56 Replies Latest reply on Apr 16, 2019 6:11 AM by vradhe

    HTTPS on JBoss AS 7 - truststore configuration

    guinotphil

      Hello,

       

      I’m trying to port some settings from a JBoss AS 4 server to JBoss AS 7, especially the SSL configuration.

       

      Formerly in JBoss AS 4's server.xml I had the following configuration:

       

      <Connector port="443" protocol="HTTP/1.1"
          maxThreads="100"
          strategy="ms"
          maxHttpHeaderSize="8192"
          emptySessionPath="false"
          clientAuth="true"
          URIEncoding="UTF-8"
          scheme="https"
          secure="true"
          SSLEnabled="true"
          keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
          keystorePass="mypassword"
          truststoreFile="${jboss.server.home.dir}/conf/truststore.jks"
          truststorePass="mypassword"
          sslProtocol="TLS"
      />

       

      According to the JBoss Web 7 documentation the configuration is quite different now…

      http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html

      In standalone.xml (subsystem urn:jboss:domain:web:1.0)

      <connector name="https"
          scheme="https"
          protocol="HTTP/1.1"
          socket-binding="https"
          enable-lookups="false"
          secure="true">
              <ssl name="ssl" protocol="TLSv1" key-alias="mykey" />
      </connector>

      I’m not really sure how to use a keystore, but I guess the key-alias refers to the keystore in the security subsystem: https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration

      So, in <security-domain>:

      <jsse  server-alias="mykey"
          keystore-url="C:/test/keystore.jks"
          keystore-password="mypassword"
          truststore-url="C:/test/truststore_test.jks"
          truststore-password="mypassword"
          protocols="TLS" />

       

       

      But when I start the server, I got the following exception:

       

      10:32:26,224 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-2) Failed to load keystore type JKS with path C:\Users\me/.keystore due to C:\Users\me\.keystore (Le fichier spécifié est introuvable): java.io.FileNotFoundException: C:\Users\me\.keystore (Le fichier spécifié est introuvable)
             at java.io.FileInputStream.open(Native Method) [:1.6.0_22]
             at java.io.FileInputStream.<init>(FileInputStream.java:106) [:1.6.0_22]
             at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:374) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:299) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:515) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:452) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:168) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:999) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:190) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.catalina.connector.Connector.init(Connector.java:976) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121) [jboss-as-web-7.1.0.Alpha1-SNAPSHOT.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223) [jboss-as-web-7.1.0.Alpha1-SNAPSHOT.jar:7.1.0.Alpha1-SNAPSHOT]
             at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
             at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
             at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_22]
             at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_22]
             at java.lang.Thread.run(Thread.java:662) [:1.6.0_22]

       

       

      A breakpoint in jbossweb-7.0.1.Final.jar’s org.apache.tomcat.util.net.jsse.JSSESocketFactory tells me that it looks for the keystore from the keystore attribute of the… <ssl> tag!

      this.attribute : Hashtable {keyAlias=mykey, protocols=TLSv1, enableLookups=false}

       

      I could try to add those tomcat parameters (keystore, keystorePass, truststoreFile, truststorePass) as coded in JSSESocketFactory.java in the <ssl> tag but then the server won’t start because the standalone.xml validation fails!

       

      Any idea then on how to configure JBoss web to use SSL with standalone.xml?

       

      Thank you very much

        • 1. Re: HTTPS on JBoss AS 7
          emuckenhuber

          You would need to configure ssl for jboss-web as part of the web subsystem. Look at the 'jboss-as-web_1_0.xsd' in "$JBOSS_HOME/docs/schema" which should be the correct schema definition.

          • 2. Re: HTTPS on JBoss AS 7
            guinotphil

            You're right: I can actually use the certificate-key-file to refer to a keystore. For some reason I thought I could only use pem certificates and not a keystore.

             

            And then it passes the right attributes in the tomcat configuration, I understand now...

             

            But how do I set a truststore? The ca-certificate-file param doesn't seem to be passed in the Tomcat configuration.

             

            Thanks for your help!

            • 3. Re: HTTPS on JBoss AS 7
              fabrizio.benedetti

              You're right, the ca-certificate-file is not passed to the Tomcat configuration. I reported this one on Jira (https://issues.jboss.org/browse/AS7-1680). I don't know if it will be solved in 7.0.2.

               

              In the meantime you have to set the system property javax.net.ssl.trustStore in standalone.xml or domain.xml:

              <system-properties>
                  <property name="javax.net.ssl.trustStore" value="/path/to/truststore.jks"/>
              </system-properties>

              • 4. Re: HTTPS on JBoss AS 7
                guinotphil

                Thank you for your concern !

                 

                I'll try the system property. Where should I put the system-properties in standalone.xml? I thought they were supposed to be in /bin/standalone.conf instead?

                 

                Thanks for your help.

                • 5. Re: HTTPS on JBoss AS 7
                  fabrizio.benedetti

                  Yes, in standalone.xml or standalone.conf, as you like.

                   

                  Bye,

                  Fabrizio

                  • 6. Re: HTTPS on JBoss AS 7 - truststore configuration
                    guinotphil

                    Hello,

                     

                    I upgraded yesterday to the latest JBoss AS 7 nightly build jboss-as-7.1.0.Alpha2-SNAPSHOT.

                     

                    Since then, I get the following error when starting the server:

                     

                    12:06:02,015 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-8) Error initializing endpoint: java.lang.Exception: Unable to load certificate key C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/server_test.jks (error:0906D06C:PEM routines:PEM_read_bio:no start line)
                              at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:660) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:121) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.apache.catalina.connector.Connector.init(Connector.java:976) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.apache.catalina.core.StandardService.addConnector(StandardService.java:351) [jbossweb-7.0.1.Final.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.jboss.as.web.WebServerService.addConnector(WebServerService.java:121) [jboss-as-web-7.1.0.Alpha2-SNAPSHOT.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:223) [jboss-as-web-7.1.0.Alpha2-SNAPSHOT.jar:7.1.0.Alpha2-SNAPSHOT]
                              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_27]
                              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_27]
                              at java.lang.Thread.run(Thread.java:662) [:1.6.0_27]

                     

                     

                     

                    And in my standalone.xml

                     

                                <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                                    <ssl name="https" password="ricserver" certificate-key-file="C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/server_test.jks" protocol="TLSv1" ca-certificate-file="C:/DEV/jboss-as-7.1.0.Alpha2-SNAPSHOT/ssl/truststore_test.jks"/>
                                </connector>

                     

                     

                    Are keystore jks files no longer supported with this new version? It really looks like it handles only pem certificates nowadays.

                     

                    Thanks for your help.

                    • 7. Re: HTTPS on JBoss AS 7 - truststore configuration
                      rmaucher

                      With native installed, it uses OpenSSL, so the certificate config needs to be adapted.

                      • 8. Re: HTTPS on JBoss AS 7 - truststore configuration
                        guinotphil

                        Thank you.

                         

                        I've uninstalled native and now it works.

                         

                        However, I still can't make use of a truststore, the system property javax.net.ssl.trustStore does not seem to be used...

                         

                        Thanks for your help.

                        • 9. Re: HTTPS on JBoss AS 7 - truststore configuration
                          fabrizio.benedetti

                          What do you mean by "does not seem to be used"? Do you want to do client authentication? If so you have to set the verify-client attribute to "want" or "true".

                          • 10. Re: HTTPS on JBoss AS 7 - truststore configuration
                            guinotphil

                            Yes, client authentication. It's working fine now, thank you!

                            • 11. Re: HTTPS on JBoss AS 7 - truststore configuration
                              kevinwu

                              Hi

                               

                              I am trying to port our JBoss 4.2.3 apps to AS 7 (currently on AS 7.0.1.final). I am facing two issues configuring SSL.

                               

                              1. The default system property is not recognized (in standalone.xml).

                               

                              <connector name="https"
                                         scheme="https"
                                         protocol="HTTP/1.1"
                                         socket-binding="https"
                                         enable-lookups="false"
                                         secure="true">
                                  <ssl name="ssl"
                                       protocol="TLSv1"
                                       password="changeit"
                                       certificate-key-file="${jboss.server.config.dir}/jbossHttps.keystore"
                                       ca-certificate-file="${jboss.server.config.dir}/jbossHttps.keystore"
                                       verify-client="true" />
                              </connector>

                               

                              14:29:03,078 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-4) Failed to load keystore type JKS with path ${jboss.server.config.dir}/jbossHttps.keystore due to ${jboss.server.config.dir}\jbossHttps.keystore (The system cannot find the path specified): java.io.FileNotFoundException: ${jboss.server.config.dir}\jbossHttps.keystore (The system cannot find the path specified)
                                      at java.io.FileInputStream.open(Native Method) [:1.6.0_21]

                               

                               

                              2. After changing to an absolute path, JBoss started without error. But when I accessed http://127.0.01:8080, it did not redirect to my defined secure port 443.

                               

                              <standalone.xml>

                               

                              <subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
                                  <!--
                                      <connector name="http" scheme="http" protocol="HTTP/1.1" socket-binding="http"/>
                                  -->
                                  <connector name="http"
                                             scheme="http"
                                             protocol="HTTP/1.1"
                                             socket-binding="http"
                                             redirect-port="443" />
                                  <connector name="https"
                                             scheme="https"
                                             protocol="HTTP/1.1"
                                             socket-binding="https"
                                             enable-lookups="false"
                                             secure="true">
                                      <ssl name="ssl"
                                           protocol="TLSv1"
                                           password="changeit"
                                           certificate-key-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"
                                           ca-certificate-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"
                                           verify-client="true" />
                                  </connector>

                                  <virtual-server name="default-host" enable-welcome-root="true">
                                     <alias name="localhost" />
                                     <alias name="example.com" />
                                  </virtual-server>
                              </subsystem>

                              <interfaces>
                                  <interface name="management">
                                      <inet-address value="127.0.0.1"/>
                                      <!-- any-address / -->
                                  </interface>
                                  <interface name="public">
                                      <inet-address value="47.11.50.59"/>
                                      <!-- any-address / -->
                                  </interface>
                              </interfaces>

                              <socket-binding-group name="standard-sockets" default-interface="public">
                                  <socket-binding name="http" port="8080"/>
                                  <socket-binding name="https" port="443"/>
                                  <socket-binding name="jmx-connector-registry" port="1090"/>
                                  <socket-binding name="jmx-connector-server" port="1091"/>
                              ....

                               

                              Did I misconfigure anything?

                               

                              Thanks for all the help,

                               

                              Kevin

                              • 12. Re: HTTPS on JBoss AS 7 - truststore configuration
                                fabrizio.benedetti
                                1. The default system property is not recognized (in standalone.xml).

                                 

                                Yes, the ssl element doesn't seem to support system property substitution.

                                 

                                 

                                2. After changing to an absolute path, JBoss started without error. But when I accessed http://127.0.01:8080, it did not redirect to my defined secure port 443.

                                 

                                Why should it redirect you to port 443?

                                To be redirected you have to deploy an application with at least a security-constraint in web.xml. For example:

                                 

                                <security-constraint>
                                    <web-resource-collection>
                                        <web-resource-name>Secured resources</web-resource-name>
                                        <url-pattern>/secured/*</url-pattern>
                                    </web-resource-collection>
                                    <auth-constraint>
                                        <role-name>admins</role-name>
                                    </auth-constraint>
                                    <user-data-constraint>
                                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                                    </user-data-constraint>
                                </security-constraint>
                                <login-config>
                                    <auth-method>CLIENT-CERT</auth-method>
                                    <realm-name>MyRealm</realm-name>
                                </login-config>
                                <security-role>
                                    <role-name>admins</role-name>
                                </security-role>

                                 

                                and then access http://127.0.0.1:8080/myapp/secured/

                                • 13. Re: HTTPS on JBoss AS 7 - truststore configuration
                                  kevinwu

                                  Thanks for your help

                                  • 14. Re: HTTPS on JBoss AS 7 - truststore configuration
                                    kevinwu

                                    Hi Fabrizio,

                                     

                                    I have a further issue on this topic.

                                     

                                    Configuration in standalone.xml

                                     

                                    <system-properties>
                                        <property name="javax.net.ssl.trustStore" value="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore"/>
                                        <property name="javax.net.ssl.trustStorePassword" value="mypassword"/>
                                    </system-properties>

                                    <subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
                                        <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
                                        <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
                                            <ssl name="ssl" password="mypassword" certificate-key-file="C:\Jboss7UpgradeProject\jboss7\jboss-as-7.0.1.Final\standalone\configuration\jbossHttps.keystore" protocol="TLSv1" verify-client="true"/>
                                        </connector>
                                        <virtual-server name="default-host" enable-welcome-root="true">
                                            <alias name="localhost"/>
                                            <alias name="example.com"/>
                                        </virtual-server>
                                    </subsystem>

                                     

                                    Configuration in web.xml (sample.war)

                                     

                                    <security-constraint>
                                        <web-resource-collection>
                                            <web-resource-name>Secured resources</web-resource-name>
                                            <url-pattern>/*</url-pattern>
                                        </web-resource-collection>
                                        <auth-constraint>
                                            <role-name>admins</role-name>
                                        </auth-constraint>
                                        <user-data-constraint>
                                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                                        </user-data-constraint>
                                    </security-constraint>
                                    <login-config>
                                        <auth-method>CLIENT-CERT</auth-method>
                                        <realm-name>MyRealm</realm-name>
                                    </login-config>
                                    <security-role>
                                        <role-name>admins</role-name>
                                    </security-role>

                                     

                                    Issue

                                     

                                    When I tried to access "http://[server-ip]/sample/", I got "Untrusted connection" > "understand the risk" > "add exception" (pointed to "https://[server-ip]/sample/") > "Confirm Security Exception". All those steps were expected. After that, I got the following error in Firefox:

                                     

                                    Secure Connection Failed

                                     

                                    An error occurred during a connection to 47.11.50.59.

                                     

                                    SSL peer cannot verify your certificate.

                                     

                                    (Error code: ssl_error_bad_cert_alert)

                                     

                                    I have verified that the keystore contains the correct info. Am I missing any configuration?

                                     

                                    Thanks for all your help,
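The behaviour in the last two problems of this thread (verify-client="true" makes the server demand a client certificate, and a browser then reports "SSL peer cannot verify your certificate" / ssl_error_bad_cert_alert) depends on one thing: whether the certificate the client presents chains to a CA in the server's truststore. The Go program below is an added example, not code from the thread or from JBoss; it builds a throw-away CA, server and client certificates in memory (all names constructed) and runs a mutual-TLS handshake against an in-process server in both the trusted and the untrusted case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue builds an in-memory certificate for cn: self-signed (a CA) when parent is nil, else signed by parent.
func issue(cn string, ca bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, // CertSign matters only for the CA
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err) // a programming error in the template, not a runtime condition
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ClientAuthHandshake runs one mutual-TLS handshake against an in-process server set up like
// verify-client="true" (only client certificates chaining to a CA in its truststore are accepted).
// With clientTrusted == false the client's certificate comes from a CA outside that truststore.
func ClientAuthHandshake(clientTrusted bool) error {
	ca := issue("Test CA", true, nil)
	other := issue("Other CA", true, nil) // a CA the server's truststore does not contain
	srv := issue("127.0.0.1", false, &ca)
	cli := issue("client", false, map[bool]*tls.Certificate{true: &ca, false: &other}[clientTrusted])
	truststore := x509.NewCertPool() // plays the role of ca-certificate-file / javax.net.ssl.trustStore
	truststore.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert, // verify-client="true"
		ClientCAs:    truststore,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			if c.(*tls.Conn).Handshake() == nil { // client certificate chained to the truststore
				c.Write([]byte("ok"))
			}
			c.Close() // on failure the server has already sent a fatal alert
		}
	}()
	cc := &tls.Config{RootCAs: truststore} // offer cli even if the server's CA list does not name its issuer, as a browser does
	cc.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cli, nil }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cc)
	if err != nil {
		return err
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes before the server checks its certificate, so a rejection
	// only surfaces on the first read, as "remote error: tls: ..." (bad certificate / unknown CA).
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 2))
	return err
}
```

ClientAuthHandshake(true) returns nil, ClientAuthHandshake(false) returns the server's alert; Kevin's setup in the post above fails the same way whenever the client certificate Firefox sends was not issued by a CA present in jbossHttps.keystore.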
