[jboss-user] [Security & JAAS/JBoss] - Re: JBoss with SSL

Marcos_APS do-not-reply at jboss.com
Tue Dec 16 06:49:17 EST 2008


- JBoss 4.2.3.GA
- Java 5 Update 17
- Windows Server 2003 SP2

Hello, everybody!

Since my first post, I've done some research on how to enable SSL in JBoss. Two articles were very helpful to me:

- An article that teaches how to configure SSL on Tomcat (I thought that
  it was good to start from this article because this configuration is
  very similar to what I was going to find on JBoss relating to SSL):
  http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
- An article that teaches how to configure SSL on JBoss:
  http://www.jboss.org/community/docs/DOC-11989

After reading these articles I decided that my SSL configuration would be based on this:

- Use JSSE (Java Secure Socket Extension)
- Use a self-signed Certificate.

So, according to all this, I decided to take the steps listed below to configure SSL. I'm just listing these steps here in case I missed something or did something wrong, so you can tell me where the mistake is.

1. Create the self-signed Certificate
   - %JAVA_HOME%\bin\keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore
     - Enter keystore password:
       password
     - What's your first and last name?
       www.mydomain.com
     - What is the name of your organizational unit?
       Centro de Processamento de Dados - CPD
     - What is the name of your organization?
       Universidade Regional do Cariri - URCA
     - What is the name of your City or Locality?
       Crato
     - What is the name of your State or Province?
       CE
     - What is the two-letter country code for this unit?
       BR
     - Enter key password for 
       

2. Move the keystore "server.keystore" created in C:\Documents and Settings\USER_NAME to %JBOSS_HOME%\server\default\conf.

3. Configure JBoss
   - In the file %JBOSS_HOME%\server\default\deploy\jboss-web.deployer\server.xml
     
     - Change this configuration:
       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="150" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLS" />
     - To this:
       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="150" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLS"
                  keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
                  keystorePass="password" />

My doubts are:

At this point, I'm lost. I don't know if I'm already done or if I have to do something else. I believe that I still need to complete the SSL configuration for use in JBoss, but the second article mentioned above, http://www.jboss.org/community/docs/DOC-11989, doesn't explain very well what it is doing, so I'm confused. For example, it shows four authentication scenarios:

1. SSL enabled on the server - the common case
2. SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client
3. SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client
4. SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

I suppose that I should use the first one or the second one, but I'm not sure how. Could you tell me which one I should use? Just to remind you, I want to use a self-signed Certificate and to generate my own Certificate, not to purchase one from a well known Certificate Authority.

Also, some steps in scenario 1 and 2 need more explanation to me. For example, in both scenarios there's one step called Run the client:

In the first option:
java -Djavax.net.ssl.trustStore=client.truststore
     -Djavax.net.ssl.trustStorePassword=123456
     acme/ReadHttpsURL2 https://localhost:8443

In the second option:
java -Djavax.net.ssl.keyStore=client.keystore
     -Djavax.net.ssl.keyStorePassword=123456 
     -Djavax.net.ssl.trustStore=client.truststore
     -Djavax.net.ssl.trustStorePassword=123456 
     acme/ReadHttpsURL2 https://localhost:8443

Which client is this? What happens with this command line?

In the second option, SSL enabled on the server with self-signed client certs, there's a step Create the client certificate:

keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer

Is this command creating the Certificate that I will be using instead of the Certificate provided by a Certificate Authority?

As you can see, I have a lot of doubts. I would be very thankful if you could answer my questions and tell me what I should do to fully enable SSL.

Thank you.

Marcos
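The two "Run the client" command lines quoted in the post differ only in whether a key store is supplied. The client below is an added example for this page; it is not the acme.ReadHttpsURL2 class from the linked JBoss wiki page and not code from the original post. It does the same job with both stores loaded explicitly so the role of each is visible: the trust store decides which server certificates the client accepts (enough for scenario 1, SSL enabled on the server only), and the key store supplies the client's own certificate for mutual authentication (scenario 2, which only comes into play when the connector is configured with clientAuth="true" instead of the clientAuth="false" shown in the post). The class name HttpsProbe, the file names client.truststore and client.keystore and the password 123456 are assumptions for the example.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not the acme.ReadHttpsURL2 class from the JBoss wiki page.
 *
 * Usage (paths, passwords and the class name are assumptions):
 *   scenario 1:  java HttpsProbe https://localhost:8443/ client.truststore 123456
 *   scenario 2:  java HttpsProbe https://localhost:8443/ client.truststore 123456 client.keystore 123456
 *
 * client.truststore is expected to contain the server's exported self-signed
 * certificate (keytool -export from server.keystore, then keytool -import into
 * the truststore); client.keystore holds the client's own key pair.
 */
public class HttpsProbe {

    /** Build an SSLContext from a trust store and, for mutual authentication, an optional key store. */
    static SSLContext buildContext(String trustStorePath, char[] trustStorePass,
                                   String keyStorePath, char[] keyStorePass) throws Exception {
        // Trust store: the server certificates (or CAs) this client accepts. With a
        // self-signed server certificate it must contain that certificate itself,
        // because there is no CA above it that could be trusted instead.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream tin = new FileInputStream(trustStorePath);
        try { trustStore.load(tin, trustStorePass); } finally { tin.close(); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Key store: this client's private key and certificate. Only needed when the
        // connector is configured with clientAuth="true"; the server then has to
        // trust the client's exported certificate in its own truststore.
        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream kin = new FileInputStream(keyStorePath);
            try { keyStore.load(kin, keyStorePass); } finally { kin.close(); }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyStorePass);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 && args.length != 5) {
            System.err.println("usage: HttpsProbe <url> <truststore> <storepass> [<keystore> <keypass>]");
            System.exit(2);
        }
        String keyStorePath = args.length == 5 ? args[3] : null;
        char[] keyStorePass = args.length == 5 ? args[4].toCharArray() : null;
        SSLContext ctx = buildContext(args[1], args[2].toCharArray(), keyStorePath, keyStorePass);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Trusting the certificate is not the whole check: HttpsURLConnection also
        // compares the certificate's name (CN / subjectAltName) with the host in the URL.
        // A certificate whose "first and last name" is www.mydomain.com is therefore
        // rejected for https://localhost:8443 even though it is in the trust store.
        conn.connect();

        X509Certificate serverCert = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("HTTP status : " + conn.getResponseCode());
        System.out.println("cipher suite: " + conn.getCipherSuite());
        System.out.println("server cert : " + serverCert.getSubjectX500Principal());
        System.out.println("issued by   : " + serverCert.getIssuerX500Principal()
            + (serverCert.getSubjectX500Principal().equals(serverCert.getIssuerX500Principal())
               ? " (self-signed)" : ""));

        // Print the first few lines of the response body to show the request went through.
        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        try {
            String line;
            for (int n = 0; (line = in.readLine()) != null && n < 5; n++) {
                System.out.println(line);
            }
        } finally {
            in.close();
        }
    }
}
```

The -Djavax.net.ssl.trustStore / -Djavax.net.ssl.keyStore properties in the wiki's command lines are the implicit form of the same thing: the default SSLContext reads those properties and builds the trust and key managers from them, which is why the wiki's client needs no code of its own for this. The explicit form above makes two things easier to see when a connection fails: whether the server's certificate is really the one in the trust store (the "issued by ... (self-signed)" line), and whether the name in the certificate matches the host in the URL, which the keystore entry generated with www.mydomain.com as the "first and last name" will not do for a URL that uses localhost.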

