In this post, we will see how to install and configure SSL support on a JBoss EAP server.

In a nutshell, we will do the following tasks:

  1. Generate a keystore using the Java keytool.
  2. Generate a CSR (Certificate Signing Request) for the keystore generated in step 1.
  3. Get a trial SSL certificate from a CA (Certification Authority) such as:

    www.thawte.com OR www.verisign.com

  4. Install the trial SSL certificate obtained in step 3 into the keystore generated in step 1.
  5. Update the JBoss EAP configuration file, i.e. standalone.xml, to use the keystore generated in step 1 for the SSL connections that serve incoming HTTPS requests.

Now let's dig deeper into each step:

STEP 1.

Use the following command to generate a keystore file containing a single self-signed certificate:

keytool -genkey -alias hello -keyalg RSA -keysize 2048 -keystore hello.keystore

Enter the details when prompted by the command. An example of the details entered is shown below:

(Screenshot: example values entered at the keytool prompts.)

Note: the "first and last name" (the certificate's Common Name) must be a hostname, e.g. www.xyz.com, not an IP address.

STEP 2.

Use the following command to generate a CSR (if you need an SSL certificate signed by a trusted authority) for the key pair stored under alias hello in the keystore generated at step 1:

keytool -certreq -alias hello -file hello.csr -keystore hello.keystore

The above command will generate a hello.csr file containing your CSR code, as shown below:

(Screenshot: contents of the generated CSR file.)
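Steps 1 and 2 can be run without answering prompts, which is handy when the keystore has to be rebuilt on several servers. The script below is an added example, not from the original post: the Common Name check catches the mistake described later in the post (an IP address in the "first and last name" field) before keytool runs, and -dname supplies the prompt answers. The hostname, the "Example Org" details, the alias hello and the password changeit are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not a script from the original post: steps 1 and 2 run
# non-interactively. The hostname, the "Example Org" details, the alias
# "hello" and the password "changeit" are placeholders for this example.

# Return 0 if the Common Name looks like a hostname with a domain part,
# 1 if it is an IPv4 literal or a single bare label. Trial CAs reject an IP
# as the Common Name, so this check runs before keytool is invoked.
is_fqdn_cn() {
    case "$1" in
        *[!0-9.]*) ;;        # contains a letter or hyphen: not an IPv4 literal
        *) return 1 ;;       # only digits and dots (or empty): treat as an IP
    esac
    case "$1" in
        *.*) return 0 ;;     # has a domain part, e.g. www.xyz.com
        *) return 1 ;;       # bare label such as "jbosshost" is not an FQDN
    esac
}

# Step 1: key pair and self-signed certificate, answering keytool's prompts
# with -dname. Step 2: the CSR for the same alias in the same keystore.
# $1 = hostname (Common Name), $2 = keystore path, $3 = keystore password.
make_keystore_and_csr() {
    host="$1"; ks="$2"; pass="$3"
    if ! is_fqdn_cn "$host"; then
        echo "Common Name must be a hostname, not an IP: $host" >&2
        return 1
    fi
    keytool -genkeypair -alias hello -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, OU=IT, O=Example Org, L=City, ST=State, C=US" \
        -keystore "$ks" -storepass "$pass" -keypass "$pass" || return 1
    keytool -certreq -alias hello -file "${ks%.keystore}.csr" \
        -keystore "$ks" -storepass "$pass" || return 1
    # The keystore now holds one PrivateKeyEntry under alias "hello"; the CSR
    # file written next to it is what gets pasted into the CA's order form.
    keytool -list -keystore "$ks" -storepass "$pass"
}

# Usage: make_keystore_and_csr www.xyz.com hello.keystore changeit
```

The CSR is written as hello.csr beside the keystore. Using the same alias for -genkeypair and -certreq matters: -certreq signs the request with the private key stored under that alias, so a different alias (or a different keystore file) fails with an alias-not-found error.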
STEP 3.

Now visit a trusted CA, e.g. www.thawte.com OR www.verisign.com. Here, we will generate a trial SSL certificate.

a. Visit the CA’s website.

b. Enter the technical contact details.

c. Enter the CSR code.

d. Agree to the terms.

e. An order confirmation page will be displayed.

f. Now check your email for the trial SSL certificate, which will look something like this:

(Screenshot: the email containing the root, intermediate and trial SSL certificates.)
STEP 4.

There are 3 different certificates that you will receive:

  1. CA Root certificate
  2. CA Intermediate Certificate
  3. Trial SSL Certificate

Install these certificates one by one using the following commands:

  1. CA root certificate

    keytool -import -alias root -keystore hello.keystore -trustcacerts -file root.txt

    Note: Put the CA root certificate code from the received mail into a file, e.g. root.txt

  2. CA Intermediate certificate

    keytool -import -alias intermediate -keystore hello.keystore -trustcacerts -file intermediate.txt

    Note: Put the CA Intermediate certificate code from the received mail into a file, e.g. intermediate.txt

  3. Trial SSL certificate

    keytool -import -alias hello -keystore hello.keystore -trustcacerts -file ssl.txt

    Note: Put the Trial SSL certificate code from the received mail into a file, e.g. ssl.txt

Note: the two CA certificates need aliases that differ from each other and from the key pair, because a keystore accepts only one entry per alias. The trial SSL certificate, however, is imported under the same alias as the key pair from step 1 (hello), so that keytool stores it as the certificate reply for that private key instead of as a separate trusted-certificate entry.
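Copying three certificate blocks out of an email by hand is error-prone, so the following added example (not a script from the original post) does step 4 in two functions: one splits a saved copy of the CA's mail into one file per "-----BEGIN/-----END" block, the other imports the files with the aliases used above and then checks that the key entry's chain grew from 1 to 3. The file names, the alias hello and the password changeit are placeholders, and the sample mail at the bottom is constructed for this example, with "AAAA"/"BBBB"/"CCCC" standing in for real certificate bodies.

```shell
#!/bin/sh
# Added example, not a script from the original post: step 4 automated.
# File names, the alias "hello" and the password "changeit" are placeholders.

# Copy every "-----BEGIN ...-----" to "-----END ...-----" block in $1 into
# $2/cert-1.pem, $2/cert-2.pem, ... and print the number of blocks found.
# Text between blocks (mail greetings, labels) is dropped.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN / { n++; out = dir "/cert-" n ".pem" }
        out != ""     { print > out }
        /-----END /   { close(out); out = "" }
        END           { print n + 0 }
    ' "$1"
}

# Import the CA certificates as trusted entries with distinct aliases, then
# the server certificate under the SAME alias as the key pair from step 1,
# so keytool treats it as the certificate reply for that private key and
# replaces the self-signed certificate with the full chain.
# $1 = keystore, $2 = password, $3 = root, $4 = intermediate, $5 = server cert
import_chain() {
    ks="$1"; pass="$2"
    keytool -importcert -noprompt -alias root -trustcacerts \
        -file "$3" -keystore "$ks" -storepass "$pass" || return 1
    keytool -importcert -noprompt -alias intermediate -trustcacerts \
        -file "$4" -keystore "$ks" -storepass "$pass" || return 1
    keytool -importcert -alias hello -trustcacerts \
        -file "$5" -keystore "$ks" -storepass "$pass" || return 1
    # Check: the entry for "hello" should now report a chain length of 3.
    keytool -list -v -alias hello -keystore "$ks" -storepass "$pass" \
        | grep 'Certificate chain length'
}

# Constructed sample of the CA mail, for exercising the splitter only;
# "AAAA", "BBBB" and "CCCC" are stand-ins, not real certificates.
write_sample_mail() {
    printf '%s\n' \
        'Dear customer, your certificates are below.' \
        'Root:' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        'Intermediate:' \
        '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' \
        'Your trial certificate:' \
        '-----BEGIN CERTIFICATE-----' 'CCCC' '-----END CERTIFICATE-----' > "$1"
}

# Usage with the real mail saved as mail.txt:
#   split_pem_bundle mail.txt certs    -> certs/cert-1.pem ... certs/cert-3.pem
#   import_chain hello.keystore changeit certs/cert-1.pem certs/cert-2.pem certs/cert-3.pem
```

Before calling import_chain, run keytool -printcert -file on each split file and read the Owner/Issuer lines: the order of the blocks in the mail is the CA's choice, so do not assume the first block is the root. If the last import prints "Certificate was added to keystore" instead of "Certificate reply was installed in keystore", the alias did not match the key pair and the server would keep serving the self-signed certificate.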

That’s it, you have installed the SSL certificate chain into your keystore.

STEP 5.

The next step is to configure JBoss to use this keystore, which contains the SSL certificates, for serving HTTPS requests. Now, depending on whether you are using the JBoss EAP (Enterprise) version or the JBoss (Community) version, make the required changes in the configuration file as follows:

For JBoss EAP (Enterprise)

Open your standalone.xml file from the //standalone/configuration location.

1. Add a connector for HTTPS connections as follows:

(Screenshot: the https connector and its ssl element in standalone.xml.)

Make sure the socket-binding for your JBoss server specifies the port for https, e.g. 8443 in my case.

(Screenshot: the https socket-binding in standalone.xml.)

For JBoss (Community)

(Screenshot: the HTTPS connector configuration for the community version.)

The connectors above use the keystore generated at step 1 to load the SSL certificates.
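Since the screenshots of the connector are not reproduced here, this is an added example of the shape of the configuration, not the post's own: a web-subsystem connector in standalone.xml as used by JBoss EAP 6 / AS 7, with the socket-binding it refers to. The subsystem namespace version, the keystore being copied into the server's configuration directory, the password changeit, the TLS protocol and the cipher list are assumptions for this example.

```xml
<!-- Added example, not copied from the post; assumes JBoss EAP 6 / AS 7 (web subsystem) -->
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <!-- HTTPS connector: terminates TLS with the key pair stored under alias "hello" -->
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https-ssl"
             key-alias="hello"
             password="changeit"
             certificate-key-file="${jboss.server.config.dir}/hello.keystore"
             protocol="TLSv1.2"
             cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
             verify-client="false"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
    </virtual-server>
</subsystem>

<!-- elsewhere in standalone.xml, inside <socket-binding-group name="standard-sockets" ...> -->
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
```

Two things must line up: key-alias must equal the alias of the key pair from step 1, otherwise the connector cannot find a private key and either fails to start or serves the wrong entry, and the socket-binding named in the connector must exist in the socket-binding group with the https port. After restarting the server, check what is really being served with openssl s_client -connect <hostname>:8443 -servername <hostname>, which prints the certificate chain (it should show the CA-signed certificate, not the self-signed one) and the negotiated cipher suite; the cipher-suite attribute is the place where the note below narrows the suites the server offers.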

Note: the cipher-suite/cipher attribute is sometimes used because of an error that modern browsers usually throw when trying to connect to an SSL-secured site based on 1024-bit encryption:

Weak ephemeral Diffie-Hellman public key (this error occurs if you have generated your keystore using 1024-bit encryption instead of 2048-bit).

Use the trial certificates for testing purposes only. For commercial purposes, get a paid, full SSL certificate.


Using a hostname instead of an IP for accessing applications on the JBoss web server

Sometimes you will be using JBoss on your intranet, where you access your application like https://<your_jboss_server_ip>:<port>/<application_context_path>.

But here is the catch: SSL certificates are issued for FQDNs (fully qualified domain names), e.g. www.xyz.com, not for IPs. So when you try to generate a trial SSL certificate by giving an IP as the first and last name in the CSR, it will throw an error that the Common Name is an IP, not a hostname. Therefore, you must have a registered domain name for your server machine which is mapped to its IP address.

But if you don’t want to buy a domain name and just want to see your SSL configuration in action locally, you can set up a DNS server on your Linux machine and configure your client machines to use this DNS server for hostname-to-IP resolution. Now, whenever you hit https://<your_jboss_server_hostname>:<port>/<application_context_path> in your browser from a client machine, it will resolve the entered hostname to its corresponding IP.

Thereafter, you can use the hostname as the first and last name while generating the CSR.

How to set up SSL connection on JBOSS Server

One thought on “How to set up SSL connection on JBOSS Server”

  • May 31, 2016 at 1:13 pm

    A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
