Using SSL with JBoss

Author:Tom Coleman <tcoleman@autowares.com>

Introduction

Adding SSL (Secure Socket Layer) support is simple using JBoss 2.4 with either Tomcat or Jetty Web containers. The specific releases used were JBoss 2.4 BETA Rel_2_4_0_23 with Tomcat 3.2.2, and JBoss-2.4.0_Jetty-3.1.RC8-1.

The target system was a RH Linux 6.2 system using the Sun 1.3 JDK and Sun's Secure Socket Extension, JSSE 1.0.2.

Outstanding Deployment Issues

Multiple site certificates. Support of certificates for multiple sites is currently under discussion. Please post your requirements to the forums or the jboss-user mailing list.

Contributors:

  • Scott Stark

Installation & Configuration

  1. Download JSSE

    If you are using JDK 1.3 or 1.2, JSSE is optional. Download it from Sun's JSSE Page. Jump through the hoops as required.

    If you are using JDK 1.4, JSSE is included. But then, JDK 1.4 is another story.

  2. Install JSSE

    Follow steps 1 through 5 of the JSSE installation instructions.

    If you need to run 'keytool' on your system to create and/or import certificates, copy the JSSE jars to $JAVA_HOME/jre/lib/ext.

  3. Generate a Server Key and Certificate

    The following shell script can be used to create a "self-signed" server certificate for testing:

    The keystore file will be generated in the directory from which you run keytool. Copy the keystore file to an appropriate directory.

     
    keytool -genkey -alias tomcat -keyalg RSA \
       -dname 'CN=your.domain.com, OU=Skunk Works Unit, O=Your Organization, L=Your Location, S=Your State, C=US' \
       -keypass changeit \
       -storepass changeit \
       -keystore server.keystore
    	
    

    It should be possible to import existing certificates generated with OpenSSL using keytool. See the section Importing SSL certificates in the Tomcat documentation.

  4. Configure Web Container

    If using Tomcat - Find the section in the Tomcat server.xml configuration file that starts with, "Uncomment this for SSL support". Uncomment the following section, and insert the location of your server key.

     
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
        <Parameter name="handler" 
            value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
        <Parameter name="port" 
            value="8443"/>
        <Parameter name="socketFactory" 
            value="org.apache.tomcat.net.SSLSocketFactory" />
        <Parameter name="keystore" value="/usr/java/jakarta-tomcat-3.2.2/server.keystore" /> 
        <Parameter name="keypass" value="changeit" /> 
    </Connector>
    	
           

    Copy the JSSE jars to your $TOMCAT_HOME/lib directory.

    If using Jetty - Find the section in the $JBOSS_JETTY_HOME/conf/jetty/jetty.xml configuration file that starts with, "Uncomment this to add an SSL listener". Uncomment the following section, and insert the location of your server key.

     
    <Call name="addListener">
      <Arg>
        <New class="com.mortbay.HTTP.SunJsseListener">
          <Set name="Port">8443</Set>
          <Set name="MinThreads">5</Set>
          <Set name="MaxThreads">255</Set>
          <Set name="MaxIdleTimeMs">50000</Set>
          <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/server.keystore</Set>
    	   <Set name="Password">changeit</Set>
    	   <Set name="KeyPassword">changeit</Set>
        </New>
      </Arg>
    </Call>
    	
           
  5. Start JBoss

    Start JBoss and point your browser to https://your-server-name.your-domain:8443 to test your SSL implementation.

    If using "self-signed" certificates, you may have to import your test certificate into your browser.