You can install SSL certificates on JBoss servers to enable HTTPS-based access to web services that are deployed on the servers. This topic describes how to install an SSL certificate on a JBoss server.
In this topic, a JBoss server that runs a CentOS operating system and is deployed based on jboss-as-7.1.1.Final is used as an example to illustrate the installation. Installation operations vary based on the versions of servers and operating systems. If you have questions, contact your account manager.
Prerequisites
- A certificate is issued by using the Certificate Management Service console. For more information, see Purchase an SSL certificate and Submit a certificate application.
- DNS resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
Step 1: Download the certificate
- Log on to the Certificate Management Service console.
- In the left-side navigation pane, click SSL Certificates.
Find JKS in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the CSR generation method that you use when you submit the certificate application.Value of the CSR Generation parameter
File extracted from the certificate package
Automatic
Certificate file in the JKS format: By default, the certificate file is named in the Certificate ID_Domain name bound to the certificate format.
Password file in the TXT format: By default, the password file is named in the Certificate format-password format.
ImportantA new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.
Manual
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic.
If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the JBoss server
Run the following command to create a cert directory in the standalone/configuration directory of JBoss to store the certificate:
Upload the certificate file to the cert directory.
NoteYou can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WindSCP.
For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.
Open the standalone.xml configuration file of the JBoss server, find the following parameters, and modify the certificate-related settings based on the following comments:
Go to the bin directory of the JBoss server and run the following command to restart the JBoss server:
sh standalone.sh &
mkdir cert # Create a directory named cert.<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<!-- Specify the password of the certificate file and the path to the certificate file.
Set password to the password contained in the jks-password.txt file.
Set certificate-key-file to the path to the certificate file.
-->
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="https" password="******" certificate-key-file="../standalone/configuration/cert/domain_name.jks"/>
</connector>
</subsystem>
<!-- Configure remote access to the JBoss server and change ports.-->
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"></inet>
</interface>
<!-- Enable remote access.-->
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"></inet>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"></inet>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"></socket>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"></socket>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"></socket>
<socket-binding name="ajp" port="8009"></socket>
<!-- Change the port used by the HTTP service to 80.-->
<socket-binding name="http" port="80"></socket>
<!-- Change the port used by the HTTPS service to 443.-->
<socket-binding name="https" port="443"></socket>
<socket-binding name="osgi-http" interface="management" port="8090"></socket>
<socket-binding name="remoting" port="4447"></socket>
<socket-binding name="txn-recovery-environment" port="4712"></socket>
<socket-binding name="txn-status-manager" port="4713"></socket>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"></remote>
</outbound-socket-binding>
</socket-binding-group>Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.If a lock icon appears in the address bar, the certificate is installed.
