Using SSL with the JBoss/Tomcat Bundle


There are a few ways you can configure HTTP over SSL for the embedded Tomcat servlet container. The main difference between them is whether you use the JBoss-specific connector socket factory, which allows you to obtain the JSSE server certificate information from a JBossSX SecurityDomain. This requires establishing a SecurityDomain by using the org.jboss.security.plugins.JaasSecurityDomain MBean. These two steps are similar to the procedure used in Chapter 8, "Security on JBoss," to enable RMI with SSL encryption. The following is a server.xml configuration file that illustrates the setup of only an SSL connector via this approach:

<Server>
    <Service name="jboss.web" className="org.jboss.web.tomcat.tc5.StandardService">
        <Connector port="8080" address="${jboss.bind.address}" maxThreads="150"
            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
            redirectPort="443" acceptCount="100" connectionTimeout="20000"
            disableUploadTimeout="true"/>
        <Connector port="443" address="${jboss.bind.address}" maxThreads="100"
            minSpareThreads="5" maxSpareThreads="15" scheme="https"
            secure="true" clientAuth="false"
            keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
            keystorePass="rmi+ssl" sslProtocol="TLS"/>
        <Engine name="jboss.web" defaultHost="localhost">
            <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"/>
            <Logger className="org.jboss.web.tomcat.Log4jLogger"
                verbosityLevel="WARNING" category="org.jboss.web.localhost.Engine"/>
            <Host name="localhost" autoDeploy="false" deployOnStartup="false"
                  deployXML="false">
                <DefaultContext cookies="true" crossContext="true" override="true"/>
            </Host>
        </Engine>
    </Service>
</Server>

This configuration includes the same JaasSecurityDomain setup as in Chapter 8, but because the descriptor is not being deployed as part of a SAR that includes chap8.keystore, you need to copy chap8.keystore to the server/default/conf directory.

You can do a quick test of this configuration by accessing the JMX Console web application, using the URL https://localhost/jmx-console/index.jsp.

Note

If you're running on a Unix system (Linux, Solaris, or OS X) that allows only root to open ports below 1024, you need to change the port number in the preceding code to something like 8443.


The following are the factory configuration attributes:

  • algorithm: This is the certificate encoding algorithm to be used. If it is not specified, the default value is SunX509.

  • className: This is the fully qualified classname of the SSL server socket factory implementation class. You must specify org.apache.coyote.tomcat4.CoyoteServerSocketFactory here. Using any other socket factory will not cause an error, but the server socket will not be using SSL.

  • clientAuth: You set this attribute to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. A false value (which is the default) does not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

  • keystoreFile: This is the pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file .keystore in the operating system home directory of the user who is running Tomcat.

  • keystorePass: This is the password used to access the server certificate from the specified keystore file. The default value is changeit.

  • keystoreType: This is the type of keystore file to be used for the server certificate. If not specified, the default value is JKS.

  • protocol: This is the version of the SSL protocol to use. If not specified, the default is TLS.
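As an added example (not code from the book), the following Python script parses a trimmed copy of the server.xml shown above, flags the settings a reviewer would question (the cleartext keystorePass, the privileged port the Note warns about, an SSLv2/v3 sslProtocol, and a redirectPort that points at no HTTPS connector), and rebinds a privileged HTTPS port to 8443 while fixing the matching redirectPort. The function names and finding codes are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the server.xml shown above.
SERVER_XML = """<Server>
  <Service name="jboss.web" className="org.jboss.web.tomcat.tc5.StandardService">
    <Connector port="8080" address="${jboss.bind.address}" redirectPort="443"/>
    <Connector port="443" address="${jboss.bind.address}" scheme="https"
      secure="true" clientAuth="false"
      keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
      keystorePass="rmi+ssl" sslProtocol="TLS"/>
  </Service>
</Server>"""


def is_https(conn):
    """A Connector is the SSL one if it says so via scheme or secure."""
    return conn.get("scheme") == "https" or conn.get("secure") == "true"


def connector_findings(xml_text):
    """Return (port, code) pairs for settings a reviewer would question."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    https_ports = {int(c.get("port")) for c in connectors if is_https(c)}
    findings = []
    for c in connectors:
        port = int(c.get("port"))
        if is_https(c):
            if "keystorePass" in c.attrib:  # readable by anyone who can read server.xml
                findings.append((port, "cleartext-keystore-pass"))
            if port < 1024:                 # the Note above: needs root on Unix
                findings.append((port, "privileged-port"))
            if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
                findings.append((port, "weak-ssl-protocol"))
        elif c.get("redirectPort") and int(c.get("redirectPort")) not in https_ports:
            findings.append((port, "redirect-mismatch"))  # redirects to nothing
    return findings


def rebind_privileged_port(xml_text, new_port=8443):
    """Move HTTPS connectors below 1024 to new_port and fix redirectPort refs."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    moved = {}
    for c in connectors:
        port = int(c.get("port"))
        if is_https(c) and port < 1024:
            c.set("port", str(new_port))
            moved[port] = new_port
    for c in connectors:
        rp = c.get("redirectPort")
        if rp and int(rp) in moved:
            c.set("redirectPort", str(moved[int(rp)]))
    return ET.tostring(root, encoding="unicode")
```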

Note that if you try to test this configuration by using the self-signed certificate from the Chapter 8 chap8.keystore and attempt to access content over an HTTPS connection, your browser should display a warning dialog indicating that it does not trust the certificate authority that signed the certificate of the server you are connecting to. For example, when we tested the first configuration example, Internet Explorer 5.5 showed the initial security alert dialog listed in Figure 9.2. Figure 9.3 shows the server certificate details. This warning is important because anyone can generate a self-signed certificate with any information desired. Your only way to verify that the system on the other side really represents the party it claims to is by verifying that it is signed by a trusted third party.

Figure 9.2. The Internet Explorer 5.5 security alert dialog.


Figure 9.3. The Internet Explorer 5.5 SSL certificate details dialog.




JBoss 4.0 - The Official Guide
ISBN: B003D7JU58
EAN: N/A
Year: 2006
Pages: 137
