JBoss AS7 with SSL and certificates signed by a CA

De Eriberto Wiki
Ir para: navegação, pesquisa

by (C) João Eriberto Mota Filho <eriberto (a) eriberto pro br>

Article created at: September 11, 2013.

Last update: see the foot of this page.

Tiny URL or bit.ly: http://bit.ly/jboss_ssl


The objective of this article is show as implement SSL in JBoss AS 7, using certificates signed by a CA (Certificate Authority). Is very common find tutoriais saying about SSL based in self-signed certificates. The problem is that these certificates aren't known by browsers automaticaly. Then, the best option is use an internal CA to sign the certificates.

My wiki is written in Brazilian Portuguese. However, I didn't found a tutorial in Google to make what I need. So, based in some ideas found and in my experience, I had success and decided tell about it to world, using my terrible english. ;-)

This article is based on OpenSSL and will use CA.pl script. Note that I won't teacher how to create a CA nor explain about OpenSSL commands in details. But several commands will be showed and will be possible create the final certificates.

Exclamacao36.png To know as create a CA using CA.pl, see http://darizotas.blogspot.com.br/2013/03/understanding-openssl-capl.html or search for CA.pl create CA. In Brazilian Portuguese you can read the article Autoridade Certificadora (CA) com o OpenSSL in this wiki.

Tip: is very convenient that you edit the openssl.cnf file (at /etc/ssl/ or /usr/lib/ssl/) and change the default values of the countryName_default, stateOrProvinceName_default etc to make your work easier.

Tip2: a CA, generally, is created with validity above 10 years.

Certificates and AS 7

AS 7 uses certificates in PKCS12 or JKS (Java KeyStore) format. The preferred format is JKS. So, we must create the default X509 certificate, convert it to PKCS12, both using CA.pl command from OpenSSL and, finally, convert to JKS employing the keytool command (available by OpenJDK and Oracle Java).

The PKCS12 is a file, known as PKCS12 certificate, that include the X509 certificate, his private key and the CA certificate.

How to create the certificates

1. In OpenSSL tools directory, generally /usr/lib/ssl/misc, create a new certificate request for your JBoss server:

# ./CA.pl -newreq
Exclamacao36.png You will be asked about a passprhase to your certificate. You will be able to use a light passphrase because it will be temporary. When asked about Common Name, inform the FQDN of the your server.

2. Sign your certificate using your CA:

# ./CA.pl -sign

3. Copy the newkey.pem to end of the newcert.pem:

# cat newkey.pem >> newcert.pem

4. Create a PKCS12 certificate:

# ./CA.pl -pkcs12 "jbosscert"
Exclamacao36.png "jbosscert" is the friendly name of the PKCS12 certificate. You will be asked about the passphrase used to create the certificate (pass 1. above, relative to private key newkey.pem of the certificate) and then a passphrase to your PKCS12 certificate. You will be able to use a light passphrase because it will be temporary.

5. In last pass was created the newcert.p12 file. You can use the following command to see the contents of the PKCS12 certificate:

# openssl pkcs12 -info -nodes -in newcert.p12

6. The next step will be remove all human text from CA certificate (demoCA/cacert.pem). The keytool command doesn't support it. You can make it by hand or using the following command:

# openssl x509 -in demoCA/cacert.pem -out demoCA/cacert-pure.pem

7. Use the keytool command to generate a JKS key based on jbosscert and another based on cacert.pem (root certificate of the CA). For each command you will be invited to enter a passphrase. Choose a good passphrase. This passphase will be used by JBoss to access the certificate content. In the case of the newcert.p12, after define the final PKCS12 passphrase, you will need to inform the passphrase generated at the pass 4. above.

# keytool -importkeystore -destkeystore jbosscert.jks -srckeystore newcert.p12 -srcstoretype PKCS12 -alias "jbosscert"

# keytool -import -trustcacerts -keystore cacerts.jks -file demoCA/cacert-pure.pem -alias "jbosscert"

8. In fact, we have two final files now:

  • jbosscert.jks that uses the alias name "jbosscert". This is the certificate to be used by JBoss server.
  • cacert.jks that uses the alias name "jbosscert". This is the CA root certificate that will validate the jbosscert.jks. Remember that you need add in each client browser the cacert.pem as a CA certificate.

How to install the certificates

Initially, on JBoss server, copy the keys to /etc/ssl/certs (or another directory destinated to keep certificates) and set strict permissions to jbosscert.jks. Considering the JBoss user as being jboss, use the commands:

# cp jbosscert.jks cacerts.jks /etc/ssl/certs
# chmod 400 /etc/ssl/certs/jbosscert.jks
# chown jboss /etc/ssl/certs/jbosscert.jks

Open the $JBOSS/standalone/configuration/standalone.xml file and observe the line:

<socket-binding name="https" port="8443"/>

The cited line defines a name and associates a port. This name (https) will be used to activate the SSL in a next line. Then, in the same file, find the following line:

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

and, after this, insert:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" key-alias="jbosscert" password="your_jks_key_passphrase" certificate-key-file="/etc/ssl/certs/jbosscert.jks"
     verify-client="false" ca-certificate-file="/etc/ssl/certs/cacert.jks"/>

If you don't want the 8080 port (http without SSL) enabled, remove this line:

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

To test, in a browser, access the site using the FQDN and port 8443. Example: http://www.darknet.com.br:8443.

Access counter


See also the counter below, started at Sep 11, 2013.
Twitter: News about articles, books and presentations, follow me at eribertomota.

Brazilian tags: autoridade certificadora, certificado, criptografia, SSL, TLS, GNU/Linux, Linux, Debian.