Wednesday, June 22, 2011

Configuring SSL for JBoss Application Server



To configure SSL on JBoss® Application Server, you need an SSL credential for authentication. You can use the Java keytool to create a credential or request and import a credential from a certificate authority (CA). You must then enable SSL on JBoss.
You can run keytool by using a single command that includes all of the information needed to create the keystore.
In this procedure:
  • [appserver root] is the home directory of the application server running LiveCycle ES2.
  • [type] is a folder name that varies, depending on the type of install you performed. It may be lc_turnkey, lc_mysql, lc_oracle, lc_oracle_cl, lc_sqlserver, or lc_sqlserver_cl.

Create an SSL credential

  1. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to create the credential and keystore:
        keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg RSA -keypass key_password -keystore keystorename.keystore
        Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment. Host Name is the fully qualified domain name of the application server.
  2. Enter the keystore_password when prompted for a password. The password for the keystore and the key must be identical.
    Note: The keystore_password entered at this step may be the same password (key_password) that you entered in step 1, or it may be different.
  3. Copy the keystorename.keystore to the [appserver root]/server/[type]/conf directory by typing one of the following commands:
    • (Windows) copy keystorename.keystore [appserver root]\server\[type]\conf
    • (Linux) cp keystorename.keystore [appserver root]/server/[type]/conf
  4. Export the certificate file by typing the following command:
        keytool -export -alias "LC Cert" -file LC_cert.cer -keystore [appserver root]\server\[type]\conf\keystorename.keystore
  5. Enter the keystore_password when prompted for a password.
  6. Copy the LC_cert.cer file to the [appserver root] conf directory by typing the following command:
    • (Windows) copy LC_cert.cer [appserver root]\server\[type]\conf
    • (Linux) cp LC_cert.cer [appserver root]/server/[type]/conf
  7. View the contents of the certificate by typing the following command:
        keytool -printcert -v -file [appserver root]\server\[type]\conf\LC_cert.cer
  8. To provide write access to the cacerts file in [JAVA_HOME]\jre\lib\security, if required, perform the following task:
    • (Windows) Right-click the cacerts file and select Properties, and then deselect the Read-only attribute.
    • (Linux) Type chmod 777 cacerts
  9. Import the certificate by typing the following command:
        keytool -import -alias "LC Cert" -file LC_cert.cer -keystore [JAVA_HOME]\jre\lib\security\cacerts
  10. Type changeit as the password. This password is the default password for a Java installation and may have been changed by the system administrator.
  11. When prompted for Trust this certificate? [no]:, type yes. The confirmation "Certificate was added to keystore" is displayed.
  12. If you are connecting over SSL from LiveCycle Workbench ES2, install the certificate on the Workbench ES2 server.
  13. In a text editor, open the server.xml file from the directory:
    • (JBoss Application Server 4.0.3) [appserver root]/server/[type]/deploy/jbossweb-tomcat55.sar
    • (JBoss Application Server 4.2) [appserver root]/server/[type]/deploy/jboss-web.deployer
  14. In the server.xml file, uncomment the following section:
        <!-- SSL/TLS Connector configuration using the admin devl guide keystore
        <Connector port="8443" address="${jboss.bind.address}"
             maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
             emptySessionPath="true"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/keystoreFile.keystore"
             keystorePass="keystorePass" sslProtocol = "TLS" />
        -->
  15. Change the value of the keystoreFile attribute to the keystore file you copied into the conf directory (keystorename.keystore in the example above), and change the value of the keystorePass attribute to the keystore password that you specified when you created the keystore.
  16. Save the server.xml file.
  17. Restart the application server:
  • For turnkey installations:
    • From the Windows Control Panel, click Administrative Tools, and then click Services.
    • Select JBoss for Adobe LiveCycle ES2.
    • Select Action > Stop.
    • Wait for the status of the service to appear as stopped.
    • Select Action > Start.
  • For Adobe preconfigured or manually configured JBoss installations:
    • From a command prompt, navigate to [appserver root]/bin.
    • Stop the server by entering the following command:
      • (Windows) shutdown.bat -S
      • (Linux) ./shutdown.sh -S
    • Wait until the JBoss process has fully shut down (when the JBoss process returns control to the terminal it was started in).
    • Start the server by entering the following command:
      • (Windows) run.bat -c all
      • (Linux) ./run.sh -c all
  18. To access LiveCycle Administration Console using SSL, type https://[host name]:[port]/adminui in a web browser.
        The default SSL port for JBoss is 8443. From here on, specify this port when accessing LiveCycle ES2.
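Steps 13 to 16 above done from a shell instead of a text editor, as an added example; this is not part of the original page or of the JBoss distribution. It assumes the stock layout of the commented-out connector (the comment opener and the closing "-->" each on their own line). The miniature server.xml, the keystore name and the password are constructed placeholders; the check function at the end confirms that the connector is live on 8443 and that neither placeholder from the stock file was left in place.

```shell
#!/bin/sh
# Added example, not from the JBoss or Adobe documentation: steps 13-16 of the
# procedure above (enable the HTTPS connector in server.xml) done with sed, plus
# a check that the result is what steps 14-15 ask for. The sample server.xml is
# a constructed miniature of the stock file; the real one has many more elements.

SAMPLE_SERVER_XML='<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" maxThreads="250" />
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore
    <Connector port="8443" address="${jboss.bind.address}"
         maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
         emptySessionPath="true"
         scheme="https" secure="true" clientAuth="false"
         keystoreFile="${jboss.server.home.dir}/conf/keystoreFile.keystore"
         keystorePass="keystorePass" sslProtocol = "TLS" />
    -->
  </Service>
</Server>'

# Uncomment the SSL connector and set keystoreFile / keystorePass.
# Assumes the comment opener and the closing "-->" each sit on their own line,
# as in the stock server.xml. Passwords containing | & or \ need escaping for sed.
enable_ssl_connector() {
    file="$1"; keystore_name="$2"; store_pass="$3"
    cp "$file" "$file.orig"                      # keep an untouched copy of the file
    sed -e '/<!-- SSL\/TLS Connector configuration/,/^[[:space:]]*-->/{' \
        -e '/<!-- SSL\/TLS Connector configuration/d' \
        -e '/^[[:space:]]*-->/d' \
        -e '}' \
        -e "s|keystoreFile=\"[^\"]*\"|keystoreFile=\"\${jboss.server.home.dir}/conf/$keystore_name\"|" \
        -e "s|keystorePass=\"[^\"]*\"|keystorePass=\"$store_pass\"|" \
        "$file.orig" > "$file"
}

# Verify the edited file: the connector is no longer inside a comment, it listens
# on 8443 with scheme https and secure true, and both stock placeholders are gone.
check_ssl_connector() {
    file="$1"
    if grep -qF '<!-- SSL/TLS Connector' "$file"; then
        echo "SSL connector is still commented out" >&2; return 1
    fi
    if grep -qF 'keystorePass="keystorePass"' "$file"; then
        echo "keystorePass still holds the placeholder" >&2; return 1
    fi
    if grep -qF 'keystoreFile.keystore' "$file"; then
        echo "keystoreFile still points at the placeholder file" >&2; return 1
    fi
    grep -qF 'port="8443"' "$file" && grep -qF 'scheme="https"' "$file" \
        && grep -qF 'secure="true"' "$file"
}
```

Usage: write the stock file to disk, run enable_ssl_connector server.xml keystorename.keystore your_keystore_password, then check_ssl_connector server.xml; a non-zero exit with a message on stderr tells you which of the two placeholders survived. Keep the .orig copy until the server has restarted cleanly.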

Request a credential from a CA

  1. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to create the keystore and the key:
        keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg RSA -keypass key_password -keystore keystorename.keystore
        Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.
  2. Type the following command to generate a certificate request to send to the certificate authority:
        keytool -certreq -alias "LC Cert" -keystore keystorename.keystore -file LCcertRequest.csr
  3. When your request for a certificate file is fulfilled, complete the next procedure.

Use a credential obtained from a CA to enable SSL

  1. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to import the root certificate of the CA with which the CSR has been signed:
        keytool -import -trustcacerts -file rootcert.pem -keystore keystorename.keystore -alias root
        If the root certificate is not in the browser, also import it there.
        Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.
  2. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to import the credential into the keystore (the alias must match the one used in the keystore, so that the CA reply replaces the existing certificate instead of being added as a separate entry):
        keytool -import -trustcacerts -alias "LC Cert" -file CACertificateName.crt -keystore keystorename.keystore
        Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.
        Note: The imported CA signed certificate will replace a self-signed public certificate if it exists.
    1. Set Basic Authentication to Supported, set Client Certificate Authentication to Supported, and then click OK.
    2. Navigate to CSIv2 Outbound Authentication and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Outbound Authentication.
    3. Set Basic Authentication to Supported, set Client Certificate Authentication to Supported, and then click OK.
    4. Navigate to CSIv2 Inbound Transport and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Inbound Transport.
    5. Set Transport to SSL-Supported and SSL Settings to localhost/AdsSSL, and then click OK.
    6. Navigate to CSIv2 Outbound Transport and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Outbound Transport.
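The keytool steps of the credential procedures above, scripted with keytool's non-interactive options, as an added example; this is not part of the Adobe documentation or of the JBoss distribution. It covers the self-signed path (steps 1 to 11 of the first procedure), the CSR of the second procedure and the two imports of the third. The host name, password and file names are constructed placeholders, and the script departs from step 8 in one respect: it imports the certificate into a dedicated trust store rather than loosening the permissions on the JDK's cacerts file. The -ext SAN option requires Java 7 or later; drop it on older JDKs.

```shell
#!/bin/sh
# Added example, not part of the Adobe/JBoss documentation: the keytool steps of
# the "Create an SSL credential", "Request a credential from a CA" and "Use a
# credential obtained from a CA" procedures as non-interactive shell functions.
# Host name, passwords and file names are constructed placeholders; override
# them through the environment.

HOST_NAME="${HOST_NAME:-lc.example.com}"          # assumed FQDN of the application server
KEYSTORE="${KEYSTORE:-keystorename.keystore}"
STORE_PASS="${STORE_PASS:-Change-Me-Example}"      # constructed; key and store password are identical
ALIAS="LC Cert"
CERT_FILE="LC_cert.cer"
CSR_FILE="LCcertRequest.csr"
TRUSTSTORE="${TRUSTSTORE:-lc_truststore.keystore}" # dedicated trust store, so cacerts stays read-only

# Steps 1-2: key pair plus keystore, with the host name as CN and as a SAN
# (browsers match on the SAN). -keypass equals -storepass, as step 2 requires.
create_keystore() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$HOST_NAME, OU=Group Name, O=Company Name, L=City Name, S=State, C=US" \
        -ext "SAN=dns:$HOST_NAME" \
        -keystore "$KEYSTORE" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
}

# Step 4: export the public certificate so it can be handed to clients.
export_cert() {
    keytool -exportcert -alias "$ALIAS" -file "$CERT_FILE" \
        -keystore "$KEYSTORE" -storepass "$STORE_PASS"
}

# Step 7: inspect what was exported (subject, validity, fingerprints).
print_cert() {
    keytool -printcert -v -file "$CERT_FILE"
}

# Steps 8-11: trust the certificate. A separate trust store avoids making the
# JDK's cacerts world-writable and relying on its default "changeit" password.
# -noprompt answers step 11's "Trust this certificate?" for a file you just made.
import_into_truststore() {
    keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT_FILE" \
        -keystore "$TRUSTSTORE" -storepass "$STORE_PASS"
}

# Check: the alias must now be present in the trust store
# (keytool -list exits non-zero when the alias does not exist).
verify_trusted() {
    keytool -list -alias "$ALIAS" -keystore "$TRUSTSTORE" -storepass "$STORE_PASS" >/dev/null
}

# "Request a credential from a CA", step 2: CSR for the same key pair.
create_csr() {
    keytool -certreq -alias "$ALIAS" -file "$CSR_FILE" \
        -keystore "$KEYSTORE" -storepass "$STORE_PASS"
}

# "Use a credential obtained from a CA", steps 1-2: import the CA root under its
# own alias, then the signed reply under the key's alias so that it replaces the
# self-signed certificate instead of becoming a separate trusted entry.
import_ca_reply() {
    root_pem="$1"; signed_crt="$2"
    keytool -importcert -noprompt -trustcacerts -alias root -file "$root_pem" \
        -keystore "$KEYSTORE" -storepass "$STORE_PASS"
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$signed_crt" \
        -keystore "$KEYSTORE" -storepass "$STORE_PASS"
}

# Step 18 check, after JBoss has been restarted: confirm that port 8443 presents
# the expected certificate (needs openssl on the client machine).
show_served_cert() {
    openssl s_client -connect "$HOST_NAME:8443" -servername "$HOST_NAME" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}
```

Usage: for the self-signed path run create_keystore, export_cert, print_cert and import_into_truststore in that order, then verify_trusted; for the CA path run create_keystore and create_csr, send LCcertRequest.csr to the CA, and call import_ca_reply rootcert.pem CACertificateName.crt when the signed certificate arrives. A Java client such as Workbench is pointed at the dedicated trust store with -Djavax.net.ssl.trustStore=lc_truststore.keystore -Djavax.net.ssl.trustStorePassword=... instead of editing cacerts. After the restart, show_served_cert should print a subject containing the host name and a validity window that has not expired.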


