Configure SSL on Jetty

Solution 1

I had a lot of problems making it work but I finally foud out how to make it happend. I'm using ubuntu 10.04 with java 7. It may be possible to do it under windows but all the comands lines are bash commands, maybe possible to do the same with cigwin/mingw

I used Jetty 8.1.8. Download it from codehaus and choose the .tar.gz file for linux (.zip for windows).

Unzip the file in any directory you wish, this will be your {jetty} home folder for the sake of this article/answer.

Go to the {jetty}/etc directory.

Execute all the following command lines in order. Whenever a password is asked, input the same password all the time. The passwords are used to protect the key file, the key store and the certificate itself. Sometimes, a password will be asked to unlock the key store or to use a generated key. Once you will understand what everything is and how to use the passwords correctly, you may change those passwords when you feel ready (safer for production use). Otherwise, input the requested informations when asked.

openssl genrsa -des3 -out jetty.key
openssl req -new -x509 -key jetty.key -out jetty.crt
keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
openssl req -new -key jetty.key -out jetty.csr
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

Now you have to edit {jetty}/etc/jetty-ssl.xml and configure your password to match the one you used during certificate generation. If you want to obfuscate your password, go back to the command line. Go tho your {jetty} home directory and execute the following:

java -cp lib/jetty-util-8.1.8.v20121106.jar org.eclipse.jetty.util.security.Password "{PASSWORD}"

Change {PASSWORD} for your actual password then past the obfuscated password, including the "OBF:" in all password fields found in jetty-ssl.xml. Note that a password obfuscated like that is hard to read for humans but easily unobfiscated programmatically. It just prevent developpers to know the password when they edit the file. All configuration files should be secured properly and their accesses be as restrictive as possible.

Edit {jetty}/start.ini and uncomment the line #etc/jetty-ssl.xml (just remove the #).

Start jetty:

java -jar start.jar

Now contact your server at: https://localhost:8443

Done!

Note that this answer is a quick way to enable SSL with jetty. To make it secure for production, you have to read some more on the subject.

Solution 2

Answer updated after more experience with keystores. I assure you this solution works perfectly with intermediate certificates (29/07/2015).

Note: PEM format means a readable file, certificates start with ---BEGIN CERTIFICATE--- and private keys start with -----BEGIN PRIVATE KEY----- line.

Here's an easy step by step guide. Start with an empty directory.
Skip to Step 2 if you have private key (PEM encoded .key)
Skip to Step 3 if you have certificate signing request (PEM encoded .csr)
Skip to Step 4 if you have your certificate (PEM encoded .crt or .pem)

1. Prepare (password-less) private key.

   openssl genrsa -des3 -passout pass:1 -out domain.pass.key 2048
   openssl rsa -passin pass:1 -in domain.pass.key -out domain.key
   rm domain.pass.key
   

2. Prepare certificate signing request (CSR). We'll generate this using our key. Enter relevant information when asked. Note the use of -sha256, without it, modern browsers will generate a warning.

   openssl req -key domain.key -sha256 -new -out domain.csr
   

3. Prepare certificate. Pick one:

   a) Sign it yourself

   openssl x509 -req -days 3650 -in domain.csr -signkey domain.key -out domain.crt
   

   b) Send it to an authority

   Your SSL provider will supply you with your certificate and their intermediate certificates in PEM format.

4. Add to trust chain and package it in PKCS12 format. First command sets a keystore password for convenience (else you'll need to enter password a dozen times). Set a different password for safety.

   export PASS=LW33Lk714l9l8Iv
   

   Pick one:

   a) Self-signed certificate (no need for intermediate certificates)

   openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name domain -passout pass:$PASS
   keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore domain.keystore -srckeystore domain.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias domain
   

   b) Need to include intermediate certificates

   Download intermediate certificates and concat them into one file. The order should be sub to root.

   cat sub.class1.server.ca.pem ca.pem > ca_chain.pem
   

   Use a -caname parameter for each intermediate certificate in chain file, respective to the order they were put into the chain file.

   openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name domain -passout pass:$PASS -CAfile ca_chain.pem -caname sub1 -caname root -chain
   keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore domain.keystore -srckeystore domain.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias domain
   

   Important note: Although keytool -list will only list one entry and not any intermediate certificates, it will work perfectly.

5. Configure jetty.

   Move domain.keystore file to JETTY_HOME/etc/.

   Pick one:

   a) You're using new start.ini style configuration (Jetty 8+):

   jetty.keystore=etc/domain.keystore
   jetty.truststore=etc/domain.keystore
   jetty.keystore.password=LW33Lk714l9l8Iv
   jetty.keymanager.password=LW33Lk714l9l8Iv
   jetty.truststore.password=LW33Lk714l9l8Iv
   

   b) You're using old style configuration with .xml files (you should upgrade to new style!):

   Edit JETTY_HOME/etc/jetty-ssl.xml file and change the part below. Replace password parts to match your password. We don't define KeyManagerPassword because our key has no password.

   <Configure id="Server" class="org.eclipse.jetty.server.Server">
     <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
       <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
       <Set name="KeyStorePassword">LW33Lk714l9l8Iv</Set>
       <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
       <Set name="TrustStorePassword">LW33Lk714l9l8Iv</Set>
     </New>
     <Call name="addConnector">...</Call>
   </Configure>
   

   Edit start.ini file to include jetty-ssl.xml file.

6. (Re)start jetty.

Note that this keystore file can also be used with other containers like Tomcat. Good luck!

Solution 3

A default configuration file for Jetty and is located at $JETTY_HOME/etc/jetty.xml

If you are using maven's jetty plugin you will need to specify ssl keystore details in your pom.xml file. See this question for details

keytool -keystore keystore -alias jettykey -genkey -keyalg RSA

keytool -certreq -alias jetty -keystore keystore -file jetty.csr

cat mydomain.com.crt gd_bundle.crt > certchain.txt

keytool -importkeystore -srckeystore keystore -destkeystore intermediate.p12 -deststoretype PKCS12
openssl pkcs12 -in intermediate.p12 -out jettykey.pem -nodes

openssl pkcs12 -export -inkey jettykey.pem -in certchain.txt -out jetty.pkcs12

keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

keytool -delete  -keystore keystore -alias jettykey

sudo cp keystore /usr/share/jetty/etc/

sudo vi /usr/share/jetty/etc/jetty-ssl.xml

java -cp /usr/share/jetty/lib/jetty.jar:/usr/share/jetty/lib/jetty-util.jar org.mortbay.jetty.security.Password <your.password>

sudo echo "/etc/jetty/jetty-ssl.xml" >> /etc/jetty/jetty.conf

sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

sudo service jetty start

jetty.sslContext.keyStorePath=mystore.jks
jetty.sslContext.keyStorePassword=X
jetty.sslContext.keyManagerPassword=X
jetty.sslContext.trustStorePath=mystore.jks
jetty.sslContext.trustStorePassword=X

Author by

Yura

Updated on May 08, 2020