JBoss.org Community Documentation

Chapter 14. Overriding SSL Configuration

Many services in JBoss can use SSL for secure communication. To configure SSL, these services require a KeyStore for the certificate and private key, and possibly a TrustStore with the trusted client certificates. Those attributes can be configured using the JDK system properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword) or by a service-specific set of attributes.

There can be situations when the AS as a whole should use just one keystore and truststore for all the services, essentially ignoring all the system properties and service-specific configurations.

Starting in JBoss AS 6, there is a new service that can be installed at bootstrap to override all the configuration for the KeyStore and TrustStore, provided that the service uses the default algorithm for the KeyManagerFactory (SunX509 for Sun, JRockit and OpenJDK, and IbmX509 for IBM) and TrustManagerFactory (PKIX for Sun, JRockit, OpenJDK and IBM).

Here is an example configuration for the service in conf/bootstrap/security.xml:

<?xml version="1.0" encoding="UTF-8"?>

<!--
    Security bootstrap configuration
-->
<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <bean name="JBossSSLConfiguration" class="org.jboss.security.ssl.JBossSSLConfiguration">
      <property name="keyStoreURL">my.keystore</property>
      <property name="keyStorePassword">changeit</property>
   </bean>

</deployment>

With this service in place, for example, the keystoreFile and keystorePass attributes of an HTTPS connector in deploy/jbossweb.sar/server.xml would be overridden.

These are the properties the JBossSSLConfiguration bean accepts:

These properties are the same as the ones in the JaasSecurityDomain bean. See Section 4.3, “The JaasSecurityDomain Bean” for a detailed description.

The keyStorePassword can be masked using the same methods described for the keyStorePass.


There is still no support for using the Password annotation (shown in Chapter 13, Masking Passwords in XML Configuration) to mask those passwords as the PasswordMaskManagement bean is started much later in the boot process.
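
Because the override makes a single keystore the identity of every SSL-enabled service, and only takes effect for services that use the JVM's default KeyManagerFactory and TrustManagerFactory algorithms, both can be checked before the server is booted. The following is an added example, not part of the JBoss documentation or code base: the class name SslOverridePreflight and the KEYSTORE_PASSWORD environment variable are assumptions, and it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: SslOverridePreflight is a hypothetical name, not a JBoss class.
public class SslOverridePreflight {
    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PASSWORD"); // assumed variable name
        if (args.length < 1 || pw == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java SslOverridePreflight <keystore> [type]");
            System.exit(2);
        }
        char[] password = pw.toCharArray();
        String type = args.length > 1 ? args[1] : KeyStore.getDefaultType();

        // The override applies only to services that use these JVM defaults.
        String kmfAlg = KeyManagerFactory.getDefaultAlgorithm();
        String tmfAlg = TrustManagerFactory.getDefaultAlgorithm();
        System.out.println("KeyManagerFactory default:   " + kmfAlg);
        System.out.println("TrustManagerFactory default: " + tmfAlg);

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // IOException on a wrong store password or damaged file
        }

        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.println("private-key entry: " + alias);
            }
        }
        if (keyEntries == 0) {
            System.err.println("no private-key entry: nothing to present as a server identity");
            System.exit(1);
        }

        // Fails with UnrecoverableKeyException if a key password differs from the store password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlg);
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust managers and RNG
        System.out.println("OK: key managers built with " + kmfAlg);
    }
}
```

Run it with the same JVM that starts the AS, since the default algorithm names it prints depend on the JDK vendor.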