Configuring a certificate for Jboss

Admin

=Use a self-signed certificate=

Create a self-signed certificate
If you already have a signed certificate, skip to the next part.

I just had to set up a test certificate for my local install of JBoss 4.2.3 to try out some SSL code. It wasn't completely obvious, so here are some notes on how to do it.

First off you need to create a self-signed certificate. You do this with the keytool utility that ships with Java. Open a command prompt and run the following command; change the keystore path to reflect your install:

keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/java/{Version}/jre/lib/security/cacerts

When prompted, use the password changeit everywhere. It is important that you answer the first question ("What is your first and last name?") with your domain name, since that value becomes the certificate's CN:

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]: DOMAIN
What is the name of your organizational unit?
  [Unknown]: MPDL
What is the name of your organization?
  [Unknown]: MPG
What is the name of your City or Locality?
  [Unknown]: Munich
What is the name of your State or Province?
  [Unknown]: Bayern
What is the two-letter country code for this unit?
  [Unknown]: DE
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=NZ correct?
  [no]: yes
Enter key password for (RETURN if same as keystore password): changeit
Re-enter new password: changeit

=Use a signed server certificate=

Create your own server certificate
This part is explained in a separate article:

Create_a_signed_server_certificate

Import your certificate into the Java keystore
Optionally, convert the server certificate from PEM to DER encoding for distribution to clients:

openssl x509 -outform der -in .pem -out cacert.der

Optionally, convert the server certificate from PEM encoding to a CRT file for distribution to clients:

openssl x509 -outform der -in .pem -out cacert.crt

keytool -import -alias -file cacert.der -keystore /usr/java/{Version}/jre/lib/security/cacerts

keytool -import -alias -file .pem -keystore /usr/java/{Version}/jre/lib/security/cacerts
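After importing, you would normally run keytool -list to confirm the entry is there and that the keystore's integrity digest still verifies with the password. As an added illustration that is not part of the original notes, the following pure-Python reader does that check on the legacy JKS format keytool writes (the format the Java versions used with JBoss 4.2 produce; it assumes a version-2 file containing only trusted-certificate entries). The DER bytes and timestamp are constructed stand-ins, not a real certificate:

```python
import hashlib
import struct
JKS_MAGIC, JKS_VERSION, TRUSTED_CERT_TAG = 0xFEEDFEED, 2, 2   # tag 1 would be a private-key entry
CONSTRUCTED_TIMESTAMP_MS = 1_230_768_000_000                 # constructed creation time, ms since epoch

def _integrity_digest(password: str, body: bytes) -> bytes:
    # keytool seeds SHA-1 with the password as UTF-16BE plus the fixed string
    # "Mighty Aphrodite", then hashes the whole keystore body.
    h = hashlib.sha1(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()

def _utf(s: str) -> bytes:
    # DataOutputStream.writeUTF(): 2-byte big-endian length + modified UTF-8 (ASCII here)
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def build_jks(entries, password: str) -> bytes:
    # entries: [(alias, der_bytes)], written as trusted-certificate entries only
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias)
        body += struct.pack(">Q", CONSTRUCTED_TIMESTAMP_MS)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)   # trailing 20-byte digest

def read_jks(blob: bytes, password: str) -> dict:
    # Returns {"integrity_ok": bool, "entries": {alias: (cert_type, der_bytes)}}.
    # integrity_ok is False for a wrong password or a modified file, the same
    # check keytool -list performs before it trusts the keystore contents.
    data, digest = blob[:-20], blob[-20:]
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries, pos = {}, 12
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", data, pos)
        alias = data[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8                 # tag, alias length, alias, creation timestamp
        if tag != TRUSTED_CERT_TAG:
            raise ValueError(f"{alias!r}: private-key entries are not parsed here")
        tlen, = struct.unpack_from(">H", data, pos)
        ctype = data[pos + 2:pos + 2 + tlen].decode("utf-8")
        pos += 2 + tlen
        clen, = struct.unpack_from(">I", data, pos)
        entries[alias] = (ctype, data[pos + 4:pos + 4 + clen])
        pos += 4 + clen
    return {"integrity_ok": _integrity_digest(password, data) == digest, "entries": entries}
```

Run read_jks() on the bytes of your cacerts file with the keystore password: a False integrity_ok means either the wrong password or a file that has been altered since keytool last wrote it.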

=Edit server.xml=

Next you need to configure Tomcat (JBoss Web) to create an SSL connector.

Edit {JBOSS-HOME}/server/default/deploy/jboss-web.deployer/server.xml, find the commented-out SSL connector example, uncomment it and tweak it as follows:



=Add option to run.conf=

Finally, add two system properties to your JBoss startup command so that the javax.net.ssl library uses your new keystore as its trust store. These are only needed if your server makes SSL calls back to itself. I needed them because I had CAS and three applications authenticating against CAS all running in the same dev JBoss instance:

-Djavax.net.ssl.trustStore=/usr/java/{Version}/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit

Now browse to https://localhost:8443/

Your browser will complain about a self-signed (or unknown-issuer) certificate. Follow your browser's instructions to add a security exception for this certificate so you are not prompted again, and you are done.

=Configure Apache2 server=

Last but not least, you need to configure your Apache2 server.

How to configure the Apache2 server for SSL is described here:

Apache2_SSL_Configuration

In addition, you need to add a RewriteRule so that all requests on port 8443 are forwarded to port 443.