Configure SSL between JBossWEB and httpd

Using SSL between JBossWEB and httpd

As the ClusterListener allows configuring httpd, it is advised to use SSL for that connection. The easiest way is to use a virtual host that is only used to receive information from JBossWEB. Both sides need configuration.

11.1.1. Apache httpd configuration part

mod_ssl of httpd is used to do that. See in one example how easy the configuration is:

    Listen 6666
    SSLEngine on
    SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
    SSLCertificateFile conf/server.crt
    SSLCertificateKeyFile conf/server.key
    SSLCACertificateFile conf/server-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 10

The conf/server.crt file is the PEM-encoded certificate file for the VirtualHost. It must be signed by a Certificate Authority (CA) whose certificate is stored in the sslTrustStore of the ClusterListener parameters.

The conf/server.key file is the file containing the private key.

The conf/server-ca.crt file is the file containing the certificate of the CA that has signed the client certificate JBossWEB is using. That is the CA that has signed the certificate corresponding to the sslKeyAlias stored in the sslKeyStore of the ClusterListener parameters.

11.1.2. ClusterListener configuration part

There is a wiki describing the SSL parameters of the ClusterListener. See in one example how easy the configuration is:

The sslKeyStore file contains the private key and the signed certificate of the client certificate JBossWEB uses to connect to httpd. The certificate must be signed by a Certificate Authority (CA) whose certificate is in the conf/server-ca.crt file of httpd.

The sslTrustStore file contains the CA certificate of the CA that signed the certificate contained in the conf/server.crt file.

11.1.3. mod-cluster-jboss-beans configuration part

In the mod-cluster-jboss-beans.xml in $JBOSS_HOME/server/profile/deploy/mod-cluster.sar/META-INF, in the ClusterConfig you are using, you should have something like the following property values (the SSL enable flag, the sslKeyStore and sslTrustStore paths with their pkcs12 store types, and the store passwords):

    true
    changeit
    /home/jfclere/CERTS/test.p12
    pkcs12
    /home/jfclere/CERTS/ca.p12
    pkcs12
    changeit

11.1.4. How the different files were created

The files were created using OpenSSL utilities; see OpenSSL. CA.pl (/etc/pki/tls/misc/CA for example) has been used to create the test Certificate Authority, the certificate requests and private keys, as well as to sign the certificate requests.

11.1.4.1. Create the CA

Create a work directory and work from there:

    mkdir -p CERTS/Server
    cd CERTS/Server

Create a new CA:

    /etc/pki/tls/misc/CA -newca

That creates a directory, for example ../../CA, that contains a cacert.pem file whose content has to be added to the conf/server-ca.crt described above.

11.1.4.2. Create the server certificate

Create a new request:

    /etc/pki/tls/misc/CA -newreq

That creates 2 files named newreq.pem and newkey.pem. newkey.pem is the file conf/server.key described above.

Sign the request:

    /etc/pki/tls/misc/CA -signreq

That creates a file named newcert.pem. newcert.pem is the file conf/server.crt described above.

At that point you have created the SSL material needed for the VirtualHost in httpd. You should use a browser to test it after importing the content of the cacert.pem file into the browser.

11.1.4.3. Create the client certificate

Create a work directory and work from there:

    mkdir -p CERTS/Client
    cd CERTS/Client

Create the request and key for the JBossWEB part:

    /etc/pki/tls/misc/CA -newreq

That creates 2 files: the request is in newreq.pem, the private key is in newkey.pem.

Sign the request:

    /etc/pki/tls/misc/CA -signreq

That creates a file: newcert.pem.

Don't use a passphrase when creating the client certificate, or remove it before exporting:

    openssl rsa -in newkey.pem -out key.txt.pem
    mv key.txt.pem newkey.pem

Export the client certificate and key into a p12 file:

    openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out test.p12

That is the sslKeyStore file described above (/home/jfclere/CERTS/CA/test.p12).
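Added example, not from the mod_cluster documentation: the 11.1.4 procedure redone with plain openssl commands instead of the CA.pl wrapper, producing the test CA, server.key/server.crt, the passphrase-free client key and certificate and the test.p12 key store, and in addition the CA-only PKCS#12 for the sslTrustStore, which the text above does not show; the verify function checks that both leaf certificates chain to the CA before anything is deployed. Directory names, certificate subjects and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example (not from the mod_cluster docs): the 11.1.4 procedure with
# plain openssl commands instead of the CA.pl wrapper, plus the verification
# httpd (SSLVerifyClient require) and the ClusterListener (sslTrustStore)
# perform on the peer certificate at handshake time.
# Assumptions: openssl on PATH; names, subjects and the password are constructed.
set -e

make_mtls_certs() {            # $1 = work directory (constructed, e.g. CERTS)
  mkdir -p "$1"
  ( cd "$1"
    # 1. Test CA: self-signed, what CA -newca left in ../../CA/cacert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout cakey.pem \
      -out cacert.pem -subj "/CN=mod_cluster test CA" 2>/dev/null
    # 2. httpd VirtualHost key + request, signed by the CA (server.key/server.crt)
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=httpd-mcmp" 2>/dev/null
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -days 365 -out server.crt 2>/dev/null
    # 3. JBossWEB client key (-nodes: no passphrase, as 11.1.4.3 requires)
    openssl req -newkey rsa:2048 -nodes -keyout newkey.pem -out newreq.pem \
      -subj "/CN=jbossweb-node1" 2>/dev/null
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -days 365 -out newcert.pem 2>/dev/null
    # 4. PKCS#12 key store (sslKeyStore) and CA-only PKCS#12 (sslTrustStore)
    openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out test.p12 \
      -passout pass:changeit
    openssl pkcs12 -export -nokeys -in cacert.pem -out ca.p12 \
      -passout pass:changeit
  )
}

# Each leaf must chain to the CA the other side trusts; a self-signed or
# wrongly-signed certificate fails here, before it fails in the TLS handshake.
# Also checks the key store opens with the password the bean config carries.
verify_chain() {               # $1 = work directory
  openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" >/dev/null &&
  openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null &&
  openssl pkcs12 -in "$1/test.p12" -passin pass:changeit -nokeys -noout
}
```

Run `make_mtls_certs CERTS && verify_chain CERTS`; the resulting cacert.pem is what goes into conf/server-ca.crt, and test.p12 / ca.p12 are the sslKeyStore and sslTrustStore of the ClusterListener.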