Configure two-way SSL on JBoss EAP 5 or 6

Solution Verified

Environment

  • Red Hat JBoss Enterprise Application Platform
    • 5.x
    • 6.x

Issue

  • How to configure two-way SSL in JBoss
  • Is there a way to configure a specific server/JVM to use a specific keystore file without using the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties in a two-way SSL configuration?
  • How to configure two-way SSL between JBoss EAP and a browser?
  • We are going to migrate an application from WebSphere to JBoss and want to configure the keystore and truststore in JBoss. WebSphere includes the CA certificates for the client in trust.p12, and the application has its own certificates stored in a .jks file.
  • In JBoss EAP 5 we used to pass -Dtomcat.https.clientAuth=true to enable mutual authentication on the JBoss side. Also, from Tomcat: "Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection." How can I do the same on JBoss EAP 6.4.0 after upgrading to it?
  • How to make sure mutual authentication is configured and working?

Resolution

Make sure you have completed the necessary prerequisites and have properly set up the keystore (the server's certificate and private key) and the truststore (the CA certificates that issued the client certificates)[1].

JBoss EAP 5.x

  • Configuring $JBOSS_HOME/server/PROFILE/deploy/jbossweb.sar/server.xml:
    • Place the created keystore.jks file under the $JBOSS_HOME/server/PROFILE/conf/ directory
    • Place the created truststore.jks file under the $JBOSS_HOME/server/PROFILE/conf/ directory
    • Add (or replace) the HTTPS connector; clientAuth="true" is what makes the handshake require a client certificate chain:
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="true"
               keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
               keystorePass="password"
               truststoreFile="${jboss.server.home.dir}/conf/truststore.jks"
               truststorePass="password" />
    • keystorePass and truststorePass are stored in clear text in server.xml, so restrict read access to that file (and to the .jks files) to the account that runs JBoss.

JBoss EAP 6.x

  • Configuring $JBOSS_HOME/[standalone|domain]/configuration/[standalone.xml|domain.xml]:
    • Place the created keystore.jks file under the $JBOSS_HOME/[standalone|domain]/configuration/ directory
    • Place the created truststore.jks file under the $JBOSS_HOME/[standalone|domain]/configuration/ directory
  • In the web subsystem configure another connector that resembles the following[2]. Here key-alias is the alias of the server's key pair inside keystore.jks, certificate-key-file is the keystore, ca-certificate-file is the truststore, and verify-client="true" is the EAP 6 equivalent of the EAP 5 clientAuth="true" (and of -Dtomcat.https.clientAuth=true):
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https">
        <ssl name="ssl" key-alias="jboss" password="password" ca-certificate-password="password"
             certificate-key-file="${jboss.server.config.dir}/keystore.jks"
             ca-certificate-file="${jboss.server.config.dir}/truststore.jks"
             verify-client="true"/>
    </connector>

For a domain install, replace ${jboss.server.config.dir} with ${jboss.domain.config.dir} and add the connector to the profile used by the server-group. The password and ca-certificate-password values can be masked with the EAP 6 password vault instead of being kept in clear text in the configuration file.

Remember to Start/Restart the server after making the SSL configuration.

Please see the following link for information on setting up one way SSL with JBoss.


  1. https://access.redhat.com/knowledge/solutions/202263 can also be used to set up the truststore.

  2. The connector can also be configured using the jboss-cli.

Diagnostic Steps

You can test the SSL configuration[1] with your browser: simply browse to https://localhost:8443/ or https://HOSTNAME:8443/.

  • Keep in mind that you need to import the client certificate and its private key into the browser, which usually means converting the client's JKS keystore to a PKCS12 file. The certificate must have been issued by a CA that is present in truststore.jks, otherwise the server will reject the handshake.
    keytool -importkeystore -srckeystore identity.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore browser_key.p12

    Enter destination keystore password:  
    Re-enter new password: 
    Enter source keystore password:  
    Entry for alias mykey successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
  • If the server certificate is self-signed or not issued by a CA the browser trusts, the browser will ask you to add an exception; after that it should take you to your JBoss server. If the server does not receive an acceptable client certificate, the connection fails during the handshake instead.

  • The verify-client attribute of the ssl element specifies the mutual authentication behaviour:

    • Set to true to require a valid certificate chain from the client before
      accepting a connection; the handshake fails if none is presented.
    • Set to want if you want the SSL stack to request a client certificate,
      but not fail if one is not presented; the application then has to check
      whether a certificate arrived.
    • Set to false (the default) to not require a certificate chain unless the
      client requests a resource protected by a security constraint that
      uses CLIENT-CERT authentication.

    The attribute description can be read from the management model (the connector name, https here, must match the name attribute of your connector; names are case-sensitive):
    /profile=default/subsystem=web/connector=https/ssl=configuration/:read-resource-description
  • Command to enable mutual authentication:
    /profile=default/subsystem=web/connector=https/ssl=configuration/:write-attribute(name=verify-client,value=true)

Note: Change the profile name to the one you wish to configure for a managed domain, or omit the /profile=default portion of the command for a standalone server. The connector is reloaded on the next server restart.
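The three verify-client values above differ in what reaches the application: with true the client chain is always present, with want it may be missing, and with false it is missing unless a CLIENT-CERT constraint forced it. The servlet below is an added example (not part of this solution or of JBoss EAP) that exposes this on the server side, so you can confirm which certificate the connector actually negotiated. It uses only the standard Servlet 3.0 request attributes javax.servlet.request.X509Certificate and javax.servlet.request.cipher_suite; the /whoami path and class name are assumptions. On EAP 5 (Servlet 2.5) the @WebServlet annotation is not available and the mapping has to go in web.xml instead.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Reports what the HTTPS connector negotiated for the current request.
 * Example servlet, not shipped with JBoss EAP; the "/whoami" mapping is an assumption.
 *
 * With verify-client="true" the client chain is always present here.
 * With verify-client="want" it may be null (the client declined to send one).
 * With verify-client="false" it is null unless a CLIENT-CERT security
 * constraint made the container ask for it.
 */
@WebServlet("/whoami")
public class ClientCertServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // Request arrived over the plain HTTP connector, not the SSL one.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "not a TLS connection");
            return;
        }

        // Standard Servlet attribute populated by the container from the TLS handshake.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            // Only reachable when verify-client is "want" or "false":
            // with "true" the handshake would already have failed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate presented");
            return;
        }

        // chain[0] is the client's end-entity certificate; the rest is its issuer chain.
        X509Certificate client = chain[0];
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("cipher suite:   " + req.getAttribute("javax.servlet.request.cipher_suite"));
        out.println("client subject: " + client.getSubjectX500Principal().getName());
        out.println("issuer:         " + client.getIssuerX500Principal().getName());
        out.println("serial (hex):   " + client.getSerialNumber().toString(16));
        out.println("not after:      " + client.getNotAfter());
        out.println("chain length:   " + chain.length);
    }
}
```

Deploy it in a test WAR and request https://HOSTNAME:8443/<context>/whoami from the browser after importing browser_key.p12: a 200 response listing the client subject proves the connector received and validated the certificate, while a 401 means the connector accepted the connection without one (verify-client is not true).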


  1. You can also test the SSL configuration using a stand-alone Java client. For two-way SSL the client must present its own certificate, so it needs both its identity keystore and a truststore containing the server's CA, for example -Djavax.net.ssl.keyStore=/certs/identity.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=password. Omitting the keyStore properties against a connector with verify-client="true" should make the handshake fail, which is a useful negative check.
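The footnote's system-property approach sets one keystore for the whole JVM, which is exactly what the question about configuring a specific server/JVM without javax.net.ssl.keyStore asks to avoid. The client below is an added example (not from this solution or from Red Hat) that loads the keystore and truststore explicitly into a private SSLContext and then performs both the positive and the negative check from the footnote: one connection with the client identity, one without. Hostname, file paths, passwords and the class name are assumptions; the URL host must match the server certificate, because HttpsURLConnection verifies it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Verifies a two-way SSL connector without touching the javax.net.ssl.* system
 * properties: keystore and truststore are wired into a dedicated SSLContext, so
 * nothing else in the JVM is affected. Example code, not part of JBoss EAP.
 *
 * Usage (all paths and passwords are assumptions for this example):
 *   java MutualTlsCheck https://HOSTNAME:8443/ /certs/identity.jks password /certs/truststore.jks password
 */
public class MutualTlsCheck {

    /** Load a JKS keystore from disk (use "PKCS12" for a .p12 file). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build an SSLContext from an optional client identity plus the truststore. */
    static SSLContext context(KeyStore identity, char[] keyPassword, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = null;
        if (identity != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, keyPassword);          // private key password, here same as store
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                               // trust only the CAs in truststore.jks
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns the HTTP status code, or -1 if the server rejected the TLS handshake. */
    static int probe(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        try {
            int status = conn.getResponseCode();     // triggers the handshake and the request
            X509Certificate server = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("  server certificate: " + server.getSubjectX500Principal());
            return status;
        } catch (SSLException e) {
            // JBoss Web sends a TLS alert when a required client certificate is missing.
            System.out.println("  handshake rejected: " + e.getMessage());
            return -1;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: MutualTlsCheck <url> <keystore> <keystorePass> <truststore> <truststorePass>");
            System.exit(2);
        }
        URL url = new URL(args[0]);
        char[] keyPass = args[2].toCharArray();
        KeyStore identity = load(args[1], keyPass);
        KeyStore trust = load(args[3], args[4].toCharArray());

        System.out.println("1) with client certificate (must succeed):");
        int withCert = probe(url, context(identity, keyPass, trust));

        System.out.println("2) without client certificate (must fail when verify-client=\"true\"):");
        int withoutCert = probe(url, context(null, null, trust));

        if (withCert < 0 || withoutCert >= 0) {
            System.out.println("FAIL: mutual authentication is not enforced as expected "
                    + "(with=" + withCert + ", without=" + withoutCert + ")");
            System.exit(1);
        }
        System.out.println("OK: server requires and accepts the client certificate");
    }
}
```

If the second probe succeeds, the connector is running with verify-client set to want or false and is not enforcing mutual authentication; if the first probe fails, check that the issuer of the client certificate is in truststore.jks and that the server certificate's issuer is in the client's truststore.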

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
