Hitachi Vantara Pentaho Community Wiki
Enabling SSL in Tomcat55 & JBoss

Introduction

This is a short guide to enabling SSL in your Tomcat application server. The information here is based on Tomcat 5.5 and JBoss 4.0.4 but should apply across a broad range of versions of both products.

Certificate

In a production environment you should obtain a certificate from a trusted certification authority.
For this example, however, we'll walk through the steps needed to create your own self-signed certificate using the keytool utility that
ships with the Java Development Kit.

To generate your certificate enter the following command:

keytool -genkey -alias tomcat -keyalg RSA

You will be prompted for your name and organization; enter the details requested and your certificate will be created in
your keystore. keytool also asks for a keystore password and a key password: remember the keystore password, since it goes into server.xml
later, and press RETURN at the key password prompt so the two are the same (the connector configuration below has only a single password field).
You may have to hunt down the keystore's location on disk, but typically it is a .keystore file in your home directory.

Now move the .keystore file into {JBOSS}/server/default/conf. This is a fairly arbitrary location, but it is the default location specified in the Tomcat 5.5
configuration. If you drop the keystore in a different location, be sure to keep this in mind when editing server.xml.

Tomcat server.xml Configuration

Edit the server.xml file located in {JBOSS}/server/default/deploy/jboss-web.deployer. Look for this section:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
  maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
  emptySessionPath="true"
  scheme="https" secure="true" clientAuth="false"
  keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
  keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->

Notice that this node is commented out between <!-- and -->; you'll need to uncomment it. The port defaults to 8443;
if you want to use the standard HTTPS port, change this to 443 (on Unix the server then needs the privilege to bind a port below 1024).
Change the keystoreFile attribute to match the location and filename of your keystore file.

Lastly, set keystorePass to the keystore password you chose when you created the certificate. This password sits in clear text in
server.xml, so restrict the file's permissions to the account that runs the server.

Deployment

Now you are ready to start JBoss / Tomcat and use SSL. Bring your server up as normal and hit your web application with an https
URL, for example:

https://localhost/pentaho/Home

Errata

Depending on your luck and your version of Java, you may find an error such as the following in your server.log:

HTTPS hostname wrong:  should be <localhost>

followed by a stack trace that prevents you from using SSL. This problem has been fixed in the PentahoSystem by registering its own
hostname verifier, so if you see an error like this, the PentahoSystem is not being initialized properly.

Another problem which you may encounter is:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This means the JVM making the outbound HTTPS connection does not trust the self-signed certificate, because it is not in the JVM's default
trust store. To resolve this, add these settings to your JAVA_OPTS in {JBOSS}/bin/run.conf (the paths below are from the author's own
workspace; substitute the location of your keystore and the password you chose):

JAVA_OPTS="$JAVA_OPTS \
  -Djavax.net.ssl.keyStore=/home/mdamour/workspace/pentaho-preconfiguredinstall/server/default/conf/.keystore \
  -Djavax.net.ssl.keyStorePassword=changeit \
  -Djavax.net.ssl.trustStore=/home/mdamour/workspace/pentaho-preconfiguredinstall/server/default/conf/.keystore \
  -Djavax.net.ssl.trustStorePassword=changeit"

Be aware that setting javax.net.ssl.trustStore replaces the JVM's default CA list (cacerts) for every outbound TLS connection made by
that JVM, so any other HTTPS endpoints it contacts will only be trusted if their CA certificates are imported into this keystore as well.
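To check what keytool produced in the Certificate section and to see what the PKIX error above actually means, here is an added example (not code from this wiki page or from Pentaho) that loads the keystore, confirms the certificate is self-signed, and runs the same PKIX path building that fails inside the TLS handshake: first against the JVM's default cacerts trust store, where it reports "unable to find valid certification path to requested target", then against the .keystore itself, where it succeeds because the JSSE trust manager also treats the first certificate of a key entry as a trust anchor. Assumptions: the keystore path, keystore password (default changeit) and alias (default tomcat) are given on the command line, and cacerts sits at java.home/lib/security/cacerts with the standard password.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

// Added example, not code from the wiki page or from Pentaho: inspects the keystore that
// "keytool -genkey -alias tomcat -keyalg RSA" wrote and reproduces the PKIX check that
// fails with "unable to find valid certification path to requested target".
public class KeystoreTrustCheck {

    // Loads a keystore file; keytool writes JKS by default on Java 5/6, which newer JDKs also read.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // A keytool -genkey certificate is self-signed: its issuer DN equals its subject DN.
    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
    }

    // Collects trust anchors from a keystore the way the JSSE trust manager does when
    // javax.net.ssl.trustStore points at it: trusted-certificate entries plus the first
    // certificate of every key entry. This is why the run.conf settings work even though
    // .keystore holds a private-key entry rather than a trusted-certificate entry.
    static Set<TrustAnchor> anchorsFrom(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = null;
            if (ks.isCertificateEntry(alias)) {
                c = ks.getCertificate(alias);
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0) c = chain[0];
            }
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        return anchors;
    }

    // Runs the PKIX path builder against the given anchors, the step inside the TLS handshake
    // that throws SunCertPathBuilderException. Returns null on success, else the error message.
    static String buildPath(X509Certificate leaf, Set<TrustAnchor> anchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(leaf))));
        params.setRevocationEnabled(false); // a self-signed test certificate has no CRL or OCSP
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path, keystore password, key alias.
        String path = args.length > 0 ? args[0] : System.getProperty("user.home") + "/.keystore";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "tomcat";

        KeyStore ks = load(path, pass);
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate under alias " + alias);
        }
        X509Certificate cert = (X509Certificate) c;
        cert.checkValidity(); // throws if the certificate has expired or is not yet valid
        System.out.println("subject     : " + cert.getSubjectX500Principal());
        System.out.println("self-signed : " + isSelfSigned(cert));

        // 1. The JVM's default trust store (assumed at java.home/lib/security/cacerts, password
        //    "changeit") has no entry for this certificate, so path building fails.
        KeyStore cacerts = load(System.getProperty("java.home") + "/lib/security/cacerts",
                "changeit".toCharArray());
        String err = buildPath(cert, anchorsFrom(cacerts));
        System.out.println("via cacerts   : " + (err == null ? "trusted" : "FAILED: " + err));

        // 2. With .keystore itself as the trust store, the certificate is its own anchor.
        err = buildPath(cert, anchorsFrom(ks));
        System.out.println("via .keystore : " + (err == null ? "trusted" : "FAILED: " + err));
    }
}
```

Run it with `java KeystoreTrustCheck {JBOSS}/server/default/conf/.keystore <keystore password> tomcat`. The first check fails and the second succeeds, which is exactly the difference the trustStore settings in run.conf make; the same anchorsFrom logic also shows why a keystore containing only the server's own key entry trusts nothing else.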