How to install a signed certificate into Jboss for the IDM3 User Application

  • 3103136
  • 05-Dec-2006
  • 26-Apr-2012

Environment

Novell Identity Manager Identity Manager 3.0
Novell Identity Manager User Application 3.0
Novell Identity Manager User Application 3.5.1
Novell Identity Manager User Application 3.6.0
Novell Identity Manager User Application 3.6.1
Novell exteNd JBoss Application Server 4.0.2
Novell exteNd JBoss Application Server 4.0.3
Novell exteNd JBoss Application Server 4.2.0

Situation

How do you install a signed SSL certificate into the JBoss Application Server for the IDM3 User Application?

Resolution

To install a signed certificate into the JBoss Application Server with the IDM3 User Application, follow these steps:

1) Create a keystore
 - In a command prompt cd to …\IDM3\jboss\server\[Your server name]\conf

 **(please note that for example purposes the server name used is "IDMProv", so in any command where you see IDMProv insert your own server name) and create the keystore

 - To create the keystore use the following command:
C:\IDM3\jboss\server\IDMProv\conf>keytool -genkey -alias [keystore name] -keyalg RSA -keystore [your keystore name.keystore] -validity 3650

You will be prompted for your password, first and last name, etc. The -alias value names the key entry inside the keystore; you will need the same alias again when creating the .csr and when importing the signed certificate.

A few important key points:

 - When asked for your first and last name you should supply the fully qualified name of the server, for example MyJBossServer.Novell.com

 - Spelling is very important: if anything is incorrectly spelled in these steps you will receive errors when generating your signed certificate from the signing authority.

 - It is always a good idea to save a copy of the information you supplied in a simple text file; this comes in handy when you apply to the signing authority and when importing your certificate, and ensures you are supplying the same information.


2) In your IDM3\jboss\server\IDMProv\conf create a simple text file to store your keystore .csr file

Once this file is created, return to a command prompt and create the .csr with the following command:

C:\IDM3\jboss\server\IDMProv\conf>keytool -certreq -v -alias [Keystore name you created when creating your keystore] -file [your.csr] -keypass [password you created in keystore] -keystore [your.keystore] -storepass [your password]

3) Submit your .csr file to your Certificate Authority (CA) such as VeriSign, Entrust etc.

Once you have received your "Signed Certificate" from your CA you need to import it into your JBoss Server.

To import your signed certificate:

1) Place a copy of your certificate in your \IDM3\JBoss\server\IDMProv\conf directory
**please create a backup copy of this certificate and store it in a safe location

2) Convert the root CA to DER format

- Double click on your certificate stored in the \IDM3\JBoss\server\IDMProv\conf directory
- This will open a pop-up Certificate dialog screen
- Click on the Certificate Path tab
- Highlight the root certificate (the certificate issued by the signing authority, for example Entrust, VeriSign etc.)
- Click on View Certificate; this will open a new Certificate dialog for the root certificate
- Click on the Details tab
- Click "Copy to File"; this will open the Export Certificate Wizard
- Click Next when the Export Certificate Wizard opens
- Select "DER encoded binary for X.509 (.CER)" and click Next
- Create a new file to store the newly formatted certificate and store it in your \IDM3\JBoss\Server\conf
- Click "Finish"

3) Convert the "Signed" certificate into DER format

- Double click on your certificate stored in the \IDM3\JBoss\server\IDMProv\conf directory
- This will open a pop-up Certificate dialog screen
- Click on the "Details" tab
- Click "Copy to File"; this will open the Export Certificate Wizard
- Click Next when the Export Certificate Wizard opens
- Select "DER encoded binary for X.509 (.CER)" and click Next
- Create a new file to store the newly formatted certificate and store it in your \IDM3\JBoss\Server\conf
- Click "Finish"

4) Open a command prompt and cd to your \IDM3\JBoss\server\IDMProv\conf directory

5) Import your root CA
C:\IDM3\jboss\server\IDMProv\conf>keytool -import -trustcacerts -alias root -keystore your.keystore -file yourRootCA.cer

**please make sure you specify "root" as your alias in this step

If the root certificate is not already in the JDK's cacerts file, keytool prints its fingerprint and asks whether to trust it; compare that fingerprint against the one published by your CA before answering yes.

If all goes well you should see a "Certificate was added to keystore" message

6) Import your "Signed" certificate
C:\IDM3\jboss\server\IDMProv\conf>keytool -import -alias [alias you used when creating the .csr] -keystore [your.keystore] -file [your DER converted Signed Cert.cer]

The alias must match the key entry you created in step 1; with a different alias keytool adds the file as a separate trusted certificate entry instead of installing it as the reply for your key.

If all goes well you should receive "Certificate reply was installed in keystore"

7) To verify the signed certificate was imported correctly, run the following command in a command prompt from your \IDM3\JBoss\server\IDMProv\conf directory (here the alias is idm and the keystore is idm.keystore; substitute the values you used):

C:\IDM3\jboss\server\IDMProv\conf>keytool -list -v -alias idm -keystore idm.keystore

You should see both your self-signed and your signed certificates listed in the output.
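As an added check for this step (an example script, not part of the article or of the IDM product): it parses the output of keytool -list -v and confirms that the alias is a key entry whose chain is longer than the original self-signed certificate, that the certificate CN matches the server name supplied in step 1, that each certificate in the chain is issued by the next, and that a trusted entry exists under the alias root. The listing, the alias idm and all names in it are constructed.

```python
import re
# Constructed sample of "keytool -list -v" output (not captured from a real
# server); alias "idm" follows the article, the names are made up.
SAMPLE_LISTING = """\
Alias name: idm
Entry type: keyEntry
Certificate chain length: 2
Owner: CN=MyJBossServer.Novell.com, OU=IDM, O=Example, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def parse_listing(text):  # alias -> {"type": entry type, "certs": [{"owner", "issuer"}, ...]}
    entries, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            cur = entries.setdefault(line[11:].strip(), {"type": "", "certs": []})
        elif cur and line.startswith("Entry type:"):
            cur["type"] = line[11:].strip()
        elif cur and line.startswith("Owner:"):
            cur["certs"].append({"owner": line[6:].strip(), "issuer": ""})
        elif cur and line.startswith("Issuer:"):
            cur["certs"][-1]["issuer"] = line[7:].strip()
    return entries

def check_keystore(text, alias, expected_fqdn):  # an empty list means the import looks right
    entries, problems = parse_listing(text), []
    entry = entries.get(alias)
    if entry is None:
        return ["alias %r not found in keystore" % alias]
    if "key" not in entry["type"].lower():          # keyEntry / PrivateKeyEntry
        problems.append("alias %r is not a private key entry" % alias)
    chain = entry["certs"]
    if len(chain) < 2:                              # only the self-signed cert is there
        problems.append("chain length %d: certificate reply not installed" % len(chain))
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", chain[0]["owner"]) if chain else None
    cn = m.group(1).strip() if m else ""
    if cn.lower() != expected_fqdn.lower():         # the "first and last name" from step 1
        problems.append("CN %r does not match server name %r" % (cn, expected_fqdn))
    for child, parent in zip(chain, chain[1:]):     # each cert must be issued by the next
        if child["issuer"] != parent["owner"]:
            problems.append("break in chain after %r" % child["owner"])
    if "trusted" not in entries.get("root", {"type": ""})["type"].lower():
        problems.append("no trustedCertEntry under alias 'root' (step 5)")
    return problems
```

Pipe the real listing into check_keystore with your own alias and server name; any message it returns points at the step that needs to be repeated.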


8) Enable SSL in JBoss

- Locate the jbossweb-tomcat55.sar file under [IDM]\jboss\server\IDM\deploy.
- In it, find server.xml and open that file in a text editor.
- Enable SSL by uncommenting or adding the following section:

    <Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/spitfire/conf/jboss.jks"
           keystorePass="changeit" sslProtocol="TLS" />

**Note 1: Remember to point "keystoreFile" to the keystore you created, for example: ${jboss.server.home.dir}/conf/server.keystore

**Note 2: Remember to change keystorePass="changeit" to your keystore password. The password is stored in clear text in server.xml, so restrict read access to server.xml and to the keystore file to the account that runs JBoss.

**Note 3: With the version of JBoss (4.2.0) packaged with IDM 3.5.1, you need to add SSLEnabled="true" protocol="HTTP/1.1" (see below)

    <Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true" SSLEnabled="true" protocol="HTTP/1.1"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/cacerts"
           keystorePass="changeit" sslProtocol="TLS" />


9) Restart your JBoss Server and test

When restarting the JBoss Server you should see the server running on ports 8082 and 8443:

16:35:51,062 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8082
16:35:51,343 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
16:35:51,359 INFO [JkMain] Jk running ID=0 time=0/156 config=null
16:35:51,375 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
16:35:51,390 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build: CVSTag=JBoss_4_0_2 date=200505022023)] Started in 1m:32s:94ms


Status

Top Issue