The problem: Replace Apache-as-load-balancer with an external load balancer. Since we were using Apache to host our SSL certificate, we now need to make JBoss/Tomcat handle that functionality directly.
Problem 1: Tomcat requires its certificates in a Java "keystore", not as the freestanding X509 certificates Apache likes.
Broken solution attempt 1: Import the certificates into a keystore using Sun's keytool. The syntax is clear and obvious:
keytool -import -v -keystore my.keystore -file my.cert
Of course, the keytool -import function ONLY supports importing X509 certificates, not keys, and I don't see a clear way of doing any sort of a certificate chain... I'll worry about that later.
Place my.keystore into the jboss\server\default\conf folder, uncomment the SSL section in jboss\server\default\deploy\jbossweb-tomcat55.sar\server.xml, set the "keystoreFile" and "keystorePass" attributes for the SSL connector, and start JBoss. It starts without error, and claims to be listening on port 8443.
Internet Explorer reports "Cannot find server". Telneting in, I get SOMETHING. Not sure what that something is, since I am not quite 1337 enough to do RSA encryption in my head. Firefox is a bit more helpful, reporting that it has "no common encryption algorithms" with the server. A quick test proves that JBoss+IE and JBoss+Firefox work fine with the self-signed certificates EVERY tutorial describes, so the problem MUST be with my keystore. Probably the fact that the keystore holds a certificate, but no private key.
I look for ways to import the public key into a keystore, and discover that THERE IS NONE. This is why EVERY example involves generating a certificate and key from scratch, then exporting the request. Let me repeat that: Sun's keytool does not provide ANY way to import an existing X509 certificate and its key.
Jetty has some code for creating a Java-style keystore from a PKCS12 keystore, so if I could combine the existing certificate and key into a PKCS12 keystore, that should be useful. Fortunately, I have the openssl command-line tool available, so this was a simple matter of:
openssl pkcs12 -export -inkey my.key -in my.cert -certfile certchain.cert -out my.pkcs12
Now, I could download and compile the Jetty utility to turn this PKCS12 keystore into a "Java Keystore", but I got lazy. While pulling my hair out over the JBoss SSL documentation, I saw a "keystoreType" option. A little testing with keytool proved that the JDK tools could read a PKCS12 keystore just fine. So, I dropped this one into JBoss without translation, fired it up, and it worked fine.
HOWTO without story
1. You will need three input files, suitable for use in Apache mod_ssl:
a. my.cert, the X509 certificate file used by Apache as SSLCertificateFile.
b. my.key, the key to my.cert used by Apache as SSLCertificateKeyFile.
c. chain.cert, the certificate chain used by Apache as SSLCertificateChainFile.
2. Using openssl, build a PKCS12 keystore with the command
openssl pkcs12 -export -inkey my.key -in my.cert -certfile chain.cert -out my.pkcs12
3. Copy the file my.pkcs12 to your jboss\server\default\conf\ directory.
4. Edit your jboss\server\default\deploy\jbossweb-tomcat55.sar\server.xml
a. Uncomment the Connector element in the comment starting "SSL/TLS Connector configuration"
b. Set the port to what you want (443)
c. Change the keystoreFile from ${jboss.server.home.dir}/conf/chapter8.keystore to ${jboss.server.home.dir}/conf/my.pkcs12
d. Change the keystorePass
e. Add an attribute "keystoreType" set to "PKCS12"
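Here is an added, runnable version of step 2 (it is not from the original post): it builds the PKCS12 file with the same openssl command and then checks that the result actually carries the private key, which is the thing the keytool -import attempt could never put in the keystore. All inputs are constructed: a throwaway self-signed certificate stands in for my.cert and my.key, and the same certificate stands in for chain.cert; the export password you pass here is the value that later goes into keystorePass. It assumes only that the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds my.pkcs12 from
# Apache-style PEM files and verifies it holds a private key, not just a
# certificate. All inputs below are constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='changeit'   # constructed export password; must match keystorePass in server.xml

# Constructed stand-ins for the three Apache mod_ssl input files.
make_inputs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example.test' \
        -keyout "$WORK/my.key" -out "$WORK/my.cert" >/dev/null 2>&1
    cp "$WORK/my.cert" "$WORK/chain.cert"   # stand-in for chain.cert
}

# Step 2 of the HOWTO: key + certificate + chain into one PKCS12 keystore.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/my.key" -in "$WORK/my.cert" \
        -certfile "$WORK/chain.cert" -out "$WORK/my.pkcs12" \
        -passout "pass:$PASS"
}

# What keytool -import produces: a keystore holding the certificate only.
build_cert_only() {
    openssl pkcs12 -export -nokeys -in "$WORK/my.cert" \
        -out "$WORK/certonly.p12" -passout "pass:$PASS"
}

# Returns 0 only if the PKCS12 file at $1 contains BOTH a private key and a
# certificate. A certificate-only keystore is what makes Tomcat start cleanly
# and still fail every TLS handshake ("no common encryption algorithms").
verify_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null |
        grep -q 'BEGIN .*PRIVATE KEY' || return 1
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE' || return 1
    return 0
}

make_inputs
build_pkcs12
build_cert_only
verify_pkcs12 "$WORK/my.pkcs12" && echo "my.pkcs12: private key and chain present"
verify_pkcs12 "$WORK/certonly.p12" || echo "certonly.p12: certificate only, unusable for a connector"
```

Run verify_pkcs12 against any keystore before pointing the connector at it; a keystore that fails the check will still let JBoss start and listen, so the startup log is not a useful signal.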