I am attempting to get SSL set up in JBoss Application Server 7. I want http and https so I added:
<connector name="https" scheme="https" protocol="HTTP/1.1" secure ="true" socket- binding="https"/>
I created a jsse element as directed by https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration
Where do I put this jsse element in standalone.xml and how do I tie it to the https connector?
Okay, I figured it out after searching for "Jboss 7" and https together. http://community.jboss.org/message/625454
and
http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html were helpful resources.
A jsse element is not necessary in this case, all I needed to do was add
<ssl key-alias="<alias>" password="<password>" certificate-key-file="<path>" verify-client="true" ca-certificate-file="<path>"/>
Although there is a bug, https://issues.jboss.org/browse/AS7-1680, in which the value of ca-certificate-file is ignored. I order to get client authentication the truststore has to be passed a different way, either through standalone.conf or
<system-properties>
<property name="javax.net.ssl.trustStore" value="<path to truststore file>"/>
</system-properties>
Related
I would like to know the correct way of configuring the SSL protocol on wildfly.
On looking at examples, I found two different ways of doing so. I want to know which one is the proper way of doing it -
Adding it in the protocol section as below:
<security-realm name="sslRealm">
<server-identities>
<ssl protocol="TLSv1.2">
Or adding it in the https listener as below :
<https-listener name="https" socket-binding="https" security-
realm="sslRealm" enabled-protocols="TLSv1.2"/>
I'm using wildfly-8.2.0.Final.
Configuration options shown here apply also to Wildfly 9 and 10
The correct way is using both of them. They are intimately related, see below how.
<https-listener ..>
The Wildfly Undertow subsystem support enabled-protocols attribute, which is a comma separated list of protocols to be supported. For example:
enabled-protocols="TLSv1.1,TLSv1.2"
With just TLSv1.2, many vulnerabilities are plugged. However, by default, Wildfly support all versions of TLS (v1.0, v1.1 and v1.2) even though versions below 1.2 are considered weak.
<server-identities />
Here, basically, you can choose one of the previously enabled protocols.
<security-realm name="sslRealm">
<server-identities>
<ssl protocol="TLSv1.2">
The protocol attribute by default is set to TLS and in general does not need to be set.
Note that without any change in the default configuration, you get a https server that supports TLSv1.0, TLSv1.1 and TLSv1.2.
For checking the effects of those configurations, use this:
nmap --script ssl-enum-ciphers -p 8443 <your wildfly IP>
I have Spring MVC App running on JBoss AS 7.1.1. I need to turn off SSLv3 to protect against Poodle vulnerability. JBoss documentation at https://access.redhat.com/solutions/1232233 suggests I need to make sure that SSLv3 is not listed in the SSL Protocol attributes.
I have tried that but I can still connect to my website after only enabling SSL in Internet explorer options displayed below. Below is my standalone.xml configuration:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1"/>
</connector>
Can someone suggest what I'm missing here?
I finally figured a way to fix it. If you change 'protocol' to 'protocols' in the above mentioned configuration and make sure sslv3 is not in the protocol list then it disables SSLv3.
Notice the protocols attribute in the config below
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>
After making this change, if you open IE and disable all other protocols except SSL 3.0 - and then try to access the web page, you should not be able see the web page.
More details available here: http://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/
I'm trying to configure client authentication for my application running on JBoss. Expected result is that application requests user for certificate and if trusted one is provided, he will be able to work with application.
I've generated certificate and added one into trustore (JBoss.keystore) and also configured standalone.xml file as follow:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
<ssl name="ssl" key-alias="ssl alias" password="password" certificate-key-file="..\standalone\configuration\JBoss.keystore" protocol="TLSv1.2" verify-client="true"/>
<virtual-server name="my-host" />
</connector>
I thought that setting secure property true will do the trick, but browser does not ask for user certificate, but immediately returns error ERR_BAD_SSL_CLIENT_AUTH_CERT. Browser is configured to ask for certificate each time, if required.
How to change server configuration into expected behavior?
I have found an answer. The solution was to import CA certificate that signed client certificate into truststore, instead of importing client certificate itself.
After importing CA certificate, each certificate that was signed by CA and imported into browser is displayed to be chosen from.
I have a simple HTTPS connector configured on my JBoss EAP 6.1 server for SSL connections to a bunch of RESTful web services I am working on. I am not sure if JBoss EAP 6.1 comes with TLS 1.2 (or SSL 3.2, since I believe TLS is really just later versions of SSL), but I want to use that version of TLS or later.
What is the default SSL version of JBoss EAP 6.1 , if my standalone.xml file tags that handle this connector look like this? :
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="https" key-alias="localhost" password="something" certificate-key-file="${jboss.server.config.dir}/localhost.jks"/>
</connector>
There is no SSL version information given in the standalone.xml entry above, as you can see, so I've no idea.
I have read on the JBoss community web site that you can add something like sslProtocol="TLS" in the tag, and protocol="TLSv2" in the tag, but is that really all there is to it?
i.e.
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" sslProtocol="TLS">
<ssl name="https" key-alias="localhost" password="something" certificate-key-file="${jboss.server.config.dir}/localhost.jks" protocol="TLSv2" />
</connector>
Will the above work, and if so, how can I tell?
According to redhat documentation for EAP 6.1
protocol
The version of the SSL protocol to use. Supported values include SLv2, SSLv3, >TLSv1, SSLv2+SSLv3, and ALL. The default is ALL
Adding sslProtocol="TLS" and protocol="TLSv2" should work fine. Not to sound condescending, but the easiest way to see if it works is by testing it.
If this question did get moved to another SE site could you please provide the link?
Note: I will be answering my own question... just wanted to add this tidbit to the collective wisdom of The Internets.
I've successfully configured certificate authentication on my JBoss 5.1.0.GA server, largely with the help of the information on this page: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
I have one context (let's call it /openContext) that doesn't require any authentication, and another context (let's call it /securedContext) that requires client certificate authentication (i.e., it's configured to use CLIENT-CERT in web.xml). When using JBoss's default web connector, this works splendidly. I can hit http://myhost/openContext and I'm not prompted for a certificate, but when I hit http://myhost/securedContext, I'm prompted for a client certificate as I'd expect.
However, when I install JBossWeb Native and use APR as my web connector, I'm no longer prompted for a certificate when I hit http://myhost/securedContext.
My APR connector config in server.xml looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
/>
I've also tried adding the SSLVerifyClient parameter to that configuration and setting it to optional, but that prompts for a certificate in both /openContext and /securedContext, which isn't the behavior I want.
How can I get JBoss with APR to require certificate authentication for one web context, but not another web context?
What worked for me was to just add a whole new web connector, and have clients use that alternate port for the secured web context. My connectors config now looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
/>
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="true"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
SSLVerifyClient="require"
/>
Now, if I hit http://myhost:8443/openContext, I'm not prompted for a certificate, but when I hit http://myhost:8543/securedContext, I am prompted for a certificate. Of course, I can still access either web app with the "wrong" port, but the consequences are negligible for my purposes. If a client hits http://myhost:8443/securedContext, they simply get an HTTP authentication error. If a client hits http://myhost:8543/openContext, they're prompted for a client certificate. If they provide one, great (though I don't care who you are), and if they don't provide one or provide an invalid one, they get an HTTP auth error (they should have used the correct port in the first place).
I'm pretty sure there's an alternative way to get this working without requiring a second connector by putting httpd in front of JBoss and doing some clever configuration there, but this worked well enough for my purposes.