This week's book giveaway is in the Flex forum. We're giving away four copies of Flex 4 in Action and have Tariq Ahmed, Dan Orlando, John C. Bland II & Joel Hooks on-line! See this thread for details.
I did a configuration in jboss to enable https authentication.
Check out below steps to enable https in jboss :
Step 1)
First of all, we are going to make a keystore. This is the place we are going to store the keys in on the serverside. We will use the Java-tool keytool for this. The algorithm used here is RSA.
At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore
Fill in all the information that is asked.
A keystore with the name name.keystore is generated.
Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate
Enter the keystore password.
A < CSR file name>.csr file is generated.
If you are getting the CSR signed by a certifying authority, then skip the next step.
Step 3)
If you are using going to sign using your own CSR by using, for example, OpenSSL, then the steps are:
(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:
cd usr/local/
mkdir newCA
Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/
Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (“.” Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)
Create the certificates for Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
CA.sh –newca
ls -l
Send the < CSR file name>.csr file to Certification authority and Creating Server Certificate
cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the m/c acting as CA.
cd /usr/local/newCA
Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:
openssl x509 -inform pem -outform der < cacert.pem > cacert.cer
We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):
Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
And we have to add jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME /jre/lib/ext folder and set the class path to the same.
Tomcat over SSL (HTTPS)
If we have Tomcat running as a jBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
name="jboss.security:service=JaasSecurityManager">
<attribute name="SecurityManagerClassName">
org.jboss.security.plugins.JaasSecurityDomain
</attribute>
</mbean>
2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml
<attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
<attribute name="KeyStorePass">put your name.keystore password here</attribute>
</mbean>
3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: We remove the Connector that listens on port 8080 and replace it by one that listens on port 8443
<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>
When you connect to your server now, don't use port http://localhost:8080, use https://localhost:8443 instead. If you used a selfsigned certificate or if your CA is not known in your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.
Cheers!!!
Ujjwal B Soni <baroda, gujarat, india> <+919998971048>
"Helping hands are better than praying lips......"
![[Logo]](/templates/default/images/moosefly.gif)
![[Post New]](/templates/default/images/icon_minipost_new.gif){kind=icon}
![[Up]](/templates/default/images/icon_up.gif){kind=icon}
