4 posts tagged 'Jboss'

  1. 2007.03.15 Setting up the JBoss IDE
  2. 2006.12.05 Configuring a JBoss Datasource
  3. 2006.11.27 Using JBoss SSL
  4. 2006.11.16 Installing JBoss #1 - Basic installation
http://www.devx.com Printed from http://www.devx.com/opensource/Article/20242
 
JBoss Meets Eclipse: Introducing the JBoss-IDE

The wildly popular J2EE application server goes from full steam to mainstream with a GUI-based IDE that plugs into the Eclipse development framework.  
JBoss, the open source, J2EE-based application server, has been a favorite of the Java community for a long time. But recently JBoss got a handy new toolkit, thanks to Eclipse—one that may just help the product go from full steam to mainstream.

While JBoss has always been applauded for being robust and scalable, with support for security, load balancing, clustering, and transactional capability, what it hasn't had is a GUI-based IDE. And that has left the mass marketplace solely in the hands of closed source competitors such as IBM, BEA, and Borland. Those who prefer command line tools can always continue to configure JBoss that way, but thanks to the Eclipse project, JBoss now has an IDE that plugs into the Eclipse development framework, making the product a legitimate option for the thousands of developers who prefer a GUI.

A few Eclipse plugins already have support for JBoss, but the JBoss-IDE plugin is by far the easiest to install, update, and use. The plugin supports starting and stopping servers, debugging server-side code, packaging archive files, and deploying archive files. It also has support for XDoclet code-generation. Best of all, the JBoss-IDE is developed and maintained by JBoss Inc., the makers of the JBoss Application Server itself.

In this article, I'll show you how to install and configure the JBoss-IDE plugin and then walk you through the steps of creating a simple Hello World application, packaging it, and deploying it to a JBoss server.

Installing the Plugin
Many Eclipse plugins are packaged as a ZIP file that you download and unzip directly into Eclipse's plugin directory. But the JBoss-IDE uses Eclipse's built-in update management functionality, which makes initial installation easy and subsequent updates even easier.

Author's Note: If you are behind a proxy, you'll have to define the proxy server before you can run the update manager. Go to Window—>Preferences—>Install/Update, select Enable HTTP Proxy Connection and define values for Host Address and Port. There is more documentation available on the install process on the JBoss IDE Web page.

Eclipse 2.x

  1. Click Help—>Software Updates—>Update Manager.
  2. In the Feature Updates view, right click and select New—>Site Bookmark.
  3. Select an unused name for the bookmark and then set the bookmark at http://jboss.sourceforge.net/jbosside/updates.
  4. Expand the bookmark that was added and select JBoss-IDE 1.0/Eclipse 2.1.
  5. You should now see the available versions of the plugin. Select the latest version.
  6. You will be prompted to restart Eclipse.
Eclipse 3.x
  1. Click Help—>Software Updates—>Find and Install.
  2. Select Search for new features to install.
  3. Click Add Update Site.
  4. Select an unused name for the update site and then set the bookmark at http://jboss.sourceforge.net/jbosside/updates.
  5. Expand the update site that was added and select JBoss-IDE 1.0/Eclipse 3.0.
  6. You should now see the available versions of the plugin. Select the latest version.
  7. You will be prompted to restart Eclipse.

Adding the Shortcuts to the Top Menu
The JBoss-IDE plugin provides a set of buttons to start, stop, and terminate a server, as well as view the server console and log files. These buttons only operate on a single server that you define as a Default Server. Configuring the Default Server will come later; for now, here's how to make the buttons visible on the toolbar:

Eclipse 2.x

  1. Right click on the top toolbar.
  2. Select Customize Perspective.
  3. Expand Other.
  4. Check Default Server.
  5. Click OK.
Eclipse 3.x
  1. Right click on the top toolbar.
  2. Select Customize Perspective.
  3. Select Commands.
  4. Check Default Server in the Available Command Groups pane.
  5. Click OK.

 
Figure 1: Use the Debug Configuration to launch the JBoss server.

Configuring and Launching a Server
Download the JBoss server here.

In order to start your JBoss server, you must create a Debug Configuration. Running JBoss in a Debug Configuration allows you to set and use breakpoints in your server code. Go to Run—>Debug and you should see several new "JBoss" Configurations in the left pane. Click on the one that matches the version of JBoss that you are running. The Debug option on the right allows you to define which perspective Eclipse will switch to when you launch your JBoss server. I prefer not having Eclipse change perspectives when my server starts, so I change it from Debug to None.

 
Figure 2: Define a Default Server to use the buttons at the top of the tool bar.

After defining the perspective, click New to create a new instance of your JBoss configuration. Give your configuration a name and point it to the home directory for your JBoss server (see Figure 1).

Click on Close and then go to Window—>Preferences—>JBoss IDE—>Launcher. You'll need to designate a Default Server so that you can use the buttons that we added to the top tool bar earlier (see Figure 2).

After you click OK, you should be able to use the buttons that were added to the top tool bar earlier.


Figure 3: Your source and output configuration should look like this.

Creating a Servlet
Now to learn how to use the plugin, you'll create a simple "Hello World!" Servlet and deploy it to JBoss.

Put your source code (.java files) in a source folder and your compiled classes (.class files) in an output folder. Follow these steps to configure your source and output folders (Figure 3).

  1. Right-click on your project in the Package Explorer.
  2. Go to Properties—>Java Build Path.
  3. Click on the Source tab.
  4. Click on Add Folder.
  5. Click on Create New Folder.
  6. Set the folder name to "src".
  7. Select Yes when it asks you to remove the project as a source folder and to create a "bin" folder.

Next, you need to set your CLASSPATH by defining the libraries (JAR files) that Eclipse should use to compile your code. You also need to add a JAR file that will allow you to compile a Servlet. Luckily, Eclipse comes equipped with a Tomcat plugin, which contains the library you will need to compile a servlet.

 
Figure 4: This is how your libraries (CLASSPATH) should appear after adding the servlet.jar.

Follow these steps (see Figure 4):

  1. Click on the Libraries Tab (while still under Properties—>Java Build Path).
  2. Click Add Variable.
  3. Select ECLIPSE_HOME and click Extend.
  4. Navigate to the plugins/org.eclipse.tomcat.4.1.x directory.
  5. Select servlet.jar and click OK.
  6. Click OK to exit the properties dialog.

Now, create a class called HelloWorldServlet in the com.devx.example package, using the following code in your servlet:


package com.devx.example;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HelloWorldServlet extends HttpServlet
{
    // service() handles every HTTP method; the body is a fixed string, so no request data reaches the output
    protected void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        ServletOutputStream out = response.getOutputStream();
        out.println("<html><body><h1>Hello World!</h1></body></html>");
    }
}

 
Figure 5: This is how the project structure looks after creating all the necessary files.

Next, you need a deployment descriptor so that JBoss will know how to access your Servlet. The deployment descriptor (web.xml) goes under a folder called WEB-INF in the .war file. Create a folder under src called WEB-INF. Then, create a file called web.xml in that folder, using the following source.


<!DOCTYPE web-app PUBLIC
    '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
    'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
<web-app>
    <servlet>
        <servlet-name>HelloWorldServlet</servlet-name>
        <servlet-class>com.devx.example.HelloWorldServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HelloWorldServlet</servlet-name>
        <url-pattern>/Hello</url-pattern>
    </servlet-mapping>
</web-app>
After all is said and done, your project structure should look like Figure 5.

Setting Up the Packaging Configuration
Before you can deploy your application to JBoss, you need to define the structure of your WAR file through a Packaging Configuration, which you then run to create a WAR file.

 
Figure 6: Here's how to define the packaging configuration, from inside the project properties.

Here's how to create a Packaging Configuration:

  1. Right click on your project in the Package Explorer.
  2. Select Properties—>Packaging Configurations.
  3. Right click in the right frame and click Add Std. Archive.
  4. Select Standard-WAR.war and click OK.
  5. Right click on the configuration and click Edit.
  6. Rename it to helloworld.war.
  7. Expand the configuration.
  8. Right click on the line with Manifest.MF and remove it.
  9. Make sure your configuration looks like that shown in Figure 6.

Click OK and you should see a file in your project called packaging-build.xml.

 
Figure 7: The Target Choice screen allows you to select the instance of JBoss to which you wish to deploy.

Creating and Deploying the WAR File
Create a WAR file by right-clicking on your project and clicking Run Packaging. You will have to right-click on the project and click Refresh before you see the WAR file. The file should be in the top level of your project.

Right click on the WAR file, select Deployment, and then Deploy To. You will see a Target Choice dialog appear, allowing you to select which application server you would like to deploy to, as shown in Figure 7.

 
Figure 8: Test out the Hello World Servlet! Do your results match?

I have JBoss 3.2.2 and JBoss 3.2.3 configured on my machine, thus both servers are available. After selecting the target you wish to deploy to, you should see a dialog that confirms that the application was deployed.

Now, pull up your Web browser and try it out. Go to http://localhost:8080/helloworld/Hello, as shown in Figure 8.

In this article, you learned how to install the JBoss-IDE plugin in Eclipse. You also learned how to configure a JBoss server and how to package and deploy a simple application to that server. Keep a lookout for a follow-up to this article in which I will show you how to use the XDoclet features of the JBoss-IDE plugin.

Javid Jamae is the president of Jamae Consulting, a software development and consulting firm that provides business, training, and development services to large and small companies. Reach him by e-mail here.


DevX is a division of Jupitermedia Corporation
© Copyright 2005 Jupitermedia Corporation. All Rights Reserved. Legal Notices
Posted by twintail

The configuration of a JBoss DB DataSource is done through three files.

First, look at the file written as test-ds.xml in the deploy folder:

<?xml version="1.0" encoding="UTF-8"?>

<datasources>
  <local-tx-datasource>
     <jndi-name>jdbc/test</jndi-name>
     <connection-url>jdbc:mysql://127.0.0.1:3306/test?zeroDateTimeBehavior=round</connection-url>
     <driver-class>com.mysql.jdbc.Driver</driver-class>
     <user-name>test</user-name>
     <password>test</password>
     <min-pool-size>5</min-pool-size>
     <max-pool-size>20</max-pool-size>
     <idle-timeout-minutes>1</idle-timeout-minutes>
     <track-statements>true</track-statements>
  </local-tx-datasource>
</datasources>

It can be configured as above. It is recognized as a Data Source only when it is saved as XXXX-ds.xml in the jboss deploy folder.

The second thing to check is the jboss-web.xml included in the WEB-INF of the war file.

<?xml version="1.0" encoding="UTF-8"?>

<jboss-web>

   <resource-ref>
       <res-ref-name>test-ds</res-ref-name>
       <res-type>javax.sql.DataSource</res-type>
       <jndi-name>java:/jdbc/test</jndi-name>
   </resource-ref>

</jboss-web>

The test-ds shown above denotes the referenced Data source; that is, it refers to test-ds.xml, which holds the data source configuration.

As the final setting, configure a resource-ref in web.xml.

   <resource-ref>
       <description>DB Connection</description>
       <res-ref-name>test-ds</res-ref-name>
       <res-type>javax.sql.DataSource</res-type>
       <res-auth>Container</res-auth>
   </resource-ref>

I thought jboss-web.xml could be omitted, but in practice, without jboss-web.xml an error occurs.
It was confirmed that without the setting in web.xml, it does not work in the web application.
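To show how the three files fit together from the application side, here is a servlet added as an example (it is not part of the original post): it looks up the res-ref-name test-ds through java:comp/env, which jboss-web.xml maps to the global name java:/jdbc/test bound by test-ds.xml, and runs a parameterised query on a pooled connection. The users table, the name request parameter and the class name are assumptions; try-with-resources needs Java 7 or later.

```java
package com.devx.example;   // package reused from the servlet example earlier on this page

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Example servlet (not from the original post) that uses the test-ds resource reference. */
public class DataSourceServlet extends HttpServlet {

    private DataSource ds;

    @Override
    public void init() throws ServletException {
        try {
            // res-ref-name "test-ds" from web.xml is visible to the application as java:comp/env/test-ds;
            // jboss-web.xml maps that name to java:/jdbc/test, the jndi-name declared in test-ds.xml
            ds = (DataSource) new InitialContext().lookup("java:comp/env/test-ds");
        } catch (NamingException e) {
            throw new ServletException("DataSource test-ds is not bound; check web.xml and jboss-web.xml", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");          // assumed request parameter
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Parameterised query: the request value is bound as data and never becomes part of the SQL text
        String sql = "SELECT id FROM users WHERE name = ?";   // "users" is an assumed table
        try (Connection c = ds.getConnection();              // borrowed from the pool sized by min/max-pool-size
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name == null ? "" : name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.println(rs.getLong("id"));
                }
            }
        } catch (SQLException e) {
            // Details go to the server log, not to the client
            log("query against test-ds failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

If the lookup in init() fails, the servlet refuses to load rather than failing on every request, which makes a missing jboss-web.xml (the error the post describes) visible at deployment time.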

For details, see the JBoss administrator's manual, which has a thorough explanation.



Posted by twintail
TAG Java, Jboss, JNDI

SSLSetup

JBoss-3.2.3/Tomcat-4.1.x

   * Create a test keystore in the server/default/conf directory:

   starksm@banshee9100 conf$ keytool -genkey -alias tc-ssl -keyalg RSA -keystore server.keystore -validity 3650
   Enter keystore password:  tc-ssl
   What is your first and last name?
     [Unknown]:  www.myhost.com
   What is the name of your organizational unit?
     [Unknown]:  Some dot com
   What is the name of your organization?
     [Unknown]:  Security
   What is the name of your City or Locality?
     [Unknown]:  SomeCity
   What is the name of your State or Province?
     [Unknown]:  Washington
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=www.myhost.com, OU=Some dot com, O=Security, L=SomeCity, ST=Washington, C=US correct?
     [no]:  yes

   Enter key password for <tc-ssl>
           (RETURN if same as keystore password):

   * Please note that the answer to the "first and last name?" question is important. This answer constitutes the CN= part of your so-called distinguished name. The browser will check that the CN= part matches the end of the domain it requested the web page from. If the CN= and the web page domain do not match, the browser will display an additional warning. So for local development you may want to use "localhost" as the CN and later on use the domain name of the host that will serve requests from the internet.

   * Edit jbossweb-tomcat41.sar/META-INF/jboss-service.xml, uncomment the following section and update the keystoreFile:

<!-- SSL/TLS Connector configuration -->
<Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
    address="${jboss.bind.address}" port = "8443" scheme = "https"
    secure = "true">
    <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
        keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
        keystorePass="tc-ssl"
        protocol = "TLS"/>
</Connector>

   * You need to replace the value for keystorePass with the password you used while creating the key.

   * Start the server and browse to: https://localhost:8443/jmx-console/index.jsp to test the SSL connection. Your browser should complain about not trusting the signer. To avoid this you would need to either import the server certificate into your browser or obtain a certificate from a well known cert authority (e.g. Thawte, Verisign). See the examples section of the keytool docs: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html for the procedure to create a server certificate that has been signed by a trusted CA.

On startup the log may contain this warning:

10:31:48,952 DEBUG [SSLImplementation] [getInstance.119] Error loading SSL Implementation org.apache.tomcat.util.net.puretls.PureTLSImplementation
java.lang.ClassNotFoundException: No ClassLoaders found for: org.apache.tomcat.util.net.puretls.PureTLSImplementation

Ignore it unless you are trying to use the PureTLS SSL implementation. Tomcat tries to find different SSL implementations and defaults to JSSE if no others are found.

JBoss-3.2.4+/Tomcat-5.0.x
In jboss-3.2.4+ the tomcat-5.0.x container has its configuration in the jbossweb-tomcat50.sar/server.xml descriptor.


Using a trusted certificate obtained from a well known CA

You may get the certificate in a format that is not appropriate for using it directly in JBoss/Tomcat. You can use the openssl tool to convert the certificate and key into a suitable format:

openssl pkcs12 -export -out server.keystore -in certificate.pem -inkey private.key

If you get an error like this

10300:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1002:
10300:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:305:Type=PKCS12

you might have forgotten to add the "-export" option.

You can check if you have a valid keystore with the keytool (comes with the JDK):

$> keytool -list -keystore ssl.keystore -storetype PKCS12

Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

2, Jun 14, 2006, keyEntry,
Certificate fingerprint (MD5): CB:47:4F:56:75:23:FA:9E:9C:7B:11:D9:8C:B3:D4:1E

It's important that you have a *keyEntry* in there.
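Beyond reading the keytool listing, the check a practitioner wants is that the entry is actually usable: the private key opens with the store password, the certificate is within its validity period, and its CN matches the host name the browser will ask for (the warning described earlier on this page). The following program is an example added here, not code from the wiki; the command line arguments, the class name and the assumption that the key password equals the store password (as in this page's keytool commands) are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Checks a server keystore for a usable key entry (example added here, not from the wiki page). */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java KeystoreCheck <keystore> <JKS|PKCS12> <storepass> <expected-host>");
            System.exit(2);
        }
        System.exit(check(args[0], args[1], args[2].toCharArray(), args[3]) ? 0 : 1);
    }

    /** Returns true only if some entry holds a readable private key and a currently valid cert whose CN is expectedHost. */
    static boolean check(String path, String type, char[] storePass, String expectedHost) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);   // "PKCS12" for the openssl-exported file, "JKS" for keytool's default
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                  // a wrong store password fails here with an IOException
        }
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {             // keytool -list would show trustedCertEntry: no private key to serve TLS with
                System.out.println(alias + ": trustedCertEntry, cannot be used as the server key");
                continue;
            }
            PrivateKey key;
            try {
                key = (PrivateKey) ks.getKey(alias, storePass);   // assumes keypass == storepass, as on this page
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": keyEntry, but the key password differs from the store password");
                continue;
            }
            X509Certificate leaf = (X509Certificate) ks.getCertificateChain(alias)[0];
            String cn = commonName(leaf);
            System.out.println(alias + ": " + key.getAlgorithm() + " key, CN=" + cn + ", expires " + leaf.getNotAfter());
            try {
                leaf.checkValidity();                // throws if the cert is expired or not yet valid
            } catch (CertificateException e) {
                System.out.println("  certificate not currently valid: " + e.getMessage());
                continue;
            }
            if (!expectedHost.equalsIgnoreCase(cn)) {
                // The browser warning described above: CN (today, a SAN dNSName) must match the host in the URL
                System.out.println("  CN does not match " + expectedHost);
                continue;
            }
            usable = true;
        }
        return usable;
    }

    /** Extracts the CN attribute from the certificate subject. */
    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return "";
    }
}
```

Run it as `java KeystoreCheck server.keystore PKCS12 <password> www.myhost.com` for the openssl-exported store, or with `JKS` for a store created by keytool; a non-zero exit means the connector will start but clients will not get a usable certificate.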

Authentication scenarios

In this section, we'll describe four typical SSL scenarios:

   * 1 - SSL enabled on the server - the common case
   * 2 - SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client
   * 3 - SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client
   * 4 - SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

Setup

   * Grab a copy of the latest JBossAS release and explode it.
   * Download the java client client-server-certs.zip from the attachment section
   * Download the http client httpclient.zip from the attachment section
   * Download openssl if you don't have it so that a pkcs12 key can be generated from the client x509 cert to import into your browser. For win32 you can download Cygwin and for *nix platforms you can either build the dist from source obtained from the OpenSSL Site or search the web for an rpm or other binary package as required for your platform.



1 - SSL enabled on the server - the common case

In this configuration you need three files

  1. server.keystore - contains the key pair
  2. server.cer - server certificate exported from the keystore
  3. client.truststore - contains the server certificate

   * Create the server keystore

   keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"


   * Create the server certificate

   keytool -export -alias serverkeys -keystore server.keystore -storepass 123456 -file server.cer


   * Configure Tomcat

   Copy server.keystore to /server/xxx/conf and update the following in server.xml

     <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
     <Connector port="8443" address="${jboss.bind.address}"
          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
          emptySessionPath="true"
          scheme="https" secure="true" clientAuth="false"           
          sslProtocol = "TLS"
          keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
          keystorePass="123456" 
      />

   * Start the server

  run -c default


   * Creating client.truststore (by importing server certificate)

   keytool -import -v -keystore client.truststore  -storepass 123456 -file server.cer


   * Run the client

   java -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=123456 acme/ReadHttpsURL2 https://localhost:8443



2 - SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client

To require that an HTTP client presents a valid client certificate you need to add a clientAuth="true" attribute to the Connector configuration. Depending on which root CA has signed the client cert, you may also need to specify the truststoreFile and truststorePass for the keystore containing the client cert signer.

In this configuration you need 6 files

  1. server.keystore - contains the key pair
  2. server.cer - server certificate exported from the keystore
  3. client.truststore - contains the server certificate
  4. client.keystore - contains the key pair
  5. client.cer - client certificate exported from the keystore
  6. server.truststore - contains the client certificate

   * Create the server keystore

   keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"


   * Create the server certificate

   keytool -export -alias serverkeys -keystore server.keystore -storepass 123456 -file server.cer


   * Create the client keystore

   keytool -genkey -alias clientkeys  -keyalg RSA -keystore client.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, S=MYSTATE, C=MY"


   * Create the client certificate

   keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer


   * Import server certificate into client truststore

   keytool -import -v -keystore client.truststore  -storepass 123456 -file server.cer


   * Import client certificate into server truststore

   keytool -import -v -keystore server.truststore  -storepass 123456 -file client.cer


   * Update the Tomcat configuration

    Copy both server.keystore and server.truststore to /server/xxx/conf and update the following in server.xml

     <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
     <Connector port="8443" address="${jboss.bind.address}"
          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
          emptySessionPath="true"
          scheme="https" secure="true" clientAuth="true"
          sslProtocol = "TLS"
          keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
          keystorePass="123456" 
          truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
          truststorePass="123456"
      />

   NOTE: The attribute clientAuth is set to "true".

   * Start the server

  run -c default


   * Run the client

   java -Djavax.net.ssl.keyStore=client.keystore -Djavax.net.ssl.keyStorePassword=123456
      -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=123456
       acme/ReadHttpsURL2 https://localhost:8443
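The client invocations in scenarios 1 and 2 rely on the javax.net.ssl system properties to pick up the stores. The following client is an example added here, not the ReadHttpsURL2 program from the attachment: it covers both scenarios by building the SSLContext explicitly, so that only what is in client.truststore is trusted (not the JDK's default CA bundle) and the client key pair is presented only when a keystore is supplied. The file names, passwords and URL are the ones used on this page; the class name is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** HTTPS client with an explicit trust store and optional client key store (added example, not ReadHttpsURL2). */
public class MutualTlsClient {

    public static void main(String[] args) throws Exception {
        if (args.length != 3 && args.length != 5) {
            System.err.println("usage: java MutualTlsClient <url> <truststore> <trustpass> [<keystore> <keypass>]");
            System.exit(2);
        }
        String keyStore = args.length == 5 ? args[3] : null;
        char[] keyPass = args.length == 5 ? args[4].toCharArray() : null;
        int status = fetch(args[0], args[1], args[2].toCharArray(), keyStore, keyPass);
        System.out.println("HTTP status " + status);
    }

    /** Loads a keytool-created JKS file; use "PKCS12" here for an openssl-exported store. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Connects to url and returns the HTTP status. The handshake fails with an SSLHandshakeException if the
     * server certificate is not in the trust store, or (with clientAuth="true" on the server) if no acceptable
     * client certificate can be presented.
     */
    static int fetch(String url, String trustStore, char[] trustPass, String keyStore, char[] keyPass)
            throws Exception {
        // Trust only what is in client.truststore (the imported server.cer), not the JDK's default CA bundle
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPass));

        // Scenario 2 only: the client's key pair, sent when the server requests a certificate
        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStore, keyPass), keyPass);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept: the server cert's CN/SAN must match the host in the URL
        int status = conn.getResponseCode();
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("server cert: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        conn.disconnect();
        return status;
    }
}
```

Scenario 1: `java MutualTlsClient https://localhost:8443 client.truststore 123456`. Scenario 2: append `client.keystore 123456`; running the scenario 1 form against a clientAuth="true" connector is a quick way to confirm the server really rejects connections without a client certificate.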



3 - SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client

   * To enable mutual authentication between the client and server, a client cert must be generated. Both the client and server certs can be generated using the java keytool utility similar to how step 1 was done. An issue with using the client cert in a browser is that the cert must be imported into the browser from a key format such as pkcs12, and keytool does not currently support this format.

Because of this, openssl must be used to generate the required format from the keytool x509 certificate. Since there are many steps in this process, the steps have been scripted in an ant 1.6.x build.xml file that can be found in the client-server-certs.zip attachment. Download and unpack this zip file to create a client-server-certs directory that contains the build.xml script.

   * cd to client-server-certs, and simply run ant to generate the client and server certs, keystores and truststores. The output will be something like:

Buildfile: build.xml

self-signed-certs:
    [echo] keytool -genkey -alias clientCert -keyalg RSA -validity 730 -keystore client.keystore -dname cn=ClientCert,o=SomeCA,ou=SomeCAOrg -keypass clientcert -storepass clientcert

    [exec] Keystore type: jks
    [exec] Keystore provider: SUN

    [exec] Your keystore contains 1 entry

    [exec] clientcert, Jun 17, 2005, keyEntry,
    [exec] Certificate fingerprint (MD5): A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
    [echo] keytool -genkey -alias serverCert -keyalg RSA -validity 730 -keystore server.keystore -dname cn=localhost,o=SomeCA,ou=SomeCAOrg -keypass servercert -storepass servercert

    [exec] Keystore type: jks
    [exec] Keystore provider: SUN

    [exec] Your keystore contains 1 entry

    [exec] servercert, Jun 17, 2005, keyEntry,
    [exec] Certificate fingerprint (MD5): E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9
    [echo] keytool -export -alias clientCert -keystore client.keystore -storepass clientcert -file client.cer
    [exec] Certificate stored in file <client.cer>
    [exec] Owner: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
    [exec] Issuer: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
    [exec] Serial number: 42b37131
    [exec] Valid from: Fri Jun 17 17:56:17 PDT 2005 until: Sun Jun 17 17:56:17 PDT 2007
    [exec] Certificate fingerprints:
    [exec]      MD5:  A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
    [exec]      SHA1: 29:66:59:3B:9F:9E:2B:C4:E0:1C:37:BB:7B:58:C3:DD:19:E5:DE:D4
    [echo] keytool -export -alias serverCert -keystore server.keystore -storepass servercert -file server.cer
    [exec] Certificate stored in file <server.cer>
    [exec] Owner: CN=localhost, O=SomeCA, OU=SomeCAOrg
    [exec] Issuer: CN=localhost, O=SomeCA, OU=SomeCAOrg
    [exec] Serial number: 42b37132
    [exec] Valid from: Fri Jun 17 17:56:18 PDT 2005 until: Sun Jun 17 17:56:18PDT 2007
    [exec] Certificate fingerprints:
    [exec]      MD5:  E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9
    [exec]      SHA1: 12:BC:6D:D5:06:B7:49:CD:DA:F4:C2:9D:5F:3F:C2:9C:5D:AF:EA:15
    [echo] keytool -import -alias serverCert -keystore client.truststore -storepass clientcert -file server.cer
    [exec] Owner: CN=localhost, O=SomeCA, OU=SomeCAOrg
    [exec] Issuer: CN=localhost, O=SomeCA, OU=SomeCAOrg
    [exec] Trust this certificate? [no]:  Certificate was added to keystore
    [exec] Serial number: 42b37132
    [exec] Valid from: Fri Jun 17 17:56:18 PDT 2005 until: Sun Jun 17 17:56:18 PDT 2007
    [exec] Certificate fingerprints:
    [exec]      MD5:  E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9
    [exec]      SHA1: 12:BC:6D:D5:06:B7:49:CD:DA:F4:C2:9D:5F:3F:C2:9C:5D:AF:EA:15
    [echo] keytool -import -alias clientCert -keystore server.truststore -storepass servercert -file client.cer
    [exec] Owner: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
    [exec] Issuer: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
    [exec] Trust this certificate? [no]:  Certificate was added to keystore
    [exec] Serial number: 42b37131
    [exec] Valid from: Fri Jun 17 17:56:17 PDT 2005 until: Sun Jun 17 17:56:17 PDT 2007
    [exec] Certificate fingerprints:
    [exec]      MD5:  A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
    [exec]      SHA1: 29:66:59:3B:9F:9E:2B:C4:E0:1C:37:BB:7B:58:C3:DD:19:E5:DE:D4
    [echo] client.keystore contents:

    [exec] Keystore type: jks
    [exec] Keystore provider: SUN

    [exec] Your keystore contains 1 entry

    [exec] clientcert, Jun 17, 2005, keyEntry,
    [exec] Certificate fingerprint (MD5): A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
    [echo] server.keystore contents:

    [exec] Keystore type: jks
    [exec] Keystore provider: SUN

    [exec] Your keystore contains 1 entry

    [exec] servercert, Jun 17, 2005, keyEntry,
    [exec] Certificate fingerprint (MD5): E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9

BUILD SUCCESSFUL
Total time: 3 seconds
[starksm@banshee9100 client-server-certs]$ ls
build.xml    client.keystore*    server.cer*       server.truststore*
client.cer*  client.truststore*  server.keystore*  src/

   * Next, create a pkcs12 formatted key to import into your browser. This is done by running the cer2pkcs12 target.

[starksm@banshee9100 client-server-certs]$ ant cer2pkcs12
Buildfile: build.xml

cer2pkcs12:
   [mkdir] Created dir: C:\tmp\client-server-certs\classes
   [javac] Compiling 1 source file to C:\tmp\client-server-certs\classes
    [echo] openssl x509 -out client-pem.cer -outform pem -text -in client.cer -inform der
    [echo] openssl pkcs12 -export -out client.p12 -inkey client.8 -in client-pem.cer -passout pass:clientcert

BUILD SUCCESSFUL
Total time: 2 seconds
[starksm@banshee9100 client-server-certs]$ ls
build.xml       client.cer*       client.p8*          server.keystore*
classes/        client.keystore*  client.truststore*  server.truststore*
client-pem.cer  client.p12        server.cer*         src/

   * The resulting client.p12 file is the pkcs12 formatted private key for the x509 client cert created in the first step. This should be imported into your browser. For Mozilla Firefox 1.0.x, this entails selecting Tools/Options menu, selecting the Advanced section of the options dialog, and selecting the Manage Certificates... button to display the import dialog. The client.p12 password to use for the import is "clientcert", without the quotes.
   * You should also import the server.cer x509 cert into the Authorities section so that the server's self signed cert is seen as trusted. Otherwise, the browser should prompt you about an untrusted server cert when you try an https connection.
   * Next, copy the server.keystore and server.truststore to the jboss server/default/conf directory, or the conf directory of whatever server configuration you are using.
   * Next, edit the deploy/jbossweb-tomcat55.sar/server.xml file to enable the SSL connector. The Connector element should look like the following, with clientAuth="true" to require that clients provide a certificate.

     <!-- SSL/TLS Connector conf using the server.{keystore,truststore}
     -->
     <Connector port="8443" address="${jboss.bind.address}"
          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
          emptySessionPath="true"
          scheme="https" secure="true" clientAuth="true"
          keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
          keystorePass="servercert"
          truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
          truststorePass="servercert"
          sslProtocol = "TLS"
          />

   * You should now be able to connect to the jboss server using https and the browser should display a dialog asking for the cert to use (unless the browser is configured to do this automatically). An example of the dialog from the Firefox 1.0.4 browser is shown here:

[Figure: browser_prompt.png, the Firefox 1.0.4 certificate selection dialog]



4 - SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

   * Install openssl and configure its CA

First, you need to configure the certificate authority application of OpenSSL. churchillobjects.com has a good overview of the required steps in the Generating a Certificate Authority article. See the ca manpage for the full details of the OpenSSL ca command.

   * Create server openssl CA signed cert using keytool

[starksm@banshee9100 openssl-ca]$ keytool -genkey -alias unit-tests-server -keystore localhost.keystore
Enter keystore password:  unit-tests-server
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  QA
What is the name of your organization?
  [Unknown]:  JBoss Inc.
What is the name of your City or Locality?
  [Unknown]:  Snoqualmie Pass
What is the name of your State or Province?
  [Unknown]:  Washington
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost, OU=QA, O=JBoss Inc., L=Snoqualmie Pass, ST=Washington, C=US correct?
  [no]:  yes

Enter key password for <unit-tests-server>
       (RETURN if same as keystore password):

   * Create a cert signing request for the server key

[starksm@banshee9100 conf]$ keytool -keystore localhost.keystore -certreq -alias unit-tests-server -file unit-tests-server.csr
Enter keystore password:  unit-tests-server

   * Sign the cert request

[starksm@banshee9100 openssl-ca]$ openssl ca -config openssl.cnf -in unit-tests-server.csr -out unit-tests-server.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem: openssl-ca
DEBUG[load_index]: unique_subject = "no"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Washington'
localityName          :PRINTABLE:'Snoqualmie Pass'
organizationName      :PRINTABLE:'JBoss Inc.'
organizationalUnitName:PRINTABLE:'QA'
commonName            :PRINTABLE:'localhost'
Certificate is to be certified until Jul 30 21:39:21 2005 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

   * Extract the certificate from the CA output

The file written by openssl ca begins with a human-readable dump of the certificate; openssl x509 re-emits only the PEM certificate, which keytool accepts as a reply (add -outform DER if a binary .cer file is actually required; keytool reads either encoding):

[starksm@banshee9100 openssl-ca]$ openssl x509 -in unit-tests-server.pem -out unit-tests-server.cer

   * Import the CA root into the keystore. This must happen before the reply is imported: keytool only installs a certificate reply whose chain it can validate against a trusted entry already in the keystore.

[starksm@banshee9100 openssl-ca]$ keytool -keystore localhost.keystore -alias openssl-ca -import -file cacert.pem
Enter keystore password:  unit-tests-server
Owner: CN=jboss.com, C=US, ST=Washington, L=Snoqualmie Pass, EMAILADDRESS=admin@jboss.com, OU=QA, O=JBoss Inc.
Issuer: CN=jboss.com, C=US, ST=Washington, L=Snoqualmie Pass, EMAILADDRESS=admin@jboss.com, OU=QA, O=JBoss Inc.
Serial number: 0
Valid from: Wed May 26 00:53:20 PDT 2004 until: Sat May 24 00:53:20 PDT 2014
Certificate fingerprints:
        MD5:  B3:34:05:D0:7D:7E:18:A5:E3:0B:82:0A:D9:54:41:7E
        SHA1: F0:85:B4:14:8C:4E:92:CB:68:E6:D6:08:DC:86:94:E5:BF:DC:58:32
Trust this certificate? [no]:  yes
Certificate was added to keystore

   * Import CA reply

[starksm@banshee9100 openssl-ca]$ keytool -keystore localhost.keystore -alias unit-tests-server -import -file unit-tests-server.cer
Enter keystore password:  unit-tests-server
Certificate reply was installed in keystore
[starksm@banshee9100 openssl-ca]$ ls -l localhost.keystore
-rwxrwxrwx    1 starksm  None         3247 Jul 30 14:44 localhost.keystore*
[starksm@banshee9100 openssl-ca]$ keytool -list -keystore localhost.keystore
Enter keystore password:  unit-tests-server

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

unit-tests-server, Jul 30, 2004, keyEntry,
Certificate fingerprint (MD5): 34:35:A5:4A:EB:F3:3C:F8:60:C1:86:05:07:01:4B:DD
openssl-ca, Jul 30, 2004, trustedCertEntry,
Certificate fingerprint (MD5): B3:34:05:D0:7D:7E:18:A5:E3:0B:82:0A:D9:54:41:7E

   * Import the client cert (as a trustedCertEntry). With openssl-ca already trusted in this same keystore, this entry does not restrict who can connect: any certificate that CA issues passes the TLS handshake, so deciding which users are admitted is a job for the security domain, not for the truststore.

[starksm@banshee9100 openssl-ca]$ keytool -import -keystore localhost.keystore -alias unit-tests-client -file unit-tests-client.cer
Enter keystore password:  unit-tests-server
Certificate was added to keystore

[starksm@banshee9100 openssl-ca]$ keytool -list -keystore localhost.keystore
Enter keystore password:  unit-tests-server

Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

unit-tests-client, Jul 30, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 4A:9C:2B:CD:1B:50:AA:85:DD:89:F6:1D:F5:AF:9E:AB
unit-tests-server, Jul 30, 2004, keyEntry,
Certificate fingerprint (MD5): 34:35:A5:4A:EB:F3:3C:F8:60:C1:86:05:07:01:4B:DD
openssl-ca, Jul 30, 2004, trustedCertEntry,
Certificate fingerprint (MD5): B3:34:05:D0:7D:7E:18:A5:E3:0B:82:0A:D9:54:41:7E
[starksm@banshee9100 openssl-ca]$
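The whole of section 4 as one runnable script, added here as an example and not the wiki page's own code. It replaces the page's openssl.cnf-driven "openssl ca" with "openssl x509 -req" so nothing but openssl and the JDK's keytool is needed, and it goes one step further than the page by also issuing the client certificate and packing it as PKCS#12 for the browser. Every password, alias and DN value is an example choice; the script name ssl-setup.sh and the work directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the JBoss wiki page: build a throwaway OpenSSL
# CA, have it sign a server key generated with keytool (as in section 4) and a
# client key generated with openssl, and assemble localhost.keystore for mutual
# TLS. Assumes openssl and the JDK's keytool on PATH; the passwords, aliases
# and DN values are example choices, not values taken from the page.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="openssl-ca"          # CA private-key passphrase (example only)
KS_PASS="unit-tests-server"   # keystore and key password (example only; keytool wants 6+ chars)
KS="$WORK/localhost.keystore"
CA_CERT="$WORK/ca/cacert.pem"
CA_KEY="$WORK/ca/private/cakey.pem"
DN="/C=US/ST=Washington/L=Snoqualmie Pass/O=JBoss Inc./OU=QA"

# 1. Minimal CA: encrypted RSA key plus self-signed root. "openssl x509 -req"
#    stands in for the page's "openssl ca -config openssl.cnf", so no config
#    file or index database is needed.
make_ca() {
    mkdir -p "$WORK/ca/private"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_KEY" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$CA_KEY" -passin "pass:$CA_PASS" \
        -subj "$DN/CN=jboss.com" -out "$CA_CERT"
}

# $1 = CSR, $2 = output certificate (PEM); 365 days, as in the page's transcript.
sign_csr() {
    openssl x509 -req -sha256 -days 365 -in "$1" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -passin "pass:$CA_PASS" -CAcreateserial -out "$2" 2>/dev/null
}

# 2. Server key pair in a JKS keystore (the type JBoss 3.x/4.x expects), CSR,
#    CA signature, then CA root and signed reply imported in that order, since
#    keytool only installs a reply whose chain it can validate. -keyalg RSA
#    matters: keytool's historical default was DSA, which TLS clients now reject.
make_server_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias unit-tests-server \
        -dname "CN=localhost, OU=QA, O=JBoss Inc., L=Snoqualmie Pass, ST=Washington, C=US" \
        -keystore "$KS" -storetype JKS -storepass "$KS_PASS" -keypass "$KS_PASS" 2>/dev/null
    keytool -certreq -alias unit-tests-server -keystore "$KS" -storepass "$KS_PASS" \
        -file "$WORK/unit-tests-server.csr" 2>/dev/null
    sign_csr "$WORK/unit-tests-server.csr" "$WORK/unit-tests-server.pem"
    keytool -importcert -noprompt -alias openssl-ca -file "$CA_CERT" \
        -keystore "$KS" -storepass "$KS_PASS" 2>/dev/null
    keytool -importcert -noprompt -alias unit-tests-server -file "$WORK/unit-tests-server.pem" \
        -keystore "$KS" -storepass "$KS_PASS" 2>/dev/null
}

# 3. Client key pair and CA-issued certificate, bundled as PKCS#12 for import
#    into a browser (the export password is what the browser asks for).
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/unit-tests-client.key" \
        -subj "$DN/CN=unit-tests-client" -out "$WORK/unit-tests-client.csr" 2>/dev/null
    sign_csr "$WORK/unit-tests-client.csr" "$WORK/unit-tests-client.pem"
    openssl pkcs12 -export -name unit-tests-client -in "$WORK/unit-tests-client.pem" \
        -inkey "$WORK/unit-tests-client.key" -passout "pass:$KS_PASS" \
        -out "$WORK/unit-tests-client.p12"
}

# 4. Trust the client, as the page does. Since openssl-ca is already a
#    trustedCertEntry in the file JBoss uses as truststoreFile, this adds no
#    restriction: every certificate that CA issues passes the handshake. Which
#    subjects may log in is the security domain's decision (a certificate login
#    module mapping DNs to roles), not the truststore's.
trust_client() {
    keytool -importcert -noprompt -alias unit-tests-client -file "$WORK/unit-tests-client.pem" \
        -keystore "$KS" -storepass "$KS_PASS" 2>/dev/null
}

# Checks. verify_cert greps for "OK" because old OpenSSL releases exit 0 even on
# failure; keystore_has matches the "alias, date, type" lines of keytool -list.
verify_cert()  { openssl verify -CAfile "$CA_CERT" "$WORK/$1" 2>/dev/null | grep -q ': OK$'; }
cert_cn()      { openssl x509 -in "$WORK/$1" -noout -subject | sed 's/.*CN *= *//'; }
keystore_has() { keytool -list -keystore "$KS" -storepass "$KS_PASS" 2>/dev/null | grep -q "^$1,"; }

main() {
    make_ca; make_server_keystore; make_client; trust_client
    verify_cert unit-tests-server.pem && verify_cert unit-tests-client.pem
    keytool -list -keystore "$KS" -storepass "$KS_PASS" 2>/dev/null
    echo "keystore: $KS   client bundle: $WORK/unit-tests-client.p12"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh ssl-setup.sh run`; the resulting localhost.keystore is what goes into the connector's keystoreFile and truststoreFile attributes, with KS_PASS as keystorePass, and unit-tests-client.p12 is what the browser imports before it can answer the certificate prompt.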

Another (untested) keystore/openssl recipe:

Create keystore certificate:

  1. keytool -genkey -keyalg RSA -alias postgresql -dname "cn=www.beyarecords.com, ou=Music, o=Urban Music, c=GB" -keystore {keystore location} -validity 365
  2. keytool -selfcert -keystore {keystore location} -alias postgresql
  3. keytool -export -keystore {keystore location} -alias postgresql -rfc -file postgresql.cer
  4. keytool -import -keystore {keystore location} -alias postgresql -file postgresql.cer

Steps 2 and 4 can be skipped: -genkey already creates a self-signed certificate, and re-importing that same certificate under its own alias changes nothing.

Export private key from keystore alias:

  1. java ExportPrivateKey <keystore> <alias> <password> > exported-pkcs8.key
  2. openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out postgresql.key

Step 2 converts the unencrypted PKCS#8 block to OpenSSL's traditional "RSA PRIVATE KEY" form. Both files hold the key in the clear, so keep them readable by the owner only.

Note: the cacerts file under the JRE (on OS X, /Library/Java/Home/lib/security/cacerts; default password changeit) is the JRE's trust store of CA certificates, not a place to keep server private keys.

The ExportPrivateKey class:

package security;

import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Base64;

/**
 * Prints the private key of a keystore alias as an unencrypted PKCS#8 PEM block
 * ("-----BEGIN PRIVATE KEY-----"), the input the "openssl pkcs8 -nocrypt" step
 * above expects. The output is the bare key: redirect it to a file that only
 * the owner can read, never to a shared terminal or a log.
 */
public class ExportPrivateKey
{
   public static void main(String[] args) throws Exception
   {
      if (args.length < 2)
      {
         System.err.println("Usage: java ExportPrivateKey <keystore> <alias> [password]");
         System.exit(1);
      }
      char[] passPhrase;
      if (args.length > 2)
      {
         // A password given on the command line is visible to other users via ps;
         // leave it out and it is read from the console instead.
         passPhrase = args[2].toCharArray();
      }
      else
      {
         Console console = System.console();
         if (console == null)
         {
            System.err.println("No console available; pass the password as the third argument");
            System.exit(1);
         }
         passPhrase = console.readPassword("Keystore password: ");
      }
      new ExportPrivateKey().doit(args[0], args[1], passPhrase);
   }

   public void doit(String fileName, String aliasName, char[] passPhrase) throws Exception
   {
      KeyStore ks = KeyStore.getInstance("JKS");
      try (InputStream in = new FileInputStream(fileName))
      {
         ks.load(in, passPhrase);
      }

      KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);
      if (kp == null)
      {
         throw new IllegalArgumentException("No private key entry for alias " + aliasName);
      }
      PrivateKey privKey = kp.getPrivate();

      // getEncoded() on a JCE private key is PKCS#8 DER; the MIME encoder
      // produces the 64-column base64 lines of a PEM body.
      Base64.Encoder pem = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
      String b64 = pem.encodeToString(privKey.getEncoded());

      System.out.println("-----BEGIN PRIVATE KEY-----");
      System.out.println(b64);
      System.out.println("-----END PRIVATE KEY-----");
   }

   // Adapted from http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
   // The keystore password is also used as the key password, which holds when
   // keytool's "RETURN if same as keystore password" prompt was accepted.
   // Errors propagate instead of being swallowed into a null return.
   public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) throws Exception
   {
      Key key = keystore.getKey(alias, password);
      if (key instanceof PrivateKey)
      {
         // The certificate stored with the key carries the matching public key
         Certificate cert = keystore.getCertificate(alias);
         PublicKey publicKey = cert.getPublicKey();
         return new KeyPair(publicKey, (PrivateKey) key);
      }
      return null;
   }
}
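The same export, and a check that the recipe above lacks, done with stock tools instead of a custom class. This is an added example, not code from the wiki page: keytool -importkeystore (JDK 6 and later) copies the alias into a PKCS#12 file that openssl reads natively, and the password never appears on a command line because keytool reads it from the environment with the ":env" form of its password options and openssl with "env:". The keystore path, alias, DN and password are example choices.

```shell
#!/bin/sh
# Added example, not code from the JBoss wiki page: export the private key of
# a JKS alias to PEM with stock tools instead of the ExportPrivateKey class,
# and without the password ever appearing on a command line (keytool reads it
# from the environment with the ":env" option form, openssl with "env:").
# keytool -importkeystore (JDK 6 and later) copies the entry into a PKCS#12
# file, which openssl reads natively. Assumes openssl and keytool on PATH;
# the keystore path, alias, DN and password are example choices.
set -e

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/postgresql.jks"
ALIAS="postgresql"
PASS="example-changeit"    # example only; exported as KS_PASS below

# Self-signed test entry, the equivalent of the recipe's steps 1-2 (keytool
# already self-signs on -genkeypair, so no separate -selfcert is needed).
make_test_entry() {
    export KS_PASS="$PASS"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias "$ALIAS" \
        -dname "CN=www.example.com, OU=Music, O=Urban Music, C=GB" \
        -keystore "$KS" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS 2>/dev/null
}

# $1 = keystore, $2 = alias, $3 = output key PEM. Requires KS_PASS exported.
# Also writes $WORK/<alias>.crt. The PKCS#12 intermediate exists only in $WORK
# and is deleted; umask 077 makes the key and certificate owner-readable only.
export_key() {
    p12="$WORK/$2.p12"
    keytool -importkeystore -noprompt -srckeystore "$1" -srcalias "$2" \
        -srcstorepass:env KS_PASS -destkeystore "$p12" -deststoretype PKCS12 \
        -deststorepass:env KS_PASS -destkeypass:env KS_PASS 2>/dev/null
    # -nocerts -nodes: only the key, unencrypted, as PKCS#8 "BEGIN PRIVATE KEY"
    # (pipe through "openssl rsa" if a consumer insists on "RSA PRIVATE KEY").
    # A PKCS#12 written by a JDK older than 8u301/11.0.12 uses RC2/3DES bags
    # and needs "-legacy" with OpenSSL 3.
    umask 077
    openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes -out "$3" 2>/dev/null
    openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys -clcerts -out "$WORK/$2.crt" 2>/dev/null
    rm -f "$p12"
}

# The exported key must pair with the certificate: compare the RSA modulus of
# each (hashed, so the comparison is a short string rather than 512 hex digits).
key_matches_cert() {   # $1 = key PEM, $2 = cert PEM
    k=$(openssl rsa  -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    make_test_entry
    export_key "$KS" "$ALIAS" "$WORK/$ALIAS.key"
    key_matches_cert "$WORK/$ALIAS.key" "$WORK/$ALIAS.crt" && echo "key matches certificate"
    grep 'PRIVATE KEY' "$WORK/$ALIAS.key"
    ls -l "$WORK/$ALIAS.key"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh export-key.sh run` (name assumed). For a real keystore, skip make_test_entry, export KS_PASS from a prompt or a file, and call export_key with the keystore path and alias; the modulus check is the step to keep whenever a key and certificate are shipped separately to another system.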



from : http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup

Posted by twintail
TAG Jboss, SSL

How to install JBoss quickly

1. Download JBoss from http://www.jboss.org. It is an AS (Application Server).
   - The version I used was 3.2.8.SP1.

2. Unpack the downloaded archive in a suitable location.

3. Download the JDK from http://java.sun.com. As far as I know, 4.0 and later require JDK 5.0.

4. Set the environment variables.
   - Set JAVA_HOME.
   - Set JBOSS_HOME.

5. Go to /jboss-3.2.8.SP1/server and copy the default folder under the name you want to use.
   - It is usually renamed to the project or site name.
   - I will assume it was renamed to test.

6. Inside /jboss-3.2.8.SP1/server/test, delete the jms folder. Only if you are not going to use that feature, of course.

7. Adjust the port. Inside the /jboss-3.2.8.SP1/server/test/deploy/jbossweb-tomcat50.sar folder you will find
   server.xml. The default port is 8080; change it to 80 (or whichever port you want to use).
   Note that on Unix-like systems ports below 1024 can only be bound by root, and JBoss should not run as
   root: keep a high port and put a reverse proxy in front of it, or redirect 80 to 8080 in the firewall.

8. Run /jboss-3.2.8.SP1/bin/run.bat -c test (run.sh on Unix) and you will see JBoss start for the first time.
   - It is normal that no page appears yet: nothing is deployed, and the configuration name test does not
     create a /test context by itself.
   - The URL is http://localhost/test or http://127.0.0.1/test

9. How do you deploy? Put a .war or .ear into the /jboss-3.2.8.SP1/server/test/deploy folder.
   - The archive must meet JBoss's deployment requirements: a WAR needs WEB-INF/web.xml, and JBoss-specific
     settings go in WEB-INF/jboss-web.xml for a WAR or META-INF/jboss-app.xml for an EAR.


Posted by twintail
TAG Jboss, installation