
Certificate/Keystore Configuration Issue - JBoss AS 7


I've been trying to get this working for a while now and am just about at the end of my rope. I'm trying to add the certificate that I obtained from a secure site to a local keystore and truststore, and then have a JBoss 7.1 configuration pick it up. The documentation I have primarily been attempting to follow is here: http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html.

Here is what I'm executing:

  1. keytool -genkey -alias myalias.com -keypass changeit -storepass changeit -keystore keystore.jks

  2. keytool -import -trustcacerts -keystore keystore.jks -storepass changeit -noprompt -alias myalias.com -file downloaded-certificate.pem

  3. keytool -export -alias myalias.com -file cacerts.cer -keystore keystore.jks

This is the relevant portion of my JBoss 7.1 standalone.xml file:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" password="changeit" key-alias="myalias.com" certificate-key-file="${JBOSS_HOME}/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="${JBOSS_HOME}/keystore.jks"/>
</connector>

And finally, this is the top of the stacktrace written in the logs when JBoss starts:

15:39:35,882 ERROR [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-2) Error initializing endpoint: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:788) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:493) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:168) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:977) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:190) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.Connector.init(Connector.java:983) [jbossweb-7.0.13.Final.jar:]
etc...

Any help would be greatly appreciated!


Solution

  • If you provide a keystore, you need to specify an alias such as the following in the ssl section

    key-alias="myalias.com"

    Also, I think the certificate-file is ca-certificate-file.
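The error in the question ("No available certificate or key corresponds to the SSL cipher suites") is what JBossWeb reports when the alias named by key-alias does not resolve to a private-key entry, for example when it only holds an imported trusted certificate. As an added example, not from the question or the answer, the script below parses `keytool -list` output to classify the entry behind an alias and then runs that check against the keystore, password and alias used in the question; the listing embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example: check what kind of entry the configured key-alias points at.

# Print the entry type (PrivateKeyEntry, trustedCertEntry, ...) recorded for
# alias $2 in the `keytool -list` output passed as $1; print nothing if absent.
entry_type_for_alias() {
    printf '%s\n' "$1" | awk -v a="$2" '
        index($0, a ",") == 1 {
            for (i = 1; i <= NF; i++)
                if ($i ~ /Entry,?$/) { sub(/,$/, "", $i); print $i; exit }
        }'
}

# Translate an entry type ($1) for alias $2 into a verdict for the https
# connector. Returns 0 only when the alias can actually serve TLS.
explain_entry_type() {
    case "$1" in
        PrivateKeyEntry|keyEntry)
            echo "ok: '$2' holds a private key and its certificate"; return 0 ;;
        trustedCertEntry)
            echo "problem: '$2' is only a trusted certificate; with no private key the connector has nothing to serve"; return 1 ;;
        *)
            echo "problem: '$2' is not in the keystore (keytool stores aliases in lower case)"; return 1 ;;
    esac
}

# Run keytool on a real keystore ($1) with store password $2 and check alias $3.
check_key_alias() {
    _listing=$(keytool -list -keystore "$1" -storepass "$2" 2>&1) \
        || { echo "keytool failed: $_listing" >&2; return 2; }
    explain_entry_type "$(entry_type_for_alias "$_listing" "$3")" "$3"
}

# Constructed sample of `keytool -list` output; fingerprints are placeholders.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myalias.com, Jan 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
downloadedcert, Jan 1, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Demonstrate on the sample, then on ${JBOSS_HOME}/keystore.jks if present.
explain_entry_type "$(entry_type_for_alias "$SAMPLE_LISTING" myalias.com)" myalias.com
explain_entry_type "$(entry_type_for_alias "$SAMPLE_LISTING" downloadedcert)" downloadedcert || :
if command -v keytool >/dev/null 2>&1 && [ -f "${JBOSS_HOME:-.}/keystore.jks" ]; then
    check_key_alias "${JBOSS_HOME:-.}/keystore.jks" changeit myalias.com
fi
```

A PrivateKeyEntry verdict for the alias in key-alias is the precondition for the connector to start; a trustedCertEntry belongs in the truststore referenced by ca-certificate-file, not under the serving alias.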