JBoss.orgCommunity Documentation
There are 2 connections between the cluster and the front-end. Both could be encrypted. That chapter describes how to encrypt both connections.
As the ClusterListener allows to configure httpd it is adviced to use SSL for that connection. The most easy is to use a virtual host that will only be used to receive information from JBossWEB. Both side need configuration.
mod_ssl of httpd is using to do that. See in one example how easy the configuration is:
Listen 6666
<VirtualHost 10.33.144.3:6666>
SSLEngine on
SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLCACertificateFile conf/server-ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>The conf/server.crt file is the PEM-encoded Certificate file for the VirtualHost it must be signed by a Certificate Authority (CA) whose certificate is stored in the sslTrustStore of the ClusterListener parameter.
The conf/server.key file is the file containing the private key.
The conf/server-ca.crt file is the file containing the certicate of the CA that have signed the client certificate JBossWEB is using. That is the CA that have signed the certificate corresponding to the sslKeyAlias stored in the sslKeyStore of the ClusterListener parameters.
There is a wiki describing the SSL parameters of the ClusterListener. See in one example how easy the configuration is:
<Listener className="org.jboss.web.cluster.ClusterListener"
ssl="true"
sslKeyStorePass="changeit"
sslKeyStore="/home/jfclere/CERTS/CA/test.p12"
sslKeyStoreType="PKCS12"
sslTrustStore="/home/jfclere/CERTS/CA/ca.p12"
sslTrustStoreType="PKCS12" sslTrustStorePassword="changeit"
/>The sslKeyStore file contains the private key and the signed certificate of the client certificate JBossWEB uses to connect to httpd. The certificate must be signed by a Cerficate Authority (CA) who certificate is in the conf/server-ca.crt file of the httpd
The sslTrustStore file contains the CA certificate of the CA that signed the certificate contained in conf/server.crt file.
The mod-cluster-jboss-beans.xml in $JBOSS_HOME/server/profile/deploy/mod-cluster.sar/META-INF in the ClusterConfig you are using you should have something like:
<property name="ssl">true</property>
<property name="sslKeyStorePass">changeit</property>
<property name="sslKeyStore">/home/jfclere/CERTS/test.p12</property>
<property name="sslKeyStoreType">pkcs12</property>
<property name="sslTrustStore">/home/jfclere/CERTS/ca.p12</property>
<property name="sslTrustStoreType">pkcs12</property>
<property name="sslTrustStorePassword">changeit</property>The files were created using OpenSSL utilities see OpenSSL CA.pl (/etc/pki/tls/misc/CA for example) has been used to create the test Certificate authority, the certicate requests and private keys as well as signing the certicate requests.
Create a work directory and work for there:
mkdir -p CERTS/Server
cd CERTS/ServerCreate a new CA:
/etc/pki/tls/misc/CA -newca
That creates a directory for example ../../CA that contains a cacert.pem file which content have to be added to the conf/server-ca.crt described above.
Create a new request:
/etc/pki/tls/misc/CA -newreq
That creates 2 files named newreq.pem and newkey.pem. newkey.pem is the file conf/server.key described above.
Sign the request:
/etc/pki/tls/misc/CA -signreq
That creates a file named newcert.pem. newcert.pem is the file conf/server.crt described above. At that point you have created the SSL stuff needed for the VirtualHost in httpd. You should use a browser to test it after importing in the browser the content of the cacert.pem file.
Create a work directory and work for there:
mkdir -p CERTS/Client
cd CERTS/ClientCreate request and key for the JBossWEB part.
/etc/pki/tls/misc/CA -newreq
That creates 2 files: Request is in newreq.pem, private key is in newkey.pem
Sign the request.
/etc/pki/tls/misc/CA -signreq
That creates a file: newcert.pem
Don't use a passphrase when creating the client certicate or remove it before exporting:
openssl rsa -in newkey.pem -out key.txt.pem
mv key.txt.pem newkey.pemExport the client certificate and key into a p12 file.
openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out test.p12
That is the sslKeyStore file described above (/home/jfclere/CERTS/CA/test.p12)
Using https allows to encrypt communications betwen httpd and JBossWEB. But due to the ressources it needs that no advised to use it in high load configuration.
(See Encrypting connection between httpd and TC for detailed instructions).
When using http or https beween httpd and JBossWEB you need to use the SSLValve and export the SSL variable as header in the request in httpd. If you are using AJP, mod_proxy_ajp will read the SSL variables and forward them to JBossWEB automaticaly.
(See Forwarding SSL environment when using http/https proxy for detailed instructions).
The SSL variable used by mod_proxy_ajp are the following:
"HTTPS" SSL indicateur.
"SSL_CLIENT_CERT" Chain of client certificates.
"SSL_CIPHER" Cipher used.
"SSL_SESSION_ID" Id of the session.
"SSL_CIPHER_USEKEYSIZE" Size of the key used.