I am converting from WebSphere 8.x to JBoss 7.1, but I am having trouble getting SSL certificates into JBoss 7.1. We utilize external vendor web services via SSL.
In WebSphere I would do this:
Add Vendor to the local WAS trust store:
Use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem.
Complete the following steps:
But in JBoss it doesn't look like there is this kind of capability. I have been playing with openssl and keytool for creating and adding certs to a keystore, and tried making changes to the standalone.xml file. I've tried so many different things that have been suggested in different search results and spent countless hours trying to figure this out.
I'm getting this error:
13:08:50,801 ERROR [org.jboss.as.controller.management-operation] Operation ("add") failed - address: ([ ("subsystem" => "web"), ("connector" => "https"), ("ssl" => "configuration") ]) - failure description: "JBAS014803: Duplicate resource [ (\"subsystem\" => \"web\"), (\"connector\" => \"https\"), (\"ssl\" => \"configuration\") ]"
Throws error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
        <ssl key-alias="vendor1.com_cert" password="secret" certificate-key-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
        <ssl key-alias="vendor2.com_cert" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
Doesn't throw error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
My question is this: How can I configure multiple SSL certs in JBoss like WebSphere does?
You will need to add system-properties for this. So basically add the following piece of code to your standalone.xml just after <extensions>....</extensions> tag:
<system-properties>
    <property name="javax.net.ssl.trustStore" value="<location of cert>"/>
</system-properties>
<location of cert> is the location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). Note that on Windows, the specified pathname must use forward slashes, /, in place of \.
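The trust store that javax.net.ssl.trustStore points at can hold every vendor's certificate under its own alias, which is what the extra <ssl> elements in the failing configuration were trying to achieve. The following is an added example, not part of the original question or answer, that builds such a store with keytool. The vendor names, file names and the password are constructed placeholders, and the "vendor" certificates are throwaway self-signed ones generated on the spot so the script runs offline.

```shell
#!/bin/sh
# Added example: one trust store holding several vendor certificates.
# STOREPASS, the vendor*.example names and all file names are constructed.
STOREPASS=changeit

# Stand-in for a certificate supplied by a vendor: a throwaway self-signed
# certificate exported as PEM. With a real vendor, use the PEM file they
# provide and confirm its fingerprint with them before trusting it.
make_sample_cert() {   # $1 = CN, $2 = output PEM file, $3 = work directory
    keytool -genkeypair -alias tmp -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=$1" -storetype JKS -keystore "$3/$1.jks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1 &&
    keytool -exportcert -alias tmp -rfc -file "$2" \
        -keystore "$3/$1.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Import one PEM certificate as a trusted entry under its own alias.
# The store file is created on the first import.
trust_cert() {         # $1 = trust store, $2 = alias, $3 = PEM file
    keytool -importcert -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Print how many trusted-certificate entries the store contains.
count_trusted() {      # $1 = trust store
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null |
        grep -c trustedCertEntry
}

# Build a store with two vendor entries and print the entry count.
build_demo_truststore() {   # $1 = work directory
    ts="$1/vendor-truststore.jks"
    for v in vendor1.example vendor2.example; do
        make_sample_cert "$v" "$1/$v.pem" "$1" &&
            trust_cert "$ts" "${v}_cert" "$1/$v.pem" || return 1
    done
    count_trusted "$ts"
}

# Run the demo when a JDK's keytool is on the PATH.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d) && build_demo_truststore "$work"
    rm -rf "$work"
fi
```

Setting javax.net.ssl.trustStore replaces the JRE's default cacerts file for the whole JVM, so any public CA the application also relies on has to be imported into the same store.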