Thursday, July 1, 2010

Getting Flex and JBoss to use SSL

I have spent the last 7 or so hours at work trying to configure our Flex client to connect to our JBoss 4.2.3 server using SSL.

Now that I have figured it out, here are the steps to make it work. The assumption is that you have JBoss 4.2.3 installed and can reach a web app on port 8080 over plain old http.

Types of SSL
JBoss 4.2.3 (through its embedded Tomcat 6) supports two SSL implementations:
Java Secure Socket Extension (JSSE), the pure-Java TLS stack that ships with the JRE.
Apache Portable Runtime (APR), the Tomcat native library, which hands TLS to OpenSSL.

JBoss 4.2.3 ships configured for APR out of the box. You can verify this in server.xml, found at {jboss}/server/default/deploy/jboss-web.deployer/server.xml: the Listener tag for the AprLifecycleListener at the very top of the file has SSLEngine="on". One caveat: the APR connector is only used when the Tomcat native library (tcnative, built against OpenSSL) is on the JVM's library path. If it is missing, Tomcat logs at startup that the native library was not found and silently falls back to the JSSE connector, and the APR-specific SSL attributes below are then ignored. Below are the instructions for both APR and JSSE.



APR SSL Setup Instructions
Generating a Private Key and Certificate
In order for all this SSL craziness to work you need a private key and a certificate, both produced with the OpenSSL command line tool. Everything can be generated locally, but in production the certificate is normally issued by a Certificate Authority so that clients trust it without a warning. The following instructions create a self-signed certificate. The private key and certificate will be kept in the /server/default/conf directory.

1. Open a command line tool and navigate to /server/default/conf
2. Generate a private key: openssl genrsa -des3 -out server.key 2048 (2048 bits; 1024-bit RSA is no longer considered adequate). -des3 encrypts the key with a passphrase, which the APR connector must then be given through its SSLPassword attribute in server.xml. For a server that has to start unattended it is more common to drop -des3 and protect the file with permissions instead (chmod 600 server.key).
3. Generate a certificate request: openssl req -new -key server.key -out server.csr. When asked for the Common Name, enter the host name clients will put in the https URL (for example localhost during development); a mismatch makes browsers, and therefore the Flex client, reject the certificate.
4. Generate a self-signed certificate: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
5. Voila, you now have a private key (server.key) and a certificate (server.crt) in the conf directory.

Configuring JBoss For SSL
The {jboss}/server/default/deploy/jboss-web.deployer/server.xml file now needs an https Connector that gives the port and the locations of the certificate and private key files. APR reads the PEM files directly; there is no keystore on this path.

1. Open {jboss}/server/default/deploy/jboss-web.deployer/server.xml in your favourite text editor.
2. By default the Connector for https is commented out (search for 8443 to find it).
3. Add a new Connector to the file:
<Connector port="8443" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    SSLCertificateFile="${jboss.server.home.dir}/conf/server.crt"
    SSLCertificateKeyFile="${jboss.server.home.dir}/conf/server.key"
    SSLVerifyClient="none" SSLProtocol="TLSv1" />
<!-- The APR connector has its own attribute names. The JSSE names clientAuth and
     sslProtocol are ignored here, which would leave SSLProtocol at its default
     of "all" (SSLv2 and SSLv3 included). If server.key is passphrase-protected,
     add SSLPassword="..." so JBoss can start without prompting for it. -->

4. Change the port if you like, and point SSLCertificateFile and SSLCertificateKeyFile at wherever your certificate and key actually live.
5. Save the file.


JSSE SSL Setup Instructions
Generating a KeyStore
In order for all this SSL craziness to work you need a keystore for your server, created with the Java keytool executable that ships with the JDK. The keystore will be kept in the /server/default/conf directory.

1. Open a command line tool and navigate to /server/default/conf
2. Execute keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore server.keystore (without -keysize, older keytool versions default to a 1024-bit key)
3. Enter a password when prompted. This walkthrough uses '123456'; choose something else for a real server, and remember that the password ends up in clear text in server.xml, so keep that file and the keystore readable only by the account JBoss runs as.
4. You will also be prompted for your name, organizational unit, organization, city, state and country. The "first and last name" prompt is the certificate's Common Name and must be the host name clients will use in the https URL (for example localhost); enter the appropriate values for the rest.
5. When prompted for the key password, just hit enter to make it the same as the keystore password.
6. Voila, you now have a key and a self-signed certificate in the conf directory, in a keystore called server.keystore
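The two generation procedures above (the OpenSSL key and certificate for APR, and a keystore for JSSE) as one script. This is an added example, not code from the original post. It assumes a POSIX shell and the openssl command line tool; the working directory, the Common Name localhost and the password changeit are placeholders. Instead of keytool it packages the OpenSSL key and certificate as a PKCS12 keystore, which Tomcat's JSSE connector accepts with keystoreType="PKCS12", so a single key pair serves both connectors, and it checks that the key and certificate actually belong together before anything is copied into conf.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell and the
# openssl CLI; directory, Common Name and password are placeholders.

# gen_self_signed DIR CN DAYS: writes DIR/server.key, DIR/server.csr and
# DIR/server.crt. The key is 2048-bit RSA with no passphrase, so it is created
# owner-readable only (the APR connector would otherwise need SSLPassword in
# server.xml). CN must be the host name clients use in the https:// URL, or
# browsers and the Flex client reject the certificate.
gen_self_signed() {
    dir=$1; cn=$2; days=$3
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=Example/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# key_matches_cert KEY CRT: succeeds only if CRT's public key came from KEY
# (same RSA modulus in both). Catches the classic mix-up of pointing
# server.xml at a certificate that was issued for a different key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_fingerprint CRT: SHA-256 fingerprint, the value to compare against what
# the browser shows when it asks you to accept the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# make_pkcs12 KEY CRT OUT PASS: bundle the pair as a PKCS12 keystore. The JSSE
# connector loads it with keystoreFile="OUT" keystoreType="PKCS12"
# keystorePass="PASS"; the alias is "tomcat", as on the keytool route.
make_pkcs12() {
    openssl pkcs12 -export -in "$2" -inkey "$1" -name tomcat \
        -out "$3" -passout "pass:$4" 2>/dev/null
}

# pkcs12_subject P12 PASS: subject of the certificate inside the keystore, a
# cheap check that the right certificate (and CN) was bundled.
pkcs12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Stand-alone demo in a throwaway directory; for a real server run the same
# steps in {jboss}/server/default/conf with the real host name and password.
work=$(mktemp -d)
gen_self_signed "$work" localhost 365 || { echo "generation failed" >&2; exit 1; }
key_matches_cert "$work/server.key" "$work/server.crt" && echo "key and certificate match"
echo "fingerprint: $(cert_fingerprint "$work/server.crt")"
make_pkcs12 "$work/server.key" "$work/server.crt" "$work/server.p12" changeit
echo "keystore holds: $(pkcs12_subject "$work/server.p12" changeit)"
rm -rf "$work"
```

On the JSSE side the connector then reads keystoreFile="${jboss.server.home.dir}/conf/server.p12" keystoreType="PKCS12" keystorePass="changeit". One caveat: OpenSSL 3 encrypts PKCS12 files with AES and PBKDF2 by default, which JREs of the JBoss 4.2 era cannot read; on such a JVM add -legacy to the pkcs12 -export command or stick with keytool.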

Configuring JBoss For SSL
The {jboss}/server/default/deploy/jboss-web.deployer/server.xml file now needs an https Connector that gives the port, the keystore location and the keystore password. To use JSSE rather than APR, set the Connector's protocol attribute to org.apache.coyote.http11.Http11Protocol, the pure-Java HTTP/1.1 connector; this bypasses the APR/OpenSSL SSL engine even when the native library is loaded.

1. Open {jboss}/server/default/deploy/jboss-web.deployer/server.xml in your favourite text editor.
2. By default the Connector for https is commented out (search for 8443 to find it).
3. Add a new Connector to the file:
<Connector port="8443" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="123456" clientAuth="false" sslProtocol="TLS" />
<!-- keystorePass is stored here in clear text: keep server.xml and the keystore
     readable only by the account JBoss runs as. -->

4. Change the port if you like, and update keystoreFile and keystorePass to match the keystore you created.
5. Save the file.




Verify Results for Either SSL
Now that you have created the key material and added a new connector, JBoss should start without errors (if it does not, the startup log names the connector and the file it could not load). To verify, go to https://{server name}:{port}/{webapp}. Because the certificate is self-signed the browser will warn and ask you to accept it; once you accept, the page should load. With a CA-issued certificate there is no prompt.
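A command-line check of the running listener, added here as an example and not part of the original post. It assumes a POSIX shell and the openssl CLI; the host, port and certificate path are placeholders. Besides confirming that a TLS handshake completes, it compares the SHA-256 fingerprint of the certificate the server actually presents with the file you configured, which catches a connector that is still serving a stale or default certificate. So that it can be run without a JBoss at hand, the demo at the bottom stands in for JBoss with openssl s_server on a loopback port.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell and
# the openssl CLI; host, port and certificate path are placeholders.

# served_cert_fingerprint HOST PORT: SHA-256 fingerprint of the certificate
# the listener presents, or an empty string if no TLS handshake completes
# (port closed, plain-http connector, SSLEnabled="false", ...).
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# local_cert_fingerprint CRT: fingerprint of the file named in server.xml
# (for a JSSE keystore, export the certificate first with keytool -exportcert -rfc).
local_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_served_cert HOST PORT CRT: 0 only when HOST:PORT speaks TLS and
# serves exactly CRT.
check_served_cert() {
    served=$(served_cert_fingerprint "$1" "$2")
    if [ -z "$served" ]; then
        echo "no TLS handshake with $1:$2" >&2; return 1
    fi
    if [ "$served" != "$(local_cert_fingerprint "$3")" ]; then
        echo "$1:$2 serves a different certificate than $3" >&2; return 1
    fi
    echo "$1:$2 serves $3 ($served)"
}

# demo_with_local_server PORT: stand in for JBoss with openssl s_server on
# 127.0.0.1:PORT serving a throwaway self-signed certificate, then run the
# check against it. Returns the check's status.
demo_with_local_server() {
    port=$1
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$d/demo.key" -out "$d/demo.crt" 2>/dev/null
    openssl s_server -accept "$port" -cert "$d/demo.crt" -key "$d/demo.key" -www \
        >/dev/null 2>&1 &
    srv=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do   # give the listener up to ~10 s to come up
        [ -n "$(served_cert_fingerprint 127.0.0.1 "$port")" ] && break
        sleep 1
    done
    if check_served_cert 127.0.0.1 "$port" "$d/demo.crt"; then rc=0; else rc=1; fi
    kill "$srv" 2>/dev/null
    rm -rf "$d"
    return $rc
}

# Against the real server: check_served_cert myhost 8443 /path/to/server.crt
demo_with_local_server 18443
```

Against JBoss, run check_served_cert with the host name from the Flex endpoint URL, the connector's port and the server.crt you installed; an empty fingerprint usually means the connector did not start or SSLEnabled is off, while a mismatch means server.xml points at a different file than you think.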

Here are four very helpful sources: Steps for Building A Hello World Web App, Apache Tomcat SSL How To, JBoss Community SSL Config, and How To Create a Self Signed Certificate

Updating the Flex Client
We use Granite and Gravity (GraniteDS) for transferring objects between the Flex client and the JBoss server. All you need to do is update Granite's services-config.xml file.

Locate the channel-definition tags, switch them to the secure channel classes, and change the endpoint URL to https on the SSL connector's port. The host name in the URL must match the certificate's Common Name. Flash Player in the browser relies on the browser for HTTPS, so the browser must already trust (or have accepted) the certificate: open the https URL in the browser once before loading the Flex app.
<channel-definition id="myApp-graniteamf" class="mx.messaging.channels.SecureAMFChannel">
    <!-- host name must match the certificate's CN; port is the SSL connector's port -->
    <endpoint uri="https://localhost:8443/myApp/graniteamf/amf"
        class="flex.messaging.endpoints.SecureAMFEndpoint" />
</channel-definition>

2 comments:

  1. I absolutely love your blog and find a lot of your posts to be exactly what I’m looking for. Can you offer guest writers to write content to suit your needs? I wouldn’t mind writing a post or elaborating on a few of the subjects you write about here. Again, awesome weblog! web design tips

  2. This post is totally unrelated to what I was looking on Google for; however, it was indexed on the first page. I guess you’re doing something right if Google likes you enough to place you on the first page of an unrelated search. top web design agencies
