JBoss SSL configuration


Ok, I just googled for “JBoss SSL configuration” and found a couple of useful articles. I don’t want to create “yet another guide to JBoss SSL configuration”, but I will describe the particular issues I met.
Here is the link: http://www.jboss.org/community/wiki/SSLSetup is quite informative for configuring your SSL. The general idea is to edit server/${profile}/deploy/jboss-web.deployer/server.xml and define an SSL Connector there. That article gives some more advanced information on SSL configuration (using the SSL Connector with APR – Apache Portable Runtime, etc.).

In practice I’ve found that JBoss port configuration for HTTP/HTTPS is not a trivial thing – it requires a lot of changes. But a workaround exists – you can update your conf/jboss-service.xml and uncomment the ServiceBindingManager, which uses port-bindings.xml.
Here is a way to configure your ports and be able to switch between them relatively fast.

Once you have configured your JBoss/Tomcat to use SSL, you have to configure your application to use it. Yes, at this point the pages of your application are also available

I should also mention that by default all encryption ciphers supported by the JVM will be used. To change this you have to specify the ciphers attribute on your SSL Connector.
Here is an example which includes almost all ciphers with key length > 64:

<!-- HTTPS connector; the SSL_DH_anon_/TLS_DH_anon_ suites in the ciphers list are
     the anonymous ones that the note after this listing recommends removing -->
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="150" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/keystore/yourkeystore.keystore"
           keystorePass="your-keystore-password"
           protocol="HTTP/1.1"
           ciphers="SSL_DHE_DSS_WITH_RC4_128_SHA,
                    SSL_DH_anon_WITH_RC4_128_MD5,
                    SSL_RSA_WITH_RC4_128_MD5,
                    SSL_RSA_WITH_RC4_128_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DH_anon_WITH_AES_128_CBC_SHA,
                    TLS_DH_anon_WITH_AES_256_CBC_SHA,
                    TLS_KRB5_WITH_RC4_128_MD5,
                    TLS_KRB5_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA"
           SSLEnabled="true">
</Connector>

And if you want to make it even more secure, you have to remove the anonymous ciphers from that list: SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA and TLS_DH_anon_WITH_AES_256_CBC_SHA (anonymous suites never authenticate the server, so a client cannot tell whether it is talking to your JBoss or to something in between).
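A small audit script for the two points above (the default-ciphers behaviour and the anonymous suites to remove), added here as an example; it is not code from the original post or from JBoss/Tomcat. It parses the Connector elements of a server.xml, splits the possibly multi-line ciphers attribute the way Tomcat does, and reports connectors that rely on JVM defaults, the anonymous DH suites, and the RC4/MD5 suites a current deployment should not offer either. The server.xml text and the 8080 connector are constructed for the example; the 8443 connector is the one from the post.

```python
"""Audit the `ciphers` attribute of JBoss/Tomcat SSL Connectors in server.xml.

Added example, not code from the original post or from JBoss/Tomcat. The
server.xml text below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the post's HTTPS Connector plus a plain HTTP one, wrapped in
# minimal Server/Service elements so ElementTree can parse it.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" protocol="HTTP/1.1" />
    <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="150" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/keystore/yourkeystore.keystore"
               keystorePass="your-keystore-password"
               protocol="HTTP/1.1"
               ciphers="SSL_DHE_DSS_WITH_RC4_128_SHA,
                        SSL_DH_anon_WITH_RC4_128_MD5,
                        SSL_RSA_WITH_RC4_128_MD5,
                        SSL_RSA_WITH_RC4_128_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DH_anon_WITH_AES_128_CBC_SHA,
                        TLS_DH_anon_WITH_AES_256_CBC_SHA,
                        TLS_KRB5_WITH_RC4_128_MD5,
                        TLS_KRB5_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA"
               SSLEnabled="true" />
  </Service>
</Server>
"""


def parse_cipher_list(attr):
    """Split like Tomcat: comma-separated tokens, surrounding whitespace ignored.

    XML attribute-value normalisation already turns the line breaks inside the
    attribute into spaces, so a multi-line list such as the post's is safe.
    """
    return [tok.strip() for tok in attr.split(",") if tok.strip()]


def is_anonymous(cipher):
    """Anonymous DH suites: no server certificate, so no server authentication."""
    return "_anon_" in cipher


def is_legacy(cipher):
    """RC4 stream cipher or an MD5 MAC: both should be retired from the list."""
    return "_RC4_" in cipher or cipher.endswith("_MD5")


def strip_anonymous(ciphers):
    """The post's own recommendation: keep everything except the anonymous suites."""
    return [c for c in ciphers if not is_anonymous(c)]


def strip_weak(ciphers):
    """Stricter variant: drop anonymous, RC4 and MD5 suites."""
    return [c for c in ciphers if not is_anonymous(c) and not is_legacy(c)]


def to_ciphers_attribute(ciphers):
    """Render a list back into the single-line form used in the Connector element."""
    return ",".join(ciphers)


def audit_connectors(xml_text):
    """Return one finding per TLS-enabled Connector found in the server.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        tls = (conn.get("SSLEnabled", "").lower() == "true"
               or conn.get("scheme", "").lower() == "https")
        if not tls:
            continue
        raw = conn.get("ciphers")
        ciphers = parse_cipher_list(raw) if raw is not None else []
        findings.append({
            "port": conn.get("port"),
            "uses_jvm_defaults": raw is None,  # no attribute: every JVM cipher is offered
            "ciphers": ciphers,
            "anonymous": [c for c in ciphers if is_anonymous(c)],
            "legacy": [c for c in ciphers if is_legacy(c) and not is_anonymous(c)],
            "hardened": strip_weak(ciphers),
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print("Connector port", f["port"])
        print("  JVM default ciphers:", f["uses_jvm_defaults"])
        print("  anonymous suites   :", f["anonymous"])
        print("  RC4/MD5 suites     :", f["legacy"])
        print("  hardened ciphers=  :", to_ciphers_attribute(f["hardened"]))
```

The script only inspects what the configuration asks for; the list the connector actually negotiates is the intersection of that with what the running JVM supports (javax.net.ssl.SSLServerSocketFactory.getSupportedCipherSuites()), so a name that the JVM does not know is silently dropped rather than reported.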

Important note: during keystore/private-key generation you MUST use the SAME password for both. There is no way to specify different passwords for the keystore and the key in the Tomcat SSL configuration.
See the original issue description and the Tomcat 5.5 documentation.

Posted in Software Development
One comment on “JBoss SSL configuration”
  1. […] It is not always a requirement to have SSL configured for application to have trusted HTTPS protocol, so I’ll put it in a separate post https://achorniy.wordpress.com/2009/07/15/jboss-ssl-configuration/ […]
