Miscellaneous: Using SSL Certificates with JBoss 4 and Tomcat 5
(last edit: 2007-03-07)
                   
Introduction
You want to use CA (Certificate Authority) signed SSL certificate in your JBoss setup. 
This document describes how I got it to work with JBoss 4 and the integrated Tomcat 5.5 
server.

There are a few documents on JBoss and SSL, I found not one telling me exactly what to do
but got information from each document.

Tips:
- You don't need to setup openssl as described in many documents
- You don't need to alter allot of files, just comment out one part in server.xml (see below)
- You can and should use other aliases then 'tomcat'
- Skip documentation about JBoss and SSL look at the Jakarta Tomcat documentation.

Setting up JBoss 4
The installation is beyond the scope of this document. Make sure JBoss is installed, 
running and that you have a application deployed (and working)

Make the keystore
Java uses a keystore to .... store the keys (duh?). You need one so create one using the 
Java keytool:

Note: the alias name you use here is for the first cert you are going to use so 
choose carefully

# keytool -genkey -alias [alias name] -keyalg RSA -keystore [server.keystore] -validity 3650

Enter keystore password:  [password]
    What is your first and last name?
      [Unknown]:  www.myhost.com
    What is the name of your organizational unit?
      [Unknown]:  Some dot com
    What is the name of your organization?
      [Unknown]:  Security
    What is the name of your City or Locality?
      [Unknown]:  SomeCity
    What is the name of your State or Province?
      [Unknown]:  SomeState
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=www.myhost.com, OU=Some dot com, O=Security, L=SomeCity, ST=SomeState, C=US correct?
      [no]:  yes

    Enter key password for
            (RETURN if same as keystore password):

!!!! YOU MUST USE THE SAME KEYSTORE PASSWORD AS KEY PASSWORD DO NOT USE DIFFERENT PASSWORDS !!!!!!
(this is a bug in Tomcat)
   

The CN part (first and last name) is strangely where you need to put your domain name 
because your browser will check it against the domain name entered. So this needs to 
exactly match the domain name for which you are requesting a certificate. 

Make sure you create the keystore in a useful place or copy it afterwards. We will use 
this location as example:

 /usr/local/jobss4/server/[project]/conf

Enabling SSL for your project
Edit /usr/local/jboss4/server/[project]/deploy/jbossweb-tomcat55.sar/server/xml 
and uncomment the following section,


 <!-- SSL/TLS Connector configuration -->
 <Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
     address="${jboss.bind.address}" port = "8443" scheme = "https"
     secure = "true">
     <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         keystoreFile="[keystore location]"
         keystorePass="[password]"
         protocol = "TLS"/>
 </Connector>

update (6 march 2007)

---
Last time I checked the config looked like this:

      <Connector port="443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           enableLookups="false" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           scheme="https" secure="true" clientAuth="false"
         keystoreFile="[keystore location]"
         keystorePass="[password]"
         protocol = "TLS"/>
---

Creating the CSR
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. 
We can get this signed by a certifying authority like verisign or thwate

keytool -certreq -keystore [keystore location] -alias [alias like above] -file [filename.csr]

Enter the keystore password.

Send this CSR file to your CA.

Importing the CRT reply from your CA
- Get the root certificate from your CA (google for [CA] root certificate, e.g. 'geotrust root certificate'), 
the file wasn't named .pem (just renamed it) and I downloaded the DER encoded version

- Get the CRT file from your CA

# keytool -import -alias root -keystore server.keystore -trustcacerts -file /usr/local/jboss4/certs/geotrustca.pem

Enter keystore password:  [password]
Certificate already exists in system-wide CA keystore under alias 
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

haven't tried it without the root cert, might just work because it sais there is already a system wide one

# keytool -import -alias [your alias] -keystore server.keystore -trustcacerts -file /usr/local/jboss4/certs/[filename].crt

Enter keystore password:  [password]
Enter key password for <>[password]
Certificate reply was installed in keystore

Check and see if it got imported:

# keytool -list -keystore server.keystore
Enter keystore password:  [password]

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 15, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
[your alias], Aug 15, 2006, keyEntry,
Certificate fingerprint (MD5): 1C:D7:6F:14:EF:B9:BD:01:BE:46:DB:AD:A7:19:25:06

Finishing things

- stop and start Jboss (redirect output to error log file and check)

- see if port 8443 is running

- go to https://[domainname]:8443 to test the cert