55 Replies. Latest reply: Apr 23, 2013 1:11 PM by guillaume cornet

HTTPS on JBoss AS 7 - truststore configuration

guinotphil Apprentice

Hello,

 

I’m trying to port some settings from a JBoss AS 4 server to JBoss AS 7, especially the SSL configuration.

 

Formerly, in JBoss AS 4's server.xml, I had the following configuration:

 

<Connector port="443" protocol="HTTP/1.1"
    maxThreads="100"
    strategy="ms"
    maxHttpHeaderSize="8192"
    emptySessionPath="false"
    clientAuth="true"
    URIEncoding="UTF-8"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
    keystorePass="mypassword"
    truststoreFile="${jboss.server.home.dir}/conf/truststore.jks"
    truststorePass="mypassword"
    sslProtocol="TLS"
/>

 

According to the JBoss Web 7 documentation the configuration is quite different now…

http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html

In standalone.xml (subsystem urn:jboss:domain:web:1.0):

<connector name="https"
    scheme="https"
    protocol="HTTP/1.1"
    socket-binding="https"
    enable-lookups="false"
    secure="true">
        <ssl name="ssl" protocol="TLSv1" key-alias="mykey" />
</connector>

I'm not really sure how to use a keystore, but I guess the key-alias refers to the keystore in the security subsystem: https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration

So, in <security-domain>:

<jsse server-alias="mykey"
    keystore-url="C:/test/keystore.jks"
    keystore-password="mypassword"
    truststore-url="C:/test/truststore_test.jks"
    truststore-password="mypassword"
    protocols="TLS" />

 

 

But, when I start the server, I get the following exception:

 

10:32:26,224 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-2) Failed to load keystore type JKS with path C:\Users\me/.keystore due to C:\Users\me\.keystore (Le fichier spécifié est introuvable): java.io.FileNotFoundException: C:\Users\me\.keystore (Le fichier spécifié est introuvable)
       at java.io.FileInputStream.open(Native Method) [:1.6.0_22]
       at java.io.FileInputStream.<init>(FileInputStream.java:106) [:1.6.0_22]
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:374) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:299) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:515) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:452) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:168) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:999) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:190) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.catalina.connector.Connector.init(Connector.java:976) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121) [jboss-as-web-7.1.0.Alpha1-SNAPSHOT.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223) [jboss-as-web-7.1.0.Alpha1-SNAPSHOT.jar:7.1.0.Alpha1-SNAPSHOT]
       at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
       at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_22]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_22]
       at java.lang.Thread.run(Thread.java:662) [:1.6.0_22]

 

 

A breakpoint in jbossweb-7.0.1.Final.jar’s org.apache.tomcat.util.net.jsse.JSSESocketFactory tells me that it looks for the keystore from the keystore attribute of the… <ssl> tag!

this.attribute : Hashtable {keyAlias=mykey, protocols=TLSv1, enableLookups=false}

 

I could try to add those Tomcat parameters (keystore, keystorePass, truststoreFile, truststorePass), as coded in JSSESocketFactory.java, to the <ssl> tag, but then the server won't start because the standalone.xml validation fails!

 

Any idea then on how to configure JBoss web to use SSL with standalone.xml?

 

Thank you very much

  • 1. Re: HTTPS on JBoss AS 7
    Emanuel Muckenhuber Master

    You would need to configure ssl for jboss-web as part of the web subsystem. Look at the 'jboss-as-web_1_0.xsd' in "$JBOSS_HOME/docs/schema" which should be the correct schema definition.

  • 2. Re: HTTPS on JBoss AS 7
    guinotphil Apprentice

    You're right: I can actually use the certificate-key-file to refer to a keystore. For some reason I thought I could only use a PEM certificate and not a keystore.

     

    And then it passes the right attributes in the tomcat configuration, I understand now...

     

    But, how do I set a truststore? The ca-certificate-file param doesn't seem to be passed in the Tomcat configuration.

    Thanks for your help!

  • 3. Re: HTTPS on JBoss AS 7
    Fabrizio Benedetti Novice

    You're right, the ca-certificate-file is not passed to the Tomcat configuration. I reported this one on Jira (https://issues.jboss.org/browse/AS7-1680). I don't know if it will be solved in 7.0.2.

     

    In the meantime you have to set the system property javax.net.ssl.trustStore in standalone.xml or domain.xml:

    <system-properties>
        <property name="javax.net.ssl.trustStore" value="/path/to/truststore.jks"/>
    </system-properties>

  • 4. Re: HTTPS on JBoss AS 7
    guinotphil Apprentice

    Thank you for your concern!

    I'll try the system property. Where should I put the system-properties in standalone.xml? I thought they were supposed to be in /bin/standalone.conf instead?

     

    Thanks for your help.

  • 5. Re: HTTPS on JBoss AS 7
    Fabrizio Benedetti Novice

    Yes, in standalone.xml or standalone.conf, as you like.

     

    Bye,

    Fabrizio

  • 6. Re: HTTPS on JBoss AS 7 - truststore configuration
    guinotphil Apprentice

    Hello,

     

    I upgraded yesterday to the latest JBoss AS 7 nightly build, jboss-as-7.1.0.Alpha2-SNAPSHOT.

    Since then, I get the following error when starting the server:

     

    12:06:02,015 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-8) Error initializing endpoint: java.lang.Exception: Unable to load certificate key C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/server_test.jks (error:0906D06C:PEM routines:PEM_read_bio:no start line)
              at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:660) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.apache.catalina.connector.Connector.init(Connector.java:976) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121) [jboss-as-web-7.1.0.Alpha2-SNAPSHOT.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223) [jboss-as-web-7.1.0.Alpha2-SNAPSHOT.jar:7.1.0.Alpha2-SNAPSHOT]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_27]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_27]
              at java.lang.Thread.run(Thread.java:662) [:1.6.0_27]

     

     

     

    And in my standalone.xml:

                <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                    <ssl name="https" password="ricserver" certificate-key-file="C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/server_test.jks" protocol="TLSv1" ca-certificate-file="C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/truststore_test.jks"/>
                </connector>

     

     

    Are JKS keystore files no longer supported with this new version? It really looks like it handles only PEM certificates nowadays.

     

    Thanks for your help.

  • 7. Re: HTTPS on JBoss AS 7 - truststore configuration
    Remy Maucherat Novice

    With native installed, it uses OpenSSL, so the certificate config needs to be adapted.

  • 8. Re: HTTPS on JBoss AS 7 - truststore configuration
    guinotphil Apprentice

    Thank you.

     

    I've uninstalled native and now it works.

     

    However, I still can't make use of a truststore, the system property javax.net.ssl.trustStore does not seem to be used...

     

    Thanks for your help.

  • 9. Re: HTTPS on JBoss AS 7 - truststore configuration
    Fabrizio Benedetti Novice

    What do you mean by "does not seem to be used"? Do you want to do client authentication? If so, you have to set the verify-client attribute to "want" or "true".

  • 10. Re: HTTPS on JBoss AS 7 - truststore configuration
    guinotphil Apprentice

    Yes, client authentication. It's working fine now, thank you!

  • 11. Re: HTTPS on JBoss AS 7 - truststore configuration
    Kevin Wu Newbie

    Hi

     

    I am trying to port our JBoss 4.2.3 apps to AS 7 (currently on AS 7.0.1.Final). I am facing two issues configuring SSL.

    1. The default system property is not recognized (in standalone.xml).

     

    <connector name="https"
               scheme="https"
               protocol="HTTP/1.1"
               socket-binding="https"
               enable-lookups="false"
               secure="true">
        <ssl name="ssl"
             protocol="TLSv1"
             password="changeit"
             certificate-key-file="${jboss.server.config.dir}/jbossHttps.keystore"
             ca-certificate-file="${jboss.server.config.dir}/jbossHttps.keystore"
             verify-client="true" />
    </connector>

     

    14:29:03,078 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-4) Failed to load keystore type JKS with path ${jboss.server.config.dir}/jbossHttps.keystore due to ${jboss.server.config.dir}\jbossHttps.keystore (The system cannot find the path specified): java.io.FileNotFoundException: ${jboss.server.config.dir}\jbossHttps.keystore (The system cannot find the path specified)
            at java.io.FileInputStream.open(Native Method) [:1.6.0_21]

     

     

    2. After changing to an absolute path, JBoss started without error. But when I accessed http://127.0.01:8080, it did not redirect to my defined secure port 443.

     

    <standalone.xml>

        <subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
            <!--
            <connector name="http" scheme="http" protocol="HTTP/1.1" socket-binding="http"/>
            -->
            <connector name="http"
                       scheme="http"
                       protocol="HTTP/1.1"
                       socket-binding="http"
                       redirect-port="443" />
            <connector name="https"
                       scheme="https"
                       protocol="HTTP/1.1"
                       socket-binding="https"
                       enable-lookups="false"
                       secure="true">
                <ssl name="ssl"
                     protocol="TLSv1"
                     password="changeit"
                     certificate-key-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"
                     ca-certificate-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"
                     verify-client="true" />
            </connector>

            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost" />
                <alias name="example.com" />
            </virtual-server>
        </subsystem>

        <interfaces>
            <interface name="management">
                <inet-address value="127.0.0.1"/>
                <!-- any-address / -->
            </interface>
            <interface name="public">
                <inet-address value="47.11.50.59"/>
                <!-- any-address / -->
            </interface>
        </interfaces>

        <socket-binding-group name="standard-sockets" default-interface="public">
            <socket-binding name="http" port="8080"/>
            <socket-binding name="https" port="443"/>
            <socket-binding name="jmx-connector-registry" port="1090"/>
            <socket-binding name="jmx-connector-server" port="1091"/>
    ....

     

    Did I misconfigure anything?

     

    Thanks for all the help,

     

    Kevin

  • 12. Re: HTTPS on JBoss AS 7 - truststore configuration
    Fabrizio Benedetti Novice
    1. The default system property is not recognized (in standalone.xml).

     

    Yes, ssl element doesn't seem to support system properties substitution.

     

     

    2. After changing to an absolute path, JBoss started without error. But when I accessed http://127.0.01:8080, it did not redirect to my defined secure port 443.

     

    Why should it redirect you to port 443?

    To be redirected you have to deploy an application with at least a security-constraint in web.xml. For example:

     

    <security-constraint> 
        <web-resource-collection> 
            <web-resource-name>Secured resources</web-resource-name> 
            <url-pattern>/secured/*</url-pattern> 
        </web-resource-collection> 
        <auth-constraint> 
            <role-name>admins</role-name> 
        </auth-constraint> 
        <user-data-constraint> 
            <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
        </user-data-constraint> 
    </security-constraint>
    <login-config> 
        <auth-method>CLIENT-CERT</auth-method> 
        <realm-name>MyRealm</realm-name> 
    </login-config> 
    <security-role> 
        <role-name>admins</role-name> 
    </security-role>

     

     

    and then access http://127.0.0.1:8080/myapp/secured/
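As an added example (my code, not from the thread or from JBoss), a small stdlib-only Python lint that checks a standalone.xml and a web.xml for the three pitfalls worked out above: ${...} not being expanded inside <ssl>, ca-certificate-file doing nothing without verify-client (with the truststore then having to come from the javax.net.ssl.trustStore system property, per AS7-1680), and a security-constraint needing transport-guarantee CONFIDENTIAL before any redirect to the HTTPS port happens. The two XML samples are constructed from the fragments posted in this thread.

```python
import xml.etree.ElementTree as ET
# Constructed standalone.xml fragment, modelled on the ones posted above.
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:1.0">
  <system-properties/>
  <profile><subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
    <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
      <ssl name="ssl" password="changeit" protocol="TLSv1"
           certificate-key-file="${jboss.server.config.dir}/jbossHttps.keystore"
           ca-certificate-file="${jboss.server.config.dir}/jbossHttps.keystore"/>
    </connector>
  </subsystem></profile>
</server>"""

# Constructed web.xml fragment: CLIENT-CERT login but no transport guarantee.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/secured/*</url-pattern></web-resource-collection>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def find_all(root, name):
    """Match by local name, ignoring the jboss:domain / javaee namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def lint_standalone(xml_text):
    """Findings for each <ssl> element, based on the behaviour reported in this thread."""
    root = ET.fromstring(xml_text)
    props = {p.get("name") for p in find_all(root, "property")}
    findings = []
    for conn in find_all(root, "connector"):
        for ssl in find_all(conn, "ssl"):
            # ${...} is not expanded inside <ssl>; the literal string becomes the path.
            for attr, value in ssl.attrib.items():
                if "${" in value:
                    findings.append(f"{conn.get('name')}: <ssl> {attr}='{value}' is not expanded, use an absolute path")
            verify = ssl.get("verify-client", "false")
            # A CA file alone does nothing: the client cert is only requested via verify-client.
            if ssl.get("ca-certificate-file") and verify not in ("true", "want"):
                findings.append(f"{conn.get('name')}: ca-certificate-file set but verify-client='{verify}'")
            # With client auth on, the truststore has to come from javax.net.ssl.trustStore (AS7-1680).
            if verify in ("true", "want") and "javax.net.ssl.trustStore" not in props:
                findings.append(f"{conn.get('name')}: verify-client on but javax.net.ssl.trustStore is not set")
    return findings

def lint_web_xml(xml_text):
    """A constraint without transport-guarantee CONFIDENTIAL never redirects HTTP to HTTPS."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in find_all(root, "security-constraint"):
        guarantees = [g.text.strip() for g in find_all(sc, "transport-guarantee") if g.text]
        if "CONFIDENTIAL" not in guarantees:
            findings.append("security-constraint without CONFIDENTIAL transport-guarantee: served over plain HTTP")
    return findings
```

Run both linters over your real files (ET.parse(path).getroot() in place of the samples) and fix the findings before looking at client-side TLS errors.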

  • 13. Re: HTTPS on JBoss AS 7 - truststore configuration
    Kevin Wu Newbie

    Thanks for your help

  • 14. Re: HTTPS on JBoss AS 7 - truststore configuration
    Kevin Wu Newbie

    Hi Fabrizio,

     

    I have a further issue on this topic.

     

    Configuration in standalone.xml:

    <system-properties>
        <property name="javax.net.ssl.trustStore" value="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"/>
        <property name="javax.net.ssl.trustStorePassword" value="mypassword"/>
    </system-properties>

    <subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
        <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
        <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
            <ssl name="ssl" password="mypassword" certificate-key-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore" protocol="TLSv1" verify-client="true"/>
        </connector>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
    </subsystem>

     

    Configuration in web.xml (sample.war):

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admins</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    <security-role>
        <role-name>admins</role-name>
    </security-role>

     

    Issue

     

    When I tried to access "http://[server-ip]/sample/", I got "Untrusted connection" > "understand the risk" > "add exception" (pointed to "https://[server-ip]/sample/") > "Confirm Security Exception". All those steps were expected. After that, I got the following error in Firefox:

     

    Secure Connection Failed

     

    An error occurred during a connection to 47.11.50.59.

     

    SSL peer cannot verify your certificate.

     

    (Error code: ssl_error_bad_cert_alert)

     

    I have verified that the keystore contains the correct info. Am I missing any configuration?

     

    Thanks for all your help,
