6.5 Manually enabling SSL for JBoss

During Turnkey installation, the JBoss application server is set up with Secure Sockets Layer (SSL) disabled by default. Enable SSL for JBoss if you want to use Adobe® LiveCycle® Rights Management 10 with Adobe Acrobat for securing documents. Enabling SSL requires a signed certificate issued by a trusted certificate authority (CA) like VeriSign. However, you can also generate and use a self-signed certificate to enable SSL.

The following broad tasks are involved in enabling SSL for JBoss on a Turnkey installation:

  1. Create a keystore using the keytool utility that ships with the Java SDK.

  2. Generate the certificate or use a certificate issued by a CA.

  3. Copy the keystore and the certificate files to the JBoss root configuration folder—[JBoss root]\server\lc_turnkey\conf.

  4. Import the certificate into [Adobe_JAVA_HOME]\lib\security\cacerts.

  5. Update the JBoss server.xml file to uncomment the SSL configuration settings and specify reference attributes for the certificate.

  6. Restart the JBoss server to apply your changes.

6.5.1 Enable SSL for JBoss

You can configure SSL for JBoss using Configuration Manager. If you skipped this option, manually configure SSL using the instructions given below:

X.500 distinguished names are used as identifiers when you generate a keystore and a certificate. The keytool command that you use to generate a certificate supports the following subparts for the -dname option:

CN: The complete hostname of the machine for which you’re creating the certificate. For example, “machine.adobe.com”.

OU: The name of a small organizational unit, such as a department or a division. For example, “Purchase”.

O: The name of the organization. For example, “Adobe Systems”.

L: The name of a locality or city. For example, “San Jose”.

S: The name of a state or province. For example, “California”.

C: A two letter country code. For example, “US”.

6.5.1.1 Enable SSL for JBoss on a Turnkey installation

  1. Navigate to [Adobe_JAVA_HOME]/bin and type the following command to create the keystore:

    keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg rsa -keypass key_password -keystore keystorename.keystore

    Replace [Adobe_JAVA_HOME] with the name of the directory where the JDK is installed, and replace the text in bold with values that correspond to your environment. The Host Name is the fully qualified domain name of the application server.

  2. Enter the keystore_password when prompted for a password.

    Note: The keystore_password entered at this step may be the same password (key_password) that you entered in step 1, or may be different.

  3. Copy the keystorename.keystore file to the [JBoss root]\server\lc_turnkey\conf directory by typing the following command:

    copy keystorename.keystore [JBoss root]\server\lc_turnkey\conf

  4. Export the certificate file by typing the following command:

    keytool -export -alias "LC Cert" -file LC_cert.cer -keystore [JBoss root]\server\lc_turnkey\conf\keystorename.keystore

  5. Enter the keystore_password when prompted for a password.

  6. Copy the LC_cert.cer file to the [JBoss root] conf directory by typing the following command:

    copy LC_cert.cer [JBoss root]\server\lc_turnkey\conf

  7. View the contents of the certificate by typing the following command:

    keytool -printcert -v -file [JBoss root]\server\lc_turnkey\conf\LC_cert.cer

  8. If necessary, provide write access to the cacerts file in [Adobe_JAVA_HOME]\lib\security. Right-click the cacerts file, select Properties, and then deselect the Read-only attribute.

  9. Import the certificate by typing the following command:

    keytool -import -alias "LC Cert" -file LC_cert.cer -keystore [Adobe_JAVA_HOME]\jre\lib\security\cacerts

  10. Type changeit as the password. changeit is the default password for a Java installation.

  11. When prompted with "Trust this certificate? [no]:", type yes. The confirmation "Certificate was added to keystore" is displayed.

  12. In a text editor, open the file

    (JBoss 5.1 only) [JBoss root]\server\lc_turnkey\deploy\jbossweb.sar\server.xml.

  13. Uncomment the following lines in the server.xml file:

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore
    <Connector port="8443" address="${jboss.bind.address}"
         maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
         emptySessionPath="true"
         scheme="https" secure="true" clientAuth="false"
         keystoreFile="${jboss.server.home.dir}/conf/keystoreFile.keystore"
         keystorePass="keystorePass" sslProtocol = "TLS" />
    -->

  14. For the keystoreFile attribute in server.xml, specify the path of the keystore file you created. Specify keystore_password for the keystorePass attribute in server.xml.

  15. Save the server.xml file.

  16. Restart the application server:

    • From the Windows Control Panel, click Administrative Tools, and then click Services.

    • Select JBoss for Adobe LiveCycle ES3.

    • Select Action > Stop.

    • Wait for the status of the service to appear as stopped.

    • Select Action > Start.
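
A check for steps 13 and 14, as an added example that is not part of the Adobe documentation: the Python function below reports when the HTTPS connector in server.xml is still commented out, still carries the template keystoreFile or keystorePass values, or points at a keystore file that does not exist. The function name, the finding messages, both sample documents and the decision to flag changeit as a weak keystorePass are assumptions of this example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Placeholder values carried by the template connector in step 13.
TEMPLATE_KEYSTORE = "keystoreFile.keystore"
WEAK_PASSWORDS = {"keystorePass", "changeit", ""}  # assumption: flag these
# Matches an HTTPS connector that is still inside an XML comment.
COMMENTED_HTTPS = re.compile(
    r'<!--(?:(?!-->).)*?<Connector\b(?:(?!-->).)*?scheme\s*=\s*"https"', re.S)

def check_ssl_connector(xml_text, server_home=None):
    """Return a list of findings for the HTTPS connector in server.xml."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    active = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not active:
        if COMMENTED_HTTPS.search(xml_text):
            return ["HTTPS connector is still commented out"]
        return ["no HTTPS connector found"]
    findings = []
    for conn in active:
        path = conn.get("keystoreFile", "")
        if re.split(r"[\\/]", path)[-1] == TEMPLATE_KEYSTORE:
            findings.append("keystoreFile still has the template value")
        elif server_home is not None:
            # Resolve the JBoss property only when the caller supplies a home.
            resolved = path.replace("${jboss.server.home.dir}", server_home)
            if not os.path.isfile(resolved):
                findings.append("keystore not found: " + resolved)
        if conn.get("keystorePass", "") in WEAK_PASSWORDS:
            findings.append("keystorePass is a placeholder or default value")
        if conn.get("secure") != "true":
            findings.append('secure is not "true"')
    return findings

# Constructed sample: a minimal server.xml as it looks before step 13.
SAMPLE_BEFORE = """<Server><Service name="jboss.web">
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/keystoreFile.keystore"
    keystorePass="keystorePass" sslProtocol = "TLS" />
-->
</Service></Server>"""
# Constructed sample: the connector after steps 13 and 14.
SAMPLE_AFTER = """<Server><Service name="jboss.web">
<Connector port="8443" scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/keystorename.keystore"
    keystorePass="S0me-Constructed-Passphrase" sslProtocol = "TLS" />
</Service></Server>"""
if __name__ == "__main__":
    print(check_ssl_connector(SAMPLE_BEFORE), check_ssl_connector(SAMPLE_AFTER))
```

Pass the contents of server.xml as xml_text and, to include the file-existence check, the [JBoss root]\server\lc_turnkey directory as server_home.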
