Setting Up HTTPS for JBoss 5.1.0 GA

Developer https://www.devze.com 2023-02-06 00:10 Source: web
I am in the process of moving my app from HTTP to HTTPS and seem to be running into an issue.

Here is what I have done so far based off of these instructions:

  1. Identify the hostname for the computer hosting the server. I.e.: localhost for these instructions
  2. Identify the jBoss server type (all, default, production). I.e.: ecotrak for these instructions
  3. jBoss recommends using the same file as both keystore and truststore. This will be server.keystore. In a virgin install there should be no server.keystore in the default/conf folder. If you have one, you must decide whether to delete it (to use these instructions) or whether to adapt the instructions to suit your situation.
  4. Creating the keystore and private key:
    • Open a command prompt or shell and go to the default/conf folder.
    • keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore
    • Answer the prompts. Use myHostname when asked for first/last name. This is critical.
    • server.keystore is generated.
    • keytool -list -keystore server.keystore
    • You should see the PrivateKeyEntry named jbosskey in the listing.
  5. Generating and storing the certificate.
    • keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore
    • server.crt is generated.
    • keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore
    • You receive a warning that it already exists in the keystore. Ignore it. It is because Java expects separate keystore and truststore files and we are using only one.
    • keytool -list -keystore server.keystore
    • You should see a TrustedCertEntry named jbosscert in the listing.

In my server.xml I have the following:

  <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
  <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false" 
       keystoreFile="C:/dev/server/jboss-5.1.0.GA/server/ecotrak/conf/server.keystore"
       keystorePass="password" sslProtocol = "TLS" keyAlias="jbosskey" />

When I start the server I have the following:

 call %JBOSS_HOME%\bin\run.bat -c default -b 0.0.0.0 -Djavax.net.ssl.trustStore=C:/dev/server/jboss-5.1.0.GA/server/ecotrak/conf/server.keystore

Here is what I get in my log file:

00:09:03,110 INFO [AprLifecycleListener] The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\dev\jdk\bin;.;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\dev\jdk\jre\bin;native

00:09:03,197 INFO [Http11Protocol] Initializing Coyote HTTP/1.1 on http-localhost%2F127.0.0.1-8080

00:09:03,214 INFO [AjpProtocol] Initializing Coyote AJP/1.3 on ajp-localhost%2F127.0.0.1-8009

00:09:03,261 ERROR [Http11Protocol] Error initializing endpoint

java.io.IOException: Cannot recover key

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:456)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:139)

Another section of the log

00:09:03,265 ERROR [AbstractKernelController] Error installing to Start: name=WebServer state=Create

LifecycleException: Protocol handler initialization failed: java.io.IOException: Cannot recover key

at org.apache.catalina.connector.Connector.initialize(Connector.java:1031)

at org.apache.catalina.core.StandardService.initialize(StandardService.java:683)

DEPLOYMENTS IN ERROR:

Deployment "WebServer" is in error due to the following reason(s): LifecycleException: Protocol handler initialization failed: java.io.IOException: Cannot recover key

Deployment "jboss.web:service=WebServer" is in error due to the following reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **

Any idea as to what is going on here?


Update

I found my error - I had mixed up the passwords between the keystore and the cert. Once that was fixed I am now able to run the site under HTTPS.


I followed the instructions above and got the same errors you reported. I didn't understand your update and so I wrote a batch file with the following in it:

c:
cd "/opt/fg/jboss-5.1.0.GA/server/default/conf"
REM create the server.keystore file - will fail if it already exists
keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore -storepass changeit -dname "CN=localhost, OU=MY_DEPARTMENT, O=MY_COMPANY, L=MY_CITY, S=MY_STATE, C=US"

REM display what was made
keytool -list -keystore server.keystore -storepass changeit

REM generate and store the certificate 
keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore -storepass changeit

keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore -storepass changeit

REM display what was made
keytool -list -keystore server.keystore -storepass changeit

Doing this helped me see where all the passwords were being set. Originally I had copied and pasted the commands without reading them. I didn't notice that some of the commands had passwords embedded in them. All of a sudden your updated post made a lot more sense to me.

For anybody else with the same troubles, any time you see "changeit" in the bat file that I wrote, change that to your password.

You will also want to change the computer name, department, organization, state and country in the script above.

Now JBoss appears to be starting up correctly for me.

Thanks for the post and update.


In my case the keystore password and the alias password were different. They must be the same (In Tomcat at least).
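A small diagnostic, added here and not part of the question or either answer, that repeats the connector's key-recovery step outside JBoss: it opens the keystore with the keystorePass from server.xml and then tries to recover the key under keyAlias with that same password, so the three ways this can fail (wrong store password, alias missing or pointing at the TrustedCertEntry instead of the PrivateKeyEntry, -keypass differing from keystorePass) show up as distinct messages instead of the bare "Cannot recover key". The class name KeystoreCheck and the three command-line arguments are my choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added diagnostic (not from the post): loads the keystore the way the JSSE connector
// does, with keystorePass used for both the store and the key under keyAlias.
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> <keystorePass> <keyAlias>");
            System.exit(2);
        }
        System.exit(check(args[0], args[1], args[2]));
    }

    // Returns 0 when the connector's key recovery would succeed, 1 otherwise.
    static int check(String file, String storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass.toCharArray()); // fails here if keystorePass is wrong
        } catch (IOException e) {
            System.out.println("cannot open keystore with that keystorePass: " + e.getMessage());
            return 1;
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' not found; aliases present: "
                    + Collections.list(ks.aliases()));
            return 1;
        }
        if (!ks.isKeyEntry(alias)) {
            // e.g. keyAlias="jbosscert" (the imported TrustedCertEntry) instead of "jbosskey"
            System.out.println("alias '" + alias + "' is a trusted certificate, not a PrivateKeyEntry");
            return 1;
        }
        try {
            Key k = ks.getKey(alias, storePass.toCharArray()); // same password the connector uses
            System.out.println("OK: private key '" + alias + "' (" + k.getAlgorithm()
                    + ") is recoverable with keystorePass");
            return 0;
        } catch (UnrecoverableKeyException e) {
            System.out.println("Cannot recover key: the -keypass given to keytool differs "
                    + "from keystorePass in server.xml");
            return 1;
        }
    }
}
```

Run it with the same three values the Connector element carries (keystoreFile, keystorePass, keyAlias); a non-zero exit before starting JBoss saves a full server restart per guess.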


Another reason for that error is that the keystore is using high grade encryption. If true, you need to install the Java Cryptography Extension to increase the Java encryption level support (not enabled by default due to US export rules).

Check this JCE install mini-howto for how to do this.

The JCE for jre7 is here. For those still using jre6, check this link.
