Creating the Keystore

Creating a keystore to store certificates that JBoss can use.

keytool -genkey -alias $MYDOMAIN -keyalg RSA ↵
-keystore my.keystore

You will be asked for a password to this keystore, just set any password you like. Furthermore you will need to enter some more information, just enter whatever you like – you only need these values to be correct if you are going to sign the certificate at your Certificate Authority.

Creating a Certificate Request

Then we need to create a Certificate Request.

keytool -certreq -keystore my.keystore ↵
-alias $MYDOMAIN -file myserver.csr

Normally you would want to send this Certificate Request to your Certificate Authority to sign it. That way browsers would accept your certificate without complaining. But we only need this certificate for our local development machine, so don’t worry about a security exception. You need to accept this certificate within your browser, though.

Configuring JBoss

You need to change this file to enable SSL with our created certificate: $JBOSS_HOME/server/default/deploy/jbossweb-tomcat50.sar/server.xml. Look for the following lines and uncomment them:

<Connector port="8443" address="${jboss.bind.address}"
  maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
  emptySessionPath="true"
  scheme="https" secure="true" clientAuth="false" 
  keystoreFile="${jboss.server.home.dir}/conf/ssl/my.keystore"
  keystorePass="KEYSTORE_PASSWORD" sslProtocol = "TLS" />

At last we need to copy your keystore to the proper place:

mkdir $JBOSS_HOME/server/default/conf/ssl
cp my.keystore $JBOSS_HOME/server/default/conf/ssl/

After a JBoss restart you can now use the https connection.

See also

This how-to is a short version of SSL mit JBoss (german).

Tell me what you think about it.

Update: The link at heise.de seems to be down – use this link instead: Lest We Remember: Cold Boot Attacks on Encryption Keys.