Connecting Jboss and Tomcat through SSL with membrane proxy


Sathish Ganesan

Dec 24, 2015, 3:34:25 AM
to membrane-monitor
Hello again,

I'm working with a prototype for our project in using membrane proxy.

Setup info:
Jboss + Membrane proxy (war) + SSL configured
Tomcat (SSL configured)
--
Scenario:
When a service proxy is visited, it must be redirected to the tomcat homepage (SSL)
--
Result:
So when I try to hit the service proxy, the Tomcat homepage shows up with the normal HTTP configuration in Tomcat (80).
But when I try to make them secure (443), I'm facing a few issues.

Steps:
1. Generated the server/client certs using the attached batch file (PFA: cmds)
2. Conf (JBOSS) 

       <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
            <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
                <ssl password="secret" certificate-key-file="C:\proj\security\tomcat-ssl\jboss.jks" protocol="TLSv1"/>
            </connector>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>

3. Conf (Tomcat)

        <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
                   maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
                   keystoreFile="C:\proj\security\tomcat-ssl\tomcat.jks" keystorePass="changeit"
                   clientAuth="false" sslProtocol="TLS" />

4. proxies.xml available in jboss (attached proxies.xml)

5. Hit an exception when I tried to access the service proxy (/service)

12:29:01,675  WARN AbstractHttpHandler:89 - An exception occured while handling a request: 
com.predic8.membrane.core.transport.http.EOFWhileReadingLineException: null line so far: ""
at com.predic8.membrane.core.util.HttpUtil.readLine(HttpUtil.java:69)
at com.predic8.membrane.core.http.Header.<init>(Header.java:121)
at com.predic8.membrane.core.http.Response.read(Response.java:333)
at com.predic8.membrane.core.transport.http.HttpClient.doCall(HttpClient.java:329)
at com.predic8.membrane.core.transport.http.HttpClient.call(HttpClient.java:205)
at com.predic8.membrane.core.interceptor.HTTPClientInterceptor.handleRequest(HTTPClientInterceptor.java:60)
at com.predic8.membrane.core.interceptor.InterceptorFlowController.invokeRequestHandlers(InterceptorFlowController.java:106)
at com.predic8.membrane.core.interceptor.InterceptorFlowController.invokeHandlers(InterceptorFlowController.java:71)
at com.predic8.membrane.core.transport.http.AbstractHttpHandler.invokeHandlers(AbstractHttpHandler.java:70)
at com.predic8.membrane.servlet.embedded.HttpServletHandler.run(HttpServletHandler.java:75)
at com.predic8.membrane.servlet.embedded.MembraneServlet.service(MembraneServlet.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
at java.lang.Thread.run(Thread.java:745)

Please let me know what I am missing.

Thanks,
Sathish G
Attachments: proxies.xml, cmds

Tobias Polley

Dec 24, 2015, 4:12:48 AM
to membrane-monitor
Hi Sathish,

You need to configure Membrane to use SSL for outbound connections. This can be done by

1. inserting

    </balancer>
    <target>
        <ssl />
    </target>
</serviceProxy>

2. Then you need to establish trust. You could
2a. run
keytool.exe -importcert -alias tomcat -file tomcat.cer -keystore membrane.jks -storepass secret
2b. put the resulting membrane.jks into the WAR you create, say to /WEB-INF/membrane.jks .
2c. Expand the <ssl /> element you added in step 1 to reference membrane.jks as truststore:

    </balancer>
    <target>
        <ssl>
            <truststore location="/WEB-INF/membrane.jks" password="changeit" />
        </ssl>
    </target>
</serviceProxy>

I hope this helps. Please get back to us, if it does not.

Best, Tobias
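As an added example (not part of Tobias' reply and not Membrane's own tooling), here is the trust-establishment of step 2 as a PowerShell script, since the thread is working on Windows. It goes slightly beyond the reply: it also exports the Tomcat certificate from the keystore and verifies the resulting truststore before it is placed in the WAR. It assumes the paths, alias and passwords from Sathish's first post (tomcat.jks with keystorePass changeit under C:\proj\security\tomcat-ssl, key alias tomcat), that keytool.exe from the JDK is on the PATH, and it keeps the truststore password in a single variable so that the value used at import and the password="" attribute of <truststore> in proxies.xml cannot drift apart.

```powershell
# Added example (not from the thread): build the Membrane truststore that the
# <ssl><truststore/></ssl> element in proxies.xml points at, then verify it.
# Assumptions: tomcat.jks (alias "tomcat", password "changeit") lives in
# C:\proj\security\tomcat-ssl as in the first post; keytool.exe is on PATH.
$ErrorActionPreference = 'Stop'

$workDir        = 'C:\proj\security\tomcat-ssl'
$tomcatKeystore = Join-Path $workDir 'tomcat.jks'
$tomcatStorePwd = 'changeit'          # keystorePass from the Tomcat connector
$tomcatCert     = Join-Path $workDir 'tomcat.cer'
$trustStore     = Join-Path $workDir 'membrane.jks'
# One variable for the truststore password: the same value has to appear in the
# password="" attribute of <truststore> in proxies.xml, or Membrane cannot open
# the store at startup.
$trustStorePwd  = 'secret'

# 1. Export only the public certificate of the Tomcat server key. The private
#    key stays in tomcat.jks; a truststore must never contain it.
& keytool -exportcert -alias tomcat -keystore $tomcatKeystore `
    -storepass $tomcatStorePwd -file $tomcatCert -rfc
if ($LASTEXITCODE -ne 0) { throw 'export of the Tomcat certificate failed' }

# 2. Import it as a trusted entry into a fresh truststore. -noprompt skips the
#    interactive "Trust this certificate?" question; the fingerprint is checked
#    explicitly in step 3 instead.
if (Test-Path $trustStore) { Remove-Item $trustStore }
& keytool -importcert -noprompt -alias tomcat -file $tomcatCert `
    -keystore $trustStore -storepass $trustStorePwd
if ($LASTEXITCODE -ne 0) { throw 'import into membrane.jks failed' }

# 3. Verify: the store opens with the password proxies.xml will use, holds
#    exactly one trusted certificate, and that certificate is the exported one.
$listing = & keytool -list -v -keystore $trustStore -storepass $trustStorePwd
if ($LASTEXITCODE -ne 0) { throw 'membrane.jks does not open with the configured password' }
$entries = @($listing | Select-String -Pattern 'Entry type: trustedCertEntry')
if ($entries.Count -ne 1) { throw "expected 1 trusted certificate, found $($entries.Count)" }

$exportedFp = (& keytool -printcert -file $tomcatCert | Select-String 'SHA256:' |
               Select-Object -First 1).Line.Trim()
$storedFp   = ($listing | Select-String 'SHA256:' | Select-Object -First 1).Line.Trim()
if ($exportedFp -ne $storedFp) { throw 'fingerprint mismatch between tomcat.cer and membrane.jks' }

Write-Host 'membrane.jks ready; copy it to WEB-INF and reference it as:'
Write-Host "  <truststore location=`"/WEB-INF/membrane.jks`" password=`"$trustStorePwd`" />"
```

The fingerprint comparison is what the interactive keytool prompt would otherwise ask you to eyeball; checking it in the script means the truststore can only ever contain the certificate that was actually exported from tomcat.jks. The printed element is the one to paste into step 2c.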

Sathish Ganesan

Dec 24, 2015, 5:24:42 AM
to membrane-monitor
Great it works. :)

However, when I try to point the truststore path outside the war file, the resource retrieval fails to load it.
We cannot place the *.jks file into the war file in production environment.

Can anything be done to place the truststore outside the war file?

Exception:
java.lang.RuntimeException: java.lang.RuntimeException: com.predic8.membrane.core.resolver.ResourceRetrievalException: null while retrieving C:\proj\security\tomcat-ssl\jboss.jks
com.predic8.membrane.core.Router.start(Router.java:272)
org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:173)
org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:346)
org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:149)
org.springframework.context.support.DefaultLifecycleProcessor.start(DefaultLifecycleProcessor.java:91)
org.springframework.context.support.AbstractApplicationContext.start(AbstractApplicationContext.java:1276)
com.predic8.membrane.servlet.RouterUtil.initializeRoutersFromSpringWebContext(RouterUtil.java:43)
com.predic8.membrane.servlet.embedded.MembraneServlet.init(MembraneServlet.java:49)
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
java.lang.Thread.run(Thread.java:745)


Thanks,
Sathish G