Configuring JBoss 3.2.5 With A Real (CA-signed) SSL Certificate
1) Create a keystore as well as a certificate-key pair using the following command:
$JAVA_HOME\jre\bin\keytool -genkey -keystore [keystore_filename]
-storepass [keystore_password] -keypass [keystore_password] -keyalg RSA
-validity 365 -alias [alias_name] -dname
"cn=[fully_qualified_DNS_name_of_server], OU=[department_name],
O=[company_name], ST=[complete_state_or_province_name], C=[two-letter_country_code]"
note: the quotes are required. -storepass and -keypass should be the same. Make sure you get the fully_qualified_DNS_name_of_server exactly right: it must match the host name users type into the browser, otherwise the browser will warn about a name mismatch in step 9. The two-letter_country_code should be the two-letter code for the country. You can get the IANA-provided two-letter TLD codes for all countries here: http://www.iana.org/root-whois/index.html. IANA is the Internet Assigned Names Authority. TLD = Top Level Domain.
2) Create a Certificate Signing Request (CSR) for the certificate in the certificate-key pair you just created with the following command:
$JAVA_HOME\jre\bin\keytool -certreq -keystore
[full_path_to_the_keystore_filename] -alias [alias_name] -storepass
[keystore_password] -keypass [keystore_password] -keyalg RSA -file
[filename_for_the_CSR]
3) Get the customer's IT person in charge of the customer's SSL certificates to log in to their Certificate Authority's website and request that the Certificate Authority sign the new certificate with its own certificate. Copy-paste the contents of the [filename_for_the_CSR]. It'll look like gobbledygook. The Certificate Authority can be VeriSign, Entrust, Thawte or any other.
4) Get the customer's IT person in charge of the customer's SSL certificates to forward you the response from the Certificate Authority. If it is in the body of an e-mail, copy-paste the contents (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a text file and save it as "All Files" under any filename, like CA_signed_cert.cer.
5) Import the CA-signed certificate back into your keystore with the following command:
$JAVA_HOME\jre\bin\keytool -import -trustcacerts -keystore
[keystore_filename] -storepass [keystore_password] -alias [alias_name]
-keypass [keystore_password] -file [filename_for_the_CA_signed_cert]
If you fail to add the -trustcacerts parameter, you will get a "failed to establish chain from reply" error. This is because the file cacerts in $JAVA_HOME\jre\lib\security\ contains the public certificates of all the popular CAs like VeriSign, Entrust and Thawte, and keytool only accepts the reply if it can build a chain from it to a trusted CA certificate. To list the contents of the cacerts file (to verify that your CA is listed there), use the following command:
$JAVA_HOME\jre\bin\keytool -list -keystore $JAVA_HOME\jre\lib\security\cacerts -storepass changeit
6) Copy the keystore file to $JBOSS_HOME\conf\
7) Edit server.xml in $JBOSS_HOME\server\all\deploy\jbossweb-tomcat50.sar\ to point the SSL/TLS Connector to the new keystore file like this:
keystoreFile="${jboss.server.home.dir}/conf/[keystore_filename]"
8) Restart JBoss.
9) Access it with the URL https://[fully_qualified_DNS_name_of_server]:8443. It should work and there should be no warning dialogs.
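The keytool part of the procedure (steps 1, 2 and 5) run end to end, as an added example that is not part of the original guide. It is written for a POSIX shell (the guide's commands use Windows path separators and a Windows-style $JAVA_HOME layout), assumes keytool and openssl are on PATH, and uses a throwaway local CA created with openssl as a stand-in for the customer's real Certificate Authority in steps 3 and 4. The host name, passwords, DN fields, alias and file names are constructed for the demo. It goes one step beyond the guide in two places: it checks that the CA's reply carries the public key of the key pair in the keystore before importing it, and it has the stand-in CA add a subjectAltName, which current browsers require in addition to the CN for the "no warning dialogs" result of step 9. Because the test CA is not in cacerts, the script also shows what to do in the "failed to establish chain from reply" situation: import the CA's own certificate as a trusted entry first.

```shell
#!/bin/sh
# Added example (not from the original guide): keytool steps 1, 2 and 5 run
# against a local openssl test CA that stands in for the real CA.
# Host name, passwords, DN fields, alias and file names are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}          # scratch directory; all files land here
HOST=${HOST:-jboss.example.test}    # constructed fully_qualified_DNS_name_of_server
ALIAS=jbossssl                      # alias_name
STOREPASS=exampleStorePass          # keystore_password (keypass is the same, as the guide says)
KEYSTORE="$WORK/jboss.keystore"     # keystore_filename

# Step 1 + 2: key pair in a fresh keystore, then a CSR for it.
make_keystore_and_csr() {
  keytool -genkey -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -keyalg RSA -keysize 2048 \
    -validity 365 -alias "$ALIAS" \
    -dname "CN=$HOST, OU=IT, O=Example Corp, ST=Ontario, C=CA"
  keytool -certreq -keystore "$KEYSTORE" -alias "$ALIAS" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -file "$WORK/jboss.csr"
}

# Step 3 + 4 stand-in: a local test CA signs the CSR. A real CA does this for you.
# The subjectAltName is added because current browsers ignore the CN and require it.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/testca.key" -out "$WORK/testca.pem" \
    -subj "/CN=Example Test CA/O=Example Corp/C=CA" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/jboss.csr" \
    -CA "$WORK/testca.pem" -CAkey "$WORK/testca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/CA_signed_cert.cer" 2>/dev/null
}

# Check before importing: the reply must carry the public key of OUR key pair.
# Exports the current (self-signed) certificate and compares public keys.
reply_matches_our_key() {
  keytool -exportcert -rfc -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$WORK/selfsigned.pem"
  ours=$(openssl x509 -in "$WORK/selfsigned.pem" -pubkey -noout)
  reply=$(openssl x509 -in "$WORK/CA_signed_cert.cer" -pubkey -noout)
  [ "$ours" = "$reply" ]
}

# Step 5: import the reply. keytool only accepts it if it can build a chain to a
# trusted certificate, looked up in cacerts (-trustcacerts) or among the trusted
# entries of this keystore. Our test CA is in neither, which is exactly the
# "failed to establish chain from reply" case, so its certificate goes in first
# under its own alias. With a public CA already in cacerts, -trustcacerts is enough.
import_signed_cert() {
  keytool -import -noprompt -trustcacerts -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -alias testca -file "$WORK/testca.pem"
  keytool -import -noprompt -trustcacerts -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias "$ALIAS" \
    -file "$WORK/CA_signed_cert.cer"
}

# Verification helpers: after the import the entry holds a two-certificate chain
# (server certificate + CA) and the CN is the server's DNS name.
chain_length() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | sed -n 's/^Certificate chain length: *//p'
}
cert_cn() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | sed -n '/^Owner:/{s/.*CN=\([^,]*\).*/\1/p;q;}'
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  make_keystore_and_csr
  sign_with_test_ca
  reply_matches_our_key
  import_signed_cert
  echo "chain length: $(chain_length), CN: $(cert_cn), keystore: $KEYSTORE"
else
  echo "keytool and openssl are required; nothing done" >&2
fi
```

The resulting keystore is what step 6 copies into $JBOSS_HOME\conf\; chain_length printing 2 and cert_cn printing the server's DNS name is the state the guide's step 9 relies on. If the real CA sends an intermediate certificate along with the server certificate, import it the same way as testca above (under its own alias, before the reply), or the chain will again fail to establish.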