If you plan to use the Apache Portable Runtime for Tomcat/JBoss with SSL, you have to use the OpenSSL cryptographic library to create the server’s private key, and if needed, a self-signed certificate.
1) Download OpenSSL for Windows. Choose the zip file for “Binaries”. Unzip it to your Programs folder.
2) Create a configuration file (openssl.cnf) for OpenSSL and save it in the OpenSSL folder. You can use this sample.
3) Create a private key for the server. From a command prompt, change directory to the \bin folder of OpenSSL and run a command such as this:
openssl genrsa -out C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem 1024
The command creates a 1,024-bit RSA private key and saves it in the file rsa-private-key.pem. Note that 1,024-bit RSA keys are no longer considered adequate for production use; where the platform allows it, generate a longer key.
Verify the private key with the command:
openssl rsa -check -in C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem
4) Create a self-signed certificate valid for 10 years. Use a command such as this:
openssl req -config C:\Programs\openssl-0.9.8h-1-bin\openssl.cnf -new -x509 -nodes -sha1 -days 3650 -key C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem -out C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem
You will be prompted for several values. The most important one is the full DNS name of the server (e.g. server.company.com), which becomes the certificate's Common Name. The -nodes argument tells openssl req not to encrypt the private key with a passphrase.
Once complete, verify the self-signed certificate with a command such as this:
openssl x509 -noout -subject -issuer -enddate -in C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem
In the output:
- the “subject” field’s value should be the full name of the server
- the “issuer” field’s value should also be the full name of the server since this is a self-signed certificate
- the “notAfter” field’s value will be the expiry date of the certificate (10 years from the date of its creation)
More OpenSSL commands are available here.
5) Edit %JBOSS_HOME%\server\<jboss_configuration_name>\deploy\jboss-web.deployer\server.xml
6) Make sure that the APR Listener’s SSLEngine attribute is set to “on”
7) Uncomment the SSL HTTP/1.1 Connector
8) Change the protocol to org.apache.coyote.http11.Http11AprProtocol
9) Add two additional attributes to the Connector, SSLCertificateKeyFile and SSLCertificateFile (these paths would be different for you).
10) Save server.xml and restart JBoss
11) Make sure that you can now connect to the LiveCycle AdminUI https://server.company.com:8443/adminui
The browser will complain about the fact this is a self-signed certificate.
Test connecting to the server using SSL from a command line with this command:
openssl s_client -showcerts -connect server.company.com:8443
Ctrl-C will terminate the connection and return you to the command prompt.
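As an added illustration of steps 5 through 9 (not taken from the original post), this is what the relevant part of server.xml looks like once edited. The file paths are the ones used in the commands above; the attributes other than SSLCertificateFile and SSLCertificateKeyFile are assumed to be those of the stock commented-out SSL connector that ships with Tomcat 6 (the version bundled with JBoss 4.2.1).

```xml
<!-- APR lifecycle listener: SSLEngine must be "on" or the APR connector will not serve TLS -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- SSL HTTP/1.1 Connector, uncommented and switched to the APR protocol.
     Port 8443 matches the AdminUI URL above; SSLEnabled, maxThreads, scheme,
     secure, clientAuth and sslProtocol are assumed to be the defaults already
     present in the commented-out connector. The two SSLCertificate* attributes
     are the ones added in step 9 and point at the files produced by OpenSSL. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           SSLCertificateFile="C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem"
           SSLCertificateKeyFile="C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem" />
```

If JBoss fails to start after this change, the server log will show whether the APR native library was not found or whether one of the two certificate paths could not be opened, which are the two most common causes.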