
Secure Sockets Layer Setup for JBoss

This section describes the process of setting up JBoss to allow @task to run through SSL (Secure Sockets Layer) for encrypted network communications.

Setup

Secure Sockets Layer, or SSL, is the standard for encrypted communication over the web. @task is designed to operate through SSL.

There are two necessary components to set up SSL:

1. Secure Certificate
2. JBoss Configuration

Secure Certificate

SSL requires a signed certificate (an X.509 certificate) to prove the identity of the server to clients. These signed certificates are obtained from a Certificate Authority, or CA.

If you want to generate your own self-signed ("unsigned") certificate and keystore file, here is the command:

keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8

NOTE: JBoss uses `chap8' as the default keystore name; feel free to change it. You may also change the alias `chapter8'. The chap8.keystore file needs to be placed in the conf folder, for example `jboss-4.0.5/server/default/conf'. The -storepass and -keypass values (rmi+ssl above) must match the keystorePass configured in server.xml.

JBoss Configuration

Server.xml

Inside the deploy/jbossweb-tomcat55.sar/ folder there is a server.xml file. You will need to edit this file to enable the HTTPS connector.

1. Inside server.xml, find the SSL/TLS Connector configuration. It will look similar to the code below:

    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
        keystorePass="rmi+ssl" sslProtocol="TLS" />

2. Uncomment the Connector code.
3. If your certificate keystore is not the default, "chap8.keystore", change keystoreFile to point to your keystore file.

Testing Configuration

After restarting JBoss, you should see something in the JBoss log that looks like this:

12:14:02,667 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8443

SSL should now be working with JBoss on port 8443.

Example: https://235.46.18.79:8443/jmx-console/
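A configuration-level check to go with the log check above, added here as an example (it is not code from the page or from JBoss): it parses server.xml and reports the mistakes the steps above guard against, namely a Connector that is still commented out, a keystore file that does not exist, and the sample keystore password left in place. The embedded server.xml is constructed for illustration, and the `props` and `keystore_exists` parameters are assumptions of this example.

```python
"""Sanity checks for the HTTPS Connector in a JBoss 4.x server.xml (added example)."""
import os
import re
import xml.etree.ElementTree as ET

SAMPLE_PASSWORD = "rmi+ssl"  # the keystore password used in this page's examples

# Constructed server.xml fragment mirroring the Connector shown on this page.
SAMPLE_SERVER_XML = """<Server><Service name="jboss.web">
  <Connector port="8080" address="${jboss.bind.address}" maxThreads="250"/>
  <Connector port="8443" address="${jboss.bind.address}"
     maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
     emptySessionPath="true" scheme="https" secure="true" clientAuth="false"
     keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
     keystorePass="rmi+ssl" sslProtocol="TLS" />
</Service></Server>"""

def expand_properties(path, props):
    """Expand ${name} placeholders with the given values; unknown ones are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), path)

def active_https_connectors(xml_text):
    """Attribute dicts of every uncommented Connector marked https or secure."""
    root = ET.fromstring(xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("scheme") == "https" or c.get("secure") == "true"]

def check_ssl_connector(xml_text, props=None, keystore_exists=os.path.isfile):
    """Return a list of findings; an empty list means the connector looks sane."""
    findings = []
    connectors = active_https_connectors(xml_text)
    if not connectors:
        # ElementTree drops comments, so look for the classic mistake in the raw text.
        if re.search(r'<!--(?:(?!-->).)*scheme="https"', xml_text, re.S):
            findings.append("HTTPS Connector is present but still commented out")
        else:
            findings.append("no HTTPS Connector defined")
        return findings
    for c in connectors:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'port {port}: scheme="https" and secure="true" must both be set')
        keystore = c.get("keystoreFile")
        if not keystore:
            findings.append(f"port {port}: keystoreFile is missing")
        elif not keystore_exists(expand_properties(keystore, props or {})):
            findings.append(f"port {port}: keystore {keystore} not found")
        if c.get("keystorePass") == SAMPLE_PASSWORD:
            findings.append(f"port {port}: keystorePass is the well-known sample value")
    return findings
```

Run it against the real file with `props={"jboss.server.home.dir": "/path/to/jboss-4.0.5/server/default"}` so the keystore path can be resolved.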

FAQ

Q: Is it possible to only use SSL?

A: No, but you can set up what is known as a redirect, which channels all requests through the SSL socket. The following is a very high-level description of how to accomplish this.

To set up a redirect to your SSL socket:

Requirements

Apache 2.2 or greater (the latest version is preferable)

Apache modules enabled:

1. In server.xml, make sure the AJP 1.3 connector on port 8009 is enabled; Apache will proxy requests to it:

    <!-- An AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="${jboss.bind.address}"
        emptySessionPath="true" enableLookups="false" redirectPort="8443"
        protocol="AJP/1.3"/>

2. Configure Apache to use SSL. A good step-by-step guide can be found at http://www.securityfocus.com/infocus/1818
3. Under the SSL config section place:

    <IfModule proxy_ajp_module>
        ProxyPass / ajp://localhost:8009/
    </IfModule>

4. To redirect from HTTP to HTTPS place this line in the default *:80 config section:

Redirect permanent / https://(IP OR HOST)/

Q: Is it possible to change the port SSL is on?

A: Yes, just change port="8443" to the desired port number. Remember that some systems require special permissions to open ports below 1024 (on Unix-like systems only a privileged user can bind them by default).