How to configure external vendor SSL certs into JBoss 7.1 - java

I am converting from Websphere 8.x to JBoss 7.1 but I am having trouble getting SSL certificates into JBoss 7.1. We utilize external vendor web services via SSL.
In Websphere I would do this:
Add Vendor to the local WAS trust store:
Use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem.
Complete the following steps:
Log into the administrative console.
Expand Security and click SSL certificate and key management.
Under Configuration settings, click Manage endpoint security configurations.
Select the appropriate outbound configuration to get to the (cell):E4GT82WNode03Cell:(node):E4GT82WNode03 management scope.
Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
Under Additional Properties, click Signer certificates and Retrieve From Port.
In the Host field, enter services.vendor.com in the host name field, enter 443 in the Port field, and services.vendor.com_cert in the Alias field.
Click Retrieve Signer Information.
Verify that the certificate information is for a certificate that you can trust.
Click Apply and Save.
But in JBoss it doesn't look like there is this kind of capability. I have been playing with openssl, keytool for creating, adding certs to a keystore and tried making changes to the standalone.xml file. I've tried so many different things that have been suggested on different search results I've tried and spent countless hours trying to figure this out.
I'm getting this error:
13:08:50,801 ERROR [org.jboss.as.controller.management-operation]
Operation ("add") failed - address: ([
("subsystem" => "web"),
("connector" => "https"),
("ssl" => "configuration") ]) - failure description: "JBAS014803: Duplicate resource [
(\"subsystem\" => \"web\"),
(\"connector\" => \"https\"),
(\"ssl\" => \"configuration\") ]"
Throws error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
<ssl key-alias="vendor1.com_cert" password="secret" certificate-key-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
<ssl key-alias="vendor2.com_cert" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
Doesn't throw error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
My question is this:
How can I configure multiple SSL certs in JBoss like Websphere does?

You will need to add system-properties for this. So basically add the following piece of code to your standalone.xml just after <extensions>....</extensions> tag:
<system-properties>
<property name="javax.net.ssl.trustStore" value="<location of cert>"/>
</system-properties>
<location of cert> is the location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). Note that on Windows, the specified pathname must use forward slashes, /, in place of \.

Related

JBoss 1-way and 2-way SSL symultaneously

I have a JBoss application with multiple endpoints. All these endpoints should be available to any user over one way SSL (HTTPS), except for a specific endpoint (let's call it /app/sensitive) which should only be accessed by a specific machine (ie. 2-way SSL).
Is there a way to configure JBoss for 1/2-way SSL at the same time, differentiated by what endpoint has been requested?
I'm not sure, because did not test it, but it seems like you can have
one-way SSL on one port and two-way SSL on another port.
from standalone.xml (or domain.xml):
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
...
<connector name="one-way-https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="one-way-https" enable-lookups="false" secure="true">
</connector>
<connector name="two-way-https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="two-way-https" enable-lookups="false" secure="true">
<ssl name="two-way-ssl" key-alias="my-identity" password="${VAULT::Jboss_config::store_password::1}" certificate-key-file="../standalone/configuration/cert/JBoss_Identity.jks"/>
</connector>
...
</subsystem>
<socket-binding-group name="standard-sockets" ...>
...
<socket-binding name="one-way-https" port="8443"/>
<socket-binding name="two-way-https" port="8453"/>
...
</socket-binding-group>
If you will test it, please let me know is it solution or not, because in near future I have to do the same, just do not have a time right now to check it... Thanks.
BTW in <ssl> element you can define other than default Trust store and Key Store to use on that port.
I hope it will work.

How many connection can be created in jboss by default config?

For http this config in standalone.xml
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
Its the default config.
I would like to know how many connections this server can handle both incoming and out going.
Like 3000 users(clients) and this server is communicating with other web services, so overall how many http/https connections can this handle at a time, also is there a way to find out the current number of connections

Configuring SSL on JBoss 7

I am trying to add SSL support for my JBoss 7 installation. I followed the directions for the pure java solution on: JBoss AS 7.1 SSL Setup Guide
Here is my standalone.xml subsystem configuration
<subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443" />
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
<connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
<ssl name="ps-ssl" password="mypw" protocol="TLSv1" key-alias="ps" certificate-key-file="../standalone/configuration/ps.keystore" />
</connector>
</subsystem>
When I start up the application, I get the firefox problem loading page message. I have configured web.xml to require https for the entire app. The application works fine when I remove the constraint, so I guess I missed something in setting up ssl. Does anybody see anything that I missed?

need help to create Webservice with HTTPS

I have written my webservice with https. but as per requirement I should provide authentication. so thought of going with SSL (HTTPs). Could anyone help me with steps like moving HTTP to HTTPs and SSL certification part with step by step.
i did by adding below in service and axis xml files:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/root/my_workspace/server.keystore" keystorePass="changeit"/>
<transportReceiver name="http" class= "org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8080</parameter>
</transportReceiver>
<transportReceiver name="https" class= "org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8443</parameter>
</transportReceiver>
but I don't want to access through HTTP. How can I restrict?
Also I created the WDSL request via eclipse, the value tag starts with "q0" and response has return tag as well. so how can avoid and go with custom req/response?
Making your Http connection over SSL i.e. Https , you need to enable SSL in your application server by providing a certificate (either self-signed or CA provided). It is not related to the application code.Please refer the documentation of your application server to enable SSL.For example, this link provides information about how to configure SSL in tomcat 7

Get current user on GateIn 3.3/Jboss AS 7 from AJAX

I wanna get current user from AJAX query. For this obvious I have to use the code:
String user = request.getRemoteUser();
but I have null value for authenticated portal user.
I googled it a much and found this article: https://community.jboss.org/wiki/GWTGadgetAccessingPortalServices/version/2
where the author describes how to resolve this issue. But the article contains information about enabling SSO for jboss6.x, here it is:
Uncomment the single sign on authenticator valve: for
JBoss located in server/default/deploy/jbossweb.sar/server.xml
Official GateIn documentations also describes SSO for JBoss 6.x and older.
How I can do the same in JBoss AS 7?
I've enabled SSO by adding <sso reauthenticate="false"/> to the subsystem configuration:
<subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
<sso reauthenticate="false"/>
</virtual-server>
</subsystem>
Getting current user is working for me now.

Categories