14 Replies Latest reply: May 16, 2011 3:58 PM by joblandin RSS

HTTPS?

joblandin Newbie

Newbie here and I was tasked to install and configure JBoss ON.    I can'tfind anywhere how to redirect the traffic to use https only.   Can anyone point me in the right direction?

 

Thanks!!!

  • 1. Re: HTTPS?
    Ian Springer Master

    Edit <jon-server-home>/jbossas/server/default/deploy/jboss-web.deployer/conf/web.xml and add the following lines at the bottom of the file, just before the "</web-app>" line:

     

       <security-constraint>

          <display-name>Redirect HTTP to HTTPS</display-name>

          <web-resource-collection>

             <web-resource-name>Entire Application</web-resource-name>

             <url-pattern>/*</url-pattern>

          </web-resource-collection>

          <user-data-constraint>

             <transport-guarantee>CONFIDENTIAL</transport-guarantee>

          </user-data-constraint>

       </security-constraint>

     

    then restart the JON Server.

  • 2. HTTPS?
    Ian Springer Master

    !! CORRECTION to my previous post !!

     

    Add the security constraint block to <jon-server-home>/jbossas/server/default/deploy/rhq.ear/rhq-portal.war/WEB-INF/web.xml instead of to <jon-server-home>/jbossas/server/default/deploy/jboss-web.deployer/conf/web.xml. And if you are on JON 2.4.0 or later, also add it to <jon-server-home>/jbossas/server/default/deploy/rhq.ear/coregui.war/WEB-INF/web.xml.

     

    The problem with adding it to the global web.xml, as I originally suggested is that it also affects the JMX Remoting servlet invoker war and ends up breaking communication with Agents.

     


  • 3. HTTPS?
    joblandin Newbie

    I made the changes and tried HTTPS on port 7443 without success, page not display using IE. I checked the boot log and noticed the following error

     

    10:04:11,078 DEBUG [LocalJBossServerDomain] handleNotification: javax.management.Notification[source=jboss.system:service=ServiceController][type=org.jboss.system.ServiceMBean.create][message=]

    10:04:11,078 DEBUG [DefaultManagedObjectFactoryMap] Failed to find factory for event: javax.management.Notification[source=jboss.system:service=ServiceController][type=org.jboss.system.ServiceMBean.create][message=]

     

    Is this the problem or should I be looking somewhere else? Thanks.

  • 4. HTTPS?
    Ian Springer Master

    That doesn't look related. Are there any errors or warnings in your Server log?

     

    Did you remember to restart your Server? Did you remember to not add the security constraint to the global web.xml? What error do you in the browser when you try to go to http://yourjonhost:7080/? Does it redirect to https://yourjonhost:7443/ before it fails?

  • 5. HTTPS?
    joblandin Newbie

    I stopped and started the JON server after making the changes. Using http...7080 does not redirect to https...7443. I receive the following error using IE "Internet explorer cannot display the webpage"

     

    This error is in the rhq-server-log4j log

      at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.run(JobStoreSupport.java:3907)

    2011-05-13 10:43:18,995 WARN  [org.quartz.impl.jdbcjobstore.AttributeRestoringConnectionInvocationHandler] Failed restore connection's original auto commit setting.

    java.sql.SQLException: Connection is not associated with a managed connection.org.jboss.resource.adapter.jdbc.jdk5.WrappedConnectionJDK5@346801

            at org.jboss.resource.adapter.jdbc.WrappedConnection.lock(WrappedConnection.java:81)

     

    No changes to global web.xml. Only changed in the two places you mentioned above.Changes are below. Thanks!!

    <security-constraint>
       <display-name>Redirect HTTP to HTTPS</display-name>
       <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
      </security-constraint>

    </web-app>

  • 6. HTTPS?
    Ian Springer Master

    I'm not sure that error's related either. If you give me a pastebin link to your entire Server log, I can take a look at it and see if anything jumps out at me.

  • 7. HTTPS?
    joblandin Newbie

    I've copied all the lines from the rhq-server-log4j.log. It is over 5000 lines. I saw the pastebin option previously, how can I invoke it on my reply? RIght clicking only brings up the IE options. Thanks.

  • 8. HTTPS?
    joblandin Newbie

    Ok, see if this works.http://pastebin.com/mxz6ygP1

  • 9. HTTPS?
    Ian Springer Master

    This looks like the relevant exception:

     

    1. 2011-05-13 13:02:44,825 INFO  [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-7080
    2. 2011-05-13 13:02:44,847 ERROR [org.apache.coyote.http11.Http11Protocol] Error initializing endpoint
    3. java.io.IOException: Keystore was tampered with, or password was incorrect
    4.         at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
    5.         at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
    6.         at java.security.KeyStore.load(Unknown Source)
    7.         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:349)
    8.         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:289)
    9.         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:462)
    10.         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:408)
    11.         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:142)
    12.         at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:498)
    13.         at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
    14.         at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
    15.         at org.apache.catalina.core.StandardService.initialize(StandardService.java:669)
    16.         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
    17.         at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
    18.         at org.apache.catalina.startup.Catalina.start(Catalina.java:558)
    19.         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    20.         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    21.         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    22.         at java.lang.reflect.Method.invoke(Unknown Source)
    23.         at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297)
    24.         at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
    25.         at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    26.         at org.jboss.web.tomcat.service.JBossWeb.startService(JBossWeb.java:457)
    27. ..

     


     

    My guess is that you changed something in the RHQ Server's Tomcat server.xml file? I'm not sure. I don't think the issue is caused by the changes you made in the web.xml files though. Note, in general, it is not advised to change any files under the RHQ Server's jbossas/ subdirectory.

     

    You also have quite a few DB-related exceptions in your log. I'm not sure what's going on there either.

     

    At this point, you might want to try starting over with a fresh install of JON and following the installation guide very carefully.

     

    By the way, what version of JON are you using?

  • 10. HTTPS?
    joblandin Newbie

    Oh boy, tomcat is not even installed on this server so no changes to the server.xml file. So JON needs Tomcat up and running to use HTTPS, is that the problem? As you can tell, I'm not exactly a JON expert. I can spell it and install it. The jre and postgres RPMs have been installed but not Tomcat. This is a badly fumbled handoff, VM was supposed to be ready for JON and only JON was to be installed. I really appreciate your time and effort.

  • 11. HTTPS?
    Ian Springer Master

    I was referring to the JBossAS Tomcat server that's part of the internals of the RHQ Server. Let me ask a different question - did you modify any files within the RHQ Server install dir other than those two web.xml files?

     

    Your pastebin did not contain your full Server log (it may have been too long). Seeing your full log might be helpful. If you want, you can email it to me at ips -AT- redhat -DOT- com.

  • 12. HTTPS?
    joblandin Newbie

    Ok that makes sense,. I saw there was a tomcat jar file as part of JON but saw nothing related to an install. I did change the keystore and truststore files but the originals still exist so I can go back to them. You are correct about the server log. There log is in two parts I pasted the most recent one and smaller one. I just e-mailed the logs files to you. Our version of JON is 2.4.1

     

    -rw------- 1 root root  746747 May 13 14:16 rhq-server-log4j.log

    -rw------- 1 root root 5242937 May 13 11:35 rhq-server-log4j.log.1

     

    I also added this file to the link below ==>jon-server-2.4.1.GA/jbossas/server/default/deploy/jboss-web.deployer/server.xml

    http://pastebin.com/ZJL1Qb59

  • 13. HTTPS?
    Ian Springer Master

    Please try switching back to the original keystore and truststore files and restarting the Server. Let me know if that clears up the exceptions.

     

    You didn't change the server.xml at all, correct?

  • 14. HTTPS?
    joblandin Newbie

    No, the server.xml file has not been changed. I backup out the changes to keystore and truststore files and restarted the server. We are much closer now because when attempting to access via http:/....:7080 it does redirect to http:/....7443 and then prompts me for a certificate (using IE8). When using FIrefox I get a "This connection is untrusted" message and gives me options to end the session, technical details, or I understand the risks. I am able to select "I understand the risks" and get redirected into the HTTPS signon page using Firefox. IE is still a problem for now. We thought there may be a way to config Tomcat to allow an ignore or the client cert connections since it appears to use accept only. I know that IIS allows this option but not so certain about Tomcat.

    So your changes did work after we undid what we had "fixed" trying to make it work. Thank You very much for your time and help with this issue. It was very much appreciated.