JBoss.org Community Documentation
Many services in JBoss allow the use of SSL for secure communication. To configure SSL, these services require a KeyStore holding the certificate and private key and, possibly, a TrustStore holding the trusted client certificates. These can be configured through the JDK system properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword) or through a service-specific set of attributes.
There are situations where the AS as a whole should use just one keystore and truststore for all services, ignoring the system properties and each service's own configuration.
Starting in JBoss AS 6 there is a new service that can be installed at bootstrap to override all KeyStore and TrustStore configuration, provided that the service uses the default algorithm for the KeyManagerFactory (SunX509 for Sun, JRockit and OpenJDK; IbmX509 for IBM) and for the TrustManagerFactory (PKIX for Sun, JRockit, OpenJDK and IBM). A service that explicitly requests a different algorithm is not affected by the override.
Here is an example configuration for the service in conf/bootstrap/security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Security bootstrap configuration -->
<deployment xmlns="urn:jboss:bean-deployer:2.0">
    ...
    <bean name="JBossSSLConfiguration" class="org.jboss.security.ssl.JBossSSLConfiguration">
        <property name="keyStoreURL">my.keystore</property>
        <property name="keyStorePassword">changeit</property>
    </bean>
</deployment>
With this service in place, the keystoreFile and keystorePass attributes of an HTTPS connector in deploy/jbossweb.sar/server.xml, for example, are overridden.
These are the properties the JBossSSLConfiguration bean accepts:
keyStoreURL
keyStorePassword
keyStoreAlias
keyStoreProvider
keyStoreProviderArgument
trustStoreURL
trustStorePassword
trustStoreProvider
trustStoreProviderArgument
These properties are the same as the ones in the JaasSecurityDomain bean. See Section 4.3, “The JaasSecurityDomain Bean” for a detailed description.
The keyStorePassword can be masked using the same methods described for keyStorePass.
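As an added example (not part of the JBoss documentation or code base), the following script audits the JBossSSLConfiguration bean in a bootstrap security.xml against the property list above and the masking guidance: it flags property names the bean does not accept, a missing keyStoreURL, and keystore or truststore passwords left in clear text or at the default "changeit". It assumes the masked forms are the {EXT} and {CLASS} callbacks used for keyStorePass; the sample XML is constructed from the example above.

```python
import xml.etree.ElementTree as ET

NS = {"b": "urn:jboss:bean-deployer:2.0"}
BEAN_CLASS = "org.jboss.security.ssl.JBossSSLConfiguration"
# Property names the bean accepts (from the documentation's list).
ACCEPTED = {
    "keyStoreURL", "keyStorePassword", "keyStoreAlias", "keyStoreProvider",
    "keyStoreProviderArgument", "trustStoreURL", "trustStorePassword",
    "trustStoreProvider", "trustStoreProviderArgument",
}
# Prefixes of the keyStorePass masking callbacks used by JaasSecurityDomain
# (assumption: the bean honours the same {EXT}/{CLASS} forms, as the text says).
MASK_PREFIXES = ("{EXT}", "{CLASS}")

def audit_ssl_bootstrap(xml_text):
    """Return a list of findings; an empty list means the override looks sound."""
    root = ET.fromstring(xml_text)
    beans = [b for b in root.findall("b:bean", NS) if b.get("class") == BEAN_CLASS]
    if not beans:
        return ["no JBossSSLConfiguration bean: per-service SSL settings remain in effect"]
    findings = []
    for bean in beans:
        props = {p.get("name"): (p.text or "").strip()
                 for p in bean.findall("b:property", NS)}
        for name in sorted(set(props) - ACCEPTED):
            findings.append(f"property {name!r} is not accepted by the bean and is ignored")
        if "keyStoreURL" not in props:
            findings.append("keyStoreURL is missing, so no keystore override takes effect")
        for name in ("keyStorePassword", "trustStorePassword"):
            value = props.get(name)
            if value is None or value.startswith(MASK_PREFIXES):
                continue  # absent, or masked via an external command / password class
            findings.append(f"{name} is stored in clear text; mask it as for keyStorePass")
            if value == "changeit":
                findings.append(f"{name} is the well-known default 'changeit'")
    return findings

# Constructed sample mirroring the documentation's example (not a real deployment file);
# the misspelt "keystoreAlias" is deliberate, to show the unknown-property check.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="JBossSSLConfiguration" class="org.jboss.security.ssl.JBossSSLConfiguration">
    <property name="keyStoreURL">my.keystore</property>
    <property name="keyStorePassword">changeit</property>
    <property name="keystoreAlias">server</property>
  </bean>
</deployment>"""
```

Running audit_ssl_bootstrap(SAMPLE) reports the ignored keystoreAlias property and the clear-text default password; a file with the alias name corrected and a {CLASS}-masked password yields no findings.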
There is no support yet for using the Password annotation (shown in Chapter 13, Masking Passwords in XML Configuration) to mask these passwords, because the PasswordMaskManagement bean is started much later in the boot process.