[jboss-user] [Installation, Configuration & DEPLOYMENT] - Configuring JBoss (4.2.1) SSL

SoulGrind do-not-reply at jboss.com
Fri May 2 21:29:19 EDT 2008


OK - so I have a bit of a conundrum...

The organization I work for is attempting to get JBoss running with SSL.

We have purchased a GoDaddy Turbo SSL cert. The problem is this... GoDaddy doesn't have a cert specific for JBoss. They do however support Apache and Tomcat. I opted for "Other" as JBoss wasn't listed. I do realize however this may not have been the wisest choice.

I have been reviewing the JBoss wiki located at http://wiki.jboss.org/wiki/SSLSetup;jsessionid=648378AE78137D63E6CE8DA1B7A1DE56

It seems to be heavily geared towards JBoss-3.2.3/Tomcat-4.1.x with anecdotal references to JBoss-4.2.1.

Anyway... I am hoping that I am on the right track. Maybe somebody can steer me in the right direction...

Our implementation is somewhat non-standard. But the directory structure is basically unchanged.

Here are the steps I've taken thus far:

1.) Generate the keystore file using Sun JAVA 1.4.2_15

M:\java\j2sdk1.4.2_15\bin\keytool.exe -genkey -alias jboss-ssl -keyalg RSA -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -validity 3650

NOTE: rel500-qa is the name of the site in question.

2.) Generate the CSR

M:\java\j2sdk1.4.2_15\bin\keytool.exe -certreq -alias jboss-ssl -keyalg RSA -file M:\clients\rel500-qa\SSL\rel500-qa.csr -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore

3.) Submit the CSR to GoDaddy and receive a Turbo SSL Cert

4.) According to GoDaddy, it was recommended that I include GoDaddy's "Cross-Intermediate and Intermediate certs."

a.) M:\java\j2sdk1.4.2_15\bin\keytool.exe -import -alias cross -keystore rel500-qa.keystore -trustcacerts -file M:\clients\rel500-qa\SSL\gd_cross_intermediate.cer

b.) M:\java\j2sdk1.4.2_15\bin\keytool.exe -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -import -alias inter -file M:\clients\rel500-qa\SSL\gd_intermediate.cer

5.) Import the GoDaddy assigned cert

M:\java\j2sdk1.4.2_15\bin\keytool.exe -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -keyalg "RSA" -import -trustcacerts -file M:\clients\rel500-qa\SSL\rel500-qa.domain-name.crt

I now have a fully populated keystore file.

When I test the keystore for PKCS12 validity, it fails...

    M:\clients\rel500-qa\SSL>M:\java\j2sdk1.4.2_15\bin\keytool.exe -list -keystore M:\clients\rel500-qa\SSL\rel500-qa.keystore -storetype PKCS12
    keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

That is my first hurdle...

After that is resolved, my next hurdle is WHERE should the keystore file reside?

From the wiki, I am thinking it belongs in /conf/rel500-qa.keystore

Additionally, I am thinking that according to the wiki, I need to modify deploy/jboss-web.deployer/server.xml; however, the formatting is considerably different from that for JBoss-3.2.3/Tomcat-4.1.x and I am wondering how it should look. Can I still use the following configuration data:

    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="tc-ssl"
    protocol = "TLS"/>

If so, how should it look? I am thinking something like this, but I'm not entirely sure...

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               clientAuth="false" sslProtocol="TLS" />

Any assistance would be greatly appreciated - thanks.

Caine 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4148471#4148471
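The first hurdle in the post above (the `-list -storetype PKCS12` failure) can be diagnosed from the file's leading bytes. This is an added example, not code from the post or from JBoss/GoDaddy: keytool creates a JKS keystore by default, a JKS file starts with the magic int 0xFEEDFEED, and when the PKCS12 loader reads that as DER it takes 0xFE as the tag and 0xED as a long-form length byte whose low seven bits are 0x6D = 109, which is exactly the "lengthTag=109, too big" message quoted in the post. The script reproduces the JDK length check and classifies a keystore by its header; the sample headers are constructed for the example and are not real keystores, and the script name is hypothetical.

```python
import struct
import sys

# Constructed sample file headers (not real keystores) so the example runs offline.
# JKS begins with magic 0xFEEDFEED and a version int (2); JCEKS uses 0xCECECECE;
# a PKCS12 file is a DER SEQUENCE (tag 0x30) whose length is normally long-form.
JKS_HEADER = bytes.fromhex("feedfeed00000002")
JCEKS_HEADER = bytes.fromhex("cececece00000002")
PKCS12_HEADER = bytes.fromhex("308206f3020103")  # SEQUENCE, len 0x06f3, INTEGER 3 (PFX version)


def der_length(data: bytes, offset: int):
    """Parse the DER length field at data[offset].

    Mirrors the checks in the JDK's DerInputStream.getLength(): a byte with the
    high bit clear is the length itself; otherwise the low seven bits give the
    number of length octets that follow, and more than four is rejected with the
    same message keytool prints.  Returns (length, octets_consumed).
    """
    first = data[offset]
    if first & 0x80 == 0:
        return first, 1
    n = first & 0x7F
    if n == 0:
        raise IOError("indefinite length is not valid DER")
    if n > 4:
        raise IOError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(data[offset + 1:offset + 1 + n], "big"), 1 + n


def explain_pkcs12_error(data: bytes):
    """Return the IOException text keytool would report when told to open this
    file with -storetype PKCS12, or None if the outer DER header parses.

    The PKCS12 loader reads one tag byte and then a length.  On a JKS file the
    tag byte is 0xFE and the length byte 0xED -> long form with 0x6D = 109 octets.
    """
    if len(data) < 2:
        return "file too short to contain a DER header"
    try:
        der_length(data, 1)
        return None
    except IOError as exc:
        return str(exc)


def detect_keystore_format(data: bytes) -> str:
    """Classify a keystore file by its leading bytes: JKS, JCEKS, PKCS12 or unknown."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == 0xFEEDFEED:
            return "JKS"
        if magic == 0xCECECECE:
            return "JCEKS"
    if data[:1] == b"\x30" and explain_pkcs12_error(data) is None:
        return "PKCS12"
    return "unknown"


if __name__ == "__main__":
    # Usage: python keystore_format.py <path-to-keystore>
    path = sys.argv[1]
    with open(path, "rb") as fh:
        head = fh.read(16)
    fmt = detect_keystore_format(head)
    print(f"{path}: {fmt}")
    if fmt != "PKCS12":
        err = explain_pkcs12_error(head)
        if err:
            print("  opening it as PKCS12 would fail with:", err)
```

When the script reports JKS, the keystore is not corrupt; list it with `-storetype JKS` (or with no `-storetype`, which is the default) instead of PKCS12. A second check worth making on the listing: the step-5 import in the post gives no `-alias`, and keytool then files the GoDaddy reply under the default alias `mykey` as a separate trusted certificate rather than attaching it to the `jboss-ssl` key pair; a `keytool -list -v` that shows the `jboss-ssl` entry with a certificate chain longer than one, rather than a lone self-signed certificate, is the sign the reply was imported against the right alias.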
