1. Re: public key and Jboss
jaime.chavarriaga Jul 24, 2011 1:19 AM (in response to davidraines)

To export a certificate of your web server, you must first determine which key store the server is using. In Java, the keys and certificates are stored in special files. You can define which store file must be used by JBoss using arguments in the script starting the server and/or the configuration of JBoss Web.
Locating the Key Store File
If you have configured SSL in your server, possibly the configuration is defined by the JBoss Web (embedded Tomcat) configuration
- <jboss-home>/server/default/deploy/jbossweb.sar/server.xml
The connector for SSL defines which store file must be used for the server (the keystore) and which store must be used to validate certificates from other servers (the truststore). The default connector configuration uses a store file called "chap8.keystore", but doesn't define a truststore.
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />

You can modify the default configuration and include different store files. You can define which key alias must be used for the server.
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/opt/pki/server.keystore"
keystorePass="changeit"
truststoreFile="/opt/pki/cacerts.jks"
truststorePass="changeit" keyAlias="myServer"
sslProtocol = "TLS" />

In some configurations, the store files are specified in the startup script of the JBoss server.
# run -Djavax.net.ssl.keyStore=/opt/pki/server.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/opt/pki/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit
Exporting the certificate
If you have determined your keystore file, you can use the keytool java utility to list and extract the certificates.
To list the keys/certificates in the file, you can use
# keytool -list -keystore /opt/pki/server.keystore -storepass changeit
Each pair of key and certificate has an alias. You can export the certificate using this alias. To export the certificate with the alias myServer into the file server.crt, you can use
# keytool -exportcert -alias myServer -keystore /opt/pki/server.keystore -storepass changeit -file server.crt
Limiting access to authorized clients
To limit the access to all the applications to users with browsers with the proper certificate, you can configure the SSL connector setting the parameter for client authentication (clientAuth) to "true".
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="true"...
If you are configuring the security just for an application, you must use the CLIENT-CERT authentication type in your web application.
SSL configuration
To learn more about the configuration of SSL in JBoss, you can review the documentation
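As an added example (not code from the post above nor from the JBoss project), the following Python script reads a server.xml like the one quoted in the post, finds every Connector with SSLEnabled="true" and reports which keystore, truststore and key alias it uses. It also flags the settings a reviewer would want to see before exporting or trusting the server certificate: the sample chap8.keystore and its documented "rmi+ssl" password left in place, no truststoreFile, no keyAlias, and clientAuth not set to "true". The server.xml text embedded in the script is constructed for this example; the fallback behaviours named in the findings are those of the embedded Tomcat connector.

```python
"""Audit the SSL connector(s) of a JBoss Web server.xml.

Added example: given the text of
<jboss-home>/server/default/deploy/jbossweb.sar/server.xml, list the
SSL-enabled Connector elements and flag weak or missing store settings.
The SAMPLE_SERVER_XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Values shipped with the stock JBoss configuration quoted in the post.
DEFAULT_KEYSTORE_NAME = "chap8.keystore"
DEFAULT_KEYSTORE_PASS = "rmi+ssl"

# Constructed sample: one connector at the shipped defaults, one hardened.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"/>
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
               keystorePass="rmi+ssl" sslProtocol="TLS" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="9443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="true"
               keystoreFile="/opt/pki/server.keystore"
               keystorePass="changeit"
               truststoreFile="/opt/pki/cacerts.jks"
               truststorePass="changeit" keyAlias="myServer"
               sslProtocol="TLS" />
  </Service>
</Server>
"""


def ssl_connectors(server_xml):
    """Return the attribute dict of every Connector with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit_connector(attrs):
    """Summarise one SSL connector and list findings about its store settings."""
    keystore = attrs.get("keystoreFile", "")
    findings = []
    if not keystore:
        findings.append("no keystoreFile; the connector falls back to ~/.keystore")
    if keystore.endswith(DEFAULT_KEYSTORE_NAME):
        findings.append("uses the sample chap8.keystore shipped with JBoss")
    if attrs.get("keystorePass") == DEFAULT_KEYSTORE_PASS:
        findings.append("keystorePass is the documented default 'rmi+ssl'")
    if "truststoreFile" not in attrs:
        findings.append("no truststoreFile; the JVM default trust store decides which CAs are trusted")
    if "keyAlias" not in attrs:
        findings.append("no keyAlias; the first key entry read from the keystore is served")
    if attrs.get("clientAuth", "false").lower() != "true":
        findings.append("clientAuth is not 'true'; clients need not present a certificate")
    return {
        "port": attrs.get("port"),
        "keystore": keystore,
        "truststore": attrs.get("truststoreFile"),
        "keyAlias": attrs.get("keyAlias"),
        "clientAuth": attrs.get("clientAuth", "false"),
        "findings": findings,
    }


def audit_server_xml(server_xml):
    """Audit every SSL connector in the document, keyed by its port."""
    return {r["port"]: r for r in map(audit_connector, ssl_connectors(server_xml))}


if __name__ == "__main__":
    for port, report in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"connector :{port} keystore={report['keystore']} "
              f"truststore={report['truststore']} alias={report['keyAlias']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Point the script at the real file with `audit_server_xml(open(path).read())`; the keystoreFile it reports is the path to pass to `keytool -list` and `keytool -exportcert`, and the keyAlias (when set) is the alias to export. Store paths given as `-Djavax.net.ssl.*` system properties in the startup script are not in server.xml and have to be read from there separately.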