5 Replies   Latest reply: Nov 30, 2006 5:13 PM by Peter Johnson

SSL Configuration using Verisign

hvp2000 Newbie

JBOSS Installation : jboss-3.0.8
JDK Installation : jdk1.3


1. Download JSSE from http://www.javasoft.com/products/jsse

2. Copy jcert.jar, jnet.jar and jsse.jar to the lib/ext directory of your JRE

3. Register the JSSE provider in the java.security file in the lib\security directory of your JRE.
Add the following line to the java.security file:
security.provider.3=com.sun.net.ssl.internal.ssl.Provider


4. Generate the .keystore file

C:\ssl>keytool -genkey -alias j2ee -keyalg RSA -keystore ./.keystore
Enter keystore password: password
What is your first and last name?
[Unknown]: Prasad
What is the name of your organizational unit?
[Unknown]: IRCTC
What is the name of your organization?
[Unknown]: IRCTC
What is the name of your City or Locality?
[Unknown]: Bangalore
What is the name of your State or Province?
[Unknown]: Karnataka
What is the two-letter country code for this unit?
[Unknown]: IN
Is <CN=Prasad, OU=IRCTC, O=IRCTC, L=Bangalore, ST=Karnataka, C=IN> correct?
[no]: y

Enter key password for <j2ee>
(RETURN if same as keystore password): password

5. Create a local Certificate Signing Request
C:\ssl>keytool -certreq -keyalg RSA -alias j2ee -file j2ee.csr -keystore ./.keystore
Enter keystore password: password

6. Go to http://www.verisign.com and get the SSL Trial ID. You will receive a certificate by email.
Save it as jboss.cer

7. Install the Intermediate CA Certificate (note: also referred to as a SERVER CERT CHAIN)
Go to http://www.verisign.com/support/install/intermediate.html and obtain an Intermediate CA Certificate. Save the certificate as chain.cer

8. Install the OpenSSL software available at http://www.slproweb.com/products/Win32OpenSSL.html (Win32OpenSSL-v0.9.7d)

9. Convert jboss.cer to jboss.cer.pem by invoking the following command

C:\ssl>openssl x509 -in jboss.cer -out jboss.cer.pem -outform PEM

10. Convert chain.cer to chain.cer.der by invoking the following command

C:\ssl>openssl x509 -in chain.cer -out chain.cer.der -outform DER

11. Import chain.cer.der to key store by invoking the following command

C:\ssl>keytool -import -alias ugent -file chain.cer.der -keystore ./.keystore
Enter keystore password: password
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 254b8a853842cce358f8c5ddae226ea4
Valid from: Thu Apr 17 05:30:00 IST 1997 until: Tue Oct 25 05:29:59 IST 2011
Certificate fingerprints:
MD5: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
SHA1: C2:F0:08:7D:01:E6:86:05:3A:4D:63:3E:7E:70:D4:EF:65:C2:CC:4F
Trust this certificate? [no]: y
Certificate was added to keystore

12. Import jboss.cer.pem in to the keystore by invoking the following command

C:\ssl>keytool -import -alias j2ee -file jboss.cer.pem -keystore ./.keystore
Enter keystore password: password
keytool error: java.lang.Exception: Failed to establish chain from reply

C:\ssl>keytool -import -alias j2ee1 -file jboss.cer.pem -keystore ./.keystore
Enter keystore password: password
Owner: CN=Prasad, OU=IRCTC, O=IRCTC, L=Bangalore, ST=Karnataka, C=IN
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Serial number: 6dcfc6d63849c3df67a1c8ab638d053f
Valid from: Wed Jun 09 05:30:00 IST 2004 until: Thu Jun 24 05:29:59 IST 2004
Certificate fingerprints:
MD5: 90:58:A1:4D:5A:90:3A:0E:80:1E:3D:E0:A4:90:85:7B
SHA1: 49:77:42:3F:19:99:76:88:4B:DF:92:EC:03:57:97:91:95:8F:B0:FB
Trust this certificate? [no]: y
Certificate was added to keystore


Additional links:
http://www.lowagie.com/techtips/#ssl
http://www.verisign.com/support/csr/tomcat/v00.html

13. Place the .keystore file in the JBoss directory and uncomment the following configuration element in jboss-service.xml, the
Jetty SAR deployment descriptor




8443
5
100
30000
2000
/ssl/.keystore
password
password
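
A check worth running before the keystore is handed to the Jetty listener, as an added example that is not part of the original post. The keytool output above already shows why step 12 failed: the intermediate imported at step 11 is "VeriSign International Server CA - Class 3", but the trial certificate's issuer is the "For VeriSign authorized testing only" CA, so keytool could not build a chain from the reply. Importing the reply under a second alias (j2ee1) creates a trusted-certificate entry instead; the j2ee private key keeps the self-signed certificate generated at step 4, which is exactly what a browser then displays with the "issued to" and "issued by" names the same. The class below loads a JKS keystore (the path ./.keystore, the password "password" and the alias j2ee are taken from the steps above; a current JDK is assumed rather than the JDK 1.3 used in the post) and reports whether the alias is a private-key entry whose chain is CA-signed, internally consistent and currently valid.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example (not from the original post): verifies that the server
 * alias in a JKS keystore really carries a CA-signed certificate chain.
 * Keystore path, password and alias default to the values used in the
 * procedure above (./.keystore, "password", "j2ee"); these are assumptions.
 */
public class KeystoreChainCheck {

    /** Collects every problem found with the entry; an empty list means the alias is usable by the listener. */
    public static List<String> check(KeyStore ks, String alias) throws Exception {
        List<String> problems = new ArrayList<String>();

        if (!ks.containsAlias(alias)) {
            problems.add("no entry for alias '" + alias + "'");
            return problems;
        }
        // A certificate imported under a fresh alias (j2ee1 above) becomes a
        // trusted-certificate entry: it is attached to no private key, so the
        // SSL listener can never present it.
        if (!ks.isKeyEntry(alias)) {
            problems.add("'" + alias + "' is a trusted-certificate entry, not a private-key entry");
            return problems;
        }

        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];

        // keytool -genkey leaves a self-signed certificate on the key entry until
        // a CA reply is imported successfully under the SAME alias.
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            problems.add("leaf certificate is self-signed (subject == issuer); the CA reply was never installed on this alias");
        }
        if (chain.length < 2) {
            problems.add("chain holds only the leaf; the intermediate CA certificate is missing");
        }

        // Each certificate must be issued by, and its signature verify against, the next one up.
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate parent = (X509Certificate) chain[i + 1];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                problems.add("chain[" + i + "] issuer does not match chain[" + (i + 1) + "] subject");
            }
            try {
                child.verify(parent.getPublicKey());
            } catch (Exception e) {
                problems.add("signature on chain[" + i + "] does not verify against chain[" + (i + 1) + "]: " + e);
            }
        }

        // Trial certificates are short-lived (the one above was valid for about two weeks).
        try {
            leaf.checkValidity();
        } catch (Exception e) {
            problems.add("leaf certificate is not currently valid: " + e.getMessage());
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : ".keystore";                 // assumed: ./.keystore from step 4
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray(); // assumed: password from step 4
        String alias = args.length > 2 ? args[2] : "j2ee";                      // assumed: alias from step 4

        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }

        List<String> problems = check(ks, alias);
        if (problems.isEmpty()) {
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            System.out.println("OK: " + alias + " -> " + leaf.getSubjectX500Principal()
                    + " issued by " + leaf.getIssuerX500Principal());
        } else {
            for (String p : problems) {
                System.out.println("PROBLEM: " + p);
            }
            System.exit(1);
        }
    }
}
```

Run as `java KeystoreChainCheck .keystore password j2ee`. On the keystore produced by the steps above it reports that the leaf is self-signed and that the chain holds only one certificate; `keytool -list -v -keystore .keystore -alias j2ee` shows the same thing as a certificate chain length of 1. The remedy is to import the certificate of the CA that actually issued the reply (for a trial certificate, VeriSign's test CA, not the Class 3 intermediate) as a trusted entry first, then re-import jboss.cer.pem under the alias that owns the key, j2ee; keytool then reports "Certificate reply was installed in keystore" and the chain length becomes 2. Whatever the outcome, "password" should not remain the keystore or key password: it protects the private key the whole server identity rests on.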


  • 1. DatabaseServerLoginModule
    Dietmar Scheidl Newbie

    Hi, I have a problem with the DatabaseServerLoginModule. I have tried all I know
    (that isn't much, but anyway); the problem is that it will not work.
    I'm using the Hypersonic database and JBoss 3.2.1.
    Here is my web.xml, followed by my jboss-web.xml and my login-config.xml:

    <?xml version="1.0" encoding="ISO-8859-1"?>

    <!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

    <web-app>

    <!-- Standard Action Servlet Configuration (with debugging) -->
    <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <init-param>
    <param-name>debug</param-name>
    <param-value>4</param-value>
    </init-param>
    <init-param>
    <param-name>detail</param-name>
    <param-value>4</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
    </servlet>



    <!-- Standard Action Servlet Mapping -->
    <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
    </servlet-mapping>


    <!-- The Usual Welcome File List -->
    <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>


    <!-- Struts Tag Library Descriptors -->
    <taglib>
    <taglib-uri>/tags/struts-bean</taglib-uri>
    <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
    </taglib>

    <taglib>
    <taglib-uri>/tags/struts-html</taglib-uri>
    <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
    </taglib>

    <taglib>
    <taglib-uri>/tags/struts-logic</taglib-uri>
    <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
    </taglib>

    <taglib>
    <taglib-uri>/tags/struts-nested</taglib-uri>
    <taglib-location>/WEB-INF/struts-nested.tld</taglib-location>
    </taglib>

    <taglib>
    <taglib-uri>/tags/struts-tiles</taglib-uri>
    <taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
    </taglib>


    <!-- Secure the pages, also see jboss-web.xml for jboss specific security settings -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Something??</web-resource-name>
    <url-pattern>/app/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin</role-name>
    </auth-constraint>
    </security-constraint>

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin</role-name>
    </auth-constraint>
    </security-constraint>

    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logonFailed.jsp</form-error-page>
    </form-login-config>
    </login-config>

    <security-role>
    <role-name>admin</role-name>
    </security-role>

    </web-app>

    and then my jboss-web.xml

    <jboss-web>
    <security-domain>java:/jaas/my</security-domain>
    </jboss-web>

    and my login-config.xml

    <?xml version='1.0'?>
    <!DOCTYPE policy PUBLIC
    "-//JBoss//DTD JBOSS Security Config 3.0//EN"
    "http://www.jboss.org/j2ee/dtd/security_config.dtd">

    <!-- The XML based JAAS login configuration read by the
    org.jboss.security.auth.login.XMLLoginConfig mbean. Add
    an application-policy element for each security domain.

    The outline of the application-policy is:
    <application-policy name="security-domain-name">

    <login-module code="login.module1.class.name" flag="control_flag">
    <module-option name = "option1-name">option1-value</module-option>
    <module-option name = "option2-name">option2-value</module-option>
    ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
    ...
    </login-module>
    ...

    </application-policy>

    $Revision: 1.6.2.1 $
    -->


    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">

    <login-module code = "org.jboss.security.ClientLoginModule"
    flag = "required">
    </login-module>

    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">

    <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
    flag = "required">
    <module-option name = "unauthenticatedIdentity">guest</module-option>
    <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
    </login-module>

    </application-policy>

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">

    <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
    flag = "required">
    <module-option name = "principal">sa</module-option>
    <module-option name = "userName">sa</module-option>
    <module-option name = "password"></module-option>
    <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
    </login-module>

    </application-policy>

    <application-policy name = "FirebirdDBRealm">

    <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
    flag = "required">
    <module-option name = "principal">sysdba</module-option>
    <module-option name = "userName">sysdba</module-option>
    <module-option name = "password">masterkey</module-option>
    <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
    </login-module>

    </application-policy>

    <application-policy name = "JmsXARealm">

    <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
    flag = "required">
    <module-option name = "principal">guest</module-option>
    <module-option name = "userName">guest</module-option>
    <module-option name = "password">guest</module-option>
    <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
    </login-module>

    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">

    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
    flag = "required" />

    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
    <!-- A simple server login module, which can be used when the number
    of users is relatively small. It uses two properties files:
    users.properties, which holds users (key) and their password (value).
    roles.properties, which holds users (key) and a comma-separated list of
    their roles (value).
    The unauthenticatedIdentity property defines the name of the principal
    that will be used when a null username and password are presented as is
    the case for an unuathenticated web client or MDB. If you want to
    allow such users to be authenticated add the property, e.g.,
    unauthenticatedIdentity="nobody"
    -->

    <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
    flag = "required" />

    </application-policy>

    <application-policy name = "my">

    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
    flag = "required">
    <module-option name="dsJndiName">java:/DefaultDS</module-option>
    <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
    <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
    </login-module>

    </application-policy>



    I don't know what's wrong, so please help me on my way.
    Thanks, Henrik

  • 2. Re: SSL Configuration using Verisign
    hvp2000 Newbie

    13. Place the .keystore file in the JBoss directory and uncomment the following configuration element in jboss-service.xml, the Jetty SAR deployment descriptor




    8443
    5
    100
    30000
    2000
    /ssl/.keystore
    password
    password


  • 3. Re: SSL Configuration using Verisign
    srinivasa parise Newbie

    Hi:

    I am trying to set up my site with SSL from Verisign. I followed all the steps specified. The server starts fine.

    When I click on the little key for secure 126 bit, the certificate shows the issued-to name and the issuer name as the same. Actually we bought the certificate from Verisign, so the issuer name should show as Verisign, right? But it does not. Am I doing something wrong? Please advise.

  • 4. Re: SSL Configuration using Verisign
    jBossTester jBossTester Newbie

    We are also having this problem. Was anyone able to come up with a solution?