Encrypt SSLPassword for native connectors on JBoss

Native HTTP connectors use a completely different set of attributes to configure SSL. Here is an example configuration:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           SSLPassword="changeit"
           SSLCertificateFile="server.crt"
           SSLCertificateKeyFile="server.pem" SSLProtocol="TLSv1" />

The problem with this configuration is that the password for the certificate file is stored in plain text in server.xml, and the instructions for encrypting the password found here do not apply.

Starting with JBoss AS 6 we have added a feature to allow encryption of this password.

Here are the steps:

1. Create the encoded version of the password using PBE:

java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils <salt> <iteration count> <master password> <password>

Here is an example:

java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 17 master changeit
Encoded password: KAaxoMQCJH30GZWb96Mov


2. Create the opaque master password file:

java -cp jbosssx.jar org.jboss.security.plugins.FilePassword <salt> <iteration count> <master password> <password file>

Here is an example:

java -cp jbosssx.jar org.jboss.security.plugins.FilePassword abcdefgh 17 master server.password


3. Create the JaasSecurityDomain either as an MBean or as an MC bean.

3.1 MBean example:

<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=JaasSecurityDomain,domain=SSLPassword">
    <constructor>
      <arg type="java.lang.String" value="SSLPassword"></arg>
    </constructor>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
    <attribute name="Salt">abcdefgh</attribute>
    <attribute name="IterationCount">17</attribute>
  </mbean>
</server>

3.2 MC bean example:

<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="JaasSecurityDomain:SSLPassword" class="org.jboss.security.plugins.JaasSecurityDomain">
     <constructor>
          <parameter>SSLPassword</parameter>
     </constructor>
     <property name="keyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</property>
     <property name="salt">abcdefgh</property>
     <property name="iterationCount">17</property>
     <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.security:service=JaasSecurityDomain,domain=SSLPassword", exposedInterface=org.jboss.security.plugins.JaasSecurityDomainMBean.class)</annotation>
  </bean>
</deployment>

4. Set up the connector using the new protocol:

<Connector protocol="org.jboss.net.ssl.JBossHttp11AprProtocol" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           SSLPassword="KAaxoMQCJH30GZWb96Mov"
           securityDomain="SSLPassword"
           SSLCertificateFile="server.crt"
           SSLCertificateKeyFile="server.pem" SSLProtocol="TLSv1" />
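As an added example that is not part of the original article, the following Python script audits a server.xml for native HTTPS connectors whose SSLPassword is still in clear text, using the criterion from steps 3 and 4 above (the JBossHttp11AprProtocol handler together with a securityDomain attribute). The sample server.xml is constructed from the two connectors shown on this page; the function names are assumptions.

```python
"""Audit a JBoss server.xml for native HTTPS connectors with a plaintext SSLPassword.

Added example, not part of the original article; the sample server.xml is constructed.
"""
import xml.etree.ElementTree as ET

# Protocol handler from step 4; it decodes SSLPassword through the named securityDomain.
ENCRYPTING_PROTOCOL = "org.jboss.net.ssl.JBossHttp11AprProtocol"

# Constructed sample: the article's "before" connector next to its "after" connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
               scheme="https" secure="true" SSLPassword="changeit"
               SSLCertificateFile="server.crt" SSLCertificateKeyFile="server.pem"/>
    <Connector protocol="org.jboss.net.ssl.JBossHttp11AprProtocol" SSLEnabled="true"
               port="8444" scheme="https" secure="true"
               SSLPassword="KAaxoMQCJH30GZWb96Mov" securityDomain="SSLPassword"
               SSLCertificateFile="server.crt" SSLCertificateKeyFile="server.pem"/>
    <Connector protocol="HTTP/1.1" port="8080"/>
  </Service>
</Server>"""


def audit_connectors(server_xml: str) -> list[dict]:
    """One finding per SSL connector carrying an SSLPassword: 'plaintext' or 'encoded'."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to protect
        if conn.get("SSLPassword") is None:
            continue  # no key passphrase configured on this connector
        # The encoded form only works when the JBoss protocol handler and the securityDomain
        # that decodes it are both present; otherwise the native connector gets the raw value.
        encoded = (conn.get("protocol") == ENCRYPTING_PROTOCOL
                   and bool(conn.get("securityDomain")))
        findings.append({"port": conn.get("port"),
                         "protocol": conn.get("protocol"),
                         "status": "encoded" if encoded else "plaintext"})
    return findings


def plaintext_ports(server_xml: str) -> list[str]:
    """Ports whose private-key passphrase is stored in clear text in server.xml."""
    return [f["port"] for f in audit_connectors(server_xml) if f["status"] == "plaintext"]


if __name__ == "__main__":
    print("plaintext SSLPassword on ports:", plaintext_ports(SAMPLE_SERVER_XML))
```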

Note:

One can create server.pem and server.crt as follows:

openssl genpkey -algorithm RSA -des3 -pass pass:changeme -outform PEM -out server.pem

openssl req -new -key server.pem -x509 -days 365 -out server.crt

Don't forget to copy the corresponding native libraries to $JBOSS_HOME/native/lib or to set the LD_LIBRARY_PATH variable on Linux systems.

Section 3.2 should have an annotation part like this:

<annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.security:service=JaasSecurityDomain,domain=SSLPassword", exposedInterface=org.jboss.security.plugins.JaasSecurityDomainMBean.class)</annotation>

Due to syntax highlighting, the quotes around the name parameter are missing.