SSL Certificate Import and configuration for JBoss

I am fairly new to the JBoss configuration and I have been asked to import a certificate into the JBoss App server. Based on what I have read around on the forums, I think I did what was necessary, but we still keep seeing the "None of the TrustManagers allowed for trust of the SSL certificate(s) provided by the remote server to which this client attempted a connection" error message. We have hosted a Pega application on our JBoss server and the Pega application makes a 1-way outbound call to consume services from IBM Datapower. We are using Red Hat JBoss Middleware (EWS+EAP) on Red Hat Enterprise Linux 7.1 and have set up JBoss in Domain mode.

JBoss Enterprise Application Platform version 6.4 is installed under the /opt/jboss folder, owned by the jboss system user, and configured to run in Domain mode only. The environment is pre-configured with one Domain controller and one or more Host controllers. All host controllers can be managed by the domain controller. The environment is also tailored to operate in the full-HA profile exclusively.

We have a SGWSGateway-sscert.pem certificate for Datapower that I was asked to import into JBoss. The steps I took were as follows. If I can get any help on what I have set up incorrectly or what I need to change, I will be greatly obliged.

1) Import it into the jbossTrust.jks in /host-controller/configuration/keystores using an alias, sgwsgateway.

2) The domain.xml configuration is:

               <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                          <ssl/>
                    </connector>
                    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                    <virtual-server name="default-host" enable-welcome-root="true">
                        <alias name="localhost"/>
                    </virtual-server>
                </subsystem>

      <interfaces>
            <interface name="management"/>
            <interface name="public"/>
            <interface name="unsecure"/>
        </interfaces>


        <socket-binding-groups>
            <socket-binding-group name="full-ha-sockets" default-interface="public">
                <socket-binding name="ajp" port="8009"/>
                <socket-binding name="http" port="8080"/>
                <socket-binding name="https" port="8443"/>
                <socket-binding name="jacorb" interface="unsecure" port="3528"/>
                <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
                <socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
                <socket-binding name="jgroups-tcp" port="7600"/>
                <socket-binding name="jgroups-tcp-fd" port="57600"/>
                <socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
                <socket-binding name="jgroups-udp-fd" port="54200"/>
                <socket-binding name="messaging" port="5445"/>
                <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
                <socket-binding name="messaging-throughput" port="5455"/>
                <socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
                <socket-binding name="remoting" port="4447"/>
                <socket-binding name="txn-recovery-environment" port="4712"/>
                <socket-binding name="txn-status-manager" port="4713"/>
                <outbound-socket-binding name="mail-smtp">
                    <remote-destination host="localhost" port="25"/>
                </outbound-socket-binding>
            </socket-binding-group>
        </socket-binding-groups>

        <server-groups>
            <server-group name="jboss-server-group" profile="full-ha">
                <jvm name="pega_default">
                    <heap size="4096m" max-size="8192m"/>
                    <permgen size="768m" max-size="1536m"/>
                    <jvm-options>
                        <option value="-Xms8192m"/>
                        <option value="-Xmx8192m"/>
                        <option value="-XX:NewSize=1536m"/>
                        <option value="-XX:MaxNewSize=1536m"/>
                        <option value="-XX:PermSize=768m"/>
                        <option value="-XX:MaxPermSize=1536m"/>
                        <option value="-Djboss.as.management.blocking.timeout=60000"/>
                        <option value="-Djava.net.preferIPv4Stack=true"/>
                        <option value="-XX:TargetSurvivorRatio=90"/>
                        <option value="-XX:+UseParNewGC"/>
                        <option value="-XX:+UseConcMarkSweepGC"/>
                        <option value="-XX:+UseCMSInitiatingOccupancyOnly"/>
                        <option value="-XX:CMSInitiatingOccupancyFraction=80"/>
                        <option value="-XX:+CMSClassUnloadingEnabled"/>
                        <option value="-XX:ReservedCodeCacheSize=768m"/>
                        <option value="-XX:+UseCodeCacheFlushing"/>
                        <option value="-XX:+DisableExplicitGC"/>
                        <option value="-XX:+PrintGCDetails"/>
                        <option value="-verbose:gc"/>
                        <option value="-Xloggc:/opt/jboss/host-controller/log/gc.%t.%p.log"/>
                        <option value="-XX:+UseGCLogFileRotation"/>
                        <option value="-XX:NumberOfGCLogFiles=10"/>
                        <option value="-XX:GCLogFileSize=1M"/>
                        <option value="-Djava.awt.headless=true"/>
                        <option value="-Djboss.modules.policy-permissions=true"/>
                    </jvm-options>
                </jvm>
                <socket-binding-group ref="full-ha-sockets"/>
                <deployments>
                    <deployment name="example.war" runtime-name="example.war"/>
                    <deployment name="prhelp.war" runtime-name="prhelp.war"/>
                    <deployment name="prsysmgmt_jboss.war" runtime-name="prsysmgmt_jboss.war"/>
                    <deployment name="prpc_j2ee14_jboss61JBM.ear" runtime-name="prpc_j2ee14_jboss61JBM.ear"/>
                </deployments>
            </server-group>
        </server-groups>

3) The host-master.xml configuration is:

    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl protocol="TLSv1">
                    <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::dc_ident_keystore_password::1}" alias="jboss_domain"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
            </authentication>
            <authorization map-groups-to-roles="false">
                <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
            </authorization>
        </security-realm>

4) The host-slave.xml configuration is:

            <security-realms>
                <security-realm name="ManagementRealm">
                    <server-identities>
                        <ssl protocol="TLSv1">
                            <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_identity_keystore_password::1}" alias="jboss_host"/>
                        </ssl>
                        <secret value="U2NvdGlhYmFua0Ax"/>
                    </server-identities>
                    <authentication>
                        <truststore path="keystores/jbossTrust.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_trust_keystore_password::1}"/>
                        <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                    </authentication>
                    <authorization map-groups-to-roles="false">
                        <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                    </authorization>
                </security-realm>

        <interfaces>
            <interface name="management">
                <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
            </interface>
            <interface name="public">
                <inet-address value="${jboss.bind.address:127.0.0.1}"/>
            </interface>
            <interface name="unsecure">
                <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
            </interface>
        </interfaces>


        <servers>
            <server name="jboss-server-one" group="jboss-server-group" auto-start="true">
                <jvm name="pega_default"/>
                <socket-bindings port-offset="100"/>
            </server>
      </servers>

Regards, Ali.

We resolved this by adding the certificate at the Java level. In my question scenario above we were importing the certificate into the JBoss keystore. The application was not finding the certificate because of the different JVMs we had set up. So instead, we imported the certificate into the Java cacerts keystore in the jre folder.
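Why the fix above works, and a less fragile way to get the same result, as an added example that is not part of the original question or answer. The truststore referenced under the ManagementRealm in host-slave.xml only backs the host controller's management interface; an application running inside a managed server JVM goes through that JVM's default trust store (the JRE's cacerts) unless javax.net.ssl.trustStore is set on the JVM, which is exactly what importing into cacerts satisfied. Editing cacerts is lost on the next JDK update and changes trust for every application on the host, so the script below keeps a separate application truststore instead: it seeds it from cacerts (setting javax.net.ssl.trustStore replaces the default store entirely, so public CAs would otherwise stop being trusted), imports the Datapower certificate under its own alias, checks the chain with openssl outside the JVM, and wires the option into the server-group JVM with jboss-cli so every managed server in the group inherits it. Everything not on the page is an assumption: the appTrust.jks path next to the existing jbossTrust.jks, the JDK location, the Datapower hostname, the domain controller address and port, and the constructed two-certificate PEM used only to exercise the local helper.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed (not stated on the page):
#   JAVA_HOME                      - the JRE/JDK the managed servers run under
#   appTrust.jks                   - a new application truststore beside jbossTrust.jks
#   datapower.example.internal:443 - the Datapower endpoint the Pega app calls
#   DC_HOST:9999                   - the domain controller's native management port
set -eu

JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/jre}"
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss}"
DC_HOST="${DC_HOST:-127.0.0.1}"
KEYSTORE_DIR="${KEYSTORE_DIR:-/opt/jboss/host-controller/configuration/keystores}"
APP_TRUST="${APP_TRUST:-$KEYSTORE_DIR/appTrust.jks}"
APP_TRUST_PASS="${APP_TRUST_PASS:-changeit}"   # placeholder; keep the real one in the vault
PEM="${PEM:-SGWSGateway-sscert.pem}"
ALIAS="${ALIAS:-sgwsgateway}"
DP_HOST="${DP_HOST:-datapower.example.internal}"
DP_PORT="${DP_PORT:-443}"

# Number of certificate blocks in a PEM file. keytool -importcert reads only the
# first block, so a file carrying a whole chain must be split, one alias per cert.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The JVM option that points a managed-server JVM at the application truststore.
# No trustStorePassword: a JKS truststore can be read without it, and a password
# on the command line would be visible in `ps` to every user on the host.
trust_store_option() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1"
}

# cacerts lives under jre/ for a JDK and directly under lib/ for a JRE (Java 7/8).
jvm_cacerts() {
    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
        printf '%s' "$JAVA_HOME/jre/lib/security/cacerts"
    else
        printf '%s' "$JAVA_HOME/lib/security/cacerts"
    fi
}

# Seed the application truststore from cacerts (default password "changeit"),
# add the Datapower certificate under its own alias, and show what was stored.
build_app_truststore() {
    [ "$(pem_cert_count "$PEM")" -eq 1 ] || { echo "expected exactly one certificate in $PEM" >&2; return 1; }
    [ -f "$APP_TRUST" ] || keytool -importkeystore -noprompt \
        -srckeystore "$(jvm_cacerts)" -srcstorepass changeit \
        -destkeystore "$APP_TRUST" -deststorepass "$APP_TRUST_PASS"
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$PEM" \
        -keystore "$APP_TRUST" -storepass "$APP_TRUST_PASS"
    keytool -list -v -keystore "$APP_TRUST" -storepass "$APP_TRUST_PASS" -alias "$ALIAS" \
        | grep -E 'Owner:|Valid from|SHA1:|SHA256:'
}

# Independent check outside the JVM: does the gateway's chain verify against the
# PEM alone? "Verify return code: 0 (ok)" means the trust material is right and
# any remaining TrustManager failure is the JVM looking at a different store.
check_endpoint() {
    openssl s_client -connect "$DP_HOST:$DP_PORT" -servername "$DP_HOST" \
        -CAfile "$PEM" </dev/null 2>/dev/null | grep -E '^ *Verify return code'
}

cli() {
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller="$DC_HOST:9999" --command="$1"
}

# Put the option on the server-group JVM (the one the host's <jvm name="pega_default"/>
# refers to) so every managed server in the group gets it, then restart the group.
wire_jvm_option() {
    cli "/server-group=jboss-server-group/jvm=pega_default:add-jvm-option(jvm-option=\"$(trust_store_option "$APP_TRUST")\")"
    cli "/server-group=jboss-server-group:restart-servers"
}

# Constructed two-certificate PEM (framing only, not real certificates) used to
# exercise pem_cert_count without touching a real keystore.
SAMPLE_PEM="$(mktemp)"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(placeholder)' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'MIIC(placeholder)' '-----END CERTIFICATE-----' > "$SAMPLE_PEM"

# The real procedure only runs when asked for explicitly; otherwise the file is
# safe to source and inspect.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    build_app_truststore
    check_endpoint
    wire_jvm_option
fi
```

Run it as the jboss user with RUN_IMPORT=1 on the host that owns the keystore directory, and confirm with jboss-cli's read-resource on the server-group jvm that the option landed before trusting the restart. Three caveats from the posted configuration are worth acting on at the same time: the empty <ssl/> under the https connector in domain.xml falls back to JBoss Web's defaults for the key file and password rather than the jbossIdentity.jks the realms use; the <secret value="..."/> in host-slave.xml is the slave's management password in base64, not encrypted, so that file needs the same access control as the vault; and protocol="TLSv1" on both realm identities pins the management interface to TLS 1.0, which the Java 7/8 runtimes EAP 6.4 supports can replace with TLSv1.2.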
