Monday, May 31, 2010

Can not find truststore url.

"Error creating SSL Socket Factory for client invoker: Error initializing socket factory SSL context: Can not find truststore url."

Ever seen this error in your JBoss AS logs?

I have an application running on JBoss AS 5.1 and I saw org.jboss.remoting.transport.http.HTTPClientInvoker throwing this error at me, so I started to investigate what was going on.

I'm calling an external web service over HTTPS, and the above error appeared before every outgoing request message. The reason was that I didn't have a keystore set up.

Creating a keystore with a key and a self-signed certificate is easy; it can be done with the keytool that ships with the JDK:

keytool -keystore myApp.keystore -alias myApp -genkey -keyalg RSA -validity 365

I then placed the keystore file into the conf folder on my server. To let JBoss know about the keystore, I added the following JVM options to run.conf.bat, so that they are loaded each time the server is started:

-Djavax.net.ssl.keyStore=c:/jboss-5.1.0.GA/server/default/conf/myApp.keystore
-Djavax.net.ssl.keyStorePassword=password

No more "Can not find truststore url" error.


If I ever want to set up my production Tomcat with a secure HTTP connector, I must remember not to use the same keystore for the connector (configured in server.xml). Not only because the certificate is self-signed, but also because in production Tomcat uses the APR connector (Apache Portable Runtime). APR uses a native connection, and for SSL the native connection uses OpenSSL instead of JSSE (Java Secure Socket Extension), so it reads a PEM key and certificate rather than a Java keystore.

Here are the commands to create a key and a certificate with OpenSSL (the -days option sets the certificate validity, matching the 365 days used with keytool above; without it the certificate is only valid for 30 days):

openssl genrsa -des3 -out myApp.key
openssl req -new -x509 -days 365 -key myApp.key -out myApp.crt
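As an added example (this script is not from the original post), here is a small POSIX shell script that runs the same two openssl steps non-interactively and then performs the two checks worth doing before the files go into server.xml: that the certificate really belongs to the private key, and that it will still be valid for a chosen number of days. The working directory, passphrase and subject name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: create the key pair and
# self-signed certificate for the APR connector non-interactively, then run
# the two checks worth doing before the files go into server.xml. The
# directory, passphrase and subject name below are constructed for the
# example; the real files live in the server's conf directory.

WORKDIR="${TMPDIR:-/tmp}/myApp-ssl-example"
KEY="$WORKDIR/myApp.key"
CRT="$WORKDIR/myApp.crt"
PASS="changeit"          # constructed passphrase for the example; choose your own

# Same two openssl steps as in the post, made non-interactive: -passout/-passin
# supply the passphrase, -subj answers the "openssl req" prompts, and -days 365
# gives the certificate the same validity the keytool command used.
make_self_signed() {
    mkdir -p "$WORKDIR" || return 1
    openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 365 -key "$KEY" -passin "pass:$PASS" \
        -subj "/CN=myApp.example.test/O=Example" -out "$CRT" 2>/dev/null || return 1
    chmod 600 "$KEY"     # the private key must not be readable by other accounts
}

# Succeeds only if the certificate's public key belongs to the private key
# (same RSA modulus). Arguments: certificate file, key file; both default to
# the pair created above.
cert_matches_key() {
    crt="${1:-$CRT}"; key="${2:-$KEY}"
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$PASS" 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Succeeds if the certificate is still valid N days from now (N = first
# argument); "openssl x509 -checkend" exits non-zero if it expires before then.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "${2:-$CRT}" >/dev/null 2>&1
}

# Prints subject and validity window, e.g. for the server's startup log.
show_cert() {
    openssl x509 -noout -subject -dates -in "${1:-$CRT}"
}

# Stand-alone run: generate the pair, verify it, print what was created.
make_self_signed && cert_matches_key && cert_valid_for_days 30 && show_cert
```

Run the script once, then copy myApp.key and myApp.crt into the conf directory referenced by SSLCertificateFile and SSLCertificateKeyFile. The modulus comparison catches the common mistake of pairing a certificate with a key it was not generated from, which the connector will otherwise refuse at startup, and the -checkend test is cheap enough to keep in a cron job so an expiring certificate is noticed before the browser warns about it.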

Here's an example of how to configure the APR connector in server.xml:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           SSLCertificateFile="${jboss.server.home.dir}\conf\myApp.crt"
           SSLCertificateKeyFile="${jboss.server.home.dir}\conf\myApp.key" />

In a non-APR environment, like my localhost, I can use the JSSE keystore:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/myApp.keystore"
           keystorePass="password" sslProtocol="TLS" />


Configuring SSL for Jetty:
http://communitymapbuilder.osgeo.org/display/JETTY/How+to+configure+SSL

2 comments:

  1. Hey! Great article! I understand how to configure JBoss as SSL client and server! Thanks