How to enable SSL for Jboss/User Application using eDirectory certificate.

  • 3038898
  • 30-Jul-2007
  • 27-Nov-2012

Environment

Novell Identity Manager 3.6.1
Novell Identity Manager 3.5
Novell Identity Manager 3.01

Situation

How to enable SSL with Jboss/User Application using eDirectory server certificate.

Resolution

1) Export the Certificate Authority from your eDirectory server using iManager
1. Go to: http:///nps/iManager
2. Login with eDirectory admin username and password.
3. Go to eDirectory Administration > Modify Object
4. Browse to the CA object in the Security container called CA.Security (Ex: IDMTESTTREE CA.Security)
5. Click the Certificates tab > Self Signed Certificate
6. Click the Export button
7. Select "No" for "Do you want to export the private key with the certificate?" > Click Next.
8. Select "File in DER format." > Click Next.
9. Click "Save the exported certificate to a file."
10. Choose a location to save the file. The file will be saved as CA.der (Ex: IDMTESTTREE CA.der).
11. Click Close.

2) Create a keystore
In a command prompt, cd to your .../jboss/server/IDM/conf directory and create the keystore with the following command:
/opt/novell/idm35/jboss-mysql/jboss/server/IDM/conf>keytool -genkey -alias [keystore name] -keyalg RSA -keystore [your keystore name.keystore] -validity 3650
You will be prompted for your password, first and last name, etc.
A few important key points:
-When asked for your first and last name, supply the fully qualified name of the server, for example MyJBossServer.Novell.com
-Spelling is very important; if anything is misspelled in these steps you will receive errors when generating your signed certificate from the signing authority.
-It is always a good idea to save a copy of the information you supplied in a simple text file. This comes in handy when you apply to the signing authority and when importing your certificate, since it ensures you are supplying the same information.

3) In your jboss/server/IDM/conf directory, create a simple text file to hold your keystore's .csr. Once this file is created, return to a command prompt and create the .csr with the following command:

/opt/novell/idm/jboss-mysql/jboss/server/IDM/conf>keytool -certreq -v -alias [Keystore name you created when creating your keystore] -file [your.csr] -keypass [password you created in keystore] -keystore [your.keystore] -storepass [your password]

4) Issue a certificate using iManager
1. Go to Certificate Server ---> Issue Certificate
2. Browse to the .csr file created in step 3. Click Next, Next.
3. Select the 'Unspecified' certificate type. Click Next, Next.
4. Click Finish and save in DER format.

5) Import your Root CA

/opt/novell/idm/jboss-mysql/jboss/server/IDM/conf>keytool -import -trustcacerts -alias root -keystore your.keystore -file yourRootCA.cer

**yourRootCA.cer is the certificate you exported in step 1 in .der format
**Please make sure you specify "root" as your alias in this step
If all goes well you should see a "Certificate was added to keystore" message

6) Import your "Signed" certificate
/opt/novell/idm/jboss-mysql/jboss/server/IDM/conf>keytool -import -alias [alias you used when creating the .csr] -keystore [your.keystore] -file [your DER converted Signed Cert.cer]
If all goes well you should receive "Certificate reply was installed in keystore"

7) To verify that the signed certificate was imported correctly, run the following command in a command prompt from your /JBoss/server/IDM/conf directory:

/opt/novell/idm/jboss-mysql/jboss/server/IDM/conf>keytool -list -v -alias idm -keystore idm.keystore
You should see your self-signed and signed certificates listed in the output.

8) Enable SSL in JBoss
-Locate jbossweb-tomcat55.sar under [IDM]/jboss/server/IDM/deploy.
-In it, find server.xml and open that file in a text editor.
-Enable SSL by uncommenting or adding the following section:

<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/mykeystore.keystore"
    keystorePass="changeit" sslProtocol="TLS" />

**Note 1: Remember to point "keystoreFile" to the keystore you created, for example: ${jboss.server.home.dir}/conf/server.keystore
**Note 2: Remember to change keystorePass="changeit" to your keystore password

For Identity Manager 3.6.1, the JBoss version has been updated.

In jboss-4.2.2 the web container has its configuration in the deploy/jboss-web.deployer/server.xml descriptor.
Add this to the file:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false"
    strategy="ms" address="${jboss.bind.address}"
    keystoreFile="${jboss.server.home.dir}/conf/.keystore"
    keystorePass="password"
    truststoreFile="${jboss.server.home.dir}/conf/.keystore"
    truststorePass="password"
    sslProtocol="TLS"/>

Change .keystore and password to your values.

9) Restart your JBoss Server and test
When restarting the JBoss Server you should see the server running on ports 8082 and 8443:
16:35:51,062 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8082
16:35:51,343 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
16:35:51,359 INFO [JkMain] Jk running ID=0 time=0/156 config=null
16:35:51,375 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
16:35:51,390 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build: CVSTag=JBoss_4_0_2 date=200505022023)] Started in 1m:32s:94ms
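Before the restart in step 9, the Connector edited in step 8 can be checked for the two mistakes the notes warn about (a keystorePass left at its placeholder and a keystoreFile that does not point at the keystore you created), plus the SSLEnabled attribute the jboss-4.2.2 descriptor needs. The following Python script is an added example, not part of this TID or of JBoss; its sample XML, stand-in keystore file and password value are constructed.

```python
"""Check the JBoss https <Connector> from step 8 before the restart in step 9.

Added example, not from the TID or from JBoss/Identity Manager. It flags what the
step-8 notes warn about (keystorePass left at "changeit"/"password", keystoreFile
not pointing at your keystore) and, for jboss-4.2.2, a missing SSLEnabled="true".
Sample XML, paths and the password value are constructed for illustration.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

PLACEHOLDER_PASSWORDS = {"changeit", "password", ""}
HOME_CONF = "${jboss.server.home.dir}/conf"  # JBoss expands this at runtime


def check_ssl_connector(server_xml, conf_dir, jboss_422=False):
    """Return findings for the https Connector(s); an empty list means it looks right.
    conf_dir stands in for ${jboss.server.home.dir}/conf; jboss_422=True for the
    IDM 3.6.1 descriptor, whose Connector must also carry SSLEnabled="true"."""
    findings = []
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not https:
        return ['no Connector with scheme="https" (SSL section still commented out?)']
    for c in https:
        if c.get("secure") != "true":
            findings.append('https Connector must set secure="true"')
        if jboss_422 and c.get("SSLEnabled") != "true":
            findings.append('jboss-4.2.2 Connector needs SSLEnabled="true"')
        for attr in ("keystorePass", "truststorePass"):
            if attr in c.attrib and c.get(attr) in PLACEHOLDER_PASSWORDS:
                findings.append(f"{attr} is still the placeholder {c.get(attr)!r}")
        for attr in ("keystoreFile", "truststoreFile"):
            if attr in c.attrib:
                path = c.get(attr).replace(HOME_CONF, conf_dir)
                if not os.path.isfile(path):
                    findings.append(f"{attr} points to {path}, which does not exist")
    return findings


def demo():
    """Check a shortened copy of the TID's step-8 snippet, then a corrected one."""
    unedited = ('<Connector port="8443" scheme="https" secure="true" clientAuth="false" '
                f'keystoreFile="{HOME_CONF}/mykeystore.keystore" keystorePass="changeit" '
                'sslProtocol="TLS" />')
    with tempfile.TemporaryDirectory() as conf:
        open(os.path.join(conf, "server.keystore"), "wb").close()  # stand-in keystore
        fixed = (unedited.replace("mykeystore.keystore", "server.keystore")
                         .replace("changeit", "Constructed-Pass-1"))
        return check_ssl_connector(unedited, conf), check_ssl_connector(fixed, conf)
```

Run `demo()` to see the unedited snippet produce two findings and the corrected one produce none; point `conf_dir` at your real conf directory to check your own server.xml.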


Additional Information

Please note that if your eDirectory CA has been re-created, it is not necessary to follow all the steps outlined in this TID. After the CA is re-created all that needs to be done is to stop JBoss, import the new trusted root certificate from the CA as outlined in step 5 above (export it first as outlined in step 1), then start JBoss back up.