JBoss 7.1 SSL Configuration

When running JBoss as a stand-alone web server, you should consider configuring it to use secure sockets so that sensitive information such as login credentials or credit card numbers is transmitted over a protected connection.

SSL, or Secure Sockets Layer, is a standard security technology that allows web browsers and web servers to communicate over a secured connection by establishing an encrypted link between them. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending data.

Another important aspect of the SSL protocol is the authentication process. During your initial attempt to communicate with a web server over a secure connection, the server will present your web browser with a set of credentials, in the form of a "Certificate", as proof that the site is who and what it claims to be. To increase the security even more, the server may also request a Certificate from the web browser, asking for proof that you are who you claim to be. This is known as "Client Authentication", although in practice this is used more for business-to-business (B2B) transactions than with individual users.

Below you can find all the steps needed to configure the SSL protocol on JBoss 7.1.x.

1. Prerequisites

Before proceeding with the tutorial we will need the following:

  • Java 7 (JBoss 7.1 does not work on later versions of Java)
  • JBoss 7.1.x
  • Basic knowledge of the HTTPS protocol and of JBoss web applications
  • A web application deployed on JBoss that can respond to GET requests.

We are going to use keytool (provided with the JDK) to manipulate the keys and certificates.

The first step is to create two key pairs:

  • one for the server side (used for SSL)
  • one as an example of the client side (used for "trust"; this should be performed for each client, on the client side)

Step 1.  Open the command line, navigate to JDK_HOME\jre\bin

We will use the command line to execute the commands described in steps 2 to 6.

Step 2.  Create the client's private/public key pair

keytool -genkey -alias as7alias -keyalg RSA -keystore client.jks -keypass mypassword -storepass mypassword -validity 365 -dname "CN=localhost,O=Sibiu,C=RO"

This command generates a file called "client.jks".

!!! Please note that these keys are self-signed. In a production system you should use a Certificate Authority (CA).

Step 3.  Create the server's private/public key pair

keytool -genkey -alias as7alias -keyalg RSA -keystore server.jks -keypass mypassword -storepass mypassword -validity 365 -dname "CN=localhost,O=Sibiu,C=RO"

This command generates a file called "server.jks".

Step 4.  Export the client’s public key into the certificate

keytool -export -rfc -alias as7alias -file client.crt -keystore client.jks -keypass mypassword -storepass mypassword

This command generate a file called “client.crt” which contains the client’s public key

Step 5.  Import the client key into the trust-store (this step is needed so that the server knows if the client can be trusted or not)

keytool -import -keypass mypassword -trustcacerts -alias localhost -file client.crt -keystore server.jks -storepass mypassword

Running this command we will be prompted to trust this certificate; we will have to type "yes" to trust it. After typing "yes" the certificate will be added to the server's keystore.

Step 6.  Transform the JKS keystore into a PKCS12 keystore (this file will be used on the browser)

keytool -importkeystore -srckeystore client.jks -srcstoretype JKS -destkeystore client.pfx -deststoretype PKCS12

Running this command we will be prompted to type in the destination and source keystore passwords.


This command generates a file called "client.pfx".

At the end of these steps we will end up having 4 files: client.jks, server.jks, client.crt and client.pfx.

Step 7.  Add SSL entries in standalone.xml

Change the {JBOSS_HOME}/standalone/configuration/standalone.xml file as shown below.

We will have to add a new <connector> tag for the HTTPS protocol.

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443" />
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl"
            password="mypassword"
            certificate-key-file="../standalone/configuration/keystore/server.jks"
            protocol="TLSv1"
            verify-client="true"
            ca-certificate-file="../standalone/configuration/keystore/server.jks"
            truststore-type="JKS"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>

As can be seen, the file "server.jks" is used in the ssl configuration. This file has been placed in a folder named "keystore" inside the configuration folder of the JBoss server.

Step 8.  Redirect requests from http to https

In order to redirect any requests made on the http port to https, the attribute redirect-port="8443" has been added to the http connector tag.

In the deployment descriptor (web.xml) the <security-constraint> tag has to be added as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">

    <display-name>JbossSecurity</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SECURE</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>

Inside the standalone.xml search for the following tag:  <socket-binding-group name="standard-sockets">

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
    <socket-binding name="ajp" port="8009"/>
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
    <socket-binding name="osgi-http" interface="management" port="8090"/>
    <socket-binding name="remoting" port="4447"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>

We notice that HTTP defaults to port 8080 and HTTPS defaults to port 8443.

The socket-binding="https" attribute of the <connector> tag has to match the name of a <socket-binding> inside the <socket-binding-group> tag, and the redirect-port has to match that binding's port. If the port numbers are not the same then the SSL configuration will not work.
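The consistency rules above are easy to get wrong by hand, so here is an added example (not part of the original post) that parses a standalone.xml excerpt and reports when the https connector, its socket-binding and the http redirect-port disagree, or when verify-client is enabled without a trust store. The excerpt is constructed to mirror the configuration shown above; the namespace urn:jboss:domain:web:1.1 is the one used on the page.

```python
"""Added example: cross-check the HTTPS-related settings of a JBoss 7.1 standalone.xml."""
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:1.1"  # web subsystem namespace used on the page

# Constructed excerpt mirroring the post's configuration (a real file has far more in it).
SAMPLE_STANDALONE = f"""<server>
<subsystem xmlns="{WEB_NS}" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" password="mypassword" protocol="TLSv1" verify-client="true"
         certificate-key-file="../standalone/configuration/keystore/server.jks"
         ca-certificate-file="../standalone/configuration/keystore/server.jks" truststore-type="JKS"/>
  </connector>
</subsystem>
<socket-binding-group name="standard-sockets" default-interface="public">
  <socket-binding name="http" port="8080"/>
  <socket-binding name="https" port="8443"/>
</socket-binding-group>
</server>"""


def _find_all(root, local_name):
    """All elements whose tag has this local name, whatever namespace the file uses."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == local_name]


def check_https_config(xml_text):
    """Return a list of problems; an empty list means connector, binding and redirect agree."""
    root = ET.fromstring(xml_text)
    problems = []
    ports = {sb.get("name"): sb.get("port") for sb in _find_all(root, "socket-binding")}
    connectors = {c.get("name"): c for c in _find_all(root, "connector")}
    https = connectors.get("https")
    if https is None:
        return ["no https connector in the web subsystem"]
    binding = https.get("socket-binding")
    https_port = ports.get(binding)
    if https_port is None:
        problems.append(f"https connector refers to socket-binding '{binding}', which is not defined")
    ssl_elems = _find_all(https, "ssl")
    if not ssl_elems:
        problems.append("https connector has no <ssl> element")
    elif ssl_elems[0].get("verify-client") == "true" and not ssl_elems[0].get("ca-certificate-file"):
        problems.append("verify-client is true but no ca-certificate-file (trust store) is set")
    http = connectors.get("http")
    if http is not None and https_port and http.get("redirect-port") != https_port:
        problems.append(f"http redirect-port={http.get('redirect-port')} but '{binding}' listens on {https_port}")
    return problems


if __name__ == "__main__":
    for line in check_https_config(SAMPLE_STANDALONE) or ["OK: connector, socket-binding and redirect-port agree"]:
        print(line)
```

The check covers consistency only; it does not judge protocol="TLSv1", which selects TLS 1.0, a version that has since been deprecated (RFC 8996), so review that setting separately.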

Starting the server and opening the application in Mozilla Firefox results in Firefox's untrusted-connection page.

Confirming the exception (the I Understand the Risks option) leads to a connection error.

This is normal because there is no client certificate installed in the browser yet.

In order to import the certificate (client.pfx file) follow the steps below:

1. Open Menu → Options → Advanced → Certificates → View certificates → Import

2. Choose the file client.pfx to be imported.

3. We will be prompted for the password. The password is the one we typed in step 6.

Typing in the password and pressing OK imports the certificate, which is then listed among the browser's certificates.

Reloading the page again we will see a further warning.

Pressing "OK" and reloading the page once more, we can see that the request has been completed successfully over the HTTPS protocol.

As can be seen, the URL used in this example is: https://localhost:8443/JbossSecurity/

Any request made to http://localhost:8080/JbossSecurity will be automatically redirected to https://localhost:8443/JbossSecurity.

Resources

  • https://docs.jboss.org/jbossweb/7.0.x/

* – Featured image made by Madebyoliver


2 thoughts on “JBoss 7.1 SSL Configuration”

  1. Would be interesting to see something like letsencrypt for client authentication. I know that letsencrypt supports only domain validation… but maybe there are other alternatives (free… I mean) that can be used for exposing applications through jboss container

    1. Thank you for your comment.

      We are actually planning to look into “Let’s Encrypt” to see how it would be possible to use it in order to achieve the client authentication without the need of setting up a certificate. We are now working on a new blog post to create the SSL configuration on Wildfly and then we will move onto “Let’s Encrypt”.
