11.12. SSL Encryption

11.12.1. Implement SSL Encryption for the JBoss EAP 6 Web Server

Introduction

Many web applications require an SSL-encrypted connection between clients and server, also known as an HTTPS connection. You can use this procedure to enable HTTPS on your server or server group.

Warning

Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2 in all affected packages.

Prerequisites

  • A set of SSL encryption keys and an SSL encryption certificate. You may purchase these from a certificate-signing authority, or you can generate them yourself using command-line utilities. To generate encryption keys using utilities available on Red Hat Enterprise Linux, see Section 11.12.2, “Generate a SSL Encryption Key and Certificate”.
  • The following details about your specific environment and setup:
    • The full directory name where the certificate files are stored.
    • The encryption password for your encryption keys.
  • Management CLI running and connected to your domain controller or standalone server.
  • Select appropriate cipher suites.

Cipher Suites

There are a number of available cryptographic primitives used as building blocks to form cipher suites. The first table lists recommended cryptographic primitives. The second lists cryptographic primitives which, while they may be used for compatibility with existing software, are not considered as secure as those recommended.

Warning

Red Hat recommends selectively whitelisting a set of strong ciphers to use for cipher-suite. Enabling weak ciphers is a significant security risk. Consult your JDK vendor's documentation before deciding on particular cipher suites as there may be compatibility issues.

Table 11.9. Recommended Cryptographic Primitives

RSA with 2048 bit keys and OAEP
AES-128 in CBC mode
SHA-256
HMAC-SHA-256
HMAC-SHA-1

Table 11.10. Other Cryptographic Primitives

RSA with key sizes larger than 1024 and legacy padding
AES-192
AES-256
3DES (triple DES, with two or three 56 bit keys)
RC4 (strongly discouraged)
SHA-1
HMAC-MD5

For a full listing of parameters you can set for the SSL properties of the connector, see Section 11.12.3, “SSL Connector Reference”.

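The whitelist the warning above asks for, as an added example that is not part of the Red Hat documentation: a small POSIX shell script that keeps only cipher suites built entirely from Table 11.9 primitives (RSA authentication, AES-128 in CBC mode, HMAC-SHA-256 or HMAC-SHA-1) and reports the rest. The suite names are assumed to be JSSE names as reported by the JDK; the candidate list is constructed for the example.

```shell
#!/bin/sh
# Added example; not from the Red Hat documentation. Builds the explicit
# cipher-suite whitelist the warning recommends by keeping only JSSE suite
# names composed of Table 11.9 primitives and logging everything else.
# Suite names are assumed JSSE names; none are taken from the page.

# classify_suite NAME -> prints "recommended" (all Table 11.9 primitives),
# "legacy" (uses a Table 11.10 primitive: AES-192/256, 3DES, RC4 or MD5),
# or "unknown" (a primitive neither table lists).
classify_suite() {
    case "$1" in
        *_RSA_WITH_AES_128_CBC_SHA256|*_RSA_WITH_AES_128_CBC_SHA)
            echo recommended ;;
        *_RC4_*|*_3DES_*|*_MD5|*_AES_192_*|*_AES_256_*)
            echo legacy ;;
        *)
            echo unknown ;;
    esac
}

# whitelist_suites "A,B,C" -> prints the comma-joined subset classified as
# "recommended"; every excluded suite is reported on stderr with its class.
whitelist_suites() {
    old_ifs=$IFS
    IFS=,
    set -- $1          # split the list on commas into positional parameters
    IFS=$old_ifs
    kept=""
    for suite in "$@"; do
        class=$(classify_suite "$suite")
        if [ "$class" = recommended ]; then
            kept="${kept:+$kept,}$suite"
        else
            echo "excluded ($class): $suite" >&2
        fi
    done
    printf '%s\n' "$kept"
}

# Constructed candidate list, of the kind a JDK enables by default.
CANDIDATES='TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA'
CIPHERS=$(whitelist_suites "$CANDIDATES")
echo "cipher-suite=\"$CIPHERS\""
```

The resulting value is what goes into the cipher-suite parameter of the ssl=configuration resource. Note that the SHA256 suites are TLSv1.2 suites, so a connector whose protocol is set to TLSv1 only will negotiate the SHA-1 variant from this list.
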
Note

This procedure uses commands appropriate for a JBoss EAP 6 configuration that uses a managed domain. If you use a standalone server, modify Management CLI commands by removing the /profile=default from the beginning of any management CLI commands.

Procedure 11.39. Configure the JBoss Web Server to use HTTPS

  1. Add a new HTTPS connector.

    Create a secure connector, named HTTPS, which uses the https scheme, the https socket binding (which defaults to 8443), and is set to be secure.
    /profile=default/subsystem=web/connector=HTTPS/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)
    
  2. Configure the SSL encryption certificate and keys.

    Configure your SSL certificate, substituting your own values for the example ones. This example assumes that the keystore is copied to the server configuration directory, which is EAP_HOME/domain/configuration/ for a managed domain.
    /profile=default/subsystem=web/connector=HTTPS/ssl=configuration:add(name=https,certificate-key-file="${jboss.server.config.dir}/keystore.jks",password=SECRET, key-alias=KEY_ALIAS, cipher-suite=CIPHERS)
    
  3. Set the protocol to TLSv1.

    /profile=default/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=protocol,value=TLSv1)
    
  4. Deploy an application.

    Deploy an application to a server group which uses the profile you have configured. If you use a standalone server, deploy an application to your server. HTTPS requests to it use the new SSL-encrypted connection.
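
The three configuration steps above as one scripted batch, an added example that is not part of the Red Hat documentation: a POSIX shell function that emits the management CLI commands of Procedure 11.39, dropping the /profile=default prefix for a standalone server as the Note above describes. The password, key alias, cipher list and protocol are caller-supplied placeholders; the keystore path is the one the procedure uses, and running the output with jboss-cli.sh --file is the usage this example assumes.

```shell
#!/bin/sh
# Added example; not part of the Red Hat documentation. Emits the three
# management CLI commands of Procedure 11.39 as a batch file. The
# /profile=default prefix is dropped for a standalone server, as the Note
# in the procedure says. PASSWORD, KEY_ALIAS, the cipher list and the
# protocol are placeholders the caller supplies.

# gen_https_cli MODE PASSWORD KEY_ALIAS CIPHER_SUITES PROTOCOL
#   MODE      domain | standalone
#   PROTOCOL  TLSv1 (as in step 3) or TLSv1.1 / TLSv1.2 (as the warning recommends)
gen_https_cli() {
    mode=$1
    password=$2
    key_alias=$3
    ciphers=$4
    protocol=$5
    case "$mode" in
        domain)     prefix=/profile=default ;;
        standalone) prefix= ;;
        *) echo "gen_https_cli: mode must be domain or standalone" >&2; return 1 ;;
    esac
    # An empty cipher-suite leaves the choice to the JDK defaults, which is
    # the opposite of the explicit whitelist the warning asks for.
    if [ -z "$ciphers" ]; then
        echo "gen_https_cli: refusing to write an empty cipher-suite" >&2
        return 1
    fi
    # The cipher list contains commas, so it is double-quoted for the CLI
    # parser, which would otherwise read each comma as a parameter separator.
    printf '%s\n' \
      "$prefix/subsystem=web/connector=HTTPS/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)" \
      "$prefix/subsystem=web/connector=HTTPS/ssl=configuration:add(name=https,certificate-key-file=\"\${jboss.server.config.dir}/keystore.jks\",password=$password,key-alias=$key_alias,cipher-suite=\"$ciphers\")" \
      "$prefix/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=protocol,value=$protocol)"
}

# Usage (all values are placeholders):
#   gen_https_cli domain SECRET KEY_ALIAS \
#       TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA TLSv1.2 > https.cli
#   EAP_HOME/bin/jboss-cli.sh --connect --file=https.cli
```

Keep the generated file out of version control or strip the password from it once applied, since the ssl=configuration command carries the keystore password in clear text.
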