JBoss.org Community Documentation
Tomcat's SSL connector needs the keystore (and, when clients are authenticated, the truststore) password. Passing that password in clear text as an attribute of the Connector element in Tomcat's server.xml is what this section avoids: the connector is instead pointed at a JaasSecurityDomain, which holds the keystore and supplies the password.
A working understanding of the JaasSecurityDomain that supports keystores, truststores, and password based encryption is advised. Please see Chapter 19, Secure Remote Password Protocol for more information.
The first step is to add a connector element in server.xml in $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar. The securityDomain attribute names the JaasSecurityDomain defined in the next step, and SSLImplementation selects the JBoss SSL implementation that resolves that domain:

    <!-- SSL/TLS Connector with encrypted keystore password configuration -->
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               securityDomain="encrypt-keystore-password"
               SSLImplementation="org.jboss.net.ssl.JBossImplementation"/>
You now need to provide the definition of the JaasSecurityDomain in a *-service.xml or *-jboss-beans.xml file in the deploy directory. The constructor argument is the domain name the connector's securityDomain attribute refers to. Here is an MBean example:

    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
           name="jboss.security:service=PBESecurityDomain">
      <constructor>
        <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
      </constructor>
      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
      <attribute name="Salt">abcdefgh</attribute>
      <attribute name="IterationCount">13</attribute>
    </mbean>
Salt and IterationCount are the parameters of the password-based encryption and determine the strength of the encrypted password, so you can vary them from what is shown. Just remember to use the changed values when generating the encrypted password. The Salt must be exactly eight characters long. Note that both values sit in clear text in this MBean definition, so the encrypted file protects the keystore password only from casual disclosure: anyone who can read the MBean definition and keystore.password and has jbosssx.jar can recover it. Keep conf/keystore.password readable only by the user that runs the server.
Your keystore is localhost.keystore, which lives in your conf directory. keystore.password is the file holding your encrypted password; it also lives in the conf directory and is generated in the next step.
Now change to the conf directory of your JBoss AS instance (server/default/conf, for example) and run the following on a single line:

    java -cp ../lib/jbosssx.jar org.jboss.security.plugins.FilePassword abcdefgh 13 unit-tests-server keystore.password

In this example "abcdefgh" is the Salt and 13 is the IterationCount, exactly as configured in the MBean; 'unit-tests-server' is the password of the keystore you are protecting; and keystore.password is the file in which the encrypted password is stored.
Tomcat has to start after jboss.security:service=PBESecurityDomain, so the Tomcat service MBean must be made to depend on your JaasSecurityDomain MBean. Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF, open jboss-service.xml and add the following <depends> element towards the end, inside the Tomcat service's <mbean> element:

        <depends>jboss.security:service=PBESecurityDomain</depends>
      </mbean>
    </server>
For a native connector the SSLPassword attribute can also be encrypted using a JaasSecurityDomain bean. One additional step is required: create the masked password with

    java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils SALT ITERATION-COUNT DOMAIN-PASSWORD KEYSTORE-PASSWORD

where SALT and ITERATION-COUNT are the Salt and IterationCount of the JaasSecurityDomain, DOMAIN-PASSWORD is that domain's own keystore password (the value it decrypts with), and KEYSTORE-PASSWORD is the password to mask. Using the encrypted password printed by the command, the native connector can now be set up. Here is an example:

    <!-- SSL/TLS Connector with encrypted keystore password configuration -->
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               SSLPassword="KAaxoMQCJH30GZWb96Mov"
               securityDomain="encrypt-keystore-password"
               SSLCertificateFile="server.crt"
               SSLCertificateKeyFile="server.pem"
               SSLProtocol="TLSv1" />
Please see Chapter 15, Encrypting Data Source Passwords for related information.
Sometimes the keystore password need not be encrypted but only externalized (kept out of server.xml), or an already defined JaasSecurityDomain should be reused. The following procedure covers that case.
Procedure 16.1. Predefined JaasSecurityDomain
Update server.xml to add a connector
As in the encrypted case, add a Connector element to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/server.xml whose securityDomain attribute names the predefined domain, jbosstest-ssl in this example. The MBean that defines that domain is given in step 3.
Add a <depends> tag to the Tomcat service
Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF. Open jboss-service.xml and add the following <depends> element towards the end, inside the Tomcat service's <mbean> element:

        <depends>jboss.security:service=SecurityDomain</depends>
      </mbean>
    </server>
Define the JaasSecurityDomain MBean in a -service.xml file in the deploy directory, security-service.xml for example. The constructor argument (jbosstest-ssl) is the name the connector's securityDomain attribute refers to; here the keystore password is externalized in clear text rather than encrypted, so this file must be protected by file permissions:

    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
           name="jboss.security:service=SecurityDomain">
      <constructor>
        <arg type="java.lang.String" value="jbosstest-ssl"></arg>
      </constructor>
      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
      <attribute name="KeyStorePass">unit-tests-server</attribute>
    </mbean>
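As an added example, not part of this documentation or of the JBoss code base, the following Python script checks the wiring that both procedures above rely on (the encrypted keystore password and the predefined JaasSecurityDomain): that every SSL connector's securityDomain names a JaasSecurityDomain MBean, that the Tomcat service <depends> on that MBean, that an encrypted KeyStorePass comes with an eight-character Salt and a numeric IterationCount, and that a clear-text KeyStorePass, or a keystorePass/SSLPassword left in server.xml without a securityDomain, is reported. The embedded XML is a constructed copy of the snippets above, and the Tomcat service MBean name jboss.web:service=WebServer and the finding texts are the example's own assumptions.

```python
import xml.etree.ElementTree as ET

JAAS_DOMAIN_CLASS = "org.jboss.security.plugins.JaasSecurityDomain"

# Constructed sample files mirroring the snippets in the text (not copied from a live server).
SERVER_XML = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             securityDomain="encrypt-keystore-password"
             SSLImplementation="org.jboss.net.ssl.JBossImplementation"/>
</Service></Server>"""

PBE_SERVICE_XML = """<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=PBESecurityDomain">
    <constructor><arg type="java.lang.String" value="encrypt-keystore-password"/></constructor>
    <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
    <attribute name="Salt">abcdefgh</attribute>
    <attribute name="IterationCount">13</attribute>
  </mbean>
</server>"""

# jbossweb.sar/META-INF/jboss-service.xml reduced to the Tomcat service MBean
# (its name is assumed here) and the <depends> element the procedure adds.
JBOSSWEB_SERVICE_XML = """<server>
  <mbean name="jboss.web:service=WebServer">
    <depends>jboss.security:service=PBESecurityDomain</depends>
  </mbean>
</server>"""

# Predefined-domain variant: clear-text KeyStorePass, and the <depends> above
# was left pointing at PBESecurityDomain instead of this MBean.
SERVER_XML_PREDEFINED = SERVER_XML.replace("encrypt-keystore-password", "jbosstest-ssl")
PREDEFINED_SERVICE_XML = """<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain">
    <constructor><arg type="java.lang.String" value="jbosstest-ssl"/></constructor>
    <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
    <attribute name="KeyStorePass">unit-tests-server</attribute>
  </mbean>
</server>"""


def ssl_connectors(server_xml):
    """Attribute dicts of every Connector element with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def jaas_domains(service_xml):
    """Map MBean name -> {'domain': constructor arg, <attribute name>: text} for JaasSecurityDomain MBeans."""
    root = ET.fromstring(service_xml)
    domains = {}
    for m in root.iter("mbean"):
        if m.get("code") != JAAS_DOMAIN_CLASS:
            continue
        arg = m.find("constructor/arg")
        attrs = {a.get("name"): (a.text or "").strip() for a in m.findall("attribute")}
        domains[m.get("name")] = dict(attrs, domain=arg.get("value") if arg is not None else None)
    return domains


def tomcat_depends(jboss_service_xml):
    """Set of MBean names declared in <depends> elements of jboss-service.xml."""
    root = ET.fromstring(jboss_service_xml)
    return {d.text.strip() for d in root.iter("depends") if d.text}


def check_ssl_wiring(server_xml, service_xml, jboss_service_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    domains = jaas_domains(service_xml)
    by_domain_name = {v["domain"]: mbean for mbean, v in domains.items()}
    depends = tomcat_depends(jboss_service_xml)
    for conn in ssl_connectors(server_xml):
        port = conn.get("port", "?")
        # Password attributes only belong in server.xml when a securityDomain masks them.
        for attr in ("keystorePass", "truststorePass", "SSLPassword"):
            if attr in conn and "securityDomain" not in conn:
                findings.append(f"port {port}: {attr} is clear text in server.xml")
        dom = conn.get("securityDomain")
        if dom is None:
            continue
        if dom not in by_domain_name:
            findings.append(f"port {port}: securityDomain '{dom}' has no JaasSecurityDomain MBean")
            continue
        mbean = by_domain_name[dom]
        if mbean not in depends:
            findings.append(f"{mbean}: Tomcat service lacks <depends> on it, so it may start first")
        ks = domains[mbean].get("KeyStorePass", "")
        if ks.startswith("{CLASS}"):
            salt = domains[mbean].get("Salt", "")
            count = domains[mbean].get("IterationCount", "")
            if len(salt) != 8:
                findings.append(f"{mbean}: Salt must be exactly 8 characters, got {len(salt)}")
            if not count.isdigit():
                findings.append(f"{mbean}: IterationCount '{count}' is not a number")
        elif ks:
            findings.append(f"{mbean}: KeyStorePass is clear text (externalized, not encrypted)")
    return findings


if __name__ == "__main__":
    for label, files in (("encrypted", (SERVER_XML, PBE_SERVICE_XML, JBOSSWEB_SERVICE_XML)),
                         ("predefined", (SERVER_XML_PREDEFINED, PREDEFINED_SERVICE_XML, JBOSSWEB_SERVICE_XML))):
        print(label, check_ssl_wiring(*files) or ["ok"])
```

Run against real files, the script is meant to replace the three string constants with the contents of server.xml, the *-service.xml that defines the domain, and jbossweb.sar/META-INF/jboss-service.xml; the predefined-domain sample deliberately reproduces the two mistakes most likely after following the second procedure, a stale <depends> and a clear-text password, so both show up as findings.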
If you see this error, remember the keystore file should be writable by the user id that is running JBoss Enterprise Application Platform.