If you are developing a Java web application, you should consider deploying it on the open source JBoss AS Java application server.
This tutorial explains how to install JBoss with SSL support on Linux.
1. Download JBoss AS 7
The current stable version of JBoss AS is 7.1.1. Download it from here.
Or, use wget to download it directly as shown below:
cd /usr/save
wget http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip
unzip jboss-as-7.1.1.Final.zip
2. Set JBOSS_HOME
I like to keep JBoss under the /home directory, and set JBOSS_HOME accordingly as shown below.
cd /usr/save
mv jboss-as-7.1.1.Final /home
export JBOSS_HOME=/home/jboss-as-7.1.1.Final
Also, make sure you add the JBOSS_HOME export to your ~/.bash_profile file.
3. Verify Java Version
You need JDK 1.6 or above to run JBoss AS 7. If you don’t have JDK installed on your system, download it from here.
On my system, I already have the JDK installed.
# java -version
java version "1.6.0_31"
..
4. Start and Stop JBoss Server
Use the standalone.sh script to start the JBoss server as shown below. Use nohup and & to run the JBoss server in the background.
# nohup sh $JBOSS_HOME/bin/standalone.sh &
After you start the JBoss server, you should be able to reach it at http://localhost:8080.
If you want to access JBoss using its IP address, you should allow JBoss AS to accept remote connections.
To shut down the JBoss server, don’t simply kill the background process. Instead, use the following jboss-cli.sh script to send the shutdown command to the JBoss server as shown below.
$JBOSS_HOME/bin/jboss-cli.sh --connect --command=:shutdown
5. Create Java Key Store
Let us create the keys required for JBoss under /usr/save/keystore
mkdir /usr/save/keystore
cd /usr/save/keystore
Use the java keytool genkey command to create the RSA keypair and self-signed certificate as shown below.
# /usr/java/jdk1.6.0_31/bin/keytool -v -genkey -alias jbosskeys -keyalg RSA -keysize 1024 \
    -keystore jbosskeys.jks -keypass SecretPwd -storepass SecretPwd -validity 365 \
    -dname "CN=localhost"
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 365 days
for: CN=localhost
6. Export and Import Certificate
Export the certificate to a crt file.
# /usr/java/jdk1.6.0_31/bin/keytool -v -export -rfc -alias jbosskeys -file localfile.crt \
    -keystore jbosskeys.jks -keypass SecretPwd -storepass SecretPwd
Certificate stored in file <localfile.crt>
Import the crt file to the keystore.
# /usr/java/jdk1.6.0_31/bin/keytool -v -import -keypass SecretPwd -noprompt -trustcacerts \
    -alias localhost -file localfile.crt -keystore cacerts.jks -storepass SecretPwd
Certificate was added to keystore
[Storing cacerts.jks]
7. Modify standalone.conf
Modify the /home/jboss-as-7.1.1.Final/bin/standalone.conf file and add the following JAVA_OPTS parameters.
JAVA_OPTS="$JAVA_OPTS \-Djavax.net.ssl.keyStorePassword=SecretPwd"
JAVA_OPTS="$JAVA_OPTS \-Djavax.net.ssl.trustStorePassword=SecretPwd"
JAVA_OPTS="$JAVA_OPTS \-Djavax.net.ssl.keyStoreType=JKS"
JAVA_OPTS="$JAVA_OPTS \-Djavax.net.ssl.trustStoreType=JKS"
JAVA_OPTS="$JAVA_OPTS \-DCLIENT_KEY_ALIAS=jbosskeys"
JAVA_OPTS="$JAVA_OPTS \-Djavax.net.ssl.keyStore=/usr/save/keystore/jbosskeys.jks"
JAVA_OPTS="$JAVA_OPTS \-Djavax.net.ssl.trustStore=/usr/save/keystore/cacerts.jks"
8. Add SSL Entries in standalone.xml
Modify the /home/jboss-as-7.1.1.Final/standalone/configuration/standalone.xml file as shown below.
First, in the standalone.xml file, add the following SSL connector information after this line:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="connect" secure="true">
    <ssl name="ssl" protocol="TLSv1" password="SecretPwd"
         certificate-key-file="/usr/save/keystore/jbosskeys.jks"
         ca-certificate-file="/usr/save/keystore/cacerts.jks"
         verify-client="true" />
</connector>
Next, in the standalone.xml file, add the following line after this line:
<socket-binding name="txn-status-manager" port="4713"/>
<socket-binding name="connect" port="8181"/>
Finally, after you restart JBoss, you should be able to access it over SSL on port 8181.
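The files edited in steps 7 and 8 can be checked mechanically for settings worth reviewing before the server is exposed: keystore passwords passed as JVM options, the cleartext password attribute, a deprecated protocol value, and mandatory client certificates. The script below is an added example, not part of the original tutorial; the function names and finding IDs are hypothetical, and the sample files are constructed from the snippets above.

```shell
#!/bin/sh
# Added example: flag reviewable settings in the two files edited in steps 7-8.

# Print the value of attribute $1 on the <ssl .../> element in file $2.
ssl_attr() {
    tr '\n' ' ' < "$2" |
        sed -n 's/.*<ssl[^>]*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p'
}

# $1 = standalone.conf, $2 = standalone.xml; prints one finding ID per line.
audit_jboss_ssl() {
    # -D options become JVM arguments, which local users can read with ps.
    grep -Eq -- '-Djavax\.net\.ssl\.(key|trust)StorePassword=' "$1" &&
        echo "CONF_PASSWORD_IN_JAVA_OPTS"
    # The keystore password is stored in cleartext in standalone.xml.
    [ -n "$(ssl_attr password "$2")" ] && echo "XML_CLEARTEXT_PASSWORD"
    # SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all formally deprecated.
    case "$(ssl_attr protocol "$2")" in
        SSLv2|SSLv3|TLSv1|TLSv1.1) echo "XML_DEPRECATED_PROTOCOL" ;;
    esac
    # verify-client="true" makes the server demand a trusted client certificate.
    [ "$(ssl_attr verify-client "$2")" = "true" ] &&
        echo "XML_CLIENT_CERT_REQUIRED"
    return 0
}

# Constructed sample input: the snippets from steps 7 and 8, trimmed.
write_samples() {
    cat > "$1/standalone.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=SecretPwd"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/usr/save/keystore/jbosskeys.jks"
EOF
    cat > "$1/standalone.xml" <<'EOF'
<connector name="https" protocol="HTTP/1.1" scheme="https"
           socket-binding="connect" secure="true">
  <ssl name="ssl" protocol="TLSv1" password="SecretPwd"
       certificate-key-file="/usr/save/keystore/jbosskeys.jks"
       verify-client="true" />
</connector>
EOF
}

# Demo run against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_jboss_ssl "$demo_dir/standalone.conf" "$demo_dir/standalone.xml"
rm -rf "$demo_dir"
```

To audit a real installation, pass $JBOSS_HOME/bin/standalone.conf and $JBOSS_HOME/standalone/configuration/standalone.xml as the two arguments to audit_jboss_ssl.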
Comments on this entry are closed.
I love Jboss, but for SSL prefer to set Apache in front of it.
There are many benefits to it, and it is pretty easy to set up mod_cluster or proxy_ajp.
Hi Ramesh,
Thank you ramesh for posting this article.
Could you please let me know how to install a basic JBOSS AS7 without SSL Support.
Regards,
Prashant
Good article. Would be nice since this is a tutorial to explain who uses JBOSS and why, so that we can learn without much googling
Good Article ….Thanks
Certificate-based authentication failed
ERR_BAD_SSL_CLIENT_AUTH_CERT
This server requires a certificate for authentication, and didn’t accept the one sent by the browser. Your certificate may have expired, or the server may not trust its issuer. You can try again with a different certificate, if you have one, or you may have to obtain a valid certificate from elsewhere.
Where do we need to add java_opts?
Please mention that.
Hi Ramesh,
That’s a very clear explanation of how to set up SSL. Being a newbie to both JBOSS and SSL, I was struggling with the SSL setup. I have my web application hosted in JBOSS. It needs to invoke 2 different web services hosted on different Tomcat servers. And only one of them requires that we send our certificate for client authentication. We don’t need mutual authentication from our end. Could you please let me know if the above configuration helps in this scenario?
Hi Ramesh, this is really helpful, but I am using Windows. I have made similar changes to standalone.conf.bat as you mentioned (replaced $ with %), but with those changes, standalone.bat is throwing an error.
Any idea?
I am using jboss7.1.1 and jdk 1.7.0_79