Install an SSL certificate on a JBoss server to enable secure access to your web services over HTTPS. This topic describes the installation procedure.
This topic uses Linux and jboss-as-7.1.1.Final as an example. The deployment steps may vary depending on your operating system and JBoss server version.
Prerequisites
You have purchased and requested a certificate from Certificate Management Service, and its Status is Issued. For more information, see Purchase a commercial certificate and Request a certificate.
The domain name is correctly resolved to the server.
You have administrative permissions for the server, such as a root account or an account with sudo privileges.
Procedure
Step 1: Download the SSL certificate
Go to the SSL Certificate Management page, find the certificate that you want to deploy, and confirm the following information:
Certificate Status: The status must be Issued. If the status is Pending Expiration or Expired, you must renew the SSL certificate.
Bound Domains: This setting must match all the domain names that you want to protect. Otherwise, a security warning appears when an unmatched domain name is accessed over HTTPS. To add or modify domain names, see Append and replace domain names.
In the Actions column for the target certificate, click More to open the certificate details page. On the Download tab, set Server Type to JKS and download the certificate.
The unzipped package contains a certificate file (with a .jks extension, containing the full certificate chain) and a certificate password file (jks-password.txt).
Note: JKS is a Java-specific key store format and is suitable for use in Java environments.
Step 2: Install the SSL certificate on the JBoss server
Log on to the Linux server.
Alibaba Cloud server
The following steps use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other types of servers, see the corresponding product documentation.
Log on to the ECS console. In the upper-left corner, select the region where the target ECS instance is located.
In the left navigation pane, select . On the Instances page, find the target ECS instance and click Connect in the Actions column.
In the dialog box that appears, select Workbench and click Sign in now.
Select Terminal as the connection method, enter the required authentication information, and follow the on-screen prompts to log on to the server terminal. For more information, see Log on to an ECS instance using Workbench.
Note: If a prompt to add security group rules appears, click Add Now.
Servers from other cloud providers
Use the remote connection feature provided by the cloud provider to log on to the server terminal.
Non-cloud servers (such as physical servers or IDC-hosted servers)
Use an SSH tool to log on to the server terminal from your local computer.
Some of the following commands vary based on the operating system. Choose the commands that apply to your server's operating system.
RHEL/CentOS series: Includes Alibaba Cloud Linux, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Anolis OS, and their derivatives.
Debian/Ubuntu series: Includes Debian, Ubuntu, and their derivatives.
Open port 443 in the security group and firewall.
Run the following command in the server terminal to check whether port 443 is open:
RHEL/CentOS
command -v nc > /dev/null 2>&1 || sudo yum install -y nc
# Replace <your_server_public_ip> with the public IP address of your server.
# Start a temporary listener only if nothing is already listening on port 443, then test the connection.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443
If the output is Ncat: Connected to <your_server_public_ip>:443, port 443 is open. Otherwise, open port 443 in the security group and firewall.
Debian/Ubuntu
command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat
# Replace <your_server_public_ip> with the public IP address of your server.
# Start a temporary listener only if nothing is already listening on port 443, then test the connection.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443
If the output is Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open, port 443 is open. Otherwise, open port 443 in the security group and firewall.
Open port 443 in your security group configuration.
Important: If your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service will be inaccessible. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, refer to their official documentation.
Go to the Elastic Compute Service (ECS) instances page and click the target instance name to go to the instance details page. In the Security Group Details section, add a rule with Action set to Allow, Protocol to Custom TCP, Destination (Current Instance) to HTTPS (443), and Source to 0.0.0.0/0 (anywhere). For more information, see Add a security group rule.
Open port 443 in your firewall.
Run the following command to identify the active firewall service on your system:
if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
  echo "firewalld"
elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
  echo "ufw"
elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
  echo "nftables"
elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
  echo "iptables"
elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
  echo "iptables"
else
  echo "none"
fi
If the output is none, no further action is required. Otherwise, run the corresponding command below based on the output (firewalld, ufw, nftables, or iptables) to open port 443:
firewalld
sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload
ufw
sudo ufw allow 443/tcp
nftables
sudo nft add table inet filter 2>/dev/null
sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null
iptables
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
To make sure that the iptables rules persist after a system reboot, run the following commands:
RHEL/CentOS
sudo yum install -y iptables-services
sudo service iptables save
Debian/Ubuntu
sudo apt-get install -y iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
Run the following command to create a directory named cert in the JBoss standalone/configuration directory to store the certificate file.
# Run this command in the JBoss standalone/configuration directory.
mkdir cert # Create a certificate directory named cert.
Upload the certificate file to the cert directory.
Note: You can use the local file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP, to upload the file.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, for more information, see Transfer files to a Windows instance using Remote Desktop or Windows APP or Upload a file to a Linux instance.
Open the JBoss configuration file standalone.xml, locate the following parameters, and modify the certificate-related configuration according to the comments.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <!-- Configure the certificate password and path. Set password to the certificate password from jks-password.txt.
         Set certificate-key-file to the actual path where the certificate is stored (relative to the bin directory that standalone.sh runs from). -->
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" password="******" certificate-key-file="../standalone/configuration/cert/domain_name.jks"/>
    </connector>
</subsystem>
<!-- Configure remote access to JBoss and the HTTPS port -->
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    <!-- Enable remote access -->
    <interface name="public">
        <inet-address value="${jboss.bind.address:0.0.0.0}"/>
    </interface>
    <interface name="unsecure">
        <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
    </interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
    <socket-binding name="ajp" port="8009"/>
    <!-- Change the HTTP port to 80 -->
    <socket-binding name="http" port="80"/>
    <!-- Change the HTTPS port to 443 -->
    <socket-binding name="https" port="443"/>
    <socket-binding name="osgi-http" interface="management" port="8090"/>
    <socket-binding name="remoting" port="4447"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
Go to the bin directory in the JBoss directory and run the following command to restart the JBoss server.
sh standalone.sh
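As an added pre-flight check to run before restarting (example code written for this page, not part of the original page or of JBoss itself): the script parses a standalone.xml excerpt and confirms that the https connector is marked secure, that its ssl password is not still the ****** placeholder, that certificate-key-file resolves (relative to the bin directory that standalone.sh runs from) to an existing keystore that is not group- or world-readable, and that the https socket-binding uses port 443. The function names check_jboss_ssl_config and run_demo and the SAMPLE XML are constructed for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def _find(root, tag, default=None, **attrs):
    # First element whose local tag name and attributes match; ignores XML namespaces.
    return next((el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == tag
                 and all(el.get(k) == v for k, v in attrs.items())), default)

def check_jboss_ssl_config(xml_text, bin_dir):
    """Return problems in the https connector / socket-binding; paths resolve relative to bin_dir."""
    problems, root = [], ET.fromstring(xml_text)
    conn = _find(root, "connector", name="https")
    if conn is None:
        return ["no connector named https in the web subsystem"]
    if conn.get("scheme") != "https" or conn.get("secure") != "true":
        problems.append('https connector needs scheme="https" and secure="true"')
    ssl = _find(conn, "ssl", default=ET.Element("ssl"))  # a missing <ssl> fails the checks below
    if set(ssl.get("password", "")) <= {"*"}:  # empty, or still the ****** placeholder
        problems.append("ssl password is empty or still the ****** placeholder")
    path = os.path.normpath(os.path.join(bin_dir, ssl.get("certificate-key-file", "")))
    if not os.path.isfile(path):
        problems.append(f"certificate-key-file not found: {path}")
    elif os.stat(path).st_mode & 0o077:  # the keystore holds the private key: keep it 0600
        problems.append(f"{path} is readable by group/others; chmod 600 it")
    binding = _find(root, "socket-binding", name=conn.get("socket-binding", ""))
    if binding is None or binding.get("port") != "443":
        problems.append("https socket-binding is missing or its port is not 443")
    return problems
# Constructed standalone.xml excerpt (not a real server's file); {password} and {port} are filled in below.
SAMPLE = """<server xmlns="urn:jboss:domain:1.2">
 <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
   <ssl name="https" password="{password}" certificate-key-file="../standalone/configuration/cert/domain_name.jks"/>
  </connector>
 </subsystem>
 <socket-binding-group name="standard-sockets" default-interface="public">
  <socket-binding name="https" port="{port}"/>
 </socket-binding-group>
</server>"""

def run_demo():
    """Lint a correct and a broken config against a throwaway tree holding a dummy keystore file."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "bin"))
    os.makedirs(os.path.join(home, "standalone", "configuration", "cert"))
    with open(os.path.join(home, "standalone", "configuration", "cert", "domain_name.jks"), "wb") as f:
        f.write(b"dummy keystore bytes")  # stands in for the downloaded .jks
    os.chmod(f.name, 0o600)
    good = check_jboss_ssl_config(SAMPLE.format(password="s3cret", port="443"), os.path.join(home, "bin"))
    bad = check_jboss_ssl_config(SAMPLE.format(password="******", port="8443"), os.path.join(home, "bin"))
    return good, bad
```

Point check_jboss_ssl_config at your real standalone.xml contents and your JBoss bin directory; an empty list means the configuration is consistent with the procedure above.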
Step 3: Verify the installation
Access your domain over HTTPS in a web browser. For example, https://yourdomain. Replace yourdomain with your actual domain. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.

Starting from Chrome version 117, the lock icon in the Chrome address bar has been replaced with a new icon. Click this icon to view the connection security information.
If the issue persists, see FAQ for troubleshooting.
FAQ
Why is my certificate not working or HTTPS inaccessible after installation or update?
The common causes are as follows:
Port 443 is not open in the server's security group or firewall. For more information, see Open port 443 in the security group and firewall.
The Bound Domains of the certificate do not include the domain name that is being accessed. For more information, see Check whether the certificate matches the target domain names.
The JBoss service was not restarted after modifying the JBoss configuration file. For more information, see Restart the JBoss server.
The certificate file was not replaced correctly, or the certificate path is incorrectly specified in the JBoss configuration. Verify that the JBoss configuration file and the certificate file that you are using are the latest and valid versions.
Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.
Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.
For further troubleshooting, see Resolve certificate deployment issues based on browser error messages and SSL certificate deployment troubleshooting guide.
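To verify Step 3 without a browser and to test the first two FAQ causes from the command line (an added example, not part of the original page or of JBoss): fetch_peer_cert performs the same verified TLS handshake a browser would, cert_covers_host checks that the host is among the certificate's DNS names (its Bound Domains), and days_until_expiry shows whether the certificate is Expired or close to Pending Expiration. All function names and SAMPLE_CERT are constructed for this example.

```python
import socket
import ssl
import time

def fetch_peer_cert(host, port=443, timeout=5):
    """Complete a verified TLS handshake with the server (as a browser would) and return the
    leaf certificate as the dict produced by SSLSocket.getpeercert(). An untrusted chain or a
    hostname mismatch raises ssl.SSLCertVerificationError: the FAQ's 'not working' case."""
    ctx = ssl.create_default_context()  # verifies the chain against the system trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_covers_host(cert, host):
    """True if host is listed in the certificate's DNS SANs; a one-label wildcard such as
    *.example.com covers www.example.com but neither example.com nor a.b.example.com."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and host.count(".") == value.count(".") \
                and host.endswith(value[1:]):
            return True
    return False

def days_until_expiry(cert, now=None):
    """Days until notAfter; negative means the certificate has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

# Constructed certificate dict in getpeercert() layout (not taken from any real site).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

def check(cert, host, now=None):
    """Summarise the two FAQ causes for a host: domain not bound, certificate expired."""
    return {"domain_bound": cert_covers_host(cert, host),
            "days_left": round(days_until_expiry(cert, now))}
```

For a live check, run check(fetch_peer_cert("yourdomain"), "yourdomain"); a failed handshake points at the chain or the JBoss configuration, a False domain_bound at the certificate's Bound Domains.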
How do I update (replace) an SSL certificate installed on JBoss?
First, back up the original certificate files (.jks and .txt) on the server. Then, log on to the Digital Certificate Management Service console, download the new certificate files, and upload them to the target server to overwrite the original files. Ensure that the path and filenames are the same. Finally, restart the JBoss service for the new certificate to take effect.