-
1. Re: Configuring https on JBoss 7 -- impossible?
jaikiran Jan 20, 2012 9:53 AM (in response to gregcharles)
Gregory Charles wrote:
2. The script used in the example is only in Bourne shell. It hasn't been ported to Windows for whatever reason. Not a blocker, but a confusing omission.
-
2. Re: Configuring https on JBoss 7 -- impossible?
jaikiran Jan 20, 2012 9:55 AM (in response to gregcharles)
Gregory Charles wrote:
3. When I tried to start up my application on JBoss 7.1, it choked on my JKS type keystore, where the certificate is. Some research showed that 7.1 ships with native OpenSSL support, and expects certificates to be in that form now, though only a cryptic error message informs you of this.
I think there was a change in the way the native libraries were loaded which might have resulted in the OpenSSL ones being picked up by default. Now I'm not sure whether it was intentional to make OpenSSL the default or whether there's a better way to switch to JKS (instead of removing those files from the module). I'll have to check with someone from the JBossWeb team.
-
3. Re: Configuring https on JBoss 7 -- impossible?
gregcharles Jan 20, 2012 1:10 PM (in response to jaikiran)
Thanks Jaikiran, I can always rely on you to reply to these questions. I'm frustrated right now, because I'm an application programmer and I'm used to solving issues by analyzing code and running it through a debugger. Stuff like that. I hate configuration tasks because when I hit issues I have to scour the web hoping that someone has hit the same problem, figured out how to solve it, and bothered to describe clearly what they did.
I'm still a big fan of the JBoss development team, but a few things are boggling my mind at the moment. How does a CR release get made that breaks any https configuration that follows the current JBoss 7 documentation? Is configuring https through JBoss so uncommon they didn't think to test it out before the release? I can understand that masking the keystore password might be less common, but it was possible in JBoss 4, and also the VaultTool sees fit to mask the password into the keystore it's using, so that acknowledges some need.
-
4. Re: Configuring https on JBoss 7 -- impossible?
anil.saldhana Jan 20, 2012 1:55 PM (in response to gregcharles)
I have been working on an article that you may find useful. https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb
-
5. Re: Configuring https on JBoss 7 -- impossible?
gregcharles Jan 20, 2012 9:10 PM (in response to anil.saldhana)
Thanks Anil, that is very helpful as regards OpenSSL. It doesn't, however, answer my main question of how to encrypt the keystore password. In JBoss 4.2.3, we had
server.xml (snippet)
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
scheme="https" secure="true" sslProtocol="TLS"
maxThreads="250" maxHttpHeaderSize="8192"
clientAuth="false"
securityDomain="java:/jaas/encrypt-keystore-password"
SSLImplementation="org.jboss.net.ssl.JBossImplementation"
/>
security-service.xml:
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=PBESecurityDomain">
<constructor>
<arg type="java.lang.String" value="encrypt-keystore-password"></arg>
</constructor>
<attribute name="KeyStoreType">jks</attribute>
<attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
<attribute name="Salt">abcdefgh</attribute>
<attribute name="IterationCount">27</attribute>
</mbean>
The encrypted password for localhost.keystore was stored in keystore.password. The configuration is a bit cryptic, but it did work. For the life of me, I cannot figure out how to do the same thing in JBoss 7. Again, this is a fatal flaw for my customer and would mean we could not use JBoss 7.
-
6. Re: Configuring https on JBoss 7 -- impossible?
anil.saldhana Jan 20, 2012 9:41 PM (in response to gregcharles)
Prior to AS7, each subsystem used a different mechanism to mask the passwords. So for a user, this meant that they had to follow each subsystem guide to mask the passwords. Even though all the subsystems are part of JBoss AS, the masking of passwords is done very differently.
Starting with AS7, we want to provide users with one unified approach to securing passwords. This is what we document in https://community.jboss.org/wiki/JBossAS7SecuringPasswords
All the subsystem developers are supposed to follow this approach to mask sensitive attributes.
Now this applies to the masking of connector passwords also. They are supposed to follow this. Let me verify this with the JBossWeb devs.
-
7. Re: Configuring https on JBoss 7 -- impossible?
jaikiran Jan 20, 2012 10:42 PM (in response to gregcharles)
The other thing that I checked with the JBossWeb team was the ability to switch back from OpenSSL to JKS. Thanks to Jean-Frederic:
jaikiran wrote:
Some recent threads in the AS7 forum indicate that in AS 7.1 the OpenSSL native libraries are picked by default (I guess due to the change related to the way we load them). But for users who want to switch to JKS, the suggested way to do that currently appears to be to delete the native libs https://community.jboss.org/message/646156#646156. Is that the right way for this or is there some other better way of dealing with it?
native="false" in the web subsystem.
The right way would be to export the key/cert from keystore and convert it to pem format http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format
So if you want to switch back to JKS instead of the default OpenSSL, set native="false" on the web subsystem. On the other hand, if you want to convert the keystore to a pem, then follow that stackoverflow thread.
-
8. Re: Configuring https on JBoss 7 -- impossible?
n0n3 Jan 21, 2012 7:42 AM (in response to gregcharles)
With you on that, but I've managed to do it.
Here's the example; tell me if you have any questions.
-
9. Re: Configuring https on JBoss 7 -- impossible?
anil.saldhana Jan 23, 2012 10:58 AM (in response to n0n3)
Currently, it seems we have not worked on masking the passwords for the ssl element in the connector configuration. It should be done this week. We are going to basically use the vault in AS7.
-
10. Re: Configuring https on JBoss 7 -- impossible?
anil.saldhana Jan 23, 2012 11:20 AM (in response to jaikiran)
jaikiran pai wrote:
Gregory Charles wrote:
2. The script used in the example is only in Bourne shell. It hasn't been ported to Windows for whatever reason. Not a blocker, but a confusing omission.
Haa Gregory. Be a kind OSS citizen and contribute a vault.bat for us. It is a simple port.
-
11. Re: Configuring https on JBoss 7 -- impossible?
gregcharles Jan 23, 2012 6:50 PM (in response to anil.saldhana)
@Anil
Yes, I will make a vault.bat if I can get a couple of spare hours. I'm having a brutal few weeks here.
Awesome news on masking passwords in the SSL element. Do you think that will make it into the 7.1 final release for next month?
@"None" -- thanks for that example! However, I don't really get it. You have:
<ssl name="ssl"
     certificate-key-file="/home/n0n3/server/jboss-as-7.1.0.CR1b/standalone/configuration/localhost.key"
     certificate-file="/home/n0n3/server/jboss-as-7.1.0.CR1b/standalone/configuration/localhost.crt"
     protocol="TLSv1"
     verify-client="true"/>
So you don't even have an attribute for the password into the certificate file? How does that work? Did you not put a password on that file? Is that even possible?
@Jaikiran
Thanks for the info on that native="false" message. That solved that part of my problem. I really appreciate it!
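The two questions in this post (what the PEM key/cert pair the native connector reads looks like, and whether the key file carries a passphrase) and the JKS-to-PEM conversion Jean-Frederic pointed at a few posts up are easiest to see with a small script. The following is an added example, my own and not code from this thread or from the JBoss project. It assumes openssl on PATH, and the JDK keytool only for the optional jks_to_pem step; every file name, the CN=localhost subject and the "changeit" password are arbitrary choices for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread or from JBoss). Builds the PEM
# key/cert pair a native (OpenSSL) connector reads, tells an encrypted
# key file from one stored in the clear by its PEM header, and checks
# that a cert and key belong together. Needs openssl; jks_to_pem also
# needs the JDK keytool. File names and "changeit" are arbitrary.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed key + cert in PEM, key stored in the clear (-nodes).
# This is the shape of a certificate-key-file / certificate-file pair
# that can be referenced by path with no password attribute at all.
make_pem_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/localhost.key" -out "$WORK/localhost.crt" 2>/dev/null
}

# Same private key wrapped with a passphrase (PKCS#8, AES-256).
# Anything loading this file needs the passphrase; a clear key is
# protected only by file permissions.
encrypt_key() {
  openssl pkey -in "$WORK/localhost.key" -aes256 -passout "pass:$1" \
    -out "$WORK/localhost.enc.key"
}

# Exit 0 if the PEM key is passphrase-protected, 1 if it is in the clear.
# Matches both "ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
  grep -q "ENCRYPTED" "$1"
}

# Exit 0 if the certificate's public key equals the one derived from the
# private key. Optional third argument: passphrase of an encrypted key.
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  if [ $# -ge 3 ]; then
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:$3")
  else
    key_pub=$(openssl pkey -in "$2" -pubout)
  fi
  [ "$cert_pub" = "$key_pub" ]
}

# The JKS -> PEM route from the StackOverflow answer linked above:
# JKS -> PKCS#12 with keytool, then split into key and cert with openssl.
# Usage: jks_to_pem store.jks storepass alias
jks_to_pem() {
  keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" -srcalias "$3" \
    -destkeystore "$WORK/$3.p12" -deststoretype PKCS12 -deststorepass "$2" \
    -noprompt >/dev/null 2>&1
  openssl pkcs12 -in "$WORK/$3.p12" -passin "pass:$2" -nocerts -nodes \
    -out "$WORK/$3.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/$3.p12" -passin "pass:$2" -nokeys \
    -out "$WORK/$3.crt" 2>/dev/null
  pair_matches "$WORK/$3.crt" "$WORK/$3.key"
}

# Stand-alone run (sh script.sh run): build the pair, report which key
# files carry a passphrase, and confirm cert and key belong together.
if [ "${1:-}" = "run" ]; then
  make_pem_pair
  encrypt_key changeit
  for f in localhost.key localhost.enc.key; do
    if key_is_encrypted "$WORK/$f"; then
      echo "$f: passphrase-protected"
    else
      echo "$f: stored in the clear"
    fi
  done
  pair_matches "$WORK/localhost.crt" "$WORK/localhost.key" && echo "cert/key match"
  echo "files in $WORK"
fi
```

The -nodes flag is what produces a key file that needs no password, which is why a connector can point at it by path alone; drop it (or use encrypt_key) and the key cannot be loaded without a passphrase, so the secret just moves from the keystore password to the key file. The pair_matches check is the one to run after any keystore export, since a PEM key and cert that do not belong together fail only at handshake time.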
-
12. Re: Configuring https on JBoss 7 -- impossible?
gregcharles Jan 24, 2012 2:14 PM (in response to gregcharles)
I finished the port to vault.bat and posted it to https://issues.jboss.org/browse/AS7-2154