How do I setup SSL with mutual authentication between Apache and JBoss using mod_proxy?


Environment

  • JBoss Enterprise Application Platform (EAP)
    • 4.x
    • 5.x
  • JBoss Enterprise Web Server (EWS)
    • 1.x
  • Apache
    • 2.2.x

Issue

  • How do I setup SSL with mutual authentication between Apache and JBoss using mod_proxy?

Resolution

JBoss configuration:

  <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true"
       keystoreFile="/home/dehort/dev/tickets/612163_ssl_multiple_domains/PROXY_TEST/jboss.keystore"
       keystorePass="123456"
       truststoreFile="/home/dehort/dev/tickets/612163_ssl_multiple_domains/PROXY_TEST/jboss.truststore"
       truststorePass="123456"
       clientAuth="true"
       sslProtocol="TLS" />
  • keystore - the public/private key pair (server certificate) used by JBoss
  • truststore - the public key (certificate) of the "proxy side" of the Apache server, i.e. the cert used in SSLProxyMachineCertificateFile
  • clientAuth - tells JBoss to require a trusted client certificate on every connection

Apache configuration:

SSLProxyEngine On
SSLProxyVerify On
SSLProxyCACertificateFile certs/jboss_cert.pem
SSLProxyMachineCertificateFile certs/apache_proxy.pem
ProxyRequests Off
ProxyPass / https://192.168.1.2:8443/
ProxyPassReverse / https://192.168.1.2:8443/
  • SSLProxyCACertificateFile - either the cert of the JBoss server itself (when using self-signed certs) or the CA cert that signed the JBoss cert; Apache verifies the backend certificate against it
  • SSLProxyMachineCertificateFile - the proxy's private key and certificate, PEM formatted and concatenated into one file; this is the certificate that must be in the JBoss truststore
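The two sides have to agree: clientAuth="true" on JBoss only works if Apache presents an SSLProxyMachineCertificateFile, SSLProxyVerify needs an SSLProxyCACertificateFile, and ProxyPass must target the https connector port. The following consistency check over both snippets is an added example, not part of the original solution; the sample inputs are constructed from the configuration above with the keystore paths shortened.

```python
import re
import xml.etree.ElementTree as ET

JBOSS_CONNECTOR = """<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
    scheme="https" secure="true" keystoreFile="conf/jboss.keystore" keystorePass="123456"
    truststoreFile="conf/jboss.truststore" truststorePass="123456"
    clientAuth="true" sslProtocol="TLS" />"""  # constructed sample of the connector above, paths shortened

APACHE_CONF = """SSLProxyEngine On
SSLProxyVerify On
SSLProxyCACertificateFile certs/jboss_cert.pem
SSLProxyMachineCertificateFile certs/apache_proxy.pem
ProxyRequests Off
ProxyPass / https://192.168.1.2:8443/
ProxyPassReverse / https://192.168.1.2:8443/"""  # constructed sample of the Apache config above

def parse_apache(conf):
    """Map each directive name (lower-cased) to its argument string; '#' comments are ignored."""
    directives = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()
    return directives

def check_mutual_tls(connector_xml, apache_conf):
    """Return a list of findings; an empty list means the JBoss and Apache sides agree."""
    c = ET.fromstring(connector_xml).attrib  # attributes of the JBoss <Connector>
    a = parse_apache(apache_conf)
    findings = []
    if c.get("clientAuth", "").lower() != "true":
        findings.append("JBoss: clientAuth is not 'true', so the proxy is never asked for a certificate")
    elif not c.get("truststoreFile"):
        findings.append("JBoss: clientAuth is on but no truststoreFile holds the proxy certificate")
    if a.get("sslproxyengine", "").lower() != "on":
        findings.append("Apache: SSLProxyEngine must be On to speak TLS to the backend")
    if a.get("sslproxyverify", "none").lower() not in ("on", "require"):
        findings.append("Apache: SSLProxyVerify does not require a valid backend certificate")
    elif not a.get("sslproxycacertificatefile"):
        findings.append("Apache: SSLProxyVerify is set but SSLProxyCACertificateFile is missing")
    if c.get("clientAuth", "").lower() == "true" and not a.get("sslproxymachinecertificatefile"):
        findings.append("Apache: backend requires a client cert but SSLProxyMachineCertificateFile is missing")
    for directive in ("proxypass", "proxypassreverse"):
        m = re.search(r"(\w+)://[^/:\s]+:(\d+)", a.get(directive, ""))
        if not m or m.group(1) != "https":
            findings.append(f"Apache: {directive} must point at an https:// backend URL")
        elif m.group(2) != c.get("port"):
            findings.append(f"Apache: {directive} port {m.group(2)} differs from connector port {c.get('port')}")
    return findings
```

Run it after editing either side; any finding names the directive or attribute to fix.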

Here is a script (build_proxy_keys.sh) that will generate the required certs, keys, keystores and truststores:

#!/bin/sh
# build_proxy_keys.sh - builds the JBoss keystore/truststore and the Apache proxy key/cert pair.
# Function definitions use POSIX syntax (the bash-only "function" keyword does not work under /bin/sh).
set -e

# Create a keystore holding a new RSA key pair under the given alias and DN.
create_keystore()
{
  KEY_FILE=$1
  ALIAS=$2
  DN=$3
  PASS=$4
  keytool -genkey -alias "$ALIAS" -keyalg RSA -keystore "$KEY_FILE" -storepass "$PASS" -keypass "$PASS" -dname "$DN"
}

# Export the certificate for an alias (DER encoded) from a keystore.
export_cert()
{
  KEY_FILE=$1
  ALIAS=$2
  EXPORT_FILE=$3
  PASS=$4
  keytool -export -alias "$ALIAS" -keystore "$KEY_FILE" -storepass "$PASS" -file "$EXPORT_FILE"
}

# Import a certificate into a keystore (creating it if needed) as a trusted entry.
import_cert()
{
  KEY_FILE=$1
  ALIAS=$2
  IMPORT_FILE=$3
  PASS=$4
  keytool -import -noprompt -alias "$ALIAS" -keystore "$KEY_FILE" -storepass "$PASS" -file "$IMPORT_FILE"
}

PASSWORD="123456"
APACHE_CN="/C=US/ST=AR/L=Somewhere/CN=apache"
JBOSS_CN="CN=localhost"
JBOSS_KEYSTORE="jboss.keystore"
JBOSS_CERT="jboss.cert"
JBOSS_KEY_ALIAS="server"
JBOSS_TRUSTSTORE="jboss.truststore"

# JBoss keystore: the server's own public/private key pair (keystoreFile in server.xml)
create_keystore "$JBOSS_KEYSTORE" "$JBOSS_KEY_ALIAS" "$JBOSS_CN" "$PASSWORD"

# Export the JBoss certificate so Apache can verify the backend (SSLProxyCACertificateFile)
export_cert "$JBOSS_KEYSTORE" "$JBOSS_KEY_ALIAS" "$JBOSS_CERT" "$PASSWORD"

echo "Add the following to server.xml"
echo "  keystoreFile=\"\${jboss.server.home.dir}/conf/$JBOSS_KEYSTORE\"
  keystorePass=\"$PASSWORD\"
  truststoreFile=\"\${jboss.server.home.dir}/conf/$JBOSS_TRUSTSTORE\"
  truststorePass=\"$PASSWORD\"
  clientAuth=\"true\""

echo "Building public/private key to be used with Apache"
# One-step alternative to the two openssl commands below:
#openssl req -x509 -subj $APACHE_CN -nodes -days 365 -newkey rsa:1024 -keyout apache_key.pem -out apache_cert.pem
openssl genrsa -out apache_key.pem 1024
openssl req -new -key apache_key.pem -x509 -subj "$APACHE_CN" -out apache_cert.pem -days 365
# SSLProxyMachineCertificateFile expects the private key and certificate concatenated in one PEM file
cat apache_key.pem apache_cert.pem > apache_proxy.pem

# JBoss truststore: the Apache proxy certificate, so clientAuth="true" accepts the proxy
import_cert "$JBOSS_TRUSTSTORE" "apache" "apache_cert.pem" "$PASSWORD"

# keytool exported DER; convert to PEM for SSLProxyCACertificateFile
openssl x509 -in "$JBOSS_CERT" -inform DER -out jboss_cert.pem -outform PEM

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.