From time to time you might need to run a web application over https, or there may be requests for Single Sign-On between multiple web applications running on your server. This small jboss-guide will give you some clues on how to solve tasks like this, with configurations for both jboss-4.0.4.GA and jboss-4.2.2.GA. Since the name of the server instance might differ and it’s also possible to use custom names, I’ll refer to it as jboss/server/<NAME>/, but what I mean is for example jboss/server/default/.
Changing the port that jboss runs on
For 4.0.4, locate the server.xml inside jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/ and change the port="8080" parameter of the HTTP Connector to the port you want, for example port 80 as I have done here.
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector port="80" address="${jboss.bind.address}"
           maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"/>
For 4.2.2 you do exactly the same, but the server.xml is located inside jboss/server/<NAME>/deploy/jboss-web.deployer/ instead.
Make tomcat able to compile java5 – by default it doesn’t
If you need to use java5 (jdk 1.5) code, you need to set the source level of the JSP compiler. If you don’t, and have deployed web applications with java5 code, you will get exceptions during startup. For 4.0.4 edit the web.xml in jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/conf. Locate the jsp servlet by searching for <servlet-name>jsp</servlet-name>, and uncomment the section that enables jdk1.5 features:
<!-- Uncomment to use jdk1.5 features in jsp pages -->
<init-param>
  <param-name>compilerSourceVM</param-name>
  <param-value>1.5</param-value>
</init-param>
For 4.2.2 you find the web.xml inside jboss/server/<NAME>/deploy/jboss-web.deployer/conf. Locate the same servlet, and make sure that the parameters for both the source and the target compiler level are set like this:
<servlet>
  <servlet-name>jsp</servlet-name>
  <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  <init-param>
    <param-name>fork</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>xpoweredBy</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>compilerSourceVM</param-name>
    <param-value>1.5</param-value>
  </init-param>
  <init-param>
    <param-name>compilerTargetVM</param-name>
    <param-value>1.5</param-value>
  </init-param>
</servlet>
Activate support for Single Sign-On
For both versions, locate server.xml (4.0.4 = jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/, 4.2.2 = jboss/server/<NAME>/deploy/jboss-web.deployer/). Find the “Host” section, and uncomment the following Valve:
<!-- Uncomment to enable single sign-on across web apps deployed to this host.
     Does not provide SSO across a cluster.
     If this valve is used, do not use the JBoss ClusteredSingleSignOn valve
     shown below.

     A new configuration attribute is available beginning with release 4.0.4:
     cookieDomain configures the domain to which the SSO cookie will be scoped
     (i.e. the set of hosts to which the cookie will be presented). By default
     the cookie is scoped to "/", meaning the host that presented it. Set
     cookieDomain to a wider domain (e.g. "xyz.com") to allow an SSO to span
     more than one hostname. -->
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
Then, in your jboss-web.xml, it’s important that all the web applications that are going to “exchange” credentials point to the same security-domain:
<jboss-web>
  <security-domain>java:/jaas/USE_THE_SAME_APPLICATION_POLICY_HERE</security-domain>
  <context-root>/YOUR_APPLICATION_ROOT</context-root>
</jboss-web>
If you now open and log on to one application, going to another one running on the same server should not prompt you for username/password again. Note that there are also alternatives if you have applications running on different servers/locations – check the other Valves.
Enable SSL on JBoss
In this example I’m only using a self-signed certificate, but the procedure would be more or less the same even if you are going to use a certificate from a Certification Authority.
- Generate the keystore with the following command
keytool -genkey -alias tomcat -keyalg RSA -keystore NAME_OF_KEYSTORE -validity NUMBER_OF_DAYS
- Copy the file into the jboss/server/<NAME>/conf/ directory
- Edit the server.xml (4.0.4 = jboss/server/<NAME>/deploy/jbossweb-tomcat55.sar/, 4.2.2 = jboss/server/<NAME>/deploy/jboss-web.deployer/). For 4.0.4 the SSL connector should be configured like this:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="THE_PORT_YOU_LIKE" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
           keystorePass="PASSWORD_FOR_THE_KEYSTORE" sslProtocol="TLS" />
For 4.2.2, configure it like this:
<Connector port="THE_PORT_YOU_LIKE" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           strategy="ms" address="${jboss.bind.address}"
           keystoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
           keystorePass="PASSWORD_FOR_THE_KEYSTORE"
           truststoreFile="${jboss.server.home.dir}/conf/THE_KEYSTORE_NAME"
           truststorePass="PASSWORD_FOR_THE_KEYSTORE"
           sslProtocol="TLS"/>
- Now you should be able to access your application through https. Remember to use https:// instead of http:// in your browser url, or else it will fail.
- Remember that if you want to disable the non-secured port 8080 (or your custom port), so that people can only access the server through https, comment out that connector in the same server.xml.
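As an added example (my own script, not part of this guide or of JBoss), here is a small Python audit of the server.xml edited in the SSO and SSL steps above: it lists the plaintext and TLS connectors, flags a TLS connector without keystore settings, a port used twice, a plaintext connector left enabled next to https, and an SSO valve whose cookieDomain has been widened beyond the single host. The server.xml it parses is a constructed sample modelled on the 4.2.2 file, and `audit_server_xml` is my own name.

```python
"""Audit a JBoss 4.x server.xml for the connector and SSO settings this guide edits."""
import xml.etree.ElementTree as ET

SSO_VALVE = "org.apache.catalina.authenticator.SingleSignOn"

# Constructed sample modelled on the 4.2.2 file: http on 8080 is still enabled next to
# the new https connector, and the SSO valve is uncommented and widened to a whole domain.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="false" address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="PASSWORD_FOR_THE_KEYSTORE" sslProtocol="TLS"/>
    <Engine name="jboss.web" defaultHost="localhost">
      <Host name="localhost">
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieDomain="xyz.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return the http/https ports, the SSO state and a list of review findings."""
    root = ET.fromstring(xml_text)
    result = {"http_ports": [], "https_ports": [], "sso": False,
              "cookie_domain": None, "issues": []}
    port_count = {}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        port_count[port] = port_count.get(port, 0) + 1
        # 4.0.4 marks a TLS connector with secure="true"; 4.2.2 adds SSLEnabled="true"
        if conn.get("secure") == "true" or conn.get("SSLEnabled") == "true":
            result["https_ports"].append(port)
            if not (conn.get("keystoreFile") and conn.get("keystorePass")):
                result["issues"].append(f"https connector {port}: keystoreFile/keystorePass missing")
        else:
            result["http_ports"].append(port)
    for port, count in port_count.items():
        if count > 1:  # http and https cannot share one port
            result["issues"].append(f"port {port} is configured on {count} connectors")
    if result["https_ports"] and result["http_ports"]:
        result["issues"].append(f"plaintext http still listening on {result['http_ports']}; "
                                "comment that connector out if the site must be https-only")
    for valve in root.iter("Valve"):
        if valve.get("className") == SSO_VALVE:
            result["sso"] = True
            result["cookie_domain"] = valve.get("cookieDomain")
            if result["cookie_domain"]:  # wider than one host: every host in the domain gets the cookie
                result["issues"].append(f"SSO cookie scoped to {result['cookie_domain']}: "
                                        "every host in that domain receives the login cookie")
    return result


if __name__ == "__main__":
    for issue in audit_server_xml(SAMPLE_SERVER_XML)["issues"]:
        print("-", issue)
```

Point it at your own file with `audit_server_xml(open(path).read())`; the valve is only reported once you have actually uncommented it, since a commented-out valve is not an element.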
Tell jboss 4.2.2 to not use the bundled JSF 1.2 implementation
By default this version of jboss comes bundled with the Glassfish JSF 1.2 implementation. If you deploy web applications that use other implementations, like myfaces, you should tell jboss to use the implementation(s) deployed together with the web applications instead. Do this by adding the following to the web.xml of your application(s):
<context-param>
  <param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>
  <param-value>true</param-value>
</context-param>
Access jboss-4.2.2GA using ip address instead of localhost – use the “-b” parameter
I’ve been using the 4.0.4 version for some time. I could start it on my machine (accessing it through localhost:8080) and access it from other machines in my network by using the ip-address of my machine instead of localhost. With 4.2.2, you can start it the same way and it will work from your machine by going to localhost. But trying to access the application remotely from other machines by using the ip-address would fail, giving you a 404.
This is because before 4.2.2.GA, jboss was always bound to the any address “0.0.0.0”. But this was considered a security issue, and this default behavior was removed. It’s now up to the user to explicitly configure this.
To solve it you need to start jboss with another parameter that sets the bind address for the jboss services. The following command would start a jboss server named “myserver” on ip 192.168.100.100:
run.bat -c myserver -b 192.168.100.100
If you now try to access the application from other machines by using this IP, it works! If you use the server named default you can leave out the -c parameter. It’s also possible to revert back to the “old configuration” by using -b 0.0.0.0, but this is not recommended.
Ok, I hope that this small guide might be of help to someone! 🙂
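As an added example (my own script, not from the guide or from JBoss), a small Python pre-flight check of the address you intend to pass to -b: it flags the old 0.0.0.0 wildcard that binds every service on every interface, catches an argument that is not an IP literal, and confirms that the address actually belongs to a local interface, since you can only bind to addresses the host owns (the recurring question in the comments below). The function names are my own.

```python
"""Sanity-check the address given to run.sh/run.bat -b before starting JBoss."""
import ipaddress
import socket


def classify_bind_address(value):
    """Classify the -b argument without touching the network."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return "invalid"      # not an IP literal, e.g. "-b192.168.2.165" pasted as one token
    if ip.is_unspecified:
        return "wildcard"     # 0.0.0.0: all interfaces, the pre-4.2.2 default that was dropped
    if ip.is_loopback:
        return "loopback"     # reachable only from this machine
    if ip.is_private:
        return "private"      # LAN address such as 192.168.x.x
    return "public"


def is_local_address(value):
    """True if the OS lets us bind to the address, i.e. some local interface owns it."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.bind((value, 0))  # port 0: any free port, nothing is listened on
        return True
    except OSError:           # EADDRNOTAVAIL for an address this host does not own
        return False


def bind_advice(value):
    """One-line verdict a reader can act on before starting the server."""
    kind = classify_bind_address(value)
    if kind == "invalid":
        return f"{value!r} is not an IP address; the argument is run.bat -b <ip>"
    if kind == "wildcard":
        return "0.0.0.0 binds every JBoss service on all interfaces; prefer one LAN address"
    if not is_local_address(value):
        hint = "front JBoss with a reverse proxy" if kind == "public" else "check ipconfig/ifconfig"
        return f"{value} is not configured on any interface of this host ({hint})"
    return f"{value} is a {kind} address on this host: ok for -b"


if __name__ == "__main__":
    for candidate in ("0.0.0.0", "127.0.0.1", "192.168.100.100", "-b192.168.2.165"):
        print(bind_advice(candidate))
```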
16.01.2008 at 14:01:40
Hi,
I’m trying your trick on my jboss 4.2.2GA on windows, but i got an UnknownHostException.
I just set a -b 192.168.2.165 parameter in the startup.
Any solution would be very appreciated.
Here’s the stack trace of the error.
Failed to setBindAddress= 192.168.2.165 on socket factory
java.net.UnknownHostException: 192.168.2.165
at java.net.InetAddress.getAllByName0(InetAddress.java:1157)
at java.net.InetAddress.getAllByName(InetAddress.java:1083)
at java.net.InetAddress.getAllByName(InetAddress.java:1019)
16.01.2008 at 17:01:07
Hi!
I’ve never experienced this error, so I’m a bit on thin ice here, but:
It’s my understanding that you’ve run the command “run.bat -b 192.168.2.165”.
Since it’s the InetAddress.getAllByName that throws the UnknownHostException, my guess is that the IP you tried to bind your jboss server to is wrong?
This might be a very “stupid” question, but if you do an ‘ipconfig’ in the command line, do you have a network adapter with this IP (192.168.2.165)? You can only bind jboss to ip-addresses that exist on the host machine that jboss itself runs on.
A nice test could be to do the “old” type of binding, and use “run.bat -b 0.0.0.0 ” If it is able to start with no exceptions doing it like this, and you can access the application(s) from other machines in the network, then you know that there was a mismatch between the IP you set and the possible IPs of your machine.
You could also check if you are running other servers like tomcat, e.g., as these might be running at the same port as jboss tries to do (8080 by default). You should get an error in the log/console then saying that the “bind address is already in use” or something, but since I don’t have your full stack trace I don’t know if this could be the case.
Another option I might think of is if you have multiple network cards? I don’t, so it’s a bit hard for me to test, but in windows there are settings for in which order network cards are accessed by other network services. If you go to Control Panel -> Network Connections -> Advanced -> Advanced Settings, you see a list of network interfaces. Push the network card you try to use all the way to the top, and eventually try again.
I don’t know if this helps you, but these are my thoughts for the moment at least 🙂
18.01.2008 at 09:01:39
Thanks for your reply, my problem was in the way I set the run parameters.
In windows you have to add a string parameter in the windows registry (-b192.168.2.165).
I didn’t know that this parameter must be set without a blank space in the middle (-b 192.168.2.165).
Are you aware of other methods to set this param in windows?
18.01.2008 at 17:01:48
I don’t understand why you have to add the parameter to the windows registry?? Are you trying to run jboss as a windows service?
Anyway, it’s possible to “hardcode” the bind address inside the jboss/server//deploy/jboss-web.deployer/server.xml by modifying the connectors like this
<Connector port="8080" address="192.168.2.165" ………
Perhaps this would work for you then 🙂
But just to say it, if I start my server from the command-line, I have a white space between the b and the IP address:
C:\jboss\bin\run.bat -b 192.168.2.165
06.02.2008 at 09:02:28
Yes, I need to run jboss as a service. Your tip (modifying server.xml) is working quite well, but if I set an IP address, then I can’t use http://localhost:8080 to run jboss. The other way around, if I set -b0.0.0.0 in the windows registry, I can run jboss both with localhost and with the IP address.
I appreciated your help very much, and I need to ask you another question: is there any way to run two instances of jboss (for example 402 and 422) on the same server? I have troubles with ports and this kind of stuff.
Thank you again.
GIANNI
14.02.2008 at 00:02:57
Hi gianni, sorry for my late answer, I’ve been away for some days. 🙂
I really don’t have any experience of running multiple instances of jboss in the same machine. It is doable though, but of course you would need to think about available memory to be able to guarantee the performance you might want (each of the two jbosses might run with -Xms512m -Xmx1024m e.g.)
I would need to forward you to this page, maybe you would find the answer to your port conflicts here:
http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfiguringMultipleJBossInstancesOnOneMachine
Sorry I couldn’t be of more help.
21.07.2008 at 23:07:54
Do you know how to enable both http & https, so the client can use http:// or https://?
Regards.
28.07.2008 at 10:07:53
Nait,
Sorry for not having answered before, have been away on vacation. 🙂
I believe if you enable the https and do not disable the http connector it should answer on both??
– E –
01.10.2008 at 16:10:19
Can you write about how to set up a JBoss 4.2.2 cluster on Windows? I can’t get the JGroups config to work and the docs don’t provide any troubleshooting info except “talk to your administrator.”
03.10.2008 at 23:10:32
Chris,
I’m sorry but I have no experience in running Jboss in clusters, so I apologize for not being able to help you in that.. 🙂
13.11.2008 at 15:11:09
Hi,
I’m trying to enable ssl on jboss 4.2.2. I’ve followed all the steps but I’m getting this error “Cannot recover key at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init….”, do you have any idea what could be the problem?
14.11.2008 at 12:11:12
After I log in to CAS, it is not redirecting to the application.
I browsed many forums where I found that certificates need to be added to the keystore. I tried and created them, but it is not working properly. Please, can anyone assist me regarding this problem?
Thanks
19.11.2008 at 11:11:05
Nait,
When you do the above, https becomes enabled, but http remains accessible. It isn’t one or the other.
Diwant
19.11.2008 at 15:11:20
Diwant,
If you only want to have the https and not http you can disable the HTTP connection, only having the HTTPS connector enabled.
– Eivind –
20.11.2008 at 19:11:18
How about if you want to log in with https, and once you are logged in you move back to http?
Example:
http://mainPage.com
You want to log in. I have a button on the page, Login.
On clicking:
https://mainPage/auth/
Once your username and password are authenticated, how do you refresh the page to http?
How do you configure this with JBOSS?
09.12.2008 at 20:12:46
@NewWithJbossSecurity: I’ve found that if you enable the SSO valve in the tutorial, you can then send the browser to an https://securesite URL that is protected (via web.xml) thus forcing a login page to appear using https.
Once auth succeeds, JBoss will redirect the browser to the originally requested page (in this case, https://securesite).
Inside the JSP for ‘securesite’, you can detect whether the scheme is https or http. If it’s https, you can redirect to the same page, but with an http scheme (you can determine the URL information from the HttpServletRequest object accessible in the JSP or servlet).
Keep in mind that if you don’t enable the SSO valve, then https authentications will not work to view http resources that have a web.xml auth constraint (JBoss show you a 2nd login page in the http scheme, because http and https don’t share cookies). If you enable the SSO valve, then JBoss only requires one login.
14.01.2009 at 09:01:05
David,
Thanks for sharing
– E –
14.01.2009 at 00:01:48
Can I somehow enable http and https on jboss, both protocols listening on the same port, for example port 8080, and then define only one secured page to be an https address …
Is there a way to do something like that?
14.01.2009 at 09:01:54
Rale,
Sorry, but you cannot enable both http and https on the same port. You can have both active at the same time, but you would have to use different ports I believe.
– E –
20.02.2009 at 12:02:31
Hi roneiv,
I am using JBoss Portal Server 2.7.1 and I did exactly what you told to enable SSL, but I must use CAS for SSO. Whenever I start logging in to JBoss Portal, it shows the CAS login screen, that’s fine and is what is desired, but it fails to validate and the login screen of the portal appears, which is not desired, as the feature of CAS suggests logging directly into the portal admin control without the admin login screen after the login on the CAS screen.
The error is as follows
17:21:37,548 ERROR [CASReceipt] edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas-server-webapp-3.3.1/serviceValidate] ticket=[ST-2-5kcz2oDD1ft4CuzKkUnM-cas] service=[http%3A%2F%2Flocalhost%3A8080%2Fportal%2Fauth%2Fportal%2Fdefault%2Fj_security_check] renew=false]]
So if you know some links or you know the solution, please guide me.
19.03.2009 at 00:03:34
Thanks, Roneiv!
You solved my problem.
I was trying to bind a jboss webservice with:
-b 192.168.1.190 (my local network IP).
But my network has a proxy server, which doesn’t know how to resolve the 192.168.1.190 address.
IE and Mozilla know because I set them to not use the proxy for local addresses (intranet). But jboss is not aware of this information.
So I made the bind to -b 0.0.0.0, and jboss deployed the service on . And everything worked fine.
Thank you very much!
15.05.2009 at 21:05:06
I followed the above steps and trying to use
https://servername:port/portal/
I get the below error:
Secure Connection Failed
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Any solution would be very appreciated. Thanks in advance.
09.11.2009 at 10:11:19
Thank you very much! This helped me in the 4.2.2 GA version.
08.12.2009 at 13:12:28
Hi,
My machine has an external ip address as well as internal ip.
When i use my internal ip and run command
run.bat -b 192.168.11.216
everything works fine
But when i run
run.bat -b 210.7.68.169
Server gives bind exception.
Please tell me how i can use external ip.
It is necessary to access my application from outside. Tell me how it can be done.
Regards
Virendra
08.12.2009 at 13:12:06
Hi Virendra,
As far as I know it’s not possible to bind your jboss to an external ip – as this address is not “known” for your jboss.
You would need an apache/tomcat that can handle requests from the “world”/outside and which forwards to your local jboss through proxypass or something.
Regards,
Eivind
05.05.2010 at 11:05:11
Hi,
I am new to the whole keystore scenario and used your trick to generate the KEYSTORE. Now my jboss is SSL enabled. But how will I send the certificate from my client anyway?
– Can you recommend some page where I can understand how my client certificate can be sent to the server (and the server understands it)?
Thanks & Regards,
Arpit
14.06.2010 at 05:06:18
Great post.. thanks for sharing 😀
19.09.2010 at 22:09:08
Is anyone having any problems with the 2048 bit certs with JBoss. Web page does not come up. No problem with 1024 bit version. Any suggestions??????
18.01.2011 at 10:01:40
Hi Eivind,
I am getting following exception while starting JBoss… any suggestions?
I have verified(multiple times) the keystore and keystorepass.
15:06:54,768 ERROR [Http11Protocol] Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
at java.security.KeyStore.load(KeyStore.java:1150)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
……………..
21.03.2011 at 11:03:36
The above settings give Error “java.io.IoException: keystore was tampered with, or password was incorrect”. This error occurs during installation. It is because the password should be in the factory className, not in the Connector className.
To fix this issue, please ensure your Connector is in the following format:
13.12.2011 at 14:12:06
is it necessary to give keystore file path in jboss server.xml?
14.08.2012 at 10:08:43
try this
http://kuchipudi.wordpress.com/2009/07/24/enabling-ssl-on-jboss-as-4-2-x/