How to configure SSL in Jboss

Asked By 150 points N/A Posted on -

I am struggling to configure SSL in Jboss, on our production server. The production server is running Linux. I generated the CSR and sent it to the certificate issuer. They sent me the SSL certificate. I imported it into the "keystore".

 

Now what do I do?

Can anyone help me?

Best Answer by DimaZ
Answered By 0 points N/A #93021


Which version of JBoss are you using? You need to edit a configuration file and point JBoss to the java keystore to get the SSL certificate for encryption.

Answered By 150 points N/A #93022


I am using JBoss version 5.0. The certificate is capable of 256-bit encryption.

The Linux is using CentOS 5.0.

Best Answer
Answered By 0 points N/A #93023


The configuration for the SSL is in the server.xml in JBoss 5.0.

You need to edit the server.xml file that is found inside the default directory.

/server/default/deploy/jbossweb.sar/server.xml

If you have a custom server configuration, you need to edit the correct server.xml inside the jbossweb.sar directory.

Locate the SSL connector inside the server.xml. There you put the correct directory and the password to the java keystore file. The following code segment assumes you have placed the keystore in the server's configuration directory.

   <Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/keystorefile.jks"
           keystorePass="password" sslProtocol = "TLS" />

You will then need to stop the JBoss service and then start it again.

Answered By 150 points N/A #93024


Thank you TekGirl. I followed your instructions and restarted the service. But the problem is when I attempt to access the website on port 8080 using the HTTPS prefix, it says page cannot be displayed!

Why is this? There are no exceptions in the server log either.

Answered By 0 points N/A #93025


Diana, can you check again, this time giving port 8043 instead? This is because the connector for SSL loads on port number 8443 by default.

You would have noticed this port in the code that TekGirl has posted.

Answered By 150 points N/A #93026


It works on port 8443! That is weird!

I normally do not put a port number if I want to use the SSL!

Why is this?

Answered By 5 points N/A #93027


Diana, in reality your browser is actually transparently switching the ports for you.

For websites that are running on the default port number 80, all Internet Browsers and Web Servers are hardwired to use port 443 as the default SSL port. 

Port numbers 80 and 443 are in the set of "well known" ports. Therefore, the Internet Browser automatically suffixes your website domain with port 80 when you request standard content.

The Internet Browser automatically suffixes your website domain with port 443 when you request encrypted content.

Since the browser is doing it for you, you would not see this suffix on the URL box.

However, if your website is on a non-standard port number, such as 8080 in your case, there is no global standard for the corresponding HTTPS port.

Therefore you need to put the correct port number to check if HTTPS is working for websites that are not configured for default ports.

Answered By 150 points N/A #93028


I might add that port numbers can only be bound to one type of a Listener.

If port 80 is listening and servicing non-encrypted data, it cannot double up to listen for encrypted data.

Answered By 0 points N/A #93029


 

I might add that port numbers can only be bound to one type of a Listener.

If port 80 is listening and servicing non-encrypted data, it cannot double up to listen for encrypted data.

Answered By 150 points N/A #93030


Thank you TekGirl and DimaZ for your valuable advice.

I will tell my network admin to do some port forwarding to redirect the port 8080 to 80 and the port 8443 to port 443.

Thank you again for helping me solve the SSL problem!

Answered By 0 points N/A #93031


You need to add a new parameter to server.xml to specify the alias to use to look up the certificate in the server.keystore. So if your certificate alias was 'localhost' then you need to add keyAlias="localhost" to server.xml so it will look like this:

   <Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="mypassword" sslProtocol = "TLS"
           keyAlias="localhost"/>

*You can replace the localhost with whatever alias name you like for the certificate in the server.xml.

 btw – depending on your specific requirements I tend to agree with Tactical Vim that using mod_ssl is a better option.
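
An added example, not code from any poster in this thread: a small Python check that reads a server.xml, reports which port the SSL connector actually listens on, and flags the keystore attributes discussed above when they are missing or left at placeholder values. The sample XML, the function name `audit_connectors` and the placeholder-password list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml fragment with one plain and one SSL
# connector, modelled on the snippets in this thread (not a production file).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/keystorefile.jks"
               keystorePass="password" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Assumed list of placeholder passwords; "changeit" is the stock Java default.
WEAK_PASSWORDS = {"", "password", "changeit", "mypassword"}


def audit_connectors(xml_text):
    """Return (https_ports, findings) for every <Connector> in a server.xml."""
    root = ET.fromstring(xml_text)
    https_ports, findings = [], []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain listener: an https:// URL on this port will fail
        https_ports.append(port)
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"{port}: scheme/secure not set to https/true")
        if not conn.get("keystoreFile"):
            findings.append(f"{port}: keystoreFile missing")
        if conn.get("keystorePass", "") in WEAK_PASSWORDS:
            findings.append(f"{port}: keystorePass missing or a placeholder value")
        if not conn.get("keyAlias"):
            findings.append(f"{port}: no keyAlias, certificate choice is implicit")
    return https_ports, findings


if __name__ == "__main__":
    ports, problems = audit_connectors(SAMPLE_SERVER_XML)
    print("HTTPS listens on:", ", ".join(ports) or "no port")
    for problem in problems:
        print("  -", problem)
```
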
