Monday, June 18, 2012

2-Way SSL in JBoss 7.1.1

As I tried to set up 2-way SSL in JBoss 7.1.1, the documentation kept referring to 1-way SSL (even though it was not clearly stated so). I was looking for a simple configuration that would let a client certificate be used for authentication, i.e. a proper 2-way (mutual) SSL handshake. Given that the documentation did not properly describe how to do this, I found a post suggesting that the XSD documents be checked to see what other configuration options are available in JBoss. As I was simply trying to configure "standalone" mode, this is what I did:

First I looked for the XSD files available in the distribution (the glob is quoted so the shell does not expand it before find sees it):
find . -name '*.xsd' | grep 1.1
Then I looked for the definition of the "sslType" within the XSD jboss-as-web_1.1.xsd (hopefully you can guess why I chose that one over the 1.0 XSD). Luckily, their XSD was well documented (using XSD comments), which allowed me to see how to set up a "truststore" for my SSL configuration. Here is a snippet of my "standalone.xml" file:
...
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <!-- The https connector needs its own socket-binding (the default standalone.xml
         defines one named "https" on port 8443); two connectors sharing "http"
         would compete for the same port. -->
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <!-- verify-client="true" plus a truststore (ca-certificate-file) is what turns
             1-way SSL into 2-way SSL: the server now demands a client certificate
             signed by a CA present in that truststore. -->
        <ssl key-alias="foo" password="YOUR_KEYSTORE_PASSWORD"
             certificate-key-file="YOUR_KEYSTORE_FILE"
             verify-client="true"
             ca-certificate-file="YOUR_TRUSTSTORE_FILE"
             ca-certificate-password="YOUR_TRUSTSTORE_PASSWORD"
             truststore-type="YOUR_TRUSTSTORE_TYPE"/>
    </connector>
...
</subsystem>
...
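As an added example (not part of the original post), here is a small Python check that parses a web subsystem like the one above and reports anything that would leave the https connector at 1-way SSL or unable to bind. The sample document it runs against is constructed to mirror the snippet, with placeholder paths and passwords; the function name audit_web_subsystem is my own.

```python
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:1.1"

# Constructed sample modelled on the post's snippet (placeholders, not real files).
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl key-alias="foo" password="YOUR_KEYSTORE_PASSWORD"
         certificate-key-file="YOUR_KEYSTORE_FILE"
         verify-client="true"
         ca-certificate-file="YOUR_TRUSTSTORE_FILE"
         ca-certificate-password="YOUR_TRUSTSTORE_PASSWORD"
         truststore-type="JKS"/>
  </connector>
</subsystem>"""


def audit_web_subsystem(xml_text):
    """Return a list of findings; an empty list means every https connector enforces 2-way SSL."""
    root = ET.fromstring(xml_text)
    tag = lambda name: "{%s}%s" % (WEB_NS, name)
    findings = []
    connectors = root.findall(tag("connector"))

    # Two connectors on one socket-binding compete for the same port at startup.
    bindings = [c.get("socket-binding") for c in connectors]
    for b in sorted(set(bindings)):
        if bindings.count(b) > 1:
            findings.append("socket-binding '%s' is used by more than one connector" % b)

    for c in connectors:
        if c.get("scheme") != "https":
            continue
        name = c.get("name")
        if c.get("secure") != "true":
            findings.append("connector '%s': secure=\"true\" is missing" % name)
        ssl = c.find(tag("ssl"))
        if ssl is None:
            findings.append("connector '%s': no <ssl> element" % name)
            continue
        # Without verify-client="true" the server never asks for a client certificate.
        if ssl.get("verify-client") != "true":
            findings.append("connector '%s': verify-client is not \"true\" (1-way SSL only)" % name)
        # The truststore is what the client certificate is validated against.
        if not ssl.get("ca-certificate-file"):
            findings.append("connector '%s': ca-certificate-file (truststore) not set" % name)
        for attr in ("key-alias", "certificate-key-file"):
            if not ssl.get(attr):
                findings.append("connector '%s': %s not set" % (name, attr))
    return findings
```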

Hopefully this will help anyone looking for similar information. It took me a little while to realize that this was not an easy thing to find on Google, so I had to look it up in the XSD file within the JBoss distribution.

One additional note: the "key-alias" specified in the ssl element is the alias you defined when creating your keystore. In case you missed this, it can be done as follows:
keytool -genkey -alias foo -keyalg RSA -keystore dev-server.keystore

This generates a keystore named "dev-server.keystore" containing a key pair under the alias "foo" (matching the sample SSL configuration above). I'm not exactly sure why (although I can guess at a few reasons), but if your keystore holds more than one alias, JBoss is going to complain, so try to keep it to a single alias.
