Setting up SSL on JBoss 5

7,492

Solution 1

This may not be the most direct answer you're looking for, but after years of setting up a lot of Tomcat based infrastructure I always front-end them now with Apache and mod_ssl, using mod_jk (ajp13) to connect them. This is beneficial for many, many reasons:

  • you can offload all static file processing to Apache for better performance
  • you get access to all of the mod_rewrite (and other awesome modules) features
  • setting up SSL w/Apache is a no brainer, Tomcat never even knows it's an SSL channel

...and on and on. While the java engine can handle SSL it's just not one of its strong points in life and tends to be more of a hassle than it's worth. Let java handle the webapps and their java code, let Apache do what it does best. You will also find that mod_jk has a lot of great options for making sure your app engine doesn't get overloaded; using the right combination of parameters you can have your users temporarily redirected in a clean, good looking manner when the Tomcat instances are not responding fast enough (or crash/lock up).

Solution 2

I had exactly the same issue.

http://forums.novell.com/novell-product-support-forums/identity-manager/im-userapp-workflow/321716-error-enabling-ssl.html

"The problem arose due to a bug in Tomcat. The bug will cause this error if the keystore password and the key password are not the same which was the case in my setup. The fix is simply to recreate the keystore with both passwords the same."

Now works for me.

Solution 3

This might be a bit late but as you're very close it seems worth giving an answer:

  1. It's not clear from your description but I assume you've got a server cert in the keystore? If not you'll need to do that - you can generate a certificate using OpenSSL if you've not done that already.

  2. You need to add a new parameter to server.xml to specify the alias to use to look up the certificate in the server.keystore. So if your certificate alias was 'localhost' then you need to add keyAlias="localhost" to your server.xml so it would look like this:

    <Connector protocol="HTTP/1.1" SSLEnabled="true"
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="mypassword" sslProtocol="TLS"
       keyAlias="localhost"/>

Replacing localhost with whatever alias name you chose for the certificate in your server.xml.

btw - depending on your specific requirements I do tend to agree with Tactical Vim that using mod_ssl is a better option.

Final note - configuring client authentication once you have the server side working is relatively straightforward. You need a new keystore which will contain CAs trusted to sign client certificates. So you have these new parameters to add: truststoreFile, truststorePassword and clientAuth. Setting clientAuth to 'want' means that you will be asked for authentication but cancelling will not lock you out; setting it to true means that you will not be able to access the server if you don't provide client access (at this point you'll probably want to disable the cleartext connector). The other two parameters are equivalent to the corresponding keystore parameters, but be very careful as to what certificates you put in your truststore, as any certificate signed by a cert in the truststore will be accepted for client auth (if you think about this for a while it will make sense).
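An added diagnostic (not part of any answer above, and not JBoss code) that reproduces what the JBoss Web connector does at start-up: open the keystore with keystorePass, look up the keyAlias entry, and recover the private key with that same password. It distinguishes the "alias missing" case from Solution 3 and the "key password differs from keystore password" case from Solution 2, which is what surfaces as "Cannot recover key". The class name, file path, alias and password are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Constructed diagnostic: usage is
//   java KeystoreCheck <keystore> <keyAlias> <keystorePass>
// Defaults mirror the server.xml in the answers above.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path  = args.length > 0 ? args[0] : "server.keystore";  // $JBOSS_HOME/server/default/conf/server.keystore
        String alias = args.length > 1 ? args[1] : "localhost";        // the value of keyAlias="..."
        char[] storePass = (args.length > 2 ? args[2] : "mypassword").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            // A wrong keystorePass fails here, with a different error than "Cannot recover key".
            ks.load(in, storePass);
        }

        if (!ks.containsAlias(alias)) {
            System.err.println("alias '" + alias + "' not found; aliases present: "
                    + Collections.list(ks.aliases()));
            System.exit(1);
        }
        if (!ks.isKeyEntry(alias)) {
            System.err.println("alias '" + alias + "' is a trusted-cert entry, not a private key entry");
            System.exit(1);
        }
        try {
            // The connector only has keystorePass, so it must also unlock the key.
            Key key = ks.getKey(alias, storePass);
            System.out.println("private key recoverable with keystore password (" + key.getAlgorithm() + ")");
        } catch (UnrecoverableKeyException e) {
            // This is the condition behind "java.io.IOException: Cannot recover key".
            System.err.println("key password differs from keystore password; "
                    + "recreate or re-import the key so both passwords match");
            System.exit(2);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            x.checkValidity();  // throws if the server cert is expired or not yet valid
            System.out.println("server cert subject: " + x.getSubjectX500Principal());
        }
    }
}
```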

Updated on September 17, 2022

Comments

  • Admin
    Admin almost 2 years

    How can I enable SSL on JBoss 5 on a Linux (Red Hat - Fedora 8) box?

    What I've done so far is:

    (1) Create a test keystore.

    (2) Place the newly generated server.keystore in $JBOSS_HOME/server/default/conf

    (3) Make the following change in the server.xml in $JBOSS_HOME/server/default/deploy/jbossweb.sar to include this:

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
      <Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="mypassword" sslProtocol="TLS" />

    (4) The problem is that when JBoss starts it logs this exception (during start-up) (but I am still able to view everything under http://localhost:8080/):

    03:59:54,780 ERROR [Http11Protocol] Error initializing endpoint
    java.io.IOException: Cannot recover key
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:456)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:139)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:498)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:175)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1029)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:683)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:821)
        at org.jboss.web.tomcat.service.deployers.TomcatService.startService(TomcatService.java:313)

    I do know that there's more to be done to enable full SSL client authentication....