博客首页 注册 建议与交流 排行榜 加入友情链接
推荐 投诉 搜索: 帮助

剑心通明的资料库

文章均为转载,本人不负因参考它所导致的一切后果,请谨慎参考!如您的文章不愿被转载,请点击此处联系本人!
  jxtm.cublog.cn

关于作者
姓名:剑心通明
职业:高级工程师(专修灵魂^_^)
年龄:20出头30不到
位置:网络上一节点
个性介绍:努力学习每一天!
倾心打造:http://www.bsdlover.cn
http://bbs.bsdlover.cn
BSD爱好者的乐园!
|| << >> ||
我的分类

Using SSL Certificates with JBoss 4 and Tomcat 5

Introduction


You want to use CA (Certificate Authority) signed SSL certificate in your JBoss setup.
This document describes how I got it to work with JBoss 4 and the integrated Tomcat 5.5
server.

There are a few documents on JBoss and SSL, I found not one telling me exactly what to do
but got information from each document.

Tips:
- You don't need to setup openssl as described in many documents
- You don't need to alter allot of files, just comment out one part in server.xml (see below)
- You can and should use other aliases then 'tomcat'
- Skip documentation about JBoss and SSL look at the Jakarta Tomcat documentation.

Setting up JBoss 4


The installation is beyond the scope of this document. Make sure JBoss is installed,
running and that you have a application deployed (and working)

Make the keystore


Java uses a keystore to .... store the keys (duh?). You need one so create one using the
Java keytool:

Note: the alias name you use here is for the first cert you are going to use so
choose carefully

# keytool -genkey -alias [alias name] -keyalg RSA -keystore [server.keystore] -validity 3650

Enter keystore password:  [password]
    What is your first and last name?
      [Unknown]:  www.myhost.com
    What is the name of your organizational unit?
      [Unknown]:  Some dot com
    What is the name of your organization?
      [Unknown]:  Security
    What is the name of your City or Locality?
      [Unknown]:  SomeCity
    What is the name of your State or Province?
      [Unknown]:  SomeState
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=www.myhost.com, OU=Some dot com, O=Security, L=SomeCity, ST=SomeState, C=US correct?
      [no]:  yes

    Enter key password for
            (RETURN if same as keystore password):

!!!! YOU MUST USE THE SAME KEYSTORE PASSWORD AS KEY PASSWORD DO NOT USE DIFFERENT PASSWORDS !!!!!!
(this is a bug in Tomcat)
  

The CN part (first and last name) is strangely where you need to put your domain name
because your browser will check it against the domain name entered. So this needs to
exactly match the domain name for which you are requesting a certificate.

Make sure you create the keystore in a useful place or copy it afterwards. We will use
this location as example:

/usr/local/jobss4/server/[project]/conf

Enabling SSL for your project


Edit /usr/local/jboss4/server/[project]/deploy/jbossweb-tomcat55.sar/server/xml
and uncomment the following section,


<!-- SSL/TLS Connector configuration -->
<Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
     address="${jboss.bind.address}" port = "8443" scheme = "https"
     secure = "true">
     <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         keystoreFile="[keystore location]"
         keystorePass="[password]"
         protocol = "TLS"/>
</Connector>

update (6 march 2007)

---
Last time I checked the config looked like this:

      <Connector port="443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           enableLookups="false" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           scheme="https" secure="true" clientAuth="false"
         keystoreFile="[keystore location]"
         keystorePass="[password]"
         protocol = "TLS"/>
---

Creating the CSR


Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority.
We can get this signed by a certifying authority like verisign or thwate

keytool -certreq -keystore [keystore location] -alias [alias like above] -file [filename.csr]

Enter the keystore password.

Send this CSR file to your CA.

Importing the CRT reply from your CA


- Get the root certificate from your CA (google for [CA] root certificate, e.g. 'geotrust root certificate'),
the file wasn't named .pem (just renamed it) and I downloaded the DER encoded version

- Get the CRT file from your CA

# keytool -import -alias root -keystore server.keystore -trustcacerts -file /usr/local/jboss4/certs/geotrustca.pem

Enter keystore password:  [password]
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

haven't tried it without the root cert, might just work because it sais there is already a system wide one

# keytool -import -alias [your alias] -keystore server.keystore -trustcacerts -file /usr/local/jboss4/certs/[filename].crt

Enter keystore password:  [password]
Enter key password for <>[password]
Certificate reply was installed in keystore

Check and see if it got imported:

# keytool -list -keystore server.keystore
Enter keystore password:  [password]

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 15, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
[your alias], Aug 15, 2006, keyEntry,
Certificate fingerprint (MD5): 1C:D7:6F:14:EF:B9:BD:01:BE:46:DB:AD:A7:19:25:06

Finishing things



- stop and start Jboss (redirect output to error log file and check)

- see if port 8443 is running

- go to https://[domainname]:8443 to test the cert

 原文地址 http://www.freebsdhowtos.com/117.html
发表于: 2008-05-09,修改于: 2008-05-09 08:01,已浏览412次,有评论0条 推荐 投诉


网友评论
 发表评论