In this post, we will see how to install and configure SSL support on JBoss EAP server.
In a nutshell, we will do the following tasks:
- Generate a keystore using Java Keytool.
- Generate a CSR (Certificate Signing Request) for the keystore generated in step 1.
- Get a trial SSL certificate from a CA (Certification Authority) such as www.thawte.com or www.verisign.com.
- Install the trial SSL certificate obtained in step 3 into the keystore generated in step 1.
- Update the JBoss EAP configuration file, i.e. standalone.xml, to use the keystore generated in step 1 for creating SSL connections for incoming HTTPS requests.
Now let's dig deeper into each step:
Use the following command to generate a keystore file with a single self-signed certificate:
keytool -genkey -alias hello -keyalg RSA -keysize 2048 -keystore hello.keystore
Enter the details when prompted by the command. An example detail section is given below:
Use the following command to generate a CSR (if you need an SSL certificate signed by some trusted authority) and add this entry to the keystore generated at step 1:
keytool -certreq -keyalg RSA -alias hello -file http.csr -keystore hello.keystore
The above command will generate an http.csr file containing your CSR request code, as shown below:
Now visit a trusted CA, e.g. www.verisign.com. Here, we will generate a trial SSL certificate.
a. Visit the CA’s website.
- CA Root certificate
- CA Intermediate Certificate
- Trial SSL Certificate
Install these certificates one by one using the following commands:
- CA root certificate
keytool -import -alias root -keysize 2048 -keystore hello.keystore -trustcacerts -file root.txt
Note: Put your CA root certificate code from the received mail into a file, e.g. root.txt
- CA Intermediate certificate
keytool -import -alias intermediate -keysize 2048 -keystore hello.keystore -trustcacerts -file intermediate.txt
Note: Put your CA intermediate certificate code from the received mail into a file, e.g. intermediate.txt
- Trial SSL certificate
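keytool -import -alias hello -keystore hello.keystore -file ssl.txt
Note: Put your trial SSL certificate code from the received mail into a file, e.g. ssl.txt. This import reuses the alias of the key pair from step 1 (hello) so that keytool attaches the signed certificate to that private key instead of storing it as a separate trusted entry.
Note: make sure the root and intermediate aliases are different from each other and from the key alias, because a keystore accepts only one entry per alias.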
That’s it, you have installed SSL on your system.
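A check worth running after the import steps, as an added example that is not part of the original post: the server can only present the CA-signed certificate if it sits in the chain of the private key entry created in step 1, so this function reads the output of keytool -list -v and verifies that. The function name, exit codes, CA names and sample output are constructed for illustration.

```sh
#!/bin/sh
# check_keystore ALIAS: reads `keytool -list -v` output on stdin.
# Exit codes (chosen for this example): 0 = private key with CA-signed chain,
# 1 = alias missing or not a private key entry, 2 = certificate still
# self-signed, 3 = key under 2048 bits (size line needs a recent keytool).
check_keystore() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); leaf = 0; next }
        cur != want                   { next }
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { chain = $4 + 0 }
        /^Certificate\[1\]:/          { leaf = 1; next }
        /^Certificate\[/              { leaf = 0 }
        leaf && /^Owner: /            { owner = substr($0, 8) }
        leaf && /^Issuer: /           { issuer = substr($0, 9) }
        leaf && /Public Key Algorithm: / { bits = $5 + 0 }
        END {
            if (type != "PrivateKeyEntry")    exit 1
            if (chain < 2 || owner == issuer) exit 2
            if (bits > 0 && bits < 2048)      exit 3
        }'
}

# Constructed, abbreviated keytool output: after step 1, then after the imports.
sample_selfsigned() { cat <<'EOF'
Alias name: hello
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.xyz.com
Issuer: CN=www.xyz.com
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}
sample_signed() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Alias name: hello
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.xyz.com
Issuer: CN=Example Trial Intermediate CA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Trial Intermediate CA
EOF
}
for s in sample_selfsigned sample_signed; do rc=0; $s | check_keystore hello || rc=$?; echo "$s -> $rc"; done
```

Against the real keystore, pipe the listing into the function: keytool -list -v -keystore hello.keystore | check_keystore hello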
The next step is to configure JBoss to use this keystore containing the SSL certificates for HTTPS requests. Now, depending on whether you are using the JBoss EAP (Enterprise) version or the JBoss (Community) version, make the required changes in the configuration file as follows:
For JBoss EAP (Enterprise)
Open your standalone.xml file from /
Note: the cipher-suite/cipher attribute is sometimes used because of an error that modern browsers usually throw while trying to connect to an SSL-certified site based on 1024-bit encryption:
Weak ephemeral Diffie-Hellman public key (this error occurs if you have generated your keystore using 1024-bit encryption instead of 2048-bit).
Use the trial certificates for testing purposes only. For commercial purposes, get a paid, full SSL certificate.
Using a hostname instead of an IP for accessing applications on JBoss Web Server.
Sometimes, you would be using JBoss on your intranet where you access your application like
But here is the catch: SSL certificates are issued for FQDNs (fully qualified domain names), e.g. www.xyz.com, not for IPs. So, when you try to generate a trial SSL certificate by giving an IP as the first and last name in the CSR, it will throw an error that the Common Name is an IP, not a hostname. Therefore, you must have a registered domain name for your server machine which is mapped to your IP address.
But if you don’t want to buy a domain name and just want to check out your SSL configuration in action locally, you can set up a DNS server on your Linux machine and configure your client machines to use this DNS server for hostname-to-IP resolution. Now, whenever you hit
https://<your_jboss_server_ip>:<port>/<application_context_path> in your browser from a client machine, it will resolve the entered hostname to its corresponding IP.
Thereafter, you can use the hostname as the first and last name while generating the CSR.