Friday, October 12, 2007

Setting up SSL in JBoss/Tomcat

For whatever reason, I think setting up SSL in JBoss is a major pain. It's hard to find good documentation, and the steps that are required seem over-complicated.

For now, JBoss/Tomcat only supports two keystore formats: JKS (a format Java had to invent) and PKCS12 (closer to a general standard). JKS is better supported by Java tools; PKCS12 is better supported outside Java. So it is probably painful either way. I'd recommend PKCS12.

REQUIRED TOOLS:
openssl -- for Windows users, I installed this tool under Cygwin

REQUIRED FILES:
a certificate file and its private key file; these will need to be converted into a keystore file for JBoss/Tomcat.

HOWTO:

1. Convert these two files into a PKCS12 file. This will prompt for an export password; keep it, since the same password has to go into the keystorePass setting in step 2.

openssl pkcs12 -export \
-in YOUR_CERT_FILE.cert \
-inkey YOUR_KEY_FILE.key \
-out keystore.pkcs12


2. Configure JBoss/Tomcat.

You'll need to edit this file (Tomcat 5):

jboss/server/default/deploy/jbossweb-tomcat50.sar/server.xml

and uncomment the lines that refer to SSL.
Note: by default, JBoss is configured for port 8443,
whereas HTTPS normally goes over 443, just as HTTP goes over 80.
The configured settings might look like this (keystorePass is the export password from step 1):

<Connector port="443" address="${jboss.bind.address}"
    maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/keystore.pkcs12"
    keystoreType="PKCS12" keystorePass="YOUR_EXPORT_PASSWORD" sslProtocol="TLS" />

3. Protecting the key material

Any copies of the key and cert should be owned by root:root with mode 400.

The keystore file should be readable only by the account that runs JBoss, and have no more permissions than that.


In Linux, as a security precaution built into the kernel, only the root user can bind to a port below 1024. This means that either:

A. you leave the port set at 8443. Of course, since this is not the default port, it will need to be specified in every URL; or
B. you configure the server for 443 and run the server as root (not recommended for a production server); or
C. you use iptables to redirect traffic arriving on port 443 to 8443, so JBoss keeps listening on 8443 without running as root.
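As an added check that is not part of the original post, here is a small Python audit for steps 2 and 3: it parses a server.xml Connector like the one above and flags a privileged port, an empty keystorePass, a missing keystore, and a keystore that is group- or world-readable. The `${...}` expansion helper, the finding codes, the sample server.xml and the sample password are my own assumptions and constructed inputs.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def expand(value, props):
    # Expand the ${name} placeholders used in the post's server.xml (simplified, assumed behaviour)
    for name, val in props.items():
        value = value.replace("${" + name + "}", val)
    return value

def audit_connector(server_xml, props):
    """Audit the SSL Connector(s) in server.xml. Returns [(code, message), ...]; empty means clean."""
    connectors = [c for c in ET.parse(server_xml).getroot().iter("Connector") if c.get("secure") == "true"]
    findings = [] if connectors else [("no-ssl-connector", "no secure Connector; SSL lines still commented out?")]
    for c in connectors:
        if int(c.get("port", "0")) < 1024:
            findings.append(("privileged-port", "binding below 1024 needs root; keep 8443 and redirect 443 to it"))
        if not c.get("keystorePass"):
            findings.append(("empty-keystorePass", "keystorePass is empty; use the password given to openssl pkcs12 -export"))
        ks = expand(c.get("keystoreFile", ""), props)
        if not os.path.isfile(ks):
            findings.append(("keystore-missing", f"keystoreFile {ks} does not exist"))
        elif os.stat(ks).st_mode & 0o077:  # any group or other permission bits set
            findings.append(("keystore-perms", f"{ks} is group/world accessible; chmod 400 it"))
    return findings

# Constructed server.xml fragment modelled on the post's Connector; port and password are filled per run.
SERVER_XML = """<Server><Service name="jboss.web">
<Connector port="{port}" address="${{jboss.bind.address}}" scheme="https" secure="true"
    clientAuth="false" keystoreFile="${{jboss.server.home.dir}}/conf/keystore.pkcs12"
    keystoreType="PKCS12" keystorePass="{password}" sslProtocol="TLS" />
</Service></Server>"""

def run_demo():
    """Audit the post's Connector as written (443, empty password), then the corrected version."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        ks = conf / "keystore.pkcs12"
        ks.write_bytes(b"placeholder bytes, not a real PKCS12 keystore")  # constructed stand-in
        ks.chmod(0o644)  # world-readable, as a careless copy would leave it
        xml_path = Path(tmp) / "server.xml"
        props = {"jboss.server.home.dir": tmp, "jboss.bind.address": "127.0.0.1"}
        xml_path.write_text(SERVER_XML.format(port=443, password=""))
        weak = audit_connector(xml_path, props)
        ks.chmod(0o400)  # step 3 of the post
        xml_path.write_text(SERVER_XML.format(port=8443, password="example-only"))  # constructed password
        fixed = audit_connector(xml_path, props)
    return weak, fixed
```

Point `audit_connector` at a real server.xml with `props` set to the JBoss home directory to run it against an actual deployment.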

FOR MORE EXAMPLES SEE:
http://mortbay.com/jetty/faq?s=400-Security&t=ssl
http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html
http://mail-archives.apache.org/mod_mbox/tomcat-users/200409.mbox/%3C4150BB34.3010905@ddai.net%3E
