Monday, September 7, 2015

Configuring Jetty Server With Security Certificates

  • 1 Install Jetty
  • Download Jetty 9.3.2 version from http://download.eclipse.org/jetty/ and unzip to a directory (This directory will be called Jetty Home)
  • go into Jetty Home directory and create a new directory inside this directory with name SECURE_BASE (This directory will be called Jetty Base)
  • go into Jetty Base directory and create a new file with name start.ini
  • open start.ini with a text editor and edit it to include below lines
# Initialize module server
--module=server
threads.min=10
threads.max=200
threads.timeout=60000
jetty.dump.start=false
jetty.sump.stop=false
--module=deploy
--module=jsp
--module=ext
--module=resources
--module=client
--module=annotations
--module=http
--module=ssl
--module=https
save and exit.
  • Execute below command in Jetty Base directory
java -jar ../start.jar
then terminate the process via issuing kill -9 pid command
  • create a new directory in Jetty Base directory with name etc.
In the end you should have following directory structure in your Jetty Base directory. (secure-base is Jetty Base in below example)
[rozaydin@RO secure-base]$ pwd
/home/rozaydin/WDH/jetty-9.3.2/secure-base
[rozaydin@RO secure-base]$ ls
etc lib resources start.ini webapps
[rozaydin@RO secure-base]$

2 Create SSL Certificate

Create an SSL certificate by issuing below command please ensure you note the password, this file will be used at https negotiation with the client.
$ keytool -keystore keystore -alias keystore -genkey -keyalg RSA -sigalg SHA256withRSA
 Enter keystore password:  password
 What is your first and last name?
   [Unknown]:  Test Test
 What is the name of your organizational unit?
   [Unknown]:  Software Development
 What is the name of your organization?
   [Unknown]:  Test Test
 What is the name of your City or Locality?
   [Unknown]: Istanbul
 What is the name of your State or Province?
   [Unknown]: Istanbul
 What is the two-letter country code for this unit?
   [Unknown]: TR
 Is CN=
Test Test, OU=Software Development, O=Test Test,
 L=Istanbul, ST=Istanbul, C=TR correct?
   [no]:  yes

 Enter key password for <keystore>
         (RETURN if same as keystore password):
 $

After the execution you should have a file with name keystore at the directory you have issued the command.

2 Configure HTTPS on Jetty

  1. Copy the SSL certificate file (keystore file) you have created in previous step to Jetty Base/etc directory

  2. Https configuration is determined by 4 configuration files located under Jetty Home/etc directory these files are
  • jetty.xml
  • jetty-https.xml
  • jetty-ssl.xml
  • jetty-ssl-context.xml
Open the jetty-ssl-context.xml file and modify below lines accordingly

jetty-ssl-context.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- ============================================================= -->
<!-- SSL ContextFactory configuration -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/keystore"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="test"/></Set>
<Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
<Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="test"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/keystore"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password" default="test"/></Set>
<Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
<Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
</Array>
</Set>
<Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>

Here we are setting the password by changing 3 properties listed below, password must be the same as the password that is set to the Certificate file.
<Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="test"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="test"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password" default="test"/></Set>

4 Run Jetty Server 

After following previous configuration steps, start jetty server by going into Jetty Base directory and issuing command
java -jar ../start.jar
you can access the server using https protocol by using default url https://localhost:8443
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)