Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 18. Encrypting the Keystore Password in a Tomcat Connector

JBoss Web is based on Apache Tomcat.
SSL with Tomcat requires a secure connector. This means that the keystore/truststore password cannot be passed as an attribute in the connector element of Tomcat's server.xml file.
A working understanding of the JaasSecurityDomain that supports keystores, truststores, and password based encryption is advised.
Refer to Chapter 13, Secure Remote Password Protocol and Chapter 17, Encrypting Data Source Passwords for supporting information and related procedures.

Procedure 18.1. Encrypt Tomcat Container Keystore Password

  1. Append connector element

    Add a connector element in server.xml in $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar 
      <!-- SSL/TLS Connector with encrypted keystore password configuration  -->
<Connector port="8443" address="${jboss.bind.address}"
   maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
   scheme="https" secure="true" clientAuth="true"
   sslProtocol="TLS"
   securityDomain="java:/jaas/encrypt-keystore-password"
   SSLImplementation="org.jboss.net.ssl.JBossImplementation" >
</Connector>
    Copy to Clipboard Toggle word wrap
    .

  2. Configure JaasSecurityDomain MBean

    Set the JaasSecurityDomain MBean in the $JBOSS_HOME/server/$PROFILE/deploy/security-service.xml file.
    If the file does not exist, create it. The code sample in Example 18.1, “security-service.xml” shows the content you need to add to a newly-created service-security.xml file. If the security-service.xml file exists, append the <mbean> element block to the file.

    Example 18.1. security-service.xml

    <server>
   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=PBESecurityDomain">
      <constructor>
         <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
      </constructor>
      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
      <attribute name="Salt">welcometojboss</attribute>
      <attribute name="IterationCount">13</attribute>
   </mbean>
</server>
    Copy to Clipboard Toggle word wrap

    Note

    If the keystore contains multiple certificates, you can use the ServerAlias property. The property value specifies the alias of the certificate retrieved by the SSL connector. 
    <attribute name="ServerAlias">ssl</attribute>
    Copy to Clipboard Toggle word wrap
    The Salt and IterationCount are the variables that define the strength of your encrypted password, so you can vary it from what is shown. Ensure you record the new values, and use when generating the encrypted password.

    Note

    The Salt must be at least eight characters long.

  3. Generate encrypted password

    The <mbean> configuration specifies that the keystore is stored in the jboss-as/server/$PROFILE/conf/localhost.keystore file. The <mbean> also specifies the encrypted password file is stored in jboss-as/server/$PROFILE/conf/keystore.password file.
    You must create the localhost.keystore file.
    Execute the following command in the jboss-as/server/$PROFILE/conf directory. 
    [conf]$ java -cp $JBOSS_HOME/lib/jbosssx.jar \org.jboss.security.plugins.FilePassword welcometojboss 13 unit-tests-server keystore.password
    Copy to Clipboard Toggle word wrap
    This command uses jbosssx.jar as the classpath (-cp) and the FilePassword security plug-in to create a keystore.password file with the password set as unit-tests-server. To verify you have permission to create a keystore.password file, you supply the salt and iteration parameters configured in the <mbean> <attribute> elements of the JaasSecurityDomain.
    You execute this command in the /conf directory so the keystore.password file is saved to this directory.

  4. Update the Tomcat service MBean

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF/.
    Open jboss-beans.xml and append the following <depends> tag to the WebServer end of the file. Adding the <depends> tag specifies that Tomcat must start after jboss.security:service=PBESecurityDomain . 
    <bean name="WebServer"
class="org.jboss.web.tomcat.service.deployers.TomcatService">
...
<depends>jboss.security:service=PBESecurityDomain</depends>

...
    Copy to Clipboard Toggle word wrap

Example 18.2. JaasSecurityDomain definition for pkcs12 keystores

Based on Procedure 18.1, “Encrypt Tomcat Container Keystore Password”, pkcs12 keystore containers referenced by the Tomcat Connector would look similar to this example. 
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=PBESecurityDomain">
    <constructor>
       <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
    </constructor>
    <attribute name="KeyStoreType">pkcs12</attribute>
    <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
    <attribute name="Salt">welcometojboss</attribute>
    <attribute name="IterationCount">13</attribute>
</mbean>
Copy to Clipboard Toggle word wrap

18.1. Medium Security Usecase
Link kopieren

A user does not want to encrypt the keystore password but wants to externalize it (outside of server.xml ) or wants to make use of a predefined JaasSecurityDomain.

Procedure 18.2. Predefined JaasSecurityDomain

  1. Update jboss-service.xml to add a connector

    Navigate to $JBOSS_HOME/server/ $PROFILE /deploy/jbossweb.sar/META-INF, and add the following code block to the jboss-service.xml file. 
    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=SecurityDomain">
      <constructor>
         <arg type="java.lang.String" value="jbosstest-ssl"></arg>
      </constructor>
      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
      <attribute name="KeyStorePass">unit-tests-server</attribute>
   </mbean>
    Copy to Clipboard Toggle word wrap

  2. Add a <depends> tag to the Tomcat service

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar .
    Open server.xml and append the following <depends> element toward the end of the file: 
    <depends>jboss.security:service=SecurityDomain</depends>
   </mbean>
</server>
    Copy to Clipboard Toggle word wrap

  3. Define the JaasSecurityDomain MBean in a *-service.xml file

    security-service.xml in the deploy directory, for example. 
     <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
     name="jboss.security:service=SecurityDomain">
     <constructor>
        <arg type="java.lang.String" value="jbosstest-ssl"></arg>
     </constructor>
     <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
     <attribute name="KeyStorePass">unit-tests-server</attribute>
  </mbean>
    Copy to Clipboard Toggle word wrap

Note

If you see this error, remember the keystore file should be writable by the user id that is running JBoss Enterprise Application Platform.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat