Change this configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
- To this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="password" />
My doubts are:
At this point, I'm lost. I don't know if I'm already done or if I have to do something else. I believe that I still need to complete the SSL configuration for use in JBoss, but the second article mentioned above, http://www.jboss.org/community/docs/DOC-11989, doesn't explain very well what it is doing, so I'm confused. For example, it shows four authentication scenarios:
1. SSL enabled on the server - the common case
2. SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client
3. SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client
4. SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert
I suppose that I should use the first one or the second one, but I'm not sure how. Could you tell me which one I should use? Just to remind you, I want to use a self-signed Certificate and to generate my own Certificate, not to purchase one from a well known Certificate Authority.
Also, some steps in scenarios 1 and 2 are not clear to me. For example, in both scenarios there's one step called Run the client:
In the first option:
java -Djavax.net.ssl.trustStore=client.truststore
-Djavax.net.ssl.trustStorePassword=123456
acme/ReadHttpsURL2 https://localhost:8443
In the second option:
java -Djavax.net.ssl.keyStore=client.keystore
-Djavax.net.ssl.keyStorePassword=123456
-Djavax.net.ssl.trustStore=client.truststore
-Djavax.net.ssl.trustStorePassword=123456
acme/ReadHttpsURL2 https://localhost:8443
Which client is this? What happens with this command line?
In the second option, SSL enabled on the server with self-signed client certs, there's a step Create the client certificate:
keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer
Is this command creating the Certificate that I will be using instead of the Certificate provided by a Certificate Authority?
As you can see, I have a lot of doubts. I would be very thankful if you could answer my questions and tell me what I should do to fully enable SSL.
Thank you.
Marcos
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4196846#4196846
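Added example (editor's note, not part of the original post or of the JBoss document it cites): a small Python checker for the attributes the JBoss 4.2 / Tomcat 6 HTTP connector reads for JSSE. The sample server.xml is constructed from the two Connector fragments in the post plus a third, hypothetical connector on port 8445 with clientAuth="true". It encodes the distinction the post asks about: with clientAuth="false" only the server presents a certificate (scenario 1 of DOC-11989), and the connector needs keystoreFile and keystorePass; with clientAuth="true" the server must also be given a truststoreFile naming the client certificates or CA it accepts (scenarios 2 to 4). A connector with SSLEnabled="true" but no keystoreFile falls back to Tomcat's documented defaults, ~/.keystore with the password "changeit". The list of weak passwords is illustrative, not from the page.

```python
"""Lint the SSL <Connector> entries of a Tomcat/JBoss Web server.xml.

Added example, not code from the original post or from JBoss. Attribute names
follow the Tomcat 6 / JBoss 4.2 HTTP connector: SSLEnabled, scheme, secure,
keystoreFile, keystorePass, clientAuth, truststoreFile, truststorePass.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "before" connector (8443, no keystore attributes) and
# the "after" connector (8444, keystore configured) from the post, plus a
# hypothetical mutual-TLS connector (8445) that forgot its truststore.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="password" />
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="s3cret-but-fine-for-demo" />
  </Service>
</Server>
"""

# Illustrative list (my choice, not from the page); "changeit" is Tomcat's
# documented default keystore password and is what applies when keystorePass
# is omitted.
WEAK_KEYSTORE_PASSWORDS = {"changeit", "password", "123456"}


def tls_mode(attrs):
    """Classify one Connector: 'plain', 'server-auth' (scenario 1) or
    'mutual' (clientAuth true/want, scenarios 2 to 4)."""
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return "plain"
    if attrs.get("clientAuth", "false").lower() in ("true", "want"):
        return "mutual"
    return "server-auth"


def lint_connector(attrs):
    """Return a list of findings (strings) for one Connector's attributes."""
    findings = []
    mode = tls_mode(attrs)
    if mode == "plain":
        return findings  # plain HTTP connector; nothing SSL-related to check
    port = attrs.get("port", "?")
    if attrs.get("scheme") != "https" or attrs.get("secure", "false").lower() != "true":
        findings.append(f'port {port}: SSL connector should set scheme="https" secure="true"')
    if "keystoreFile" not in attrs:
        # Tomcat falls back to ~/.keystore of the user running the server.
        findings.append(f"port {port}: no keystoreFile; connector would use ~/.keystore with the default password")
    if attrs.get("keystorePass", "changeit") in WEAK_KEYSTORE_PASSWORDS:
        findings.append(f"port {port}: keystorePass is a weak or default value")
    if mode == "mutual" and "truststoreFile" not in attrs:
        # Mutual TLS: the server needs a truststore of client certs / CAs.
        findings.append(f'port {port}: clientAuth="{attrs["clientAuth"]}" but no truststoreFile; no client certificate can be accepted')
    return findings


def lint_server_xml(xml_text):
    """Map port -> findings for every Connector that has at least one finding."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        findings = lint_connector(conn.attrib)
        if findings:
            report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in sorted(lint_server_xml(SAMPLE_SERVER_XML).items()):
        for finding in findings:
            print(finding)
```

Run against the real %JBOSS_HOME%\server\default\deploy\jboss-web.deployer\server.xml by reading the file instead of SAMPLE_SERVER_XML; a connector that reports no findings and classifies as "server-auth" is the one-way TLS setup of scenario 1, which is what a self-signed server certificate alone gives you.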