Configuring SSL for JBoss Application Server

To configure SSL on JBoss Application Server, you need an SSL credential for authentication. You can use the Java keytool to create a credential or request and import a credential from a certificate authority (CA). You must then enable SSL on JBoss.

You can run keytool by using a single command that includes all of the information needed to create the keystore.

In this procedure:

  • [appserver root] is the home directory of the application server running LiveCycle.

  • [type] is a folder name that varies, depending on the type of install you performed.

    Create an SSL credential

    1. In a command prompt, navigate to [JAVA HOME]/bin and type the following command to create the credential and keystore:

      keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name,L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg RSA -keypass key_password -keystore keystorename.keystore

      Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment. Host Name is the fully qualified domain name of the application server.

    2. Enter the keystore_password when prompted for a password. The password for the keystore and the key must be identical.

      Note: The keystore_password entered at this step may be the same password (key_password) that you entered in step 1, or it may be different.

    3. Copy the keystorename.keystore to the [appserver root]/server/[type]/conf directory by typing one of the following commands:

      • (Windows) copy keystorename.keystore [appserver root]\server\[type]\conf

      • (Linux) cp keystorename.keystore[appserver root]/server/[type]/conf

    4. Export the certificate file by typing the following command:

      keytool -export -alias "LC Cert" -file LC_cert.cer -keystore [appserver root]\server\[type]\conf\keystorename.keystore

    5. Enter the keystore_password when prompted for a password.

    6. Copy the LC_cert.cer file to the [appserver root] \conf directory by typing the following command:

      • (Windows) copy LC_cert.cer [appserver root]\server\[type]\conf

      • (Linux) cp LC_cert.cer [appserver root]/server/[type]/conf

    7. View the contents of the certificate by typing the following command:

      keytool -printcert -v -file [appserver root]\server\[type]\conf\LC_cert.cer

    8. To provide write access to the cacerts file in [JAVA_HOME]\jre\lib\security, if required, perform the following task:

      • (Windows) Right-click the cacerts file and select Properties, and then deselect the Read-only attribute.

      • (Linux) Type chmod 777 cacerts

    9. Import the certificate by typing the following command:

      keytool -import -alias "LC Cert" -file LC_cert.cer -keystore JAVA_HOME\jre\lib\security\cacerts

    10. Type changeit as the password. This password is the default password for a Java installation and may have been changed by the system administrator.

    11. When prompted for Trust this certificate? [no]:, type yes. The confirmation "Certificate was added to keystore" is displayed.

    12. If you are connecting over SSL from Workbench, install the certificate on the Workbench computer.

    13. In a text editor, open [appserver root]/server/[type]/deploy/jbossweb.sar/server.xml.

    14. In the server.xml file, uncomment the following section:

       <!-- SSL/TLS Connector configuration using the admin devl guide keystore 
<Connector protocol="HTTP/1.1" SSLEnabled="true" 
    port="8443" address="${jboss.bind.address}" URIEncoding="UTF-8" 
    scheme="https" secure="true" clientAuth="false" 
    keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" 
    keystorePass="rmi+ssl" sslProtocol = "TLS" /> 
-->
      Note: In the server.xml fil, do not uncomment line “SSL/TLS Connector configuration using the admin devl guide keystore”.

    15. Change the value for the keystoreFile attribute and the keystorePass attribute to the keystore password that you specified when you created the keystore.

    16. Save the server.xml file.

    17. Restart the application server:

      • For turnkey installations:

        • From the Windows Control Panel, click Administrative Tools, and then click Services.

        • Select JBoss for LiveCycle.

        • Select Action > Stop.

        • Wait for the status of the service to appear as stopped.

        • Select Action > Start.

      • For Adobe preconfigured or manually configured JBoss installations:

        • From a command prompt, navigate to [appserver root]/bin.

        • Stop the server by entering the following command:

          • (Windows) shutdown.bat -S

          • (Linux) ./shutdown.sh -S

        • Wait until the JBoss process has fully shut down (when the JBoss process returns control to the terminal it was started in).

        • Start the server by entering the following command:

          • (Windows) run.bat -c <profile>

          • (Linux) ./run.sh -c <profile>

    18. To access Administration Console using SSL, type https://[host name]:[port]/adminui in a web browser:

      The default SSL port for JBoss is 8443. From here on, specify this port when accessing LiveCycle.

    Request a credential from a CA

    1. In a command prompt, navigate to [JAVA HOME]/bin and type the following command to create the keystore and the key:

      keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg RSA -keypass key_password -keystore keystorename.keystore

      Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.

    2. Type the following command to generate a certificate request to send to the certificate authority:

      keytool -certreq -alias "LC Cert" -keystore keystorename.keystore -file LCcertRequest.csr

    3. When your request for a certificate file is fulfilled, complete the next procedure.

    Use a credential obtained from a CA to enable SSL

    1. In a command prompt, navigate to [JAVA HOME]/bin and type the following command to import the root certificate of the CA with which the CSR has been signed:

      keytool -import -trustcacerts -file rootcert.pem -keystore keystorename.keystore -alias root

      If the root certificate is not in the browser, also import it there.

      Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.

    2. In a command prompt, navigate to [JAVA HOME]/bin and type the following command to import the credential into the keystore:

      keytool -import -trustcacerts -file CACertificateName.crt -keystore keystorename.keystore

      Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.
      Note: The imported CA signed certificate will replace a self-signed public certificate if it exists.

    3. Complete steps 13 - 18 of Create an SSL credential.

    // Ethnio survey code removed