JBoss 6.0: Setting up HTTPS


This tutorial makes the following assumptions:

  • That you are running JBoss under a 'jboss' user whose home directory is /home/jboss/

In the examples below, replace the string "<server-name/ip>" with the host name or IP address that clients will use to reach the site over HTTPS. That value becomes the certificate's CN, and browsers reject the certificate when it does not match the address in the URL. The path to your installed JDK will also likely differ.

  • Create a new keystore using the JDK-provided keytool binary:
# /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -genkey -alias your_alias -keyalg RSA -keystore keystore.jks

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: <server-name/ip>
What is the name of your organizational unit?
[Unknown]: Your Unit
What is the name of your organization?
[Unknown]: Your Organization
What is the name of your City or Locality?
[Unknown]: Your City
What is the name of your State or Province?
[Unknown]: MD
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=<server-name/ip>, OU=Your Unit, O=Your Organization, L=Your City,
ST=MD, C=US correct?
[no]: yes

Enter key password for <your_alias>
(RETURN if same as keystore password):
Re-enter new password:

. When prompted for the key password, press RETURN so that the key password is the same as the keystore password. The connector configuration below only sets keystorePass, and that one password is used to open both the keystore and the key inside it.
. Put the keystore file under /home/jboss, in /home/jboss/jboss_as_keys/ (the ${user.home}/jboss_as_keys path that server.xml references below), and make it readable only by the jboss user (chmod 600), since it holds the server's private key.

  • Export the generated server certificate from keystore.jks to server.cer (here "password" stands for the keystore password you chose above):
# /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -export -alias your_alias -storepass password -file server.cer -keystore keystore.jks
  • Create a truststore file and add the server certificate to it:
# /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -import -v -trustcacerts -alias your_alias -file server.cer -keystore cacerts.jks -keypass password -storepass password

It will display the following:

Owner: CN=<server-name/ip>, OU=Your Unit, O=Your Organization,
L=Your City, ST=MD, C=US
Issuer: CN=<server-name/ip>, OU=Your Unit, O=Your Organization,
L=Your City, ST=MD, C=US
Serial number: 4e20527c
Valid from: Fri Jul 15 10:45:16 EDT 2011 until: Thu Oct 13 10:45:16 EDT 2011
Certificate fingerprints:
MD5: B9:25:A0:89:B9:A3:62:44:38:DD:B7:13:2C:05:C5:8C
SHA1: 3C:F9:54:2D:96:0C:D7:F9:C5:DA:24:54:A3:29:41:98:5E:01:2C:97
Signature algorithm name: SHA1withRSA
Version: 3

. Enter 'yes'
Trust this certificate? [no]: yes
Certificate was added to keystore

. JBoss Web only consults this truststore when verifying client certificates (clientAuth="true"). With the clientAuth="false" connector configured below it is not strictly required, but it does no harm.
. The certificate is self-signed, so browsers will warn until users import server.cer. Note also the keytool defaults visible in the listing above: only 90 days of validity and a SHA1withRSA signature (and, on Java 6, a 1024-bit key). For anything beyond a test deployment, generate the key with -keysize 2048 -sigalg SHA256withRSA -validity <days>, or create a CSR with keytool -certreq and import a CA-signed certificate in its place.
  • Edit the JBoss config file $JBOSS_HOME/server/server_profile/deploy/jbossweb.sar/server.xml

. Make a copy of the following commented-out example connector:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->

. Place the copy outside the comment and change it as follows:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${user.home}/jboss_as_keys/keystore.jks"
keystorePass="password"
truststoreFile="${user.home}/jboss_as_keys/cacerts.jks"
truststorePass="password"
sslProtocol = "TLS" />

. Replace "password" with the keystore password you chose. server.xml now holds that password in clear text, so make sure it, like the keystore, is readable only by the jboss user.

. Disable unencrypted HTTP access on port 8080 by commenting out the following. Clients must then use https:// URLs, since no plain-HTTP listener remains to redirect them:

<!--
<Connector protocol="HTTP/1.1" port="${jboss.web.http.port}"
address="${jboss.bind.address}"
redirectPort="${jboss.web.https.port}" />
-->

  • Set up port forwarding from 443 to 8443 via iptables. JBoss runs as the unprivileged jboss user and cannot bind to port 443 itself, so the kernel redirects 443 to the connector's 8443 instead. The two OUTPUT rules cover connections made from the server itself (to localhost or to its own IP); the PREROUTING rule covers connections arriving from other hosts. Use the following commands, replacing $IPADDR with the IP of your web server:

    # iptables -t nat -A OUTPUT --destination localhost -p tcp --dport 443 -j REDIRECT --to-ports 8443
    # iptables -t nat -A OUTPUT --destination $IPADDR -p tcp --dport 443 -j REDIRECT --to-ports 8443
    # iptables -t nat -A PREROUTING --destination $IPADDR -p tcp --dport 443 -j REDIRECT --to-ports 8443

    # /etc/init.d/iptables save
    # /etc/init.d/iptables restart

. The save/restart commands are the RHEL/CentOS init script, which writes the rules to /etc/sysconfig/iptables; on other distributions persist the rules with the distribution's own mechanism. Verify with `iptables -t nat -L -n` that the three REDIRECT rules are present after the restart.
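The keystore, truststore and iptables steps above, collected into one non-interactive shell script. This is an added example, not code from the original post: it assumes keytool is on PATH, takes the alias, key directory, password and DN fields from environment variables (names of my choosing, with defaults matching the page), uses stronger keytool options than the interactive run above, and adds the file-permission check the page only implies.

```shell
#!/bin/sh
# Added example (not from the original post): the page's keytool and iptables
# steps as functions, with a pre-flight check before server.xml is edited.
# Assumed (not from the page): keytool on PATH; settings via environment.

KEYDIR="${KEYDIR:-$HOME/jboss_as_keys}"   # = ${user.home}/jboss_as_keys in server.xml
KEY_ALIAS="${KEY_ALIAS:-your_alias}"
STORE_PASS="${STORE_PASS:-changeit}"      # override this; never deploy the default
VALIDITY_DAYS="${VALIDITY_DAYS:-365}"     # keytool's own default is only 90 days
DN_OU="${DN_OU:-Your Unit}"; DN_O="${DN_O:-Your Organization}"
DN_L="${DN_L:-Your City}";  DN_ST="${DN_ST:-MD}"; DN_C="${DN_C:-US}"

# Build the DN keytool otherwise prompts for. $1 is the host name or IP that
# clients will type in the URL; it must be the CN or browsers reject the cert.
dn_for() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' \
        "$1" "$DN_OU" "$DN_O" "$DN_L" "$DN_ST" "$DN_C"
}

# Returns 0 when the file exists, is owned by the calling user and has no
# group/other permission bits, i.e. is fit to hold a private key or a
# clear-text password. Uses numeric ids so it works without a passwd entry.
check_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldn "$1")
    [ "$(printf '%s' "$perms" | awk '{print $3}')" = "$(id -u)" ] || return 1
    [ "$(printf '%s' "$perms" | cut -c5-10)" = "------" ]
}

# Generate the server key pair: 2048-bit RSA, SHA-256 signature, configurable
# validity. The subshell keeps umask 077 (new files 0600) from leaking out.
# Passing -storepass on the command line exposes it in `ps`; newer keytools
# accept -storepass:env STORE_PASS instead.
make_keystore() {
    ( umask 077
      mkdir -p "$KEYDIR"
      keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
          -sigalg SHA256withRSA -validity "$VALIDITY_DAYS" \
          -dname "$(dn_for "$1")" \
          -keystore "$KEYDIR/keystore.jks" \
          -storepass "$STORE_PASS" -keypass "$STORE_PASS" )
}

# Export the public certificate (page step: keytool -export).
export_cert() {
    keytool -exportcert -alias "$KEY_ALIAS" -keystore "$KEYDIR/keystore.jks" \
        -storepass "$STORE_PASS" -file "$KEYDIR/server.cer"
}

# Build the truststore (page step: keytool -import). Only consulted by the
# connector when clientAuth="true", but kept for parity with the page.
make_truststore() {
    ( umask 077
      keytool -importcert -noprompt -trustcacerts -alias "$KEY_ALIAS" \
          -file "$KEYDIR/server.cer" -keystore "$KEYDIR/cacerts.jks" \
          -storepass "$STORE_PASS" )
}

# Pre-flight check before pointing server.xml at the files: the alias must be
# present and both stores must be private to this user.
verify_keys() {
    keytool -list -alias "$KEY_ALIAS" -keystore "$KEYDIR/keystore.jks" \
        -storepass "$STORE_PASS" >/dev/null 2>&1 || return 1
    check_private_file "$KEYDIR/keystore.jks" || return 1
    check_private_file "$KEYDIR/cacerts.jks"
}

# The page's iptables step: 443 -> 8443 so JBoss can stay unprivileged.
# $1 is the server's IP. OUTPUT covers connections from the host itself,
# PREROUTING covers traffic from other machines. Must run as root.
redirect_https() {
    iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --dport 443 -j REDIRECT --to-ports 8443
    iptables -t nat -A OUTPUT -d "$1" -p tcp --dport 443 -j REDIRECT --to-ports 8443
    iptables -t nat -A PREROUTING -d "$1" -p tcp --dport 443 -j REDIRECT --to-ports 8443
}

# Usage: ./jboss_tls_setup.sh setup <server-name/ip> [server-ip-for-iptables]
case "${1:-}" in
    setup)
        if make_keystore "$2" && export_cert && make_truststore && verify_keys; then
            echo "keys ready in $KEYDIR"
        else
            echo "setup failed" >&2; exit 1
        fi
        if [ -n "${3:-}" ]; then redirect_https "$3"; fi
        ;;
esac
```

Run the `setup` action as the jboss user so that ${user.home} in server.xml resolves to the same directory the keys were written to; the iptables rules need root, so pass the IP as the third argument only when running the script with root privileges (or call the redirect step separately).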