Thanks! You were a huge help. I missed the obvious and was changing
the jboss-service.xml in server/default/conf instead of the one in
server/default/deploy/jbossweb.sar/META-INF. Worked first time
after that.

Your other info was also helpful.

Frank

On Friday, March 7, 2003, at 08:33 PM, Neal Sanche wrote:

On Friday 07 March 2003 09:12 am, Frank Morton wrote:
I added the following to jboss-service.xml while running 3.2.0RC2
under MacOS X:

<Call name="addListener">
  <Arg>
    <New class="org.mortbay.http.SunJsseListener">
      <Set name="Port">8443</Set>
      <Set name="MinThreads">5</Set>
      <Set name="MaxThreads">255</Set>
      <Set name="MaxIdleTimeMs">50000</Set>
      <Set name="LowResourcePersistTimeMs">2000</Set>
      <Set name="Keystore">/usr/local/jboss/server/default/conf/keystore</Set>
      <Set name="Password">mypwurd</Set>
      <Set name="KeyPassword">mypwurd</Set>
    </New>
  </Arg>
</Call>

Hey Frank, it really looks good, but just in case it's helpful, here's the contents of my jboss-service.xml in server/default/deploy/jbossweb.sar/META-INF which works with JDK 1.4.1 under Linux on a 3.2.0RC2 JBoss. The only thing that I would think would be different is your JDK release. OS X being a JDK 1.3 variant, right?

       <Call name="addListener">
         <Arg>
           <New class="org.mortbay.http.SunJsseListener">
            <Set name="Port">8443</Set>
            <Set name="MinThreads">5</Set>
            <Set name="MaxThreads">100</Set>
            <Set name="MaxIdleTimeMs">30000</Set>
            <Set name="LowResourcePersistTimeMs">2000</Set>
            <!-- expands to <JBoss home>/server/default/conf/mykeystore.jks for the default config -->
            <Set name="Keystore"><SystemProperty name="jboss.server.home.dir"/>/conf/mykeystore.jks</Set>
            <Set name="Password">MyPassword</Set>
            <Set name="KeyPassword">MyPassword</Set>
            <!-- require an SSL client certificate on this port; optional, see below -->
            <Set name="NeedClientAuth">true</Set>
           </New>
         </Arg>
       </Call>

Now, I added NeedClientAuth because I was experimenting with the
requirement of having SSL client certificates to access this SSL port
(which works, for anyone who cares); you don't need that. The only
other difference is the way I'm setting the Keystore property. It'll
basically do the same thing as yours.

The only other thing that you really need to ensure is that your
keystore file actually exists and is a correct JKS keystore. I
created mine with a command very similar to the following:

keytool -genkey -alias myalias -keyalg rsa -keysize 2048 -validity 365 \
    -keystore mykeystore.jks -storepass MyPassword -keypass MyPassword

Then I typed in the answers to the rest of the questions. It doesn't seem
to matter what 'alias' you use; I'd guess it probably tries the first
alias it finds which has a private key. It seems to settle on the
first certificate in alphabetical order. If you have more than one
key in your keystore, you may need to make a new keystore with only
the keys you want. The keysize is also not important; 1024 also works
fine. I'd use at least 1024 bits though. I think you definitely need
a keyalg of 'rsa' for this to work at all. I tried using 'dsa' (which
is the default algorithm, it seems) and it wouldn't work. Also, by
default, it seems that keytool generates a self-signed certificate,
which is all that's needed to get an initial SSL test working.

A semi-interesting fact about getting SSL client certificate
authentication working is this: The client certificates must be
created by a trusted certificate authority. This means that your
keystore file must contain the public certificates of the certificate
authority your SSL server should trust. Without this the client
cannot prove it is trusted by any CA the server knows about, and the
client is rejected. That's just an aside, but useful info to someone
trying to get client auth working.

In your server logs you should see lines like the following if it's
working:

2003-03-04 10:22:11,116 INFO  [org.jboss.jbossweb] jetty.ssl.keystore=/home/neal/java/jboss-3.2.0RC2/server/default/conf/mykeystore.jks
2003-03-04 10:22:11,119 INFO  [org.jboss.jbossweb] jetty.ssl.password=******
2003-03-04 10:22:11,122 INFO  [org.jboss.jbossweb] jetty.ssl.keypassword=******
2003-03-04 10:22:11,125 INFO  [org.jboss.jbossweb] jetty.ssl.keystore.type=jks
2003-03-04 10:22:11,132 INFO  [org.jboss.jbossweb] jetty.ssl.keystore.provider.name=[DEFAULT]
2003-03-04 10:22:11,434 INFO  [org.jboss.jbossweb] SSLServerSocketFactory=com.sun.net.ssl.internal.ssl.SSLServerSocketFact [EMAIL PROTECTED]
2003-03-04 10:22:11,481 INFO  [org.jboss.jbossweb] JsseListener.needClientAuth=true
2003-03-04 10:22:11,521 INFO  [org.jboss.jbossweb] Started SocketListener on 0.0.0.0:8443

Now at this point you should be able to connect to 8443 and attempt a
browser connection to https://localhost:8443/, and if that doesn't
work, all I can say is 'it works for me'. Why would Java under OS X be
any different with respect to socket communications?

Hope this helps out.

-Neal
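Added example, not from Frank's or Neal's messages: a shell script that builds, with a current JDK's keytool (JDK 7 or later, for -gencert, which the JDK 1.4 keytool of the thread does not have; the thread's -genkey is still accepted as an alias of -genkeypair), the keystore layout Neal's aside describes for a SunJsseListener with NeedClientAuth set to true. The server keystore gets an RSA key pair plus the client CA's certificate as a trusted entry, since that listener used its one keystore for both the server key and the CAs it trusts, and a client keystore gets a key pair whose certificate that CA signed. Aliases, DNs, file names and the password changeit are assumptions chosen for the example; the thread's own values were MyPassword and mykeystore.jks.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds, with a modern JDK
# keytool (JDK 7+ for -gencert), the keystores for a SunJsseListener with
# NeedClientAuth=true as Neal describes them:
#   server.jks : server RSA key pair + the client CA certificate as a trusted entry
#   client.jks : client RSA key pair whose certificate is signed by that CA
# Aliases, DNs, file names and the password are assumptions for this example.
# Usage: make_keystores /path/to/dir ; check_server_keystore /path/to/dir

PASS=changeit          # assumed password; the thread used MyPassword / mypwurd

make_keystores() {
    dir=$1
    mkdir -p "$dir"

    # 1. Server key pair: RSA, not the DSA default that Neal found unusable.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost" -storetype JKS -keystore "$dir/server.jks" \
        -storepass "$PASS" -keypass "$PASS" || return 1

    # 2. A private CA (self-signed, BasicConstraints ca:true) to sign client certs.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Client CA" -ext bc:c -storetype JKS \
        -keystore "$dir/ca.jks" -storepass "$PASS" -keypass "$PASS" || return 1
    keytool -exportcert -alias ca -rfc -keystore "$dir/ca.jks" \
        -storepass "$PASS" -file "$dir/ca.pem" || return 1

    # 3. Client key pair, a CSR for it, and a certificate issued by the CA.
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=frank" -storetype JKS -keystore "$dir/client.jks" \
        -storepass "$PASS" -keypass "$PASS" || return 1
    keytool -certreq -alias client -keystore "$dir/client.jks" \
        -storepass "$PASS" -file "$dir/client.csr" || return 1
    keytool -gencert -alias ca -keystore "$dir/ca.jks" -storepass "$PASS" \
        -validity 365 -rfc -infile "$dir/client.csr" \
        -outfile "$dir/client.pem" || return 1

    # keytool only installs a certificate reply whose chain ends in a
    # certificate it trusts, so the CA goes into client.jks first.
    keytool -importcert -noprompt -alias ca -file "$dir/ca.pem" \
        -keystore "$dir/client.jks" -storepass "$PASS" || return 1
    keytool -importcert -noprompt -alias client -file "$dir/client.pem" \
        -keystore "$dir/client.jks" -storepass "$PASS" || return 1

    # 4. Neal's point: the listener's keystore doubles as its trust store, so the
    #    CA certificate must be a trustedCertEntry in server.jks. Without it a
    #    client presenting a CA-signed certificate is rejected in the handshake.
    keytool -importcert -noprompt -alias clientca -file "$dir/ca.pem" \
        -keystore "$dir/server.jks" -storepass "$PASS" || return 1
}

# Prints "ok" when server.jks holds exactly one private key (the listener picks
# a key on its own, so one is the safe number) and at least one trusted CA cert.
check_server_keystore() {
    listing=$(keytool -list -keystore "$1/server.jks" -storepass "$PASS" 2>/dev/null) \
        || return 1
    keys=$(printf '%s\n' "$listing" | grep -c 'PrivateKeyEntry' || true)
    trusted=$(printf '%s\n' "$listing" | grep -c 'trustedCertEntry' || true)
    [ "$keys" -eq 1 ] && [ "$trusted" -ge 1 ] && echo ok
}
```

Point the listener's Keystore property at server.jks, and use client.jks (or its key and certificate exported into a browser) on the client side. A client that presents no certificate, or one signed by a CA absent from server.jks, fails the handshake; with NeedClientAuth set that is the configuration working as described, not a broken keystore.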




_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
