Miscellaneous: Using SSL Certificates with JBoss 4 and Tomcat 5

(last edit: 2007-03-07)


You want to use CA (Certificate Authority) signed SSL certificate in your JBoss setup. This document describes how I got it to work with JBoss 4 and the integrated Tomcat 5.5 server. There are a few documents on JBoss and SSL, I found not one telling me exactly what to do but got information from each document. Tips: - You don't need to setup openssl as described in many documents - You don't need to alter allot of files, just comment out one part in server.xml (see below) - You can and should use other aliases then 'tomcat' - Skip documentation about JBoss and SSL look at the Jakarta Tomcat documentation.

Setting up JBoss 4

The installation is beyond the scope of this document. Make sure JBoss is installed, running and that you have a application deployed (and working)

Make the keystore

Java uses a keystore to .... store the keys (duh?). You need one so create one using the Java keytool: Note: the alias name you use here is for the first cert you are going to use so choose carefully # keytool -genkey -alias [alias name] -keyalg RSA -keystore [server.keystore] -validity 3650 Enter keystore password: [password] What is your first and last name? [Unknown]: www.myhost.com What is the name of your organizational unit? [Unknown]: Some dot com What is the name of your organization? [Unknown]: Security What is the name of your City or Locality? [Unknown]: SomeCity What is the name of your State or Province? [Unknown]: SomeState What is the two-letter country code for this unit? [Unknown]: US Is CN=www.myhost.com, OU=Some dot com, O=Security, L=SomeCity, ST=SomeState, C=US correct? [no]: yes Enter key password for (RETURN if same as keystore password): !!!! YOU MUST USE THE SAME KEYSTORE PASSWORD AS KEY PASSWORD DO NOT USE DIFFERENT PASSWORDS !!!!!! (this is a bug in Tomcat) The CN part (first and last name) is strangely where you need to put your domain name because your browser will check it against the domain name entered. So this needs to exactly match the domain name for which you are requesting a certificate. Make sure you create the keystore in a useful place or copy it afterwards. We will use this location as example: /usr/local/jobss4/server/[project]/conf

Enabling SSL for your project

Edit /usr/local/jboss4/server/[project]/deploy/jbossweb-tomcat55.sar/server/xml and uncomment the following section, <!-- SSL/TLS Connector configuration --> <Connector className = "org.apache.coyote.tomcat4.CoyoteConnector" address="${jboss.bind.address}" port = "8443" scheme = "https" secure = "true"> <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory" keystoreFile="[keystore location]" keystorePass="[password]" protocol = "TLS"/> </Connector> update (6 march 2007) --- Last time I checked the config looked like this: <Connector port="443" address="${jboss.bind.address}" maxThreads="100" strategy="ms" maxHttpHeaderSize="8192" emptySessionPath="true" enableLookups="false" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" scheme="https" secure="true" clientAuth="false" keystoreFile="[keystore location]" keystorePass="[password]" protocol = "TLS"/> ---

Creating the CSR

Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate keytool -certreq -keystore [keystore location] -alias [alias like above] -file [filename.csr] Enter the keystore password. Send this CSR file to your CA.

Importing the CRT reply from your CA

- Get the root certificate from your CA (google for [CA] root certificate, e.g. 'geotrust root certificate'), the file wasn't named .pem (just renamed it) and I downloaded the DER encoded version - Get the CRT file from your CA # keytool -import -alias root -keystore server.keystore -trustcacerts -file /usr/local/jboss4/certs/geotrustca.pem Enter keystore password: [password] Certificate already exists in system-wide CA keystore under alias Do you still want to add it to your own keystore? [no]: yes Certificate was added to keystore haven't tried it without the root cert, might just work because it sais there is already a system wide one # keytool -import -alias [your alias] -keystore server.keystore -trustcacerts -file /usr/local/jboss4/certs/[filename].crt Enter keystore password: [password] Enter key password for <>[password] Certificate reply was installed in keystore Check and see if it got imported: # keytool -list -keystore server.keystore Enter keystore password: [password] Keystore type: jks Keystore provider: SUN Your keystore contains 2 entries root, Aug 15, 2006, trustedCertEntry, Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4 [your alias], Aug 15, 2006, keyEntry, Certificate fingerprint (MD5): 1C:D7:6F:14:EF:B9:BD:01:BE:46:DB:AD:A7:19:25:06

Finishing things

- stop and start Jboss (redirect output to error log file and check) - see if port 8443 is running - go to https://[domainname]:8443 to test the cert

Click here to go back to the index.