Hello, I'm trying to set up and configure JBoss 3.2.5 to run over SSL and NOT on the standard port 8080.
I've looked all over the net and have found a 'few' guides, only to find they're kinda off from what I'm doing. Also, all the research shows that Tomcat 4.0 is in 2.3.5. However, I "believe" mine's got Tomcat 5.0 (downloaded from jboss.com). Here's what I did and what not. However, no such luck. Any advice would be GREATLY appreciated. The "actual" values are left out for company reasons. However, the exact 'step' was performed.

Okay, the steps performed were the ones located at:
http://www.theserverside.com/discussions/thread.tss?thread_id=22243

Steps included:

Step 1) First of all, we are going to make a keystore. This is the place we are going to store the keys in on the server side. We will use the Java tool keytool for this. The algorithm used here is RSA. (The value <alias name> was replaced with "company".) At the selected directory:

    keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

Fill in all the information that is asked. A keystore with the name name.keystore is generated.

Step 2) Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like VeriSign or Thawte:

    keytool -certreq -keystore ./name.keystore -alias <alias name> -file <CSR file name>.csr

Enter the keystore password. A <CSR file name>.csr file is generated. If you are getting the CSR signed by a certifying authority, then skip the next step.

Step 3) If you are going to sign your own CSR using, for example, OpenSSL, then the steps are: (This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org.
Follow the procedure to install OpenSSL.) To sign the certificate:

Make a new directory:

    cd /usr/local/
    mkdir newCA

Copy openssl.cnf and CA.sh from the OpenSSL apps directory to your new directory (newCA):

    cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
    cp ../../openssl-0.9.6a/apps/CA.sh newCA/

Edit your new copy of openssl.cnf and CA.sh. Set the dir variable to the current directory:

    dir = .        # specifies the current directory where everything is kept

Set the CATOP variable to the current directory:

    CATOP=.        # specifies the current directory where everything is kept

Create the certificates for the Certification Authority:

    cd newCA
    chmod 744 CA.sh    (only if necessary)
    ./CA.sh -newca
    ls -l

Send the <CSR file name>.csr file to the Certification Authority and create the server certificate:

    cp <CSR file name>.csr /usr/local/newCA

or ftp the <CSR file name>.csr file to the m/c acting as CA.

    cd /usr/local/newCA

Create the certificate:

    openssl x509 -req -in <CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

Optionally convert the server certificate from PEM encoding to DER for distributing to clients:

    openssl x509 -inform pem -outform der < cacert.pem > cacert.cer

We receive two files: cacert.der, containing the CA's public key, and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):

****This is where shit gets interesting****

Step 4)

    keytool -import -alias <alias name> -file cacert.der -keystore ./name.keystore

The file name "cacert.der" isn't created from ANY of the above commands. Not sure what crack pipe they smoke from. However, it 'does' create the file "cacert.cer". Thinking this is a possible typo, I did the above command with cacert.cer instead of cacert.der. Voila, it worked!
Step 5)

    keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore

Okay, I did this and it complained that the "alias name" has already been added. So, I went ahead and made a "company2" alias, which added fine.

It asks you to move the following files:

    jcert.jar
    jnet.jar
    jsse.jar

into the $JAVA_HOME/jre/lib/ext directory. Now, there are 'three' versions of these files, all of which reside in:

    $JBOSS_HOME/server/all/lib/*.jar
    $JBOSS_HOME/default/lib/*.jar
    $JBOSS_HOME/client/lib/*.jar

All of which are the same size. So, I decided to use the 'default' one to copy over.

Tomcat over SSL (HTTPS)

If we have Tomcat running as a JBoss service, we need to make a few changes in some configuration files:

1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:

    <!-- JAAS security manager and realm mapping -->
    org.jboss.security.plugins.JaasSecurityDomain

2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml:

    jboss.security:service=JaasSecurityManager
    put the path to your name.keystore file here
    put your name.keystore password here

3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: we remove the Connector that listens on port 8080 and replace it with one that listens on port 8443.

Which DOES NOT exist; that's a bogus deal. I *believe* /opt/jboss-3.2.5/server/default/deploy/jbossweb-tomcat50.sar is the directory you want to look at, and the file: server.xml

Now this is what "the guide" has:

After:

    <!-- A HTTP Connector on port 8080 -->

Which looks different than what was in the actual file.
Which is:

    <!-- A HTTP/1.1 Connector on port 8080 -->
    <!-- A AJP 1.3 Connector on port 8009 -->
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->

When I start it I get the following errors:

    14:03:11,314 WARN [JaasSecurityManagerService] Failed to locate auth CachePolicy at: java:/timedCacheFactory for securityDomain=TomcatSSL

It's accessible via http://:8080, just not via https at either 8080 or 8443.

Thanks for any help on this!

-Puddle
[EMAIL PROTECTED]

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3851673#3851673
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3851673

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
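The post above quotes the guide's Step 3 (private CA, signed server cert, DER conversion) and then stumbles over the file name mismatch and the import order. The script below is an added example, not part of the original post or of the theserverside guide: it carries the same Step 3 through with openssl alone (the server key and CSR are made with openssl rather than keytool, so it runs without a JDK), writes the CA certificate under the name cacert.der that the guide's Step 4 actually asks for, and, the check a practitioner wants before touching the keystore, runs `openssl verify` to confirm the server certificate really chains to the CA. The hostname, subject names, the $WORK directory and the `rootca` alias in the trailing keytool comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or the theserverside guide.
# Reproduces the guide's Step 3 with openssl only: build a private CA, sign a
# server CSR, write the CA cert as DER under the name the guide's import step
# expects (cacert.der), and check that the server cert actually chains to the
# CA before it goes anywhere near a keystore.
# Assumptions: openssl is on PATH; all files are written to $WORK (a fresh
# temp dir unless set); the hostname and subject names are made up.
set -u
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # Self-signed CA key and cert, the equivalent of CA.sh -newca in the guide.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_csr() {
    # Server key plus CSR for hostname $1. The guide does this with
    # keytool -genkey / -certreq; openssl is used here so the script runs
    # without a JDK.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

sign_csr() {
    # The guide's "openssl x509 -req ... -CAcreateserial" step.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -out "$WORK/server.pem" 2>/dev/null
}

ca_to_der() {
    # The guide's conversion step, but writing the file name (cacert.der) that
    # its Step 4 keytool command actually asks for.
    openssl x509 -in "$WORK/cacert.pem" -inform pem -outform der \
        -out "$WORK/cacert.der"
}

verify_chain() {
    # Exit status 0 only if server.pem was signed by the CA in $1
    # (default: the CA built above). Run this before importing anything.
    openssl verify -CAfile "${1:-$WORK/cacert.pem}" "$WORK/server.pem" \
        >/dev/null 2>&1
}

cert_cn() {
    # Subject CN of the signed server cert, as a sanity check on what was signed.
    openssl x509 -in "$WORK/server.pem" -noout -subject | sed 's/.*CN *= *//'
}

run_all() {
    make_ca && make_server_csr "$1" && sign_csr && ca_to_der && verify_chain
}

# keytool import order once the files check out (the guide's Steps 4 and 5):
# the CA cert goes in as a trusted cert under its own alias, and the signed
# reply under the alias that already holds the private key from keytool -genkey:
#   keytool -import -trustcacerts -alias rootca -file cacert.der -keystore name.keystore
#   keytool -import -alias <alias name> -file server.pem -keystore name.keystore

if [ "${1:-}" = "run" ]; then
    run_all "jboss.example.internal" && echo "signed $(cert_cn); files in $WORK"
fi
```

Run it as `sh sign-server-cert.sh run`. The point of `verify_chain` is that a certificate signed by any other CA (or a CA cert mistaken for the server cert, which is what the guide's conversion line actually produces) fails before it is imported, which is cheaper to find here than as a TLS handshake error out of Tomcat.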
