I've been trying to get this working for a while now and am just about at the end of my rope. I'm trying to add the certificate that I obtained from a secure site to a local keystore and truststore, and then have a JBoss 7.1 configuration pick it up. The documentation I have primarily been attempting to follow is here: http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html.
Here is what I'm executing:
keytool -genkey -alias myalias.com -keypass changeit -storepass changeit -keystore keystore.jks
keytool -import -trustcacerts -keystore keystore.jks -storepass changeit -noprompt -alias myalias.com -file downloaded-certificate.pem
keytool -export -alias myalias.com -file cacerts.cer -keystore keystore.jks
This is the relevant portion of my JBoss 7.1 standalone.xml file:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="ssl" password="changeit" key-alias="myalias.com" certificate-key-file="${JBOSS_HOME}/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="${JBOSS_HOME}/keystore.jks"/>
</connector>
And finally, this is the top of the stacktrace written in the logs when JBoss starts:
15:39:35,882 ERROR [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-2) Error initializing endpoint: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:788) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:493) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:168) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:977) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:190) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.13.Final.jar:]
etc...
Any help would be greatly appreciated!
If you provide a keystore, you need to specify an alias such as the following in the ssl section
key-alias="myalias.com"
Also, I think the certificate-file is ca-certificate-file.
Certificate/Keystore Configuration Issue - JBoss AS 7
Step 1: Add this line in standalone.xml file
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="name" certificate-key-file="../standalone/configuration/test.keystore" protocol="TLSv1" certificate-file="../standalone/configuration/intermediate.cer"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="false">
<alias name="localhost"/>
<alias name="test.com"/>
</virtual-server>
</subsystem>
Step 2
Add this line in web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPs test</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Related
I'm currently trying to fix in issue in our JBOSS Deployment with different SOAP Endpoints, we trying to close the Webservice Interface over https(port 8443) to only allow it via CA Authentication (port 8444).
We are Using JBOSS 7.4.7 and JDK 11
Here are the JBOSS Standalone Configurations:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="https" port="8443"/>
<socket-binding name="httpsca" port="8444"/>
</socket-binding-group>
[...]
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<https-listener name="https" socket-binding="https" max-post-size="0" secure="true" ssl-context="ssl"/>
<https-listener name="httpsca" socket-binding="httpsca" max-post-size="0" secure="true" ssl-context="sslca"/>
</server>
[...]
<subsystem xmlns="urn:jboss:domain:webservices:2.0" statistics-enabled="${wildfly.webservices.statistics-enabled:${wildfly.statistics-enabled:false}}">
<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<wsdl-port>8444</wsdl-port>
<wsdl-secure-port>8444</wsdl-secure-port>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config"/>
<client-config name="Standard-Client-Config"/>
</subsystem>
<tls>
<key-stores>
<key-store name="test">
<credential-reference clear-text="****"/>
<implementation type="JKS"/>
<file path="ssl_keystore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
<key-store name="test-trusted">
<credential-reference clear-text="****"/>
<implementation type="JKS"/>
<file path="ssl_truststore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="serverssl" key-store="test">
<credential-reference clear-text="****"/>
</key-manager>
</key-managers>
<trust-managers>
<trust-manager name="serverssl-ca" key-store="test-trusted"/>
</trust-managers>
<server-ssl-contexts>
<server-ssl-context name="test-ssl" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" key-manager="serverssl"/>
<server-ssl-context name="test-sslca" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" need-client-auth="true" key-manager="serverssl" trust-manager="serverssl-ca"/>
</server-ssl-contexts>
</tls>
We are having trouble setting only one Port for the WSDL Endpoint.
1. If I don't set <wsdl-secure-port>, then the JBOSS throws an error because it trys to create a http endpoint which is not active at all.It also occurs if I only set the <wsdl-secure-port> and not the <wsdl-port>.
Are we doing something wrong or is that a bug from JBOSS ?
Thanks for any help and tips in advice.
I am trying to enable HTTP2 on wildfly 10.1 .
According to official declarations all I had to do was point the browser to port 8443. I did so and indeed the test certs were automatically created.
From the logs:
[org.jboss.as.domain.management.security] (default I/O-3) WFLYDM0113:
Generated self signed certificate at
C:\wildfly-10.1.0.Final\standalone\configuration\application.keystore.
Please note that self signed certificates are not secure, and should
only be used for testing purposes. Do not use this self signed
certificate in production.
The listeners are configured to allow HTTP2.
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
When I use developer tools to inspect the transfer protocol of the first page I see tha it is still using http/1.1
I have enabled https changing standalone.xml as follows:
<security-realms>
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="./ed.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="ed" key-password="secret" />
</ssl>
</server-identities>
</security-realm>
...
and:
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" />
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />
Both the following links work:
http://localhost:8080
https://localhost:8443
the second actually is a secure connection.
Unfortunately, the first link doesn't redirect to the https protocol.
What have I missed?
Thank you.
Make sure you add this in your web.xml
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This will allow the redirection for any URL.
I am trying to redirect the traffic on non-SSL port 8080 to SSL port 8443( on Jboss 4.2.3.GA version), but its not working. when I access my webapplication on this port it stays on that port and the page gets displayed. Here is my configuration in server.xml file
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="conf/sds/keystore"/>
and here is web.xml configuration
<security-constraint>
<web-resource-collection>
<web-resource-name>SUCTR</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I have tried using default port 80 and 443 and also using the specific path in the url-pattern but still its not working. I am not sure what is it i am doing wrong here, can you please point me in the right direction.
thanks.
edit in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>App_nmae</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
edit in sever.xml
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/apache-tomcat-6.0.13/.keystore"
keystorePass="changeit"/>
it is working for me ..you can try it
That looks right. I am assuming you are closing the security-constraint tag. Try changing the url pattern to "/APP_URI/*" and see if it makes a difference while accessing the app.
How is it possible to configure Jasig's CAS to listen only on HTTPS port (8443)?
We have application divided into two parts, portal and SSO authority (JASIG CAS). Both are running on JBoss AS7 and different machines. Portal and SSO authority are configured to redirect from HTTP (8080) port to HTTPS (8443) port by
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
<ssl name="https" password="pass" certificate-key-file="/path_to_keystore.jks"/>
</connector>
<virtual-server name="default-host">
<alias name="myapp.domain.com"/>
</virtual-server>
</subsystem>
...
<socket-binding name="http" port="8080" fixed-port="true" interface="public"/>
<socket-binding name="https" port="8443" fixed-port="true" interface="public"/>
Port redirection works well on portal part, but CAS ignores the redirection and works at http (8080) as well (shows information about non-secured access).
For correct java web app SSL configuration is necessary to make some part of application secured in web.xml file. Then redirect works flawless.
<security-constraint>
<web-resource-collection>
<web-resource-name>sso secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>