Generate Server Certificate
Note: if you already have a certificate, this step can be ignored.
Generate Private Key on the Server Running Apache + mod_ssl
First, generate a private key on the Linux server that runs the Apache web server, using the OpenSSL command shown below.
[[email protected] jbossuser]# mkdir /etc/httpd/conf/certs
[[email protected] jbossuser]# openssl genrsa -des3 -out www.xyz.com.key 1024
Generate a Certificate Signing Request (CSR)
Using the key generated above, generate a certificate request file (CSR) with OpenSSL as shown below.
[[email protected] jbossuser]# openssl req -new -key www.xyz.com.key -out www.xyz.com.csr
Generate a self-signed SSL Certificate
For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the OpenSSL command shown below.
[[email protected] jbossuser]# openssl x509 -req -days 365 -in www.xyz.com.csr -signkey www.xyz.com.key -out www.xyz.com.crt
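The three OpenSSL steps above run non-interactively, followed by the checks an operator wants before pointing Apache at the files. This is an added example, not a script from the original page. Everything it assumes is constructed here: the hostname www.xyz.com, the passphrase "changeit", an output directory passed as the first argument, and a 2048-bit key (the page uses 1024 bits, which current TLS clients and CAs reject).

```shell
#!/bin/sh
# Added example (not from the original page): key, CSR and self-signed
# certificate as above, plus sanity checks on the result.
# Constructed assumptions: HOST, PASS, 2048-bit key, output dir in $1.
set -eu

HOST="www.xyz.com"
PASS="changeit"   # constructed sample passphrase; Apache asks for it via SSLPassPhraseDialog

# Create key, CSR and self-signed certificate in $1 (same steps as the page).
make_self_signed() {
    dir="$1"
    mkdir -p "$dir"
    # Private key, 3DES-encrypted as on the page; -passout replaces the prompt.
    openssl genrsa -des3 -passout "pass:$PASS" -out "$dir/$HOST.key" 2048 2>/dev/null
    # CSR; -subj replaces the interactive distinguished-name questions.
    openssl req -new -key "$dir/$HOST.key" -passin "pass:$PASS" \
        -subj "/C=US/O=xyz/CN=$HOST" -out "$dir/$HOST.csr"
    # Self-signed certificate, valid for one year as on the page.
    openssl x509 -req -days 365 -in "$dir/$HOST.csr" -signkey "$dir/$HOST.key" \
        -passin "pass:$PASS" -out "$dir/$HOST.crt" 2>/dev/null
}

# Print "match" when the certificate carries the public half of the private key.
# A mismatch is the usual cause of a key/certificate error at Apache start-up,
# for example after a key was regenerated but the certificate was not.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1/$HOST.crt" | openssl dgst -sha256)
    k=$(openssl rsa  -noout -modulus -in "$1/$HOST.key" -passin "pass:$PASS" | openssl dgst -sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Print the subject CN, which must equal the name clients will browse to.
cert_cn() {
    openssl x509 -noout -subject -in "$1/$HOST.crt" | sed 's/.*CN *= *//'
}

# Print the RSA key size in bits, read back from the certificate.
cert_key_bits() {
    openssl x509 -noout -text -in "$1/$HOST.crt" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only while the certificate remains valid for another 30 days.
cert_not_expiring() {
    openssl x509 -noout -checkend 2592000 -in "$1/$HOST.crt" >/dev/null
}

# Usage: sh mkcert.sh /etc/httpd/conf/certs
if [ "$#" -gt 0 ]; then
    make_self_signed "$1"
    echo "key/cert: $(cert_matches_key "$1"), CN=$(cert_cn "$1"), $(cert_key_bits "$1") bits"
fi
```

The modulus comparison is the check to run whenever Apache complains about the certificate and key after a reissue; the `-checkend` call belongs in monitoring so a one-year self-signed certificate does not expire unnoticed.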
Apache SSL Configuration
If you already have mod_cluster configured to listen on the port, remove that virtual host entry and use the following configuration. Create ssl.conf as follows.
[[email protected] jbossuser]# vi /etc/httpd/conf.d/ssl.conf

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an HTTPS connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

#LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# HTTPS port in addition.
#
#Listen 1.1.1.1:443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program ('builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: first the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex default

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
#   List the enabled protocol levels with which clients will be able to
#   connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate. If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase. Note that a kill -HUP will prompt again. A new
#   certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/conf/certs/www.xyz.com.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file. Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/certs/www.xyz.com.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth. Types are
#   none, optional, require and optional_no_ca. Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives. The syntax is a
#   mixture between C and Perl. See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation. This means that
#     the standard Auth/DBMAuth methods can be used for access control. The
#     user name is the 'one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: 'xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related 'SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so

NameVirtualHost 1.1.1.1:443
MemManagerFile /var/cache/httpd

<VirtualHost 1.1.1.1:443>
    <Location /mod_cluster_manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Allow from
    </Location>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ManagerBalancerName testcluster
    AdvertiseFrequency 5
    DocumentRoot "/var/www/html"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/conf/certs/www.xyz.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/certs/www.xyz.com.key
    SSLCertificateChainFile /etc/httpd/conf/certs/www.xyz.com.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    <Directory "/var/www/html">
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Once these changes have been made you should be able to reach Apache over SSL at https://1.1.1.1/.
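A small lint for the protocol and cipher directives in an ssl.conf like the one above, as an added example that is not part of the original page. Both sample configurations are constructed here: WEAK_CONF copies the page's SSLProtocol and SSLCipherSuite lines, and HARDENED_CONF is one replacement an operator would use today (the directive names are real mod_ssl directives; the exact cipher string is a choice, and the TLSv1.1 token needs an httpd build new enough to know it). The point the lint makes is that "all -SSLv2" still permits SSLv3 and TLS 1.0, and that "+LOW" or "RC4+RSA" only reorder weak ciphers rather than removing them.

```shell
#!/bin/sh
# Added example (not from the original page): lint SSLProtocol/SSLCipherSuite.
# WEAK_CONF and HARDENED_CONF are constructed samples.
set -eu

# Constructed: the page's own settings.
WEAK_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'

# Constructed: a hardened equivalent (TLS 1.2 only, no anonymous DH, MD5,
# RC4 or 3DES, and the server's cipher preference wins).
HARDENED_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on'

# Read a config on stdin and print one finding per line (nothing when clean).
lint_ssl_conf() {
    awk '
    tolower($1) == "sslprotocol" {
        v = tolower($0)
        enables_all = (v ~ /[ \t]all/)
        if ((enables_all || v ~ /[ \t]\+?sslv3/) && v !~ /-sslv3/)
            print "SSLProtocol: SSLv3 still enabled"
        if ((enables_all || v ~ /[ \t]\+?tlsv1([ \t]|$)/) && v !~ /-tlsv1([ \t]|$)/)
            print "SSLProtocol: TLSv1.0 still enabled"
        if ((enables_all || v ~ /[ \t]\+?tlsv1\.1/) && v !~ /-tlsv1\.1/)
            print "SSLProtocol: TLSv1.1 still enabled"
    }
    tolower($1) == "sslciphersuite" {
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            t = toupper(tok[i])
            if (t ~ /^!/) continue        # "!X" removes X from the list: fine
            sub(/^\+/, "", t)             # "+X" only moves X to the end
            if (t ~ /(^|\+)(RC4|LOW|EXPORT|EXP|ADH|ANULL|DES|MD5|NULL)(\+|$)/)
                print "SSLCipherSuite: weak cipher token " tok[i]
        }
    }
    '
}

# Print the number of findings for a config passed as a string.
lint_count() {
    printf '%s\n' "$1" | lint_ssl_conf | awk 'END { print NR }'
}

# Demonstration on the two constructed samples.
echo "page config: $(lint_count "$WEAK_CONF") finding(s)"
printf '%s\n' "$WEAK_CONF" | lint_ssl_conf
echo "hardened:    $(lint_count "$HARDENED_CONF") finding(s)"
```

To check a real file, source the script and run `lint_ssl_conf < /etc/httpd/conf.d/ssl.conf`; the page's lines produce five findings (SSLv3, TLS 1.0 and TLS 1.1 left enabled, plus the RC4+RSA and +LOW tokens) and the hardened block produces none.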
Upgrade JBoss for mod_cluster and SSL
JBoss 7.1.1.Final does not work with the mod_cluster SSL configuration: it ignores the certificate settings in the mod_cluster SSL configuration. We need to upgrade to a newer JBoss, for example by downloading a newer source tag from Git: https://github.com/jbossas/jboss-as/tree/7.1.3.Final. If you already have Maven 3 installed:
$ mvn install
If you don't have Maven 3:
$ ./build.sh
Creating self-signed certificates using KeyTool
Generate the RSA key pair into a JKS keystore:
[[email protected] jbossuser]# keytool -genkey -keyalg RSA -keysize 2048 -keystore xyz_keystore.jks -alias xyz
Import the server certificate into the keystore:
[[email protected] jbossuser]# keytool -import -alias xyz -file /etc/httpd/conf/certs/www.xyz.com.crt -storetype JKS -keystore /home/jboss-as-7.1.1.final/keystore/xyz_keystore.jks
To list the keystore contents:
[[email protected] jbossuser]# keytool -list -keystore /home/jboss-as-7.1.1.final/keystore/xyz_keystore.jks
JBoss mod_cluster SSL configuration
In domain.xml, add system properties for the truststore and its password.
<property name="javax.net.ssl.trustStore" value="<path to keystore>/keystore/xyz_keystore.jks"/>
<property name="javax.net.ssl.trustStorePassword" value="xyzmanish"/>
Modify the mod_cluster subsystem to listen on 444 and use the keystore that we configured.
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise-socket="modcluster" connector="ajp" proxy-list="1.1.1.1:443" advertise-security-key="xyzmanish">
        <dynamic-load-provider>
            <load-metric type="busyness"/>
        </dynamic-load-provider>
        <!-- SSL/TLS configuration for mod_cluster advertise-security-key -->
        <ssl password="xyzmanish" key-alias="xyz" ca-certificate-file="<path to key store>/keystore/xyz_keystore.jks" certificate-key-file="<path to key store>/keystore/xyz_keystore.jks" cipher-suite="ALL" protocol="TLSv1"/>
    </mod-cluster-config>
</subsystem>
Once the changes are made, restart the JBoss server and try to access your application via Apache over SSL.
Enable HTTPS protocol in JBoss cluster