Friday, 3 August 2012

JBoss SSL Installation Procedures

The following procedures were used to add a signed SSL certificate to JBoss for use with Higher Reach, a package developed by Jenzabar.  These instructions were developed on a Windows Server platform but should apply unchanged to Linux platforms apart from the relevant file paths.

Step 1: Create a keystore for the new SSL certificate (example cert.keystore): 

            keytool -genkey -keyalg RSA -keysize 2048 -keystore cert.keystore -alias certrsakey

Step 2: You will be prompted for a password for the keystore (be sure to record it, as you will need it in order to complete the certificate installation process):
           
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

Enter keystore password:
Re-enter new password:

Step 3: Supply server specific data needed for CSR (Enter the FQDN of the server when prompted for first and last name):

What is your first and last name?
  [Unknown]:  myserver.domain.com
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  Luthor Corp
What is the name of your City or Locality?
  [Unknown]:  Metropolis
What is the name of your State or Province?
  [Unknown]:  Kansas
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=myserver.domain.com, OU=IT, O=Luthor Corp, L=Metropolis, ST=Kansas,
C=US correct?
  [no]: yes

Step 4: Once again you will be prompted for a password.  YOU MUST USE THE SAME PASSWORD AS PREVIOUSLY SELECTED:

Enter key password for <certrsakey>
        (RETURN if same as keystore password):
Re-enter new password:

Step 5: Create the CSR file to submit to Verisign or another SSL provider:

            keytool -certreq -keyalg RSA -file cert.csr -keystore cert.keystore -alias certrsakey

Step 6: Perform the certificate order or renewal process at Verisign.  Once you receive the cert.cer file, save it on the server in the same directory as your keystore file, for example C:/ssl_certs/cert.cer

Step 7: Download the primary and secondary intermediate certificates from Verisign and save them as primaryinter.cer and secondaryinter.cer respectively. As of this writing the intermediate certificates can be retrieved from

Step 8: Import the primary intermediate certificate into the keystore (you will be prompted for the keystore password):

            keytool -import -trustcacerts -alias primaryIntermediate -keystore cert.keystore -file primaryinter.cer

Step 9: Import the secondary intermediate certificate into the keystore (you will be prompted for the keystore password):

            keytool -import -trustcacerts -alias secondaryIntermediate -keystore cert.keystore -file secondaryinter.cer

Step 10: Import the ssl certificate sent by Verisign (you will be prompted for the keystore password):

            keytool -import -trustcacerts -alias certrsakey -keystore cert.keystore -file cert.cer

Step 11: [optional] Verify that the keystore contains all the certificates with the following command:

            keytool -list -v -keystore cert.keystore >test.txt

Verify the following information:

- The SSL certificate is imported into the alias whose "Entry Type" is PrivateKeyEntry or KeyEntry (certrsakey above).  If not, import the certificate into the private key alias.

- The Certificate chain length is 4.
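As an added example (not part of the original procedure), the following Python script applies the step 11 checks to the text saved in test.txt: it parses the `keytool -list -v` listing and reports whether the certrsakey alias is a private key entry, whether its chain length is 4, and whether its leaf certificate's CN is the FQDN entered in step 3. The listing embedded below is a constructed, abbreviated sample; the CA names in it are placeholders.

```python
# Constructed, abbreviated sample of `keytool -list -v -keystore cert.keystore` output.
GOOD_LISTING = """\
Alias name: certrsakey
Entry type: PrivateKeyEntry
Certificate chain length: 4
Owner: CN=myserver.domain.com, OU=IT, O=Luthor Corp, L=Metropolis, ST=Kansas, C=US
Owner: CN=Example Secondary Intermediate CA, O=Example CA
Owner: CN=Example Primary Intermediate CA, O=Example CA
Owner: CN=Example Root CA, O=Example CA
Alias name: primaryintermediate
Entry type: trustedCertEntry
Owner: CN=Example Primary Intermediate CA, O=Example CA
Alias name: secondaryintermediate
Entry type: trustedCertEntry
Owner: CN=Example Secondary Intermediate CA, O=Example CA
"""

def parse_listing(text):
    """Map each alias (keytool prints them lower-cased) to its entry type, chain length and owner DNs."""
    entries, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Alias name":
            cur = entries.setdefault(value.lower(), {"type": None, "chain": None, "owners": []})
        elif cur is None:
            continue  # header lines before the first alias
        elif key == "Entry type":
            cur["type"] = value
        elif key == "Certificate chain length":
            cur["chain"] = int(value)
        elif key == "Owner":
            cur["owners"].append(value)  # first Owner under an alias is the leaf cert
    return entries

def check_keystore(text, key_alias="certrsakey", fqdn="myserver.domain.com", chain_len=4):
    """Return a list of problems; an empty list means the step 11 checks pass."""
    entry = parse_listing(text).get(key_alias.lower())
    if entry is None:
        return [f"alias {key_alias} not found in keystore"]
    problems = []
    if (entry["type"] or "").lower() not in ("privatekeyentry", "keyentry"):
        problems.append(f"{key_alias}: entry type {entry['type']} is not a private key entry")
    if entry["chain"] != chain_len:
        problems.append(f"{key_alias}: certificate chain length is {entry['chain']}, expected {chain_len}")
    leaf_names = [p.strip() for p in (entry["owners"] or [""])[0].split(",")]
    if f"CN={fqdn}" not in leaf_names:
        problems.append(f"{key_alias}: leaf certificate CN does not match {fqdn}")
    return problems
```

On a real server call check_keystore(open("test.txt").read()) on the file produced in step 11; an empty list means the keystore is ready for step 12.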

Step 12: Modify JBoss to use the new keystore and key password by editing C:\jboss-5.1.0\server\dirname\deploy\jbossweb.sar\server.xml (replace dirname with the appropriate folder name for your installation).  The relevant sections are below:

      <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
      <Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="C:/ssl_certs/cert.keystore"
           keystorePass="Password you selected in step 4" sslProtocol="TLS" />

<!--
<ssl password="changeit" key-alias="tomcat"
                    certificate-key-file="/path/to/keystore.p12"
                    verify-client="true"
                    ca-certificate-file="/path/to/truststore.jks"
                    ca-certificate-password="changeit"
                    keystore-type="PKCS12" truststore-type="JKS" />
-->

Step 13: Restart JBoss using the Windows Services utility.  Note: it takes a few minutes for the web component to restart, so do not panic if you get a "can't connect to site" error while browsing to https://myserver.domain.com:8443/

=====================
OTHER USEFUL COMMANDS
=====================

• Delete a certificate from a Java Keytool keystore

keytool -delete -alias [alias name] -keystore [keystore name]
