Wednesday, December 2, 2009

Enabling SSL on JBoss 4.2.0


Delete existing certificates

This step is not strictly required, but it helps to get rid of previously created certificates (in case you have been playing around with the keystore). Run the following commands:
keytool -delete -alias localhost
keytool -delete -alias localhost -keystore "C:/Program Files/Java/jdk1.5.0_14/jre/lib/security/cacerts"

The first command removes the certificate with alias localhost from the user keystore; the second removes it from the JDK's trusted CA store.
The cacerts file is the system keystore that stores the CA (Certification Authority) certificates trusted by the JVM and can be found at ${java.home}/jre/lib/security/cacerts

Generate certificate

The certificate can now be generated running:
keytool -genkey -alias localhost -keyalg RSA
The key pair and a self-signed certificate are generated and stored in the keystore under the alias localhost; RSA is the recommended algorithm for generating the key pair.

Export certificate to a file

The certificate is exported:
keytool -export -alias localhost -file localhost.cer
The certificate with alias localhost is read from the keystore and written to the localhost.cer file.

Import certificate into trusted Cert repository

keytool -import -alias localhost -file localhost.cer -storepass changeit -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
The certificate in the localhost.cer file is imported into the system keystore under the same alias used above and added to its list of trusted certificates.
The following lists the contents of the user keystore (it will prompt for the password):
keytool -list

JBoss Configuration

Finally, edit the embedded Tomcat server.xml, which in JBoss 4.2.0 can be found at
${JBoss.home}\server\default\jboss-web.deployer\server.xml
and add the SSL Connector element.
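As an added example that is not part of the original post, the whole keytool procedure above and the server.xml Connector element in one POSIX shell script. The interactive prompts are replaced by explicit flags, and, as an assumption on my part, a dedicated truststore (jboss-trust.jks) stands in for the JDK's cacerts file, so the trust decision stays local to this setup instead of applying to every Java program on the machine. The script name jboss-ssl-setup.sh, the work directory passed as the first argument, the key size, validity, distinguished name and port 8443 are all assumptions; the Connector attributes are those of the Tomcat 6 HTTP/1.1 connector embedded in JBoss 4.2.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool steps as a script,
# plus the Connector element for server.xml. Assumptions: keytool is on PATH,
# a work directory is given as $1 (otherwise a temp dir is created), and a
# dedicated truststore jboss-trust.jks stands in for the JDK's cacerts file.
set -eu

ALIAS="localhost"
STOREPASS="${STOREPASS:-changeit}"   # the default keystore password used in the post

# Step 1: key pair plus self-signed certificate. -dname replaces the interactive
# questions; CN must match the host name clients will use. The SAN extension
# needs a Java 7 or later keytool (drop -ext for the JDK 1.5 of the post).
make_keystore() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost, OU=dev, O=example" -ext "SAN=dns:localhost" \
        -keystore "$1/server.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: export the public certificate (never the private key) to a file.
export_cert() {
    keytool -export -alias "$ALIAS" -file "$1/localhost.cer" \
        -keystore "$1/server.keystore" -storepass "$STOREPASS"
}

# Step 3: import it as a trusted entry into a separate truststore. Editing
# cacerts instead would trust this certificate for every Java program on the box.
import_cert() {
    keytool -import -noprompt -alias "$ALIAS" -file "$1/localhost.cer" \
        -keystore "$1/jboss-trust.jks" -storepass "$STOREPASS"
}

# Returns 0 only when the alias is present in the truststore as a trusted entry.
cert_trusted() {
    keytool -list -alias "$ALIAS" -keystore "$1/jboss-trust.jks" \
        -storepass "$STOREPASS" | grep -q "trustedCertEntry"
}

# The element to add inside <Service> in server.xml. Without keystoreFile the
# connector falls back to the user's .keystore, as in the post.
connector_xml() {
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$1/server.keystore" keystorePass="$STOREPASS" />
EOF
}

main() {
    dir="${1:-$(mktemp -d)}"
    make_keystore "$dir"
    export_cert "$dir"
    import_cert "$dir"
    cert_trusted "$dir"
    echo "Certificate '$ALIAS' is trusted in $dir/jboss-trust.jks; add this to server.xml:"
    connector_xml "$dir"
}

# Run the steps only when executed as a script; sourcing it just defines the functions.
case "${0##*/}" in jboss-ssl-setup.sh) main "$@" ;; esac
```

Run it as sh jboss-ssl-setup.sh /path/to/workdir and paste the printed Connector into server.xml; with port 8443 the server answers at https://localhost:8443 rather than the bare https://localhost of the post. A Java client that should trust the server can be pointed at the truststore with -Djavax.net.ssl.trustStore=/path/to/workdir/jboss-trust.jks, which leaves cacerts untouched.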

Now your JBoss container should be able to serve SSL: https://localhost

Tips

  • The user keystore is called .keystore and is located in ${user.home}. It is created the first time keytool -genkey is run against a keystore that doesn't exist, so it can simply be deleted if you need to re-create it from scratch.
  • Create the certificate with cn=localhost as in my examples: the CN field normally holds the server's host name, which clients compare with the host they connect to.
  • When prompted, use changeit as the password; it is the default keystore password.
