Enabling SSL


Now we will shift gears and look at a completely different security issue. If you expect your applications to need secure HTTP communication, you'll need to enable SSL support.

How do I do that?

Before you can enable SSL, you will need to install a valid certificate on the server side. You can get one from a certification authority such as Thawte or VeriSign (and they come at a hefty price). Although you'll need a valid certificate before taking an application into production, for development purposes you can generate a certificate for your own use using the Java keytool command.

To generate a key, go to the conf directory of your server configuration and execute the following command:

     [conf]$ keytool -genkey -keystore ssl.keystore -storepass mypassword \
         -keypass mypassword -keyalg RSA -validity 3650 -alias testkey1 \
         -dname "cn=testkey,o=jbossnotebook"


Note: The key password should always be the same as the keystore password. If they are different, Tomcat won't be able to read the key.

This command produces a self-signed certificate. Self-signed certificates are signed only by the owner of the key (you), and not by a trusted certification authority. Since we aren't trying to generate a production certificate, you don't have to worry about the specifics of the type of key being generated. The important thing is that now you have an SSL-ready certificate in the ssl.keystore file.

To enable SSL, you'll need to point Tomcat to your keystore. This is quite simple to do. Just edit deploy/jbossweb-tomcat55.sar/server.xml and add the following connector:

     <Connector port="8443" address="${jboss.bind.address}"
                maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                emptySessionPath="true" scheme="https"
                secure="true" clientAuth="false"
                keystoreFile="${jboss.server.home.dir}/conf/ssl.keystore"
                keystorePass="mypassword" keyAlias="testkey1"
                sslProtocol="TLS" />

The keystore file, password, and alias should match the values you used when creating the keystore. After restarting JBoss, you should see the connector listening on port 8443 for HTTPS connections:

     00:30:27,295 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443 

Now you can access the application securely using HTTPS on port 8443. To access the ToDo application, use https://localhost:8443/todo/.

There is one small gotcha here, which you'll quickly notice when you try to access the application. Because the SSL certificate used wasn't signed by a trusted certification authority, your browser will complain that it can't verify the server's certificate. You can still communicate with the server over HTTPS, but you can't be certain that you are truly communicating with the server you think you are.


Note: Using a self-signed certificate leaves you vulnerable to the classic man-in-the-middle attack.

The solution is easy, but not free. It usually costs a good bit of money to get a certificate signed by a trusted certification authority. If you've generated a key using the keytool command, the first step is to generate a certificate signing request (CSR) to send to the certification authority. Here is how you generate a CSR with the keytool command:

     [conf]$ keytool -certreq -keystore ssl.keystore -alias testkey1 \
         -storepass mypassword -keypass mypassword -keyalg RSA \
         -file testreq.csr
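The two keytool steps above (creating the self-signed keystore, then producing the CSR) are easy to get subtly wrong: a typo in the alias means the Connector's keyAlias="testkey1" will never be found, and an empty or malformed CSR file is only discovered when the certification authority rejects it. The following script is an added example, not code from the book; it runs the same commands in a scratch directory and verifies each result before moving on. It assumes the JDK's keytool is on the PATH; the alias, passwords and distinguished name are the book's own values, while the scratch directory and the -keysize option are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): drive the keytool steps from this
# section in a scratch directory and verify each result.
# Assumes the JDK's keytool is on PATH.
set -eu

STOREPASS="mypassword"   # key password must equal this (see the Note above)
ALIAS="testkey1"         # must match keyAlias="testkey1" in the Connector

# Step 1: create a self-signed key pair + certificate in ssl.keystore.
# (-keysize 2048 is an addition to the book's command.)
gen_keystore() {
    workdir="$1"
    keytool -genkey -keystore "$workdir/ssl.keystore" -storepass "$STOREPASS" \
        -keypass "$STOREPASS" -keyalg RSA -keysize 2048 -validity 3650 \
        -alias "$ALIAS" -dname "cn=testkey,o=jbossnotebook" >/dev/null 2>&1
}

# Check: the keystore must contain the alias the Connector will reference.
# keytool -list exits non-zero if the alias does not exist.
alias_present() {
    keytool -list -keystore "$1/ssl.keystore" -storepass "$STOREPASS" \
        -alias "$ALIAS" >/dev/null 2>&1
}

# Step 2: generate the CSR to send to the certification authority.
# Prints the path of the CSR file.
gen_csr() {
    workdir="$1"
    keytool -certreq -keystore "$workdir/ssl.keystore" -alias "$ALIAS" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -file "$workdir/testreq.csr" >/dev/null 2>&1
    echo "$workdir/testreq.csr"
}

# Check: a CSR is PEM text whose first line is a BEGIN ... CERTIFICATE REQUEST
# header; anything else means the request was not written correctly.
csr_looks_valid() {
    head -n 1 "$1" | grep -q 'BEGIN .*CERTIFICATE REQUEST'
}

# Run both steps with their checks; prints the scratch directory on success.
run_all() {
    workdir=$(mktemp -d)
    gen_keystore "$workdir"
    alias_present "$workdir" || { echo "alias $ALIAS missing" >&2; return 1; }
    csr=$(gen_csr "$workdir")
    csr_looks_valid "$csr" || { echo "malformed CSR: $csr" >&2; return 1; }
    echo "$workdir"
}

# Only run when keytool is actually available.
if command -v keytool >/dev/null 2>&1; then
    run_all
fi
```

After the script prints the scratch directory, ssl.keystore and testreq.csr inside it are exactly the files the book's commands produce; copy ssl.keystore into the server's conf directory (the path the Connector's keystoreFile points at) and send testreq.csr to the certification authority.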

You should send the testreq.csr file to your certification authority, along with a check covering the cost, at which point they'll respond with a signed certificate. If you save the certificate reply in a file called cert.txt, the following command will import it back into your keystore:

     [conf]$ keytool -import -keystore ssl.keystore -alias testkey1 \
         -storepass mypassword -keypass mypassword -file cert.txt
     Top-level certificate in reply:
     Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
     Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
     Serial number: 0
     Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 15:59:59 CST 2020
     Certificate fingerprints:
              MD5:  5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
              SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
     Certificate reply was installed in keystore

If your browser recognizes your chosen certification authority, you should be able to access your application over HTTPS without your web browser complaining that it can't validate the certificate.



JBoss. A Developer's Notebook
ISBN: 0596100078
Year: 2003
Pages: 106