Linux – Setting up SSL on JBoss 5

Tags: https, jboss, linux, ssl

How can I enable SSL on JBoss 5 on a Linux (Red Hat – Fedora 8) box?

What I've done so far is:

(1) Create a test keystore.

(2) Placed the newly generated server.keystore in $JBOSS_HOME/server/default/conf

(3) Make the following change in the server.xml in $JBOSS_HOME/server/default/deploy/jbossweb.sar to include this:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
  <Connector protocol="HTTP/1.1" SSLEnabled="true"
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="mypassword" sslProtocol = "TLS" />

(4) The problem is that when JBoss starts it logs this exception (during start-up) (but I am still able to view everything under http://localhost:8080/):

03:59:54,780 ERROR [Http11Protocol] Error initializing endpoint

java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:456)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:139)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:498)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:175)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1029)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:683)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:821)
at org.jboss.web.tomcat.service.deployers.TomcatService.startService(TomcatService.java:313)

I do know there's more to be done to enable full SSL client authentication….

Best Answer

This may not be the most direct answer you're looking for, but after years of setting up a lot of Tomcat based infrastructure I always front-end them now with Apache and mod_ssl, using mod_jk (ajp13) to connect them. This is beneficial for many, many reasons:

  • you can offload all static file processing to Apache for better performance
  • you get access to all of the mod_rewrite (and other awesome modules) features
  • setting up SSL w/Apache is a no brainer, Tomcat never even knows it's an SSL channel

...and on and on. While the java engine can handle SSL, it's just not one of its strong points in life and tends to be more of a hassle than what it's worth. Let java handle the webapps and their java code, let Apache do what it does best. You will also find that mod_jk has a lot of great options for making sure your app engine doesn't get overloaded; using the right combination of parameters you can have your users temporarily redirected in a clean, good looking manner when the Tomcat instances are not responding fast enough (or crash/lock up).
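As an added illustration of the front-end layout this answer describes (not configuration from the original post or from the JBoss project), here is a minimal Apache 2.2 mod_ssl plus mod_jk setup that terminates TLS in Apache and forwards only the application path to the JBoss 5 AJP connector. The hostname, certificate paths, worker name and application path are assumed placeholders.

```apache
# /etc/httpd/conf.d/jboss-ssl.conf  (assumed path; Apache 2.2 on Fedora/RHEL)
LoadModule jk_module modules/mod_jk.so

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info

<VirtualHost *:443>
    # Placeholder hostname and document root
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # TLS terminates here; JBoss never touches a certificate or keystore.
    # Placeholder certificate and key paths.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Only the application path goes to JBoss over AJP; static assets under
    # /myapp/static/ are served straight from DocumentRoot by Apache.
    JkMount   /myapp/*        jboss1
    JkUnMount /myapp/static/* jboss1
</VirtualHost>

# /etc/httpd/conf/workers.properties  (assumed path)
# One AJP13 worker pointing at the JBoss 5 AJP connector (port 8009 by default).
worker.list=jboss1
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
# Fail fast when JBoss stops answering, so Apache returns an error page
# instead of leaving users with hanging connections.
worker.jboss1.socket_timeout=30
worker.jboss1.reply_timeout=30000
worker.jboss1.retries=2
```

With this layout the HTTPS connector from the question can be removed from server.xml altogether; JBoss 5 ships with the AJP/1.3 connector on port 8009 already enabled in jbossweb.sar/server.xml.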
