HOWTO Configure JBoss for HTTPS
This HOWTO walks you through the HTTPS configuration using a self-signed certificate on a JBoss server.
It was tested on JBoss EAP 4.3 but should work on other versions. Tomcat users should refer to the excellent instructions contained in the CAS Demo. To install a certificate from a recognized certificate authority you will need to modify these steps slightly.
Self-signed certificate on JBoss:
- The instructions assume a virgin jBoss install.
- Identify the hostname for the computer hosting the server. I.e.: myHostname for these instructions
- Identify the jBoss server type (all, default, production). I.e.: default for these instructions
- jBoss recommends using the same file as both keystore and truststore. This will be server.keystore. In a virgin install there should be no server.keystore in the default/conf folder. If you have one, you must decide whether to delete it (to use these instructions) or whether to adapt the instructions to suit your situation.
- Creating the keystore and private key:
- Open a command prompt or shell and go to the default/conf folder.
- keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore
- Answer the prompts. Use myHostname when asked for first/last name. This is critical.
- server.keystore is generated.
- keytool -list -keystore server.keystore
- You should see the PrivateKeyEntry named jbosskey in the listing.
- Generating and storing the certificate.
- keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore
- server.crt is generated.
- keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore
- You receive a warning that it already exists in the keystore. Ignore it. This is because Java expects separate keystore and truststore files and we are using only one.
- keytool -list -keystore server.keystore
- You should see a TrustedCertEntry named jbosscert in the listing.
- Ensure that you start the server with:
- -c default -b 0.0.0.0 -Djavax.net.ssl.trustStore="<C:/yourServerLocation>/server/default/conf/server.keystore"
- Where -c specifies your server type
- Where -b is required to use the server as anything but localhost: use a server name if you only have 1 network card, or 0.0.0.0 if you have multiple network cards
- -Djavax.net.ssl.trustStore specifies the location of your truststore.
- In Windows you may place these parameters in a shortcut you use to execute run.bat.
- In Unix you may place them in your startup script.
- In Eclipse, RAD or any other Eclipse-derivative your best bet is to use the jBossTools plugin.
- Go to the jBossServer view
- Double-click on the server
- Verify that your hostname is set to myHostname
- Click OpenLaunchConfiguration
- Add the parameters above to the program arguments.
- Enable jBoss' Tomcat for HTTPS:
- Edit "<C:/yourServerLocation>/server/default/deploy/jboss-web.deployer/server.xml"
- Uncomment the section that begins with <Connector port="8443"
- At the end of the section (but still inside of it) add:
- keystoreFile="/conf/server.keystore"
- keystorePass="changeit"
- Post-setup tests:
- All of these tests should succeed. If they fail, you probably made a mistake in the previous steps. Your browser will warn you about untrusted sites/certificates - this is OK, you are using a self-signed certificate. If you want to get rid of the warnings you must get a certificate from a certificate authority.
- Vanilla access to jBoss' home page: _http://myHostname:8080_
- HTTPS access to jBoss' home page: _https://myHostname:8443_
- Vanilla access to a non-CAS application: _http://myHostname:8080/myApp_
- HTTPS access to a non-CAS application: https://myHostname:8443/myApp
- Vanilla access to CAS:
- Access a CAS-enabled application:
- _http://myCAS-enabledApp_
- Unprotected pages should be accessible without going to CAS.
- You should be redirected to the CAS login the first time you access a protected page. After the login you should reach the page.
- Subsequent accesses to protected pages should not redirect you to the CAS login unless you time out or close your browser.
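If the HTTPS tests fail, the server.xml edit from "Enable jBoss' Tomcat for HTTPS" is the first thing to check. The script below is an added example, not part of the original HOWTO or of JBoss: it parses server.xml and reports whether the 8443 Connector is still commented out, lacks the keystore attributes, or still uses the default password. The function name and the three sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not copied from a real JBoss install).
# 1) The Connector is still inside an XML comment.
COMMENTED = """<Server><Service name="jboss.web">
  <!-- <Connector port="8443" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLS"/> -->
</Service></Server>"""

# 2) Uncommented, but the keystore attributes were never added inside the tag.
NO_KEYSTORE = """<Server><Service name="jboss.web">
  <Connector port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

# 3) Edited as this HOWTO describes, with the values it uses.
AS_IN_HOWTO = """<Server><Service name="jboss.web">
  <Connector port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/conf/server.keystore"
             keystorePass="changeit"/>
</Service></Server>"""


def check_https_connector(server_xml, port="8443"):
    """Return a list of findings for the HTTPS Connector; empty means none."""
    # ElementTree drops XML comments, so a commented-out Connector is not found.
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no active Connector on port {port} (still commented out?)"]
    conn = connectors[0]
    findings = []
    for attr in ("keystoreFile", "keystorePass"):
        if not conn.get(attr):
            findings.append(f"{attr} missing: it must be inside the <Connector> tag")
    if conn.get("scheme") != "https" or conn.get("secure") != "true":
        findings.append('scheme="https" and secure="true" expected on this Connector')
    if conn.get("keystorePass") == "changeit":
        findings.append("keystorePass is the well-known default 'changeit'")
    return findings


if __name__ == "__main__":
    samples = {"commented": COMMENTED, "no keystore": NO_KEYSTORE, "howto": AS_IN_HOWTO}
    for name, doc in samples.items():
        print(name, "->", check_https_connector(doc) or "no findings")
```

To check a real install, pass the contents of server/default/deploy/jboss-web.deployer/server.xml to check_https_connector.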
 Certificate from a Certificate Authority (CA):
 Needed. Please consider contributing it if you tweak these instructions to install a certificate from a CA.