May 31, 2012

How to install and configure SSL on JBoss 5.1

The reason for installing SSL (Secure Sockets Layer) is to protect the data sent and received from being read in clear text; with SSL it is sent and received encrypted instead.

The first thing you need is a server certificate. You can get a valid certificate from a Certification Authority (CA) like Thawte, Verisign and many more, but here I will use a self-signed certificate; the process is quite similar for one issued by a CA.
$ keytool -genkey -alias rsatest -keyalg RSA -keystore server.keystore -keysize 2048 -validity 60
...
Is CN=localhost, OU=MSC, O=MSC, L=Stockholm, ST=Stockholm, C=SE correct?
  [no]:  yes
Remember that the "first and last name" (the CN) should be either your domain name or your machine name.

And to view your self-signed certificate:
$ keytool -list -v -keystore server.keystore
Now you need to configure your HTTPS Connector.

$JBOSS_HOME/server/$JBOSS_CONF/deploy/jbossweb.sar/server.xml:
    <Connector protocol="HTTP/1.1" SSLEnabled="true" 
        port="8443" address="${jboss.bind.address}" 
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
        keystorePass="changeit" sslProtocol="TLS" />
There are several more configuration options for the Connector, which you can read more about here for JBoss 5.1:
http://docs.jboss.org/jbossweb/2.1.x/config/http.html

And the latest documentation is found here:
http://docs.jboss.org/jbossweb/latest/config/http.html

The last thing we need is a test application. I will leave that as an exercise, but I will show one interesting part, and that is the web.xml:
<web-app>

    ...

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Security Demo</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- Do not specify http-method, since then only the listed
                 http-methods are protected by this constraint, not e.g. JUNK (attack) -->
        </web-resource-collection>

        <auth-constraint>
            <description>These are the roles who have access.</description>
            <role-name>ROLE_FOO</role-name>
        </auth-constraint>

        <user-data-constraint>
            <description>This is how the user data must be transmitted.</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>foo-realm</realm-name>
    </login-config>

    <security-role>
        <role-name>ROLE_FOO</role-name>
    </security-role>

    <session-config>
        <!-- Session timeout after X minutes of no user interaction. -->
        <session-timeout>15</session-timeout>
        <cookie-config>
            <!-- XSS attack: make sure that the cookie cannot be accessed via
                 client-side scripts -->
            <http-only>true</http-only>
            <!-- CSRF attack, session hijack attack: require that the cookie
                 is only sent over SSL connections. -->
            <secure>true</secure>
        </cookie-config>
        <!-- Do not use URL, since then it can be stored in numerous places: 
             browser history, proxy server log, referrer logs, web logs, etc. -->
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    ...

</web-app>
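As an added example (not code from the original post), here is a short Python lint over a web.xml that checks for the settings the comments above call out: no http-method in the web-resource-collection, a CONFIDENTIAL transport-guarantee, HttpOnly and Secure cookie flags, and COOKIE tracking mode. The WEB_XML sample is constructed for this example and gets four of these wrong on purpose.

```python
import xml.etree.ElementTree as ET  # standard library only

# Constructed sample web.xml: http-method listed, NONE transport, Secure off, URL tracking.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Security Demo</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_FOO</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config><http-only>true</http-only><secure>false</secure></cookie-config>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""

def _text(parent, path, default=""):
    """Stripped text of the first child matching path, or default when absent."""
    node = parent.find(path) if parent is not None else None
    return (node.text or "").strip() if node is not None else default

def lint_web_xml(xml_text):
    """Return human-readable findings; an empty list means every setting matches the post."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        name = _text(wrc, "web-resource-name", "<unnamed>")
        # Listing http-method narrows the constraint to those methods only.
        if wrc is not None and wrc.find("http-method") is not None:
            findings.append(f"{name}: http-method listed, other methods bypass the constraint")
        if _text(sc, "user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee is not CONFIDENTIAL")
    sess = root.find("session-config")
    if sess is None:
        return findings + ["no session-config: cookie flags and tracking mode unset"]
    if _text(sess, "cookie-config/http-only").lower() != "true":
        findings.append("session cookie is not HttpOnly")
    if _text(sess, "cookie-config/secure").lower() != "true":
        findings.append("session cookie is not Secure")
    if _text(sess, "tracking-mode") != "COOKIE":
        findings.append("tracking-mode is not COOKIE, so the session id may end up in URLs")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_web_xml(WEB_XML)) or "no findings")
```

Run it against the real web.xml of a deployment to confirm the four checks come back empty.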


Now open your web browser and test your application. Doing the same for Tomcat is quite similar; read more about it in my next blog post: http://magnus-k-karlsson.blogspot.se/2012/06/how-to-install-install-and-configure.html.
