JBoss guide: How to enable SSL (HTTPS) on JBoss, as well as other “nice-to-know” configurations

From time to time you might have the need of running a web application over https, or there can be requests of having Single-Sign-On between multiple web applications running on your server. This small jboss-guide will give you some clues on how to solve tasks like this, with configurations for both jboss-4.0.4.GA and jboss-4.2.2.GA. Since the name of the server instance might differ and it’s also possible to use custom names, I’ll refer to it as jboss/server/<NAME>/, but what I mean here is for example jboss/server/default/.

Changing the port that jboss runs on

For 4.0.4 you should locate the server.xml inside jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/, and then change the port=”8080″ parameter in the HTTP Connector to your wishes, for example port 80 as I have done it here.

 <!-- A HTTP/1.1 Connector on port 8080 -->
      <Connector port="80" address="${jboss.bind.address}"
         maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
         emptySessionPath="true"
         enableLookups="false" redirectPort="8443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true"/>

For 4.2.2 you do exactly the same, but the server.xml is located inside jboss/server/<NAME>/deploy/jboss-web.deployer/ instead.

Make tomcat able to compile java5 – by default it doesn’t

If you have the need of using java5 (jdk 1.5), you need to set the source-level of the compiler. If you don’t do this and have deployed web-applications with java5 code, you will get exceptions during startup. For 4.0.4 edit the web.xml in jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/conf. Locate the jsp servlet by searching for <servlet-name>jsp</servlet-name>, and uncomment the section that enables jdk1.5 features:

  <!-- Uncomment to use jdk1.5 features in jsp pages -->
      <init-param>
         <param-name>compilerSourceVM</param-name>
         <param-value>1.5</param-value>
      </init-param>

For 4.2.2 you find the web.xml inside jboss/server/<NAME>/deploy/jbossweb-deployer/conf. Locate the same servlet, and make sure that the parameters both for source & target compiler are set like this:

   	<servlet>
        <servlet-name>jsp</servlet-name>
        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
        <init-param>
            <param-name>fork</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>xpoweredBy</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
         <param-name>compilerSourceVM</param-name>
         <param-value>1.5</param-value>
        </init-param>
  	<init-param>
         <param-name>compilerTargetVM</param-name>
         <param-value>1.5</param-value>
        </init-param>

Activate support for Single Sign-On

For both versions, locate server.xml (4.0.4 = jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/, 4.2.2 = jboss/server/<NAME>/deploy/jboss-web.deployer/). Find the “Host” section, and uncomment the following Valve:

   	 <!-- Uncomment to enable single sign-on across web apps
                deployed to this host. Does not provide SSO across a cluster.     

                If this valve is used, do not use the JBoss ClusteredSingleSignOn
                valve shown below. 

                A new configuration attribute is available beginning with
                release 4.0.4:

                cookieDomain  configures the domain to which the SSO cookie
                              will be scoped (i.e. the set of hosts to
                              which the cookie will be presented).  By default
                              the cookie is scoped to "/", meaning the host
                              that presented it.  Set cookieDomain to a
                              wider domain (e.g. "xyz.com") to allow an SSO
                              to span more than one hostname.
             -->

            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

Then in your jboss-web.xml it’s important that all the web applications that are going to “exchange” credentials points to the same security-domain:

<jboss-web>
 	<security-domain>java:/jaas/USE_THE_SAME_APPLICATION_POLICY_HERE</security-domain>
	<context-root>/YOUR_APPLICATION_ROOT</context-root>
</jboss-web>

If you now open and logon to one application, going to another one running on the same server should not prompt you for username/password again. Note that there are alternatives also if you have applications running on different servers/locations – check the other Valves.

Enable SSL on JBoss

In this example I’m only using a self-signed certificate, but the procedure would be more or less the same even if you are going to use a certificate from a Certification Authority.

  1. Generate the keystore with the following command
    keytool -genkey -alias tomcat -keyalg RSA -keystore NAME_OF_KEYSTORE -validity NUMBER_OF_DAYS
  2. Copy the file into the jboss/server/<NAME>/conf/ directory
  3. Edit the server.xml (4.0.4 = jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/, 4.2.2 = jboss/server/<NAME>/deploy/jboss-web.deployer/).For 4.0.4 the SSL-connector should be configured like:
     <!-- SSL/TLS Connector configuration using the admin devl guide keystore     -->
          <Connector port="THE_PORT_YOU_LIKE" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
               keystorePass="PASSWORD_FOR_THE_KEYSTORE" sslProtocol = "TLS" />

    For 4.2.2, configure it like this:

     <Connector port="THE_PORT_YOU_LIKE" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false"
    	       strategy="ms"
                   address="${jboss.bind.address}"
                   keystoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
                   keystorePass="PASSWORD_FOR_THE_KEYSTORE"
                   truststoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
                   truststorePass="PASSWORD_FOR_THE_KEYSTORE"
                   sslProtocol="TLS"/>
  4. Now you should be able to access your application through https. Remember to use https:// instead of http:// in your browser-url, or else it will fail.
  5. Remember that if you want to disable the non-secured port 8080 (or custom), making sure that people can only access through https, comment and disable that connector in the same server.xml.

Tell jboss 4.2.2 to not use the bundled JSF 1.2 implementation

By default this version of jboss comes bundled with the Glassfish JSF 1.2 implementation. If you deploy web applications that use other implementations, like myfaces, you should tell jboss to use the implementations(s) deployed together with the web applications instead. Do this by adding the following to the web.xml of your application(s):

  <context-param>
     <param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>
     <param-value>true</param-value>
  </context-param>

Access jboss-4.2.2GA using ip address instead of localhost – use the “-b” parameter

I’ve been using the 4.0.4 version for some time, and I could start it on my machine (accessing it through localhost:8080), and access it from other machines in my network it by using the ip-address of my machine instead of localhost. With 4.2.2, you can start it the same way and it will work from your machine by going localhost. But trying to start the application remotely from other machines by using the ip-address would fail, giving you a 404.

This is because before 4.2.2.GA, jboss was always bound to the any address “0.0.0.0”. But this was considered a security issue, and this default behavior was removed. It’s now up to the user to explicitly configure this.

What you need to do to solve it is to start the jboss with another parameter, you need to set the bind address for the jboss services. The following command would start a jboss server named “myserver” on ip 192.168.100.100:

  run.bat -c myserver -b 192.168.100.100

If you now try to start the application from other machines by using this IP it works! If you use the server named default you can leave out the -c parameter. It’s also possible to revert back to the “old configuration” by using -b 0.0.0.0, but this is not recommended.Ok, I hope that this small guide might be of help to someone! :)

About these ads

33 Responses to “JBoss guide: How to enable SSL (HTTPS) on JBoss, as well as other “nice-to-know” configurations”

  1. gianni Says:

    Hi,
    I’m trying your trick on my jboss 4.2.2GA on windows, but i got an UnknownHostException.
    I just set a -b 192.168.2.165 parameter in the startup.
    Any solution would be very appreciated.

    Here’s the stack trace of the error.
    Failed to setBindAddress= 192.168.2.165 on socket factory
    java.net.UnknownHostException: 192.168.2.165
    at java.net.InetAddress.getAllByName0(InetAddress.java:1157)
    at java.net.InetAddress.getAllByName(InetAddress.java:1083)
    at java.net.InetAddress.getAllByName(InetAddress.java:1019)

  2. roneiv Says:

    Hi!

    I’ve never expreienced this error, so I’m a bit on thin ice here, but:

    It’s my understanding that you’ve run the command “run-bat -b 192.168.2.165″.

    Since it’s the InetAddress.getAllByName that throws the UnknownHostException, my guess is that the IP you tried to bind your jboss server to is wrong?

    This might be a very “stupid” question, but if you do an ‘ipconfig’ in command-line, do you have a network adapter with this IP (192.168.2.165)? You can only bind jboss to ip-adresses that exists on the host-machine that jboss itself runs on.

    A nice test could be to do the “old” type of binding, and use “run.bat -b 0.0.0.0 ” If it is able to start with no exceptions doing it like this, and you can access the application(s) from other machines in the network, then you know that there was a mismatch between the IP you set and the possible IPs of your machine.

    You could also check if you are running other servers like tomcat e.g, as these might be running at the same port as jboss tries to do (8080 by default). You should get an error in the log/console then saying that the “bind address is already in use ” or something, but since I don’t have your full stack trace I don’t kow if this could be the case.

    Another option I might think of is if you have multiple network cards? I don’t, so it’s a bit hard for me to test, but in windows there are settings for in which order network cards are accessed by other network services. If you go to Control Panel -> Network Connections -> Advanced -> Advanced Settings, you se a list of network interfaces. Push the network card you try to use all the way to the top, and eventually try again.

    I don’t know if this helps you, but these are my thoughts for the moment at least :)

  3. gianni Says:

    Thank’s for your reply, my problem was in the way I set the run parameters.
    In windows you have to add string parameter in the windows registry (-b192.168.2.165).
    I didn’t know that this parameters must be set witout a blank space in the middle(-b 192.168.2.165).
    Are you aware of other methods to set this param in windows?

  4. roneiv Says:

    I don’t understand why you have to add the parameter to the windows registry?? Are you trying to run jboss as a windows service?

    Anyway, it’s possible to “hardcode” the bind address inside the jboss/server//deploy/jboss-web.deployer/server.xml by modifying the connectors like this

    <Connector port=”8080″ address=”192.168.2.165″ ………
    Perhaps this would work for you then :)

    But just to say it, if I start my server from the command-line, I have a white space between the b and the IP address:
    C:jboss\bin\run.bat -b 192.168.2.165

  5. gianni Says:

    Yes, I need to run jboss as a service. Your tip (modifing server.xml) is working quite well, but if I set an IP address, then I can’t use http://localhost:8080 to run jboss. The other way around, if I set -b0.0.0.0 in the windows registry, I can run jboss both with localhost and with the IP address.
    I appreciated very much your help, and I need to ask you another question; is there any way to run two instances of jboss (for example 402 and 422) in the same server? I get have troubles with ports and this kind of stuff.
    Thank you again.

    GIANNI

  6. roneiv Says:

    Hi gianni, sorry for my late answer, I’ve been away for some days. :)

    I really don’t have any experience of running multiple instances of jboss in the same machine. It is doable though, but of course you would need to think about available memory to be able to guarantee the performance you might want (each of the two jbosses might run with -Xms512m -Xmx1024m e.g.)

    I would need to forward you to this page, maybe you would find the answer to your port conflicts here:

    http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfiguringMultipleJBossInstancesOnOneMachine

    Sorry I couldn’t be of more help.

  7. nait Says:

    Do you know how to enable both https & https, so the client can use http:// or https:// .

    Regards.

  8. roneiv Says:

    Nait,

    Sorry for not having answered before, have been away on vacation. :)

    I believe if you enable the https and do not disable the http connector it should answer on both??

    – E -

  9. Pentaho’s secrets:Enabling Single Sign On with CAS and JBoss Portal (first step) « il blog di Uskassat Says:

    [...] this guide, until “Enable SSL on JBoss”: – don’t read about Tomcat… – don’t [...]

  10. Chris Says:

    Can you write about how to set up a JBoss 4.2.2 cluster on Windows? I can’t get the JGroups config to work and the docs don’t provide any troubleshooting info except “talk to your administrator.”

  11. roneiv Says:

    Chris,

    I’m sorry but I have no experience in running Jboss in clusters, so I apologize for not being able to help you in that.. :)

  12. Diego Says:

    Hi,
    i’m trying to enabled ssl no jboss 4.2.2, i’ve followed all the steps by i’m getting this error “Cannot recover key at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init….”, do you have any idea what coudl be the problem?

  13. niranjana Says:

    after i login to CAS,it is not redirecting to application .
    i browsed the many forums where i found that certificates
    need to be added to keysore . i tried and created .but it is not working properly.please,can any one assist me regarding this problem?

    Thanks

  14. Diwant Vaidya Says:

    Nait,

    When you do the above, https becomes enabled, but http remains accessible. It isn’t one or the other.

    Diwant

  15. roneiv Says:

    Diwant,

    If you only want to have the https and not http you can disable the HTTP connection, only having the HTTPS connector enabled.

    – Eivind -

  16. NewWithJbossSecurity Says:

    How about U want to login
    with https
    once you login you move back to http

    Example :

    http://mainPage.com

    You want to login ..I have a button on the page Login.
    On Clicking

    https://mainPage/auth/

    Once ur username and password is authenticated
    How do u refresh the page to http.

    How do you configure this with JBOSS

  17. David Says:

    @NewWithJbossSecurity: I’ve found that if you enable the SSO valve in the tutorial, you can then send the browser to an https://securesite URL that is protected (via web.xml) thus forcing a login page to appear using https.

    Once auth succeeds, JBoss will redirect the browser to the orginally requested page (in this case, https://securesite).

    Inside the JSP for ‘securesite’, you can detect whether the scheme is https or http. If it’s https, you can redirect to the same page, but with an http scheme (you can determine the URL information from the HttpServletRequest object accessible in the JSP or servlet).

    Keep in mind that if you don’t enable the SSO valve, then https authentications will not work to view http resources that have a web.xml auth constraint (JBoss show you a 2nd login page in the http scheme, because http and https don’t share cookies). If you enable the SSO valve, then JBoss only requires one login.

  18. Rale Says:

    Can I somehow enable http and https on jboss, both protocols to listen on same port for example port 8080 an then define only one secured pege to be https address …
    Is there a way to do somthin lije that?

    • roneiv Says:

      Rale,

      Sorry, but you cannot enable both http and https on the same port. You can have both active at the same time, but you would have to use different ports I believe.

      – E -

  19. Bimal Thapa Says:

    Hi roneiv,
    I am using JBoss Portal Server 2.7.1 and i did exactly what you told to enable SSL, but i must use CAS for SSO. Whenever i start loggin in to JBoss Portal, it shows the CAS login screen, thats fine which is desired, but it fails to validate and the login screen of portal apears which is not desired, as the feature of CAS suggest to login directly into the portal admin control without admin login screen after the login of CAS screen.

    The error is as follows

    17:21:37,548 ERROR [CASReceipt] edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas-server-webapp-3.3.1/serviceValidate] ticket=[ST-2-5kcz2oDD1ft4CuzKkUnM-cas] service=[http%3A%2F%2Flocalhost%3A8080%2Fportal%2Fauth%2Fportal%2Fdefault%2Fj_security_check] renew=false]]

    So if you know some links or u know the solution, plz guide me .

  20. Bruno Says:

    Thanks, Roneiv!

    You solved my problem.

    I was trying to bind a jboss webservice with:

    -b 192.168.1.190 (my local network IP).

    But my network has a proxy server, wich one doesn’t know how to resolve 192.168.1.190 address.

    IE and Mozilla knows because I set to not use proxy for local adresses (intranet). But jboss is not aware of this information.

    So I made the bind to -b 0.0.0.0, and jboss deployed the service on . And everything worked fine.

    Thank you very much!

  21. JbossUser Says:

    I followed the above steps and trying to use

    https://servername:port/portal/

    I get the below error:

    Secure Connection Failed
    Cannot communicate securely with peer: no common encryption algorithm(s).
    (Error code: ssl_error_no_cypher_overlap)

    Any solution would be very appreciated. Thanks in advance.

  22. humano 10 Says:

    Thank you very much! This helped me in the 4.2.2 GA version.

  23. virendra Says:

    Hi,
    My machine has an external ip address as well as internal ip.
    When i use my internal ip and run command
    run.bat -b 192.168.11.216
    everything works fine
    But when i run
    run.bat -b 210.7.68.169
    Server gives bind exception.
    Please tell me how i can use external ip.
    It is necessary to access my application from outside.Tell me how can it be done.
    Regards
    Virendra

    • roneiv Says:

      Hi Virendra,

      As far as I know it’s not possible to bind your jboss to an external ip – as this address is not “known” for your jboss.

      You would need an apache/tomcat that can handle requests from the “world”/outside and which forwards to your local jboss through proxypass or something.

      Regards,

      Eivind

  24. Arpit Says:

    Hi,
    I am new to whole keystore scenario and using your trick to generate KEYSTORE. Now my jboss is SSL enabled. But how will I anyways send the certificate from my client.

    – Can you recommend some page where i can understand how my client certificate be sent to server (and server understands it)

    Thanks & Regards,
    Arpit

  25. Endy Says:

    Great post.. thanks for sharing :D

  26. CAS Says:

    Is anyone having any problems with the 2048 bit certs with JBoss. Web page does not come up. No problem with 1024 bit version. Any suggestions??????

  27. Sarang Says:

    Hi Eivind,
    I am getting following exception while starting JBoss… any suggestions?
    I have verified(multiple times) the keystore and keystorepass.

    15:06:54,768 ERROR [Http11Protocol] Error starting endpoint
    java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
    at java.security.KeyStore.load(KeyStore.java:1150)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocket
    Factory.java:319)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESoc
    ketFactory.java:259)
    ……………..

  28. Sarang Says:

    The above settings give Error “java.io.IoException: keystore was tampered with, or password was incorrect”. This error occurs during installation. It is because the password should be in the factory className, not in the Connector className.
    To fix this issue, please insure your Connector is in the following format:

    #
    #
    #

  29. Surya Says:

    is it necessary to give keystore file path in jboss server.xml?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: