I have a problem with Jboss SSL connection. When I try to connect to the JBOSS by using changing client's windows host file (192.168.80.115 zimbrax.com) with my browser, I cant access. I am getting "Unable to connect" error. But when I try to connect on the server by using 127.0.0.1 zimbrax.com so I can access.
There is no firewall or other tool between my client and jboss server.
Below is my SSL configurations. (by the way there is no same problem with http:// but only https://)
server.xml :
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="D:\jboss-5.1.0.GA\server\zimbrax\conf\zimbrax.com.jks"
keystorePass="6v4xse32a096be4x" useBodyEncodingForURI="true" sslProtocol = "TLS" />
binding-jboss-beans.xml
<!-- For services like those listed above that need to know the
port of the HTTPS connector -->
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
<property name="serviceName">jboss.web:service=WebServer</property>
<property name="bindingName">HttpsConnector</property>
<property name="port">443</property>
<property name="description">JBoss Web HTTPS connector socket</property>
</bean>
<xsl:variable name="portHttps" select="443"/>
<xsl:when test="(name() = 'port' and . = '443')">
<xsl:attribute name="port"><xsl:value-of select="$portHttps" /></xsl:attribute>
</xsl:when>
and this is my jboss startup :
d:
cd D:\JBoss-5.1.0.GA\bin
run.bat -b 0.0.0.0 -c zimbrax -Djavax.net.ssl.keyStore="D:/jboss-5.1.0.GA/server/zimbrax/conf/zimbrax.com.jks"
where should I check?
Could you please help me?
Are you saying it works over http ? What url do you use for that ?
Please try https://ipaddress/ and let us know what you find.
Related
I am trying to configure ssl into my web app. Generated the .jks file from .cer file using java keytool and configured it in server.xml
But Tomcat refuses to start in port 443 or port 8443 after this configuration.
server.xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
and
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
URL used in browser:
https://10.111.77.66/MY-APP
and https://10.111.77.66:8443/MY-APP
Both URL not working.
Error message in Browser:
This site can’t provide a secure connection
10.111.77.66 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Before SSL configuration, Application was running fine in port 8082. ( http://10.111.77.66:8082/MY-APP )
What is wrong here? Stuck up badly. Please help.
Server is Linux.
Tomcat Logs:
java.net.SocketException: Permission denied
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
We have a Local Service Fabric Cluster running. We are using Windows Security to control who can administer the cluster.
When connecting to the Gateway Endpoint to use the configuration manager, we are currently connecting over HTTP, but we'd like to connect over HTTPS.
We have added an SSL Certificate that we use for connecting to the reverse proxy, and we'd like to use that same certificate to connect to the Gateway Endpoint.
I can see in the generated config on the cluster that the HttpApplicationGatewayEndpoint port is using https, which I think turned on because I set the "ReverseProxyCertificate" setting.
<NodeType Name="NodeType0">
<Endpoints>
<ClientConnectionEndpoint Port="19000" />
<LeaseDriverEndpoint Port="19002" />
<ClusterConnectionEndpoint Port="19001" />
<HttpGatewayEndpoint Port="19080" Protocol="http" />
<HttpApplicationGatewayEndpoint Port="19081" Protocol="https" />
<ServiceConnectionEndpoint Port="19003" />
<ApplicationEndpoints StartPort="20001" EndPort="20031" />
<EphemeralEndpoints StartPort="49152" EndPort="65535" />
</Endpoints>
<PlacementProperties>
<Property Name="NodeTypeName" Value="NodeType0" />
</PlacementProperties>
</NodeType>
How can I make the HttpGatewayEndpoint have Protocol="https" instead of "http"?
I have Spring MVC App running on JBoss AS 7.1.1. I need to turn off SSLv3 to protect against Poodle vulnerability. JBoss documentation at https://access.redhat.com/solutions/1232233 suggests I need to make sure that SSLv3 is not listed in the SSL Protocol attributes.
I have tried that but I can still connect to my website after only enabling SSL in Internet explorer options displayed below. Below is my standalone.xml configuration:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1"/>
</connector>
Can someone suggest what I'm missing here?
I finally figured a way to fix it. If you change 'protocol' to 'protocols' in the above mentioned configuration and make sure sslv3 is not in the protocol list then it disables SSLv3.
Notice the protocols attribute in the config below
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>
After making this change, if you open IE and disable all other protocols except SSL 3.0 - and then try to access the web page, you should not be able see the web page.
More details available here: http://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/
I want to configure CAS server 4.0 with ApacheDS LDAP. I followed the bellow steps:
1- Based on this Link I modify the deployerConfigContext.xml file. The following beans added to this file:
<bean id="ldapAuthenticationHandler"
class="org.jasig.cas.authentication.LdapAuthenticationHandler"
p:principalIdAttribute="uid"
c:authenticator-ref="authenticator">
<property name="principalAttributeMap">
<map>
<!--
| This map provides a simple attribute resolution mechanism.
| Keys are LDAP attribute names, values are CAS attribute names.
| Use this facility instead of a PrincipalResolver if LDAP is
| the only attribute source.
-->
<entry key="member" value="member" />
<entry key="mail" value="mail" />
<entry key="displayName" value="displayName" />
</map>
</property>
</bean>
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
c:resolver-ref="dnResolver"
c:handler-ref="authHandler" />
<!--
| The following DN format works for many directories, but may need to be
| customized.
-->
<bean id="dnResolver"
class="org.ldaptive.auth.FormatDnResolver"
c:format="uid=%s,${ldap.baseDn}" />
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
p:connectionFactory-ref="pooledLdapConnectionFactory" />
<bean id="pooledLdapConnectionFactory"
class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="connectionPool" />
<bean id="connectionPool"
class="org.ldaptive.pool.BlockingConnectionPool"
init-method="initialize"
p:poolConfig-ref="ldapPoolConfig"
p:blockWaitTime="${ldap.pool.blockWaitTime}"
p:validator-ref="searchValidator"
p:pruneStrategy-ref="pruneStrategy"
p:connectionFactory-ref="connectionFactory" />
<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="${ldap.pool.minSize}"
p:maxPoolSize="${ldap.pool.maxSize}"
p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
p:validatePeriodically="${ldap.pool.validatePeriodically}"
p:validatePeriod="${ldap.pool.validatePeriod}" />
<bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="connectionConfig" />
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
p:ldapUrl="${ldap.url}"
p:connectTimeout="${ldap.connectTimeout}"
p:useStartTLS="${ldap.useStartTLS}"
p:sslConfig-ref="sslConfig" />
<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean class="org.ldaptive.ssl.X509CredentialConfig"
p:trustCertificates="${ldap.trustedCert}" />
</property>
</bean>
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriod="${ldap.pool.prunePeriod}"
p:idleTime="${ldap.pool.idleTime}" />
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
Also the bellow properties added to the cas.properties:
#========================================
# General properties
#========================================
ldap.url=ldaps://localhost:10636
# LDAP connection timeout in milliseconds
ldap.connectTimeout=30000
# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=true
#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000
# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=3000
# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=3000
# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=6000
#========================================
# Authentication
#========================================
ldap.baseDn=dc=example,dc=com
# Base DN of users to be authenticated
ldap.authn.baseDn=dc=example,dc=com
# Manager DN for authenticated searches
ldap.authn.managerDN=uid=admin,ou=system
# Manager password for authenticated searches
ldap.authn.managerPassword=secret
# Search filter used for configurations that require searching for DNs
#ldap.authn.searchFilter=(&(uid={user})(accountState=active))
ldap.authn.searchFilter=(uid={0})
# Search filter used for configurations that require searching for DNs
#ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
ldap.authn.format=uid=%s,ou=system
ldap.trustedCert=file:/D:/ApacheDS.cer
Also I used InstallCert to add the port of localhosr:8443 (tomcat) and localhost:10636 (ApacheDS) to the cacers file. And with Portecle export the ApacheDS.cer from ApacheDs certification from cacers.
My server.xml file of tomcat modified as bellow:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="50" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:/Program Files/Java/jdk1.7.0_60/jre/lib/security/cacerts"
keystorePass="changeit"
/>
Also the following Jars add to the apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\WEB-INF\lib :
cas-server-support-ldap-4.0.0.jar
spring-ldap-core-2.0.2.RELEASE.jar
spring-ldap-1.2.1.jar
ldaptive-1.0.5.jar
Finally! After lots of struggling tries I get the bellow error:
Caused by: java.lang.IllegalStateException: Could not initialize pool size
at org.ldaptive.pool.AbstractConnectionPool.initialize(AbstractConnectionPool.java:258)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1638)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1579)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1509)
... 70 more
Caused by: [org.ldaptive.provider.ConnectionException#3778440::resultCode=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, providerException=javax.naming.ServiceUnavailableException: localhost:10636; socket closed]
at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:95)
at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:37)
at org.ldaptive.provider.AbstractProviderConnectionFactory.create(AbstractProviderConnectionFactory.java:99)
at org.ldaptive.DefaultConnectionFactory$DefaultConnection.open(DefaultConnectionFactory.java:295)
at org.ldaptive.pool.AbstractConnectionPool.createConnection(AbstractConnectionPool.java:482)
at org.ldaptive.pool.AbstractConnectionPool.createAvailableConnection(AbstractConnectionPool.java:523)
at org.ldaptive.pool.AbstractConnectionPool.grow(AbstractConnectionPool.java:363)
at org.ldaptive.pool.AbstractConnectionPool.initialize(AbstractConnectionPool.java:252)
... 77 more
Caused by: javax.naming.ServiceUnavailableException: localhost:10636; socket closed
at com.sun.jndi.ldap.Connection.readReply(Connection.java:454)
at com.sun.jndi.ldap.LdapClient.extendedOp(LdapClient.java:1202)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3206)
at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:183)
at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.startTLS(JndiStartTLSConnectionFactory.java:134)
at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:92)
... 84 more
Could you possibly help me to solve this issue! I really don't know the main reason of my problem?
I don`t know is it late to answer or not, but to day I had same problem and after reading the ldaptive project source, I found the answer as below:
just add the p:failFastInitialize="false" parameter to your connectionPool bean just like
<bean id="connectionPool"
class="org.ldaptive.pool.BlockingConnectionPool"
init-method="initialize"
p:poolConfig-ref="ldapPoolConfig"
p:blockWaitTime="${ldap.pool.blockWaitTime}"
p:validator-ref="searchValidator"
p:pruneStrategy-ref="pruneStrategy"
p:connectionFactory-ref="connectionFactory" p:failFastInitialize="false" />
Finally I can find the solution! Listed bellow are the steps that help you to connect to AacheDS through CAS server 4.
Download cas-server-4.0.0-release.zip
Download Tomcat 8 and run it
Extract the cas-server-4.0.0-release.zip and copy cas-server-webapp-4.0.0.war into apache-tomcat-8.0.8\webapps of your tomcat. Wait till Tomcat extract the War file and make cas-server-webapp-4.0.0
Stop Tomcat Server
Go to conf folder of your Tomcat and edit the server.xml file. You should uncomment the HTTPS part of this file.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:/Program Files/Java/jdk1.7.0_60/jre/lib/security/cacerts"
keystorePass="changeit"
/>
As you can see , the certification of HTTPS Tomcat should be added to the cacerts file. You can check the following link to do this:
A Simple Step-By-Step Guide To Apache Tomcat SSL Configuration
Go to the apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\WEB-INF and replace deployerConfigContext.xml content with the following:
Go to my Blog to copy the content of file
Go to the apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\META-INF\maven\org.jasig.cas\cas-server-webapp and add the following to the pom.xml:
Add the following jar files into apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\WEB-INF\lib
cas-server-support-ldap-4.0.0.jar
spring-ldap-core-2.0.2.RELEASE.jar
spring-ldap-1.2.1.jar
ldaptive-1.0.5.jar
Run ApacheDS
Connect to your ApacheDS with Apache Directory Studio and create a user in dc=example,dc=com
Start Tomcat
Go to the http://localhost:8080/cas-server-webapp-4.0.0/login
Type username and password that you made in the Apache Directory Studio. You can login to CAS with ldap user now!
I'm using successfully Moghadam's solution above, but I had to make a small adjustment in deployerConfigContext.xml:
<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" >
<constructor-arg ref="authenticator" />
<property name="principalAttributeMap">
<map>
<entry key="mail" value="mail" />
<entry key="cn" value="cn" />
</map>
</property>
</bean>
Please notice I removed the p:principalIdAttribute="uid" property.
I am attempting to get SSL set up in JBoss Application Server 7. I want http and https so I added:
<connector name="https" scheme="https" protocol="HTTP/1.1" secure ="true" socket- binding="https"/>
I created a jsse element as directed by https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration
Where do I put this jsse element in standalone.xml and how do I tie it to the https connector?
Okay, I figured it out after searching for "Jboss 7" and https together. http://community.jboss.org/message/625454
and
http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html were helpful resources.
A jsse element is not necessary in this case, all I needed to do was add
<ssl key-alias="<alias>" password="<password>" certificate-key-file="<path>" verify-client="true" ca-certificate-file="<path>"/>
Although there is a bug, https://issues.jboss.org/browse/AS7-1680, in which the value of ca-certificate-file is ignored. I order to get client authentication the truststore has to be passed a different way, either through standalone.conf or
<system-properties>
<property name="javax.net.ssl.trustStore" value="<path to truststore file>"/>
</system-properties>