javassljboss

How to configure external vendor SSL certs into JBoss 7.1


I am converting from Websphere 8.x to JBoss 7.1 but I am having trouble getting SSL certificates into JBoss 7.1. We utilize external vendor web services via SSL.

In Websphere I would do this:
Add Vendor to the local WAS trust store:
Use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem.
Complete the following steps:

  1. Log into the administrative console.
  2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.
  3. Select the appropriate outbound configuration to get to the (cell):E4GT82WNode03Cell:(node):E4GT82WNode03 management scope.
  4. Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
  5. Under Additional Properties, click Signer certificates and Retrieve From Port.
  6. In the Host field, enter services.vendor.com in the host name field, enter 443 in the Port field, and services.vendor.com_cert in the Alias field.
  7. Click Retrieve Signer Information.
  8. Verify that the certificate information is for a certificate that you can trust.
  9. Click Apply and Save.

But in JBoss it doesn't look like there is this kind of capability. I have been playing with openssl, keytool for creating, adding certs to a keystore and tried making changes to the standalone.xml file. I've tried so many different things that have been suggested on different search results I've tried and spent countless hours trying to figure this out.

I'm getting this error:

13:08:50,801 ERROR [org.jboss.as.controller.management-operation] Operation ("add") failed - address: ([ ("subsystem" => "web"), ("connector" => "https"), ("ssl" => "configuration") ]) - failure description: "JBAS014803: Duplicate resource [ (\"subsystem\" => \"web\"), (\"connector\" => \"https\"), (\"ssl\" => \"configuration\") ]"

Throws error:

    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
        <ssl key-alias="vendor1.com_cert" password="secret" certificate-key-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
        <ssl key-alias="vendor2.com_cert" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
      </connector>          
      <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
      </virtual-server>
    </subsystem>

Doesn't throw error:

    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
      </connector>          
      <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
         <alias name="example.com"/>
      </virtual-server>
    </subsystem>

My question is this: How can I configure multiple SSL certs in JBoss like Websphere does?


Solution

  • You will need to add system-properties for this. So basically add the following piece of code to your standalone.xml just after <extensions>....</extensions> tag:

    <system-properties>
            <property name="javax.net.ssl.trustStore" value="<location of cert>"/>
    </system-properties>
    

    <location of cert> is the location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). Note that on Windows, the specified pathname must use forward slashes, /, in place of \.