HTTPS in JBoss 6/Tomcat 6

Security is an important part of any application and, in an environment such as the Internet, web applications are especially vulnerable to attacks from outsiders or insiders on the networks in which the system is deployed. Authentication is a first level of protection against intruders, but by itself it is not sufficient to ensure security. The only way to ensure a higher level of security is to use an encryption protocol such as HTTPS. This ensures that user credentials and other sensitive data are not easily accessible to an intruder.

The configuration example uses a self-signed certificate, but if you intend to have your application exposed to the internet, then you might want to get a certificate from a CA (Certificate Authority) such as VeriSign.

To enable HTTPS using TLS, follow the steps below.

1 Creating the keystore and private key:

. In your command or terminal window, change into the JBOSS_HOME/server/default/conf directory (change ‘default’ to whatever server configuration you are currently using).
. keytool -genkey -alias jbosskey -keypass change_this -keyalg RSA -keystore server.keystore
. Answer the questions, but be sure to use your hostname when asked for first/last name (e.g. localhost).
. Notice that server.keystore is generated in the current directory.
. keytool -list -keystore server.keystore
. You should now see the PrivateKeyEntry named jbosskey in the printed list.

2 Generating and storing the certificate (self-signed)

. keytool -export -alias jbosskey -keypass change_this -file server.crt -keystore server.keystore
. Note that server.crt is generated in the current directory.
. keytool -import -alias jbosscert -keypass change_this -file server.crt -keystore server.keystore
. You will receive a warning notifying you that the certificate already exists in the keystore. Ignore it. It appears because Java expects separate keystore and truststore files and we are using only one.
. keytool -list -keystore server.keystore
. You should now see a TrustedCertEntry named jbosscert in the printed list.

3 Update server start script to include:
. -c default -b”JBOSS_HOME/server/default/conf/server.keystore”
Where -c specifies your server type
Where -b is required to use the server as anything but localhost, with a server name if you only have 1 network card, with if you have multiple network cards specifies the location of your truststore file.

. In Windows you may place these parameters in a shortcut you use to execute run.bat.
. In Unix you may place them in your startup script.
. In Eclipse, RAD or any other Eclipse derivative, your best bet is to use the jBossTools plugin.
Go to the jBossServer view
Double-click on the server
Verify that your hostname is set to myHostname
Click OpenLaunchConfiguration
Add to the program arguments.

4 Enable jBoss’ Tomcat for HTTPS:
. Edit “JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml”
. Add or uncomment the HTTPS connector so that it looks like:

      <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->

5 Test it:

The following tests should succeed. If they don’t, revisit the instructions above. The browser will warn about untrusted sites/certificates, which is expected since you are using a self-signed certificate. To get rid of the warnings, you must get a certificate from a certificate authority.

Normal access to JBoss’ home page: http://myHostname:8080
HTTPS access to JBoss’ home page: https://myHostname:8443

6 Securing web apps contexts

If a web app that you’d normally access without SSL is left unmodified then, at this stage, the application will be accessible through both HTTP and HTTPS. In some cases this is not enough, and we might need to force HTTPS on or off for a given web app.

For example, consider an EAR that deploys two WAR contexts, one for the main app at ‘/webapp’ and another for the publicly exposed REST interface at ‘/webapp/rest’.

For the webapp.war web.xml we’ll ensure that the contents are CONFIDENTIAL:

	Unsecured Context


For the webapp_rest.war web.xml we’ll ensure that the contents require no confidentiality (NONE):

	Unsecured Context
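
The two descriptors in this step can be checked statically before deployment. The following is an added example, not code from the original post: the web.xml fragments are constructed for illustration using the standard security-constraint and transport-guarantee elements, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for webapp.war (assumption: the post's own XML is not shown).
WEBAPP_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed web.xml for webapp_rest.war: same constraint, guarantee NONE.
REST_XML = WEBAPP_XML.replace("Secured", "Unsecured").replace("CONFIDENTIAL", "NONE")


def _local(tag):
    """Strip the XML namespace so the check works for any web-app version."""
    return tag.rsplit("}", 1)[-1]


def transport_guarantees(web_xml):
    """Map each constrained url-pattern to its transport-guarantee."""
    result = {}
    for node in ET.fromstring(web_xml).iter():
        if _local(node.tag) != "security-constraint":
            continue
        guarantee, patterns = "NONE", []  # no user-data-constraint means NONE
        for child in node.iter():
            if _local(child.tag) == "transport-guarantee":
                guarantee = (child.text or "").strip().upper()
            elif _local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        for pattern in patterns:
            result[pattern] = guarantee
    return result


def forces_https(web_xml):
    """True only if constraints exist and every one is CONFIDENTIAL."""
    guarantees = transport_guarantees(web_xml)
    return bool(guarantees) and all(g == "CONFIDENTIAL" for g in guarantees.values())


if __name__ == "__main__":
    for name, xml in (("webapp.war", WEBAPP_XML), ("webapp_rest.war", REST_XML)):
        print(name, transport_guarantees(xml), "forces HTTPS:", forces_https(xml))
```

A descriptor with no security-constraint at all is reported as not forcing HTTPS, which matches the state described at the start of this step, where the app answers on both ports.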


7 Test it:

Access to http://myHostname:8080/webapp will be automatically redirected to https://myHostname:8443/webapp.
Access to http://myHostname:8080/webapp/rest will be open as required.


About CrazyPenguin

Software Engineer