This tutorial makes the following assumptions:
- That you are running JBoss under a ‘jboss’ user whose home directory is /home/jboss/
For the following examples the string “<server-name/ip>” should be replaced with the domain name or IP address from which the site will be accessed via HTTPS. The path to your installed JDK is also likely to differ.
- Create a new keystore using the jdk provided binary:
# /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -genkey -alias your_alias -keyalg RSA -keystore keystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: <server-name/ip>
What is the name of your organizational unit?
[Unknown]: Your Unit
What is the name of your organization?
[Unknown]: Your Organization
What is the name of your City or Locality?
[Unknown]: Your City
What is the name of your State or Province?
[Unknown]: MD
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=<server-name/ip>, OU=Your Unit, O=Your Organization, L=Your City,
ST=MD, C=US correct?
[no]: yes
Enter key password for <your_alias>
(RETURN if same as keystore password):
Re-enter new password:
. When prompted for the key password, enter the same password you chose for the keystore in the first prompt (the connector configuration below supplies only one password for both).
. Put the keystore file in the /home/jboss directory
- Export the generated server certificate from keystore.jks to server.cer
# /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -export -alias your_alias -storepass password -file server.cer -keystore keystore.jks
- Create a trust-store file and add the server cert to it
# /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -import -v -trustcacerts -alias your_alias -file server.cer -keystore cacerts.jks -keypass password -storepass password
It will display the following:
Owner: CN=<server-name/ip>, OU=Your Unit, O=Your Organization,
L=Your City, ST=MD, C=US
Issuer: CN=<server-name/ip>, OU=Your Unit, O=Your Organization,
L=Your City, ST=MD, C=US
Serial number: 4e20527c
Valid from: Fri Jul 15 10:45:16 EDT 2011 until: Thu Oct 13 10:45:16 EDT 2011
Certificate fingerprints:
MD5: B9:25:A0:89:B9:A3:62:44:38:DD:B7:13:2C:05:C5:8C
SHA1: 3C:F9:54:2D:96:0C:D7:F9:C5:DA:24:54:A3:29:41:98:5E:01:2C:97
Signature algorithm name: SHA1withRSA
Version: 3
When asked whether to trust the certificate, enter ‘yes’:
Trust this certificate? [no]: yes
Certificate was added to keystore
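Before answering the trust prompt, it is worth reading the summary keytool prints rather than reflexively typing ‘yes’. The following added example (not part of the original tutorial) parses that summary, including the wrapped Owner/Issuer lines exactly as shown above, and reports what a reviewer would want to know: that the certificate is self-signed, that it uses a SHA-1 signature, how long it remains valid (keytool defaults to 90 days), and whether its SHA1 fingerprint matches the one you exported from the keystore. The sample text and the `expected_fingerprint` parameter are constructed for the example.

```python
"""Parse the certificate summary printed by 'keytool -import' / 'keytool -printcert'
and flag the things a defender should check before trusting the certificate."""
import re
from datetime import datetime

# Constructed sample: the summary shown in the tutorial, with the DN lines
# wrapped exactly as the page shows them.
SAMPLE = """\
Owner: CN=<server-name/ip>, OU=Your Unit, O=Your Organization,
L=Your City, ST=MD, C=US
Issuer: CN=<server-name/ip>, OU=Your Unit, O=Your Organization,
L=Your City, ST=MD, C=US
Serial number: 4e20527c
Valid from: Fri Jul 15 10:45:16 EDT 2011 until: Thu Oct 13 10:45:16 EDT 2011
Certificate fingerprints:
MD5: B9:25:A0:89:B9:A3:62:44:38:DD:B7:13:2C:05:C5:8C
SHA1: 3C:F9:54:2D:96:0C:D7:F9:C5:DA:24:54:A3:29:41:98:5E:01:2C:97
Signature algorithm name: SHA1withRSA
Version: 3
"""

# A field line looks like "Label: value"; the label contains no colon, so the
# first colon splits label from value (fingerprints keep their inner colons).
FIELD = re.compile(r"^([A-Za-z0-9 ]+):\s?(.*)$")
WEAK_SIGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA"}


def parse_keytool_date(text):
    """keytool prints e.g. 'Fri Jul 15 10:45:16 EDT 2011'. strptime's %Z only
    accepts a few zone names, so drop the zone token before parsing."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_cert_summary(text):
    """Return a dict of the interesting fields; lines that do not start a new
    field are treated as continuations of the previous one (wrapped DNs)."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    valid_from, valid_until = fields["Valid from"].split(" until: ")
    return {
        "owner": fields["Owner"],
        "issuer": fields["Issuer"],
        "serial": fields["Serial number"],
        "not_before": parse_keytool_date(valid_from),
        "not_after": parse_keytool_date(valid_until),
        "md5": fields["MD5"],
        "sha1": fields["SHA1"],
        "sig_alg": fields["Signature algorithm name"],
    }


def review_certificate(cert, now, expected_fingerprint=None):
    """Return the list of findings to weigh before answering 'yes'."""
    findings = []
    if cert["owner"] == cert["issuer"]:
        findings.append("self-signed: browsers will warn unless clients trust this certificate explicitly")
    if cert["sig_alg"] in WEAK_SIGS:
        findings.append(f"weak signature algorithm {cert['sig_alg']}; regenerate with -sigalg SHA256withRSA")
    days_left = (cert["not_after"] - now).days
    if days_left < 0:
        findings.append("certificate is expired")
    elif days_left < 30:
        findings.append(f"certificate expires in {days_left} days")
    if expected_fingerprint and cert["sha1"].upper() != expected_fingerprint.upper():
        findings.append("SHA1 fingerprint does not match the certificate exported from the keystore")
    return findings


if __name__ == "__main__":
    cert = parse_cert_summary(SAMPLE)
    print("valid for", (cert["not_after"] - cert["not_before"]).days, "days")
    for finding in review_certificate(cert, datetime(2011, 7, 16)):
        print("-", finding)
```

Run it against the output of `keytool -printcert -file server.cer` to compare the fingerprint with what was imported into cacerts.jks; the 90-day validity is keytool's default when no `-validity` is given, which is why the sample expires in October.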
- Edit the JBOSS config file $JBOSS_HOME/server/server_profile/deploy/jbossweb.sar/server.xml
. Make a copy of the following block of XML
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol="TLS" />
-->
. Make the following changes:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${user.home}/jboss_as_keys/keystore.jks"
keystorePass="password"
truststoreFile="${user.home}/jboss_as_keys/cacerts.jks"
truststorePass="password"
sslProtocol="TLS" />
. Disable unencrypted HTTP (port 8080) access to the server by commenting out the following:
<!--
<Connector protocol="HTTP/1.1" port="${jboss.web.http.port}"
address="${jboss.bind.address}"
redirectPort="${jboss.web.https.port}" />
-->
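It is easy to edit server.xml and leave the plain connector live or a placeholder password in place. The following added example (not from the original tutorial or from JBoss) lints the connector section: it parses the file, reports any connector that is not SSLEnabled, checks the HTTPS connector has scheme/secure/sslProtocol set as above, and flags placeholder passwords. Both XML samples are constructed to match the configuration shown on this page; note that a commented-out connector is invisible to the XML parser, which is exactly what “disabled” should mean.

```python
"""Lint the JBoss Web (Tomcat) connector section of server.xml for the
HTTPS-only setup described in the tutorial."""
import xml.etree.ElementTree as ET

# Constructed "before" sample: the stock layout, plain HTTP connector enabled
# and the SSL connector still inside its comment block.
SERVER_XML_BEFORE = """\
<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="${jboss.web.http.port}"
             address="${jboss.bind.address}"
             redirectPort="${jboss.web.https.port}" />
  <!-- SSL/TLS Connector configuration using the admin devl guide keystore
  <Connector protocol="HTTP/1.1" SSLEnabled="true"
             port="${jboss.web.https.port}" address="${jboss.bind.address}"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
             keystorePass="rmi+ssl" sslProtocol="TLS" />
  -->
</Service></Server>
"""

# Constructed "after" sample: the tutorial's final configuration.
SERVER_XML_AFTER = """\
<Server><Service name="jboss.web">
  <!--
  <Connector protocol="HTTP/1.1" port="${jboss.web.http.port}"
             address="${jboss.bind.address}"
             redirectPort="${jboss.web.https.port}" />
  -->
  <Connector protocol="HTTP/1.1" SSLEnabled="true"
             port="${jboss.web.https.port}" address="${jboss.bind.address}"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${user.home}/jboss_as_keys/keystore.jks"
             keystorePass="password"
             truststoreFile="${user.home}/jboss_as_keys/cacerts.jks"
             truststorePass="password"
             sslProtocol="TLS" />
</Service></Server>
"""

# Values that appear in documentation and must not survive into production.
PLACEHOLDER_PASSWORDS = {"password", "changeit", "rmi+ssl"}


def lint_connectors(xml_text):
    """Return a list of findings; an empty list means the connector section
    matches the HTTPS-only configuration."""
    root = ET.fromstring(xml_text)
    findings, https = [], []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            https.append(conn)
        else:
            findings.append(f"plaintext connector still enabled on port {conn.get('port')}")
    if not https:
        findings.append("no SSLEnabled connector configured")
    for conn in https:
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append('HTTPS connector must set scheme="https" and secure="true"')
        if conn.get("sslProtocol") != "TLS":
            findings.append("sslProtocol should be TLS")
        for attr in ("keystoreFile", "keystorePass"):
            if not conn.get(attr):
                findings.append(f"HTTPS connector is missing {attr}")
        if conn.get("keystoreFile", "").endswith("chap8.keystore"):
            findings.append("still pointing at the sample chap8.keystore shipped with JBoss")
        for attr in ("keystorePass", "truststorePass"):
            if conn.get(attr) in PLACEHOLDER_PASSWORDS:
                findings.append(f"{attr} is a placeholder; set a real password and restrict read access to server.xml")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        print(label, lint_connectors(text) or ["ok"])
```

Point `lint_connectors` at the real file with `open(path).read()`; the “after” configuration from this page still trips the placeholder-password check, which is the reminder that “password” in the tutorial is a stand-in for the password you actually chose at the keytool prompt.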
- Set up port forwarding from port 443 to 8443 via iptables. Use the following iptables commands, replacing $IPADDR with the IP address of your web server:
# iptables -t nat -A OUTPUT --destination localhost -p tcp --dport 443 -j REDIRECT --to-ports 8443
# iptables -t nat -A OUTPUT --destination $IPADDR -p tcp --dport 443 -j REDIRECT --to-ports 8443
# iptables -t nat -A PREROUTING --destination $IPADDR -p tcp --dport 443 -j REDIRECT --to-ports 8443
# /etc/init.d/iptables save
# /etc/init.d/iptables restart