This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I did a configuration in jboss to enable https authentication.
Check out below steps to enable https in jboss :
First of all, we are going to make a keystore. This is the place we are going to store the keys in on the serverside. We will use the Java-tool keytool for this. The algorithm used here is RSA.
At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore
Fill in all the information that is asked.
A keystore with the name name.keystore is generated.
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate
Enter the keystore password.
A < CSR file name>.csr file is generated.
If you are getting the CSR signed by a certifying authority, then skip the next step.
If you are using going to sign using your own CSR by using, for example, OpenSSL, then the steps are:
(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:
Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/
Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (“.” Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)
Create the certificates for Certification Authority:
chmod 744 CA.sh (only if necessary)
Send the < CSR file name>.csr file to Certification authority and Creating Server Certificate
cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the m/c acting as CA.
Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:
openssl x509 -inform pem -outform der < cacert.pem > cacert.cer
We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):
Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
# List of providers and their preference orders (see above):
And we have to add jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME /jre/lib/ext folder and set the class path to the same.
Tomcat over SSL (HTTPS)
If we have Tomcat running as a jBoss service, we need to make a few changes in some configuration files:
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
Add the below lines after the paragraph mentioned above in jboss-service.xml
This is the final step: We remove the Connector that listens on port 8080 and replace it by one that listens on port 8443
Add the following lines:
<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>
When you connect to your server now, don't use port http://localhost:8080, use https://localhost:8443 instead. If you used a selfsigned certificate or if your CA is not known in your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.
Ujjwal B Soni <baroda, gujarat, india> <+918866008962>
"Helping hands are better than praying lips......"