Installing SSL certificate on JBoss

I have a server that runs JBoss. When I type a bad URL to that server it gives me a version like this: JBossWeb/2.0.1.GA - what version of JBoss would that be? An SSL certificate will be bought and provided for me so that I can install it in JBoss. I would really appreciate any HOWTO or any information on how to install a ready SSL certificate on JBoss. Do I need to generate any files with openssl when this SSL certificate will be bought from some other company that sells SSL certificates?

Thanks in advance for any help.

Teddy asked Jun 30 '13 20:06


2 Answers

You can generate your own SSL certificate:

First off you need to create a self-signed certificate. You do this using the keytool application that comes with Java. Open a command prompt and run the following command. You will need to change the path to your JBoss conf directory to reflect your install:

C:\>keytool -genkey -alias tomcat -keyalg RSA -keystore C:\jboss-2.0.1.GA\server\default\conf\localhost.keystore

When prompted use a password of changeit everywhere. It’s important that you answer localhost to the first question:

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  NZ
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=NZ correct?
  [no]:  yes

Enter key password for
        (RETURN if same as keystore password): changeit
Re-enter new password: changeit

Next up you need to configure Tomcat to create an SSL connector.

Edit C:\jboss-2.0.1.GA\server\default\deploy\jboss-web.deployer\server.xml and find the commented out SSL connector example, uncomment it and tweak it as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
keystorePass="changeit"
/>

Finally, add two system properties to your JBoss startup command to get the javax.net.ssl library to use your new keystore. These are only needed if you need to make SSL calls back to yourself. I needed them because I had CAS and 3 apps authenticating with CAS all running in the same dev JBoss instance:

-Djavax.net.ssl.trustStore=C:\jboss-2.0.1.GA\server\default\conf\localhost.keystore
-Djavax.net.ssl.trustStorePassword=changeit

OK, now browse to http://localhost:8443/

Your browser will complain about a self-signed certificate. Just follow your browser’s instructions to add this certificate as a security exception so you won’t be prompted again and you are all done.

Siddharth Agrawal answered Nov 06 '22 22:11


I know this post is quite old, but I want to share the steps needed for a much more recent version of WildFly (JBoss AS in early times).

First of all you need to create your self-signed certificate. If you already have a keystore, you can skip these steps.

  • Go to your Wildfly/ Jboss home folder and create a new directory called "keystore"
  • Download the KeyStore Explorer application.
  • Open it and choose "Create a new KeyStore"
  • In the dialog that appears, choose JKS. In most cases it is fine, but on other platforms, for example Android, you need to use the BKS format type.
  • Now right click and choose 'Create new Key Pair'. You can safely accept the default (RSA/2048).
  • In the dialog that appears, customize it to your needs. Anyway, I suggest using Version 3 and SHA-256 with RSA.
  • Click on the 'Edit name' button in the bottom-right area of the dialog, which corresponds to the Name field. Fill in all fields and click OK.
  • Click OK on the other dialog.
  • Now you will be asked to insert a name for an alias. Type jbossWildfly and click OK, and then insert the password that will be used to unlock this alias. I highly suggest saving this data somewhere on your computer.
  • Now you have successfully generated a key pair. Save it with the name keystore.jks in the keystore folder that we created previously, then insert a new password that will be used to unlock the keystore. You can use the same as the previous one if you want.

Now open the standalone.xml file located in:

$WILDFLY_HOME$\standalone\configuration

And add a new Security Realm inside the <security-realms> tag:

<security-realm name="MyNewSecurityRealm">
    <server-identities>
        <ssl>
            <keystore path="$WILDFLY_HOME$\keystore\keystore.jks" keystore-password="keystore_password" alias="jbossWildfly" key-password="alias_password"/>
        </ssl>
    </server-identities>
</security-realm>

Again, change $WILDFLY_HOME$ to the real path of the home dir and change the passwords to what you've typed.

Now you need to assign your new security realm to the HTTPS listener of the default-server:

<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="MyNewSecurityRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="MyNewSecurityRealm"/>
    </host>
</server>

Remember that by default the HTTPS listener is bound to port 8443:

<socket-binding name="https" port="${jboss.https.port:8443}"/>

So your calls to the server would be something like this (accessing on localhost):

https://localhost:8443/

Hope it can help! :)

Domenico answered Nov 06 '22 21:11
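A configuration check a defender can run over the standalone.xml wiring described in the answer above, as an added example that is not part of the original post. It assumes the namespace-less fragment shape shown in the answer (tags are matched by local name, so a real standalone.xml with xmlns declarations also parses) and treats the answer's placeholder passwords and the keytool default `changeit` as values that must not survive into a deployed config.

```python
import xml.etree.ElementTree as ET

# Constructed sample, wrapped in one root element: the realm and listener from the answer.
SAMPLE_XML = """<server>
  <security-realms>
    <security-realm name="MyNewSecurityRealm">
      <server-identities>
        <ssl>
          <keystore path="$WILDFLY_HOME$\\keystore\\keystore.jks" keystore-password="changeit"
                    alias="jbossWildfly" key-password="alias_password"/>
        </ssl>
      </server-identities>
    </security-realm>
  </security-realms>
  <server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="MyNewSecurityRealm"/>
  </server>
</server>"""

# The keytool default plus the placeholders used in the answer; none belongs in a real config.
PLACEHOLDER_PASSWORDS = {"", "changeit", "keystore_password", "alias_password"}


def _local(tag):
    """Strip a namespace prefix so '{urn:jboss:domain:1.0}ssl' matches as 'ssl'."""
    return tag.rsplit("}", 1)[-1]


def audit_https_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    realms = {e.get("name"): e for e in root.iter() if _local(e.tag) == "security-realm"}
    findings = []
    for listener in (e for e in root.iter() if _local(e.tag) == "https-listener"):
        name = listener.get("security-realm")
        realm = realms.get(name)
        if realm is None:  # a typo in the realm name silently leaves HTTPS unusable
            findings.append(f"https-listener references undefined realm '{name}'")
            continue
        keystores = [e for e in realm.iter() if _local(e.tag) == "keystore"]
        if not keystores:
            findings.append(f"realm '{name}' has no <ssl><keystore/> server identity")
            continue
        ks = keystores[0]
        path = ks.get("path", "")
        if not path or "$WILDFLY_HOME$" in path:
            findings.append(f"realm '{name}': keystore path '{path}' is empty or an unexpanded placeholder")
        for attr in ("keystore-password", "key-password"):
            if ks.get(attr, "") in PLACEHOLDER_PASSWORDS:
                findings.append(f"realm '{name}': {attr} is empty, the default or a placeholder")
    return findings
```

Run it with the real file contents (`audit_https_config(open(path).read())`) after editing standalone.xml; an empty result means the listener, realm, path and passwords are consistently wired.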