Server authentication through SSL certificate in JBoss AS 7.1.1.Final


antoniopaolacci/jboss-7-enable-ssl-server-auth


Glossary

The digitally signed certificate(s) returned by the CA can come in any accepted format, but PEM (files usually named .pem, .crt, .cer or .key) is the format CAs issue most often.
PEM files are Base64-encoded ASCII and wrap their content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
SSL certificates, root and intermediate CA certificates, and private keys can all be stored in PEM format.

A keystore file stores cryptographic keys and certificates. Depending on the keystore type, it can hold three kinds of entries:

Private key: a key used in asymmetric cryptography. It is usually protected by a password because of its sensitivity, and it is also used to produce digital signatures.

Certificate: contains a public key that identifies the subject named in the certificate. It is usually used to verify the identity of a server.

Secret key: a key entry used in symmetric cryptography.

Obtain an SSL certificate

https://gethttpsforfree.com/

Or use a self-signed SSL certificate (see the related section below).

Certificate files issued through gethttpsforfree.com

You will have the following PEM-encoded files:

  • cert.pem: Your domain's certificate
  • chain.pem: The Let's Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: Your certificate's private key
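Before packaging these files into a keystore it is worth checking that each one really holds what its name promises. The script below is an added example, not part of the repository: it splits a PEM file into its "-----BEGIN ...-----" / "-----END ...-----" blocks, Base64-decodes each one, and counts certificates and private keys so that cert.pem, chain.pem, fullchain.pem and privkey.pem can be told apart and a private key is never handed to a tool that expects a certificate. The sample input is a constructed minimal DER blob, not a real certificate or key.

```python
"""Inspect PEM files before packaging them into a keystore.

Added example, not part of the repository: splits a PEM file into its
"-----BEGIN ...-----" / "-----END ...-----" blocks, Base64-decodes each block
and reports how many certificates and private keys the file holds.
"""
import base64
import re

# One PEM block; the label on the END line must equal the one on the BEGIN line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)

# What each file from the gethttpsforfree.com / Let's Encrypt set should contain.
EXPECTED = {
    "cert":      (lambda certs, keys: certs == 1 and keys == 0),
    "chain":     (lambda certs, keys: certs >= 1 and keys == 0),
    "fullchain": (lambda certs, keys: certs >= 2 and keys == 0),
    "privkey":   (lambda certs, keys: certs == 0 and keys == 1),
}


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # The body is Base64 folded into 64-column lines: drop all whitespace.
        der = base64.b64decode("".join(body.split()), validate=True)
        # X.509 certificates and PKCS#8/PKCS#1 keys are DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: decoded content is not a DER SEQUENCE")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def summarize(text):
    """Count certificate and private-key blocks in a PEM file."""
    labels = [label for label, _ in parse_pem(text)]
    return {
        "certificates": labels.count("CERTIFICATE"),
        # matches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"
        "private_keys": sum(1 for label in labels if label.endswith("PRIVATE KEY")),
    }


def matches_kind(text, kind):
    """True if the content is what a cert/chain/fullchain/privkey file should hold."""
    counts = summarize(text)
    return EXPECTED[kind](counts["certificates"], counts["private_keys"])


# Constructed sample input: a minimal DER SEQUENCE { INTEGER 1 }. This is NOT a
# real certificate or key, only enough structure to exercise the parser offline.
_FAKE_DER_B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()


def fake_block(label):
    """Build one constructed PEM block with the given label."""
    return f"-----BEGIN {label}-----\n{_FAKE_DER_B64}\n-----END {label}-----\n"


SAMPLE_CERT = fake_block("CERTIFICATE")
SAMPLE_KEY = fake_block("PRIVATE KEY")

if __name__ == "__main__":
    for name, content in [("cert.pem", SAMPLE_CERT),
                          ("fullchain.pem", SAMPLE_CERT * 2),
                          ("privkey.pem", SAMPLE_KEY)]:
        print(name, summarize(content))
```

Run it against the real files with `summarize(open("fullchain.pem").read())`; a fullchain.pem that reports fewer than two certificates, or any file that reports both a key and a certificate, deserves a second look before it goes anywhere near the server.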

Files used in the JBoss SSL setup

  • account.key
  • domain.key
  • intermediate.crt
  • domain.crt
  • domain.p12
  • domain.jks

NOTE:
The password of the PKCS12 file and the password of the keystore must be the same.
Otherwise the server fails at startup with: Unable to start service Caused by: java.security.UnrecoverableKeyException: Cannot recover key

Create a PKCS12 keystore from the private key and the public certificate:

openssl pkcs12 -export -name domain -in domain.crt -inkey domain.key -out domain.p12

Enter Export Password: ...
Verifying - Enter Export Password: ...

Convert the PKCS12 keystore into a JKS keystore:

keytool -importkeystore -srckeystore domain.p12 -srcstoretype pkcs12 -destkeystore domain.jks -deststoretype JKS

Immettere la password del keystore di destinazione: ...
Immettere nuovamente la nuova password: ...
Immettere la password del keystore di origine: ...
La voce dell' alias domain è stata importata.
Importazione completata: 1 voci importate, 0 voci non importate o annullate

Import the intermediate certificate:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore domain.jks

Immettere la password del keystore:
Considerare attendibile questo certificato? [no]: si
Il certificato è stato aggiunto al keystore

Import the domain certificate:

keytool -import -trustcacerts -alias domain -file domain.crt -keystore domain.jks

Immettere la password del keystore:
Considerare attendibile questo certificato? [no]: si
Il certificato è stato aggiunto al keystore

Verify the contents of the JKS keystore:

keytool -list -v -keystore domain.jks

Immettere la password del keystore:

Tipo keystore: JKS
Provider keystore: SUN
Il keystore contiene 2 entry
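The steps above are interactive and, if the export password typed into openssl differs from the one typed into keytool, the result is the "Cannot recover key" failure from the note. The script below is an added example, not part of the repository: it builds the same openssl and keytool command lines as argument lists, hands one password to both tools through an environment variable (openssl's "-passout env:VAR" and keytool's "-storepass:env VAR" forms) so it never appears on the command line, in shell history or in ps output, and sets the JKS key-entry password equal to the store password with "-destkeypass". File names are the ones used on this page; the STOREPASS variable name is this example's own choice.

```python
"""Run the PKCS12 -> JKS procedure with one shared password.

Added example, not part of the repository: the openssl and keytool commands of
the procedure as argv lists, with the password taken from the STOREPASS
environment variable by every step and the JKS key entry given the same
password as the store (what JBoss needs to avoid UnrecoverableKeyException).
"""
import os
import subprocess

PASS_ENV = "STOREPASS"  # environment variable both tools read the password from


def build_commands(alias="domain", key="domain.key", cert="domain.crt",
                   intermediate="intermediate.crt", p12="domain.p12", jks="domain.jks"):
    """Return the procedure as an ordered list of argv lists."""
    return [
        # 1. PKCS12 from private key + certificate (export password from the environment)
        ["openssl", "pkcs12", "-export", "-name", alias, "-in", cert, "-inkey", key,
         "-out", p12, "-passout", f"env:{PASS_ENV}"],
        # 2. PKCS12 -> JKS: source store, destination store and key entry share the password
        ["keytool", "-importkeystore", "-noprompt",
         "-srckeystore", p12, "-srcstoretype", "pkcs12", "-srcstorepass:env", PASS_ENV,
         "-destkeystore", jks, "-deststoretype", "JKS", "-deststorepass:env", PASS_ENV,
         "-destkeypass:env", PASS_ENV],
        # 3. intermediate CA certificate as a trusted entry
        ["keytool", "-import", "-noprompt", "-trustcacerts", "-alias", "intermediate",
         "-file", intermediate, "-keystore", jks, "-storepass:env", PASS_ENV],
        # 4. domain certificate as the certificate reply for the existing key entry
        ["keytool", "-import", "-noprompt", "-trustcacerts", "-alias", alias,
         "-file", cert, "-keystore", jks, "-storepass:env", PASS_ENV],
        # 5. list the result; expect the key entry plus the trusted intermediate
        ["keytool", "-list", "-v", "-keystore", jks, "-storepass:env", PASS_ENV],
    ]


def password_refs(argv):
    """Names of the environment variables an argv takes its password(s) from."""
    refs = []
    for i, arg in enumerate(argv):
        if arg == "-passout" and argv[i + 1].startswith("env:"):
            refs.append(argv[i + 1][len("env:"):])
        elif arg.endswith("pass:env"):
            refs.append(argv[i + 1])
    return refs


def passwords_consistent(commands):
    """True if every step reads the same variable and no step carries a literal password."""
    names = set()
    for argv in commands:
        refs = password_refs(argv)
        literal = any(a.lower().startswith("pass:") for a in argv)  # openssl "pass:secret"
        if not refs or literal:
            return False
        names.update(refs)
    return names == {PASS_ENV}


def run(commands, password, dry_run=True):
    """Execute the steps in order; with dry_run only print them."""
    env = dict(os.environ, **{PASS_ENV: password})
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, env=env, check=True)


if __name__ == "__main__":
    # Dry run: prints the five commands; set dry_run=False to execute them.
    run(build_commands(), password="example-only", dry_run=True)
```

The keystore-password you later put into standalone.xml must be the same value; step 5 is the page's own `keytool -list -v` check, and its output should show one PrivateKeyEntry (domain) and one trustedCertEntry (intermediate).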

Editing configuration/standalone.xml: add a security realm whose server identity is the keystore

 <security-realms>
	<security-realm name="SslRealm">
	  <server-identities>
		<ssl>
		  <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeme"/>
		</ssl>
	  </server-identities>
	</security-realm>
</security-realms>

Add the https listener by editing standalone.xml:

<subsystem xmlns="urn:jboss:domain:undertow:1.2">
	<buffer-cache name="default"/>
	<server name="default-server">
		<http-listener name="default" socket-binding="http"/>
		<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
		...

Verify the https port binding:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
	...
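The three standalone.xml fragments above have to agree with each other: the https-listener names a security realm, that realm must carry an ssl keystore, and the listener's socket-binding must exist in the socket-binding-group. The checker below is an added example, not part of the repository: it parses a standalone.xml, matches elements by local name so the urn:jboss:domain:* namespace versions do not matter, and reports any of those links that is broken, plus a keystore-password left at a placeholder such as the "changeme" in the snippet above. The embedded configuration is a constructed, trimmed sample that reuses the page's realm, listener and binding names and the domain.jks produced by the procedure.

```python
"""Sanity-check the SSL wiring in standalone.xml.

Added example, not part of the repository: finds every security realm that
carries an <ssl><keystore> server identity and checks that each https-listener
points at such a realm and at an existing socket binding, and that the
keystore-password is not a placeholder.
"""
import xml.etree.ElementTree as ET

PLACEHOLDER_PASSWORDS = {"", "changeme", "changeit", "password", "secret"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree prepends to element names."""
    return tag.rsplit("}", 1)[-1]


def find_all(node, name):
    """Yield every descendant (the node itself included) with this local name."""
    for el in node.iter():
        if local_name(el.tag) == name:
            yield el


def check_standalone(xml_text):
    """Return a list of findings; an empty list means the SSL wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # Realms that actually provide a server certificate: <server-identities><ssl><keystore>
    ssl_realms = set()
    for realm in find_all(root, "security-realm"):
        name = realm.get("name")
        for identities in find_all(realm, "server-identities"):
            for ssl in find_all(identities, "ssl"):
                for keystore in find_all(ssl, "keystore"):
                    ssl_realms.add(name)
                    if not keystore.get("path"):
                        findings.append(f"realm {name!r}: keystore has no path")
                    password = keystore.get("keystore-password", "")
                    if password.lower() in PLACEHOLDER_PASSWORDS:
                        findings.append(f"realm {name!r}: keystore-password is a placeholder value")

    bindings = {b.get("name") for b in find_all(root, "socket-binding")}

    listeners = list(find_all(root, "https-listener"))
    if not listeners:
        findings.append("no https-listener configured")
    for listener in listeners:
        lname = listener.get("name")
        realm = listener.get("security-realm")
        if realm not in ssl_realms:
            findings.append(f"https-listener {lname!r}: security-realm {realm!r} has no <ssl><keystore>")
        binding = listener.get("socket-binding")
        if binding not in bindings:
            findings.append(f"https-listener {lname!r}: socket-binding {binding!r} is not defined")
    return findings


# Constructed, trimmed standalone.xml using the names from this page
# (root namespace omitted; the undertow namespace is the one shown above).
SAMPLE_STANDALONE = """<server>
  <management>
    <security-realms>
      <security-realm name="SslRealm">
        <server-identities>
          <ssl>
            <keystore path="domain.jks" relative-to="jboss.server.config.dir" keystore-password="changeme"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
  </socket-binding-group>
</server>
"""

if __name__ == "__main__":
    for finding in check_standalone(SAMPLE_STANDALONE) or ["ok"]:
        print(finding)
```

Point it at the real file with `check_standalone(open("standalone/configuration/standalone.xml").read())`; on the sample it reports only the placeholder password, which is exactly the one thing to change before the keystore built above goes into production.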

NOTE:
Add a port redirect with iptables, because ports 80 and 443 can only be bound by root:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Self-signed certificate

Generate a self-signed SSL certificate with keytool:

keytool -keystore ssl-server.jks -genkey -alias testssl -keyalg RSA


Enter keystore password: --the keystore password--
Re-enter new password:
What is your first and last name?
[Unknown]: Marco Rossi
What is the name of your organizational unit?
[Unknown]: Net
What is the name of your organization?
[Unknown]: ACN
What is the name of your City or Locality?
[Unknown]: Rome
What is the name of your State or Province?
[Unknown]: RM
What is the two-letter country code for this unit?
[Unknown]: IT
Is CN=Marco Rossi, OU=Net, O=ACN, L=Rome, ST=RM, C=IT correct?
[no]: y


Use it, for example, in a Spring Boot project:
  • copy the file into the src/main/resources classpath directory of the Java project
  • add the following configuration parameters to the application.properties file:
server.ssl.enabled=false
server.ssl.key-store=classpath:ssl-server.jks
server.ssl.key-store-password= --the keystore password--
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
