33
4. Appendix A: Enabling HTTPS with Jetty
Proceed as follows to configure Jetty to enable a secure connection. If an existing private key or company certificate is being used, skip steps 1 and 2 as necessary.
1. Create a private key using the following command and entering a pass phrase in the output.
$ openssl genrsa -des3 -out myCompany.key Sample Output
Generating RSA private key, 2048 bit long modulus ...+++
...+++
e is 65537 (0x10001)
Enter pass phrase for myCompany.key: [pwJetty123]
Verifying - Enter pass phrase for myCompany.key: [pwJetty123]
This creates the private key file myCompany.key. Verify the private key using the following command.
$ openssl rsa -in myCompany.key -check Sample Output
Enter pass phrase for myCompany.key: [pwJetty123]
RSA key ok writing RSA key
---BEGIN RSA PRIVATE KEY---
MIIEogIBAAKCAQEAr653O+uwL0Ohoq8OQFadub9MMi1qak2tDhI9k25N5iZgElkL : :
R1dsDTpOMqikPFbT1aw98mNTcSMFiOiUcg07AEswqYfuuc8iR44=
---END RSA PRIVATE KEY---
2. Create a certificate using the private key that was just created and enter the applicable information.
$ openssl req -new -x509 -key myCompany.key -out myCompany.crt Sample Output
Enter pass phrase for myCompany.key: [pwJetty123]
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank.
---
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:myState Locality Name (eg, city) []:myTown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:myServer.com
Email Address []:[email protected]
This creates the certificate file myCompany.crt. Verify the certificate using the following command.
$ openssl x509 -in myCompany.crt -text -noout Sample Output
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17639746180074664251 (0xf4ccf7b0ff67713b) Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UK, ST=myState, L=myTown, O=myCompany, OU=Engineering, CN=myServer.com/[email protected]
Validity
Not Before: Sep 2 07:18:47 2015 GMT Not After : Oct 2 07:18:47 2015 GMT
Subject: C=UK, ST=myState, L=myTown, O=myCompany, OU=Engineering, CN=myServer.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
X509v3 Subject Key Identifier:
39:09:70:E1:9A:99:A6:DE:90:CB:AF:70:6E:D4:A9:74:68:71:11:C1 X509v3 Authority Key Identifier:
keyid:39:09:70:E1:9A:99:A6:DE:90:CB:AF:70:6E:D4:A9:74:68:71:11:C1 X509v3 Basic Constraints:
CA:TRUE
3. Add the certificate to the keystore using the following command and enter the applicable information.
$ keytool keystore myCompanyJetty.jks import alias myCompany file myCompany.crt -trustcacerts
Sample Output
Enter keystore password: [pwJetty123]
Re-enter new password: [pwJetty123]
Owner: [email protected], CN=myServer.com, OU=Engineering, O=myCompany,
35 Issuer: [email protected], CN=myServer.com, OU=Engineering, O=myCompany,
L=myTown, ST=myState, C=UK Serial number: f4ccf7b0ff67713b
Valid from: Wed Sep 02 08:18:47 BST 2015 until: Fri Oct 02 08:18:47 BST 2015 Certificate fingerprints:
Signature algorithm name: SHA256withRSA Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647 ]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [
Trust this certificate? [no]: yes Certificate was added to keystore
This creates the keystore file myCompany-Jetty.jks. Verify the keystore contents using the following command.
$ keytool -list -keystore myCompany-Jetty.jks Sample Output
Enter keystore password: [pwJetty123]
Keystore type: JKS Keystore provider: SUN
Your keystore contains 1 entry
mycompany, 02-Sep-2015, trustedCertEntry, Certificate fingerprint (SHA1):
CF:E8:39:E0:E7:7F:B0:96:CE:80:72:7E:4B:C0:4A:2B:D2:DB:94:DA
4. Create a Certificate Signing Request (CSR) using the following command and enter the applicable information.
$ openssl req -new -key myCompany.key -out myCompany.csr Sample Output
Enter pass phrase for myCompany.key: [pwJetty123]
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank.
---
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:myState Locality Name (eg, city) []:myTown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:myServer.com Email Address []:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:pwJetty123 An optional company name []:
This creates the CSR file myCompany.csr. Verify the contents of the CSR using the following command.
$ openssl req -text -noout -verify -in myCompany.csr Sample Output
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=UK, ST=myState, L=myTown, O=myCompany, OU=Engineering, CN=myServer.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
challengePassword :unable to print attribute Signature Algorithm: sha256WithRSAEncryption
37 : :
55:21:82:5a:8c:e9:18:8e:b7:98:53:32:7a:7f:77:5e:55:08:
7f:76:96:e2
5. Create a PKCS12 bundle containing the private key and its x509 certificate using the following command and enter the applicable information.
$ openssl pkcs12 -inkey myCompany.key -in myCompany.crt -export -out myCompany.p12 Sample Output
Enter pass phrase for myCompany.key: [pwJetty123]
Enter Export Password: [pwJetty123]
Verifying - Enter Export Password: [pwJetty123]
This creates the PKCS12 bundle file myCompany.p12. Verify the contents of the PKCS12 bundle using the following command.
$ openssl pkcs12 -info -in myCompany.p12 Sample Output
Enter Import Password: [pwJetty123]
MAC Iteration 2048 MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048 Bag Attributes
localKeyID: CF E8 39 E0 E7 7F B0 96 CE 80 72 7E 4B C0 4A 2B D2 DB 94 DA Key Attributes: <No Attributes>
Enter PEM pass phrase: [pwJetty123]
Verifying - Enter PEM pass phrase: [pwJetty123]
---BEGIN ENCRYPTED PRIVATE KEY---
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI4W6snmuYS6ICAggA : :
Ks7khnExAVuwu5/kbxBH90rf/cFFMQ/QOOFOY1ITVchhbBjRgYcnEVp7dUPSEWum a5E=
---END ENCRYPTED PRIVATE KEY---
6. Insert the PKCS12 bundle in the keystore using the following command and enter the applicable information.
$ keytool -importkeystore -srckeystore myCompany.p12 -srcstoretype PKCS12 -destkeystore myCompany-Jetty.jks
Sample Output
Enter destination keystore password: [pwJetty123]
Enter source keystore password: [pwJetty123]
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled This updates keystore file myCompany-Jetty.jks. Verify the contents of the
updated keystore using the following command.
$ keytool -list -keystore myCompany-Jetty.jks Sample Output
Enter keystore password: [pwJetty123]
Keystore type: JKS Keystore provider: SUN
Your keystore contains 2 entries
mycompany, 02-Sep-2015, trustedCertEntry, Certificate fingerprint (SHA1):
CF:E8:39:E0:E7:7F:B0:96:CE:80:72:7E:4B:C0:4A:2B:D2:DB:94:DA 1, 02-Sep-2015, PrivateKeyEntry,
Certificate fingerprint (SHA1):
CF:E8:39:E0:E7:7F:B0:96:CE:80:72:7E:4B:C0:4A:2B:D2:DB:94:DA
7. Copy the updated keystore to an area that can be used by the Jetty installation.
$ cp myCompany-Jetty.jks <jetty-install-dir>/etc/
8. Update the Jetty SSL config file to use the new keystore as follows:
a. Locate the sslContextFactory block in <jetty-install-dir>/etc/jetty-ssl.xml.
<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
<Set name="KeyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
<Set name="TrustStore"><Property name="jetty.home" default="."
/>/etc/keystore</Set>
<Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
</New>
Note: The passwords are listed in obfuscated form. Jetty provides a utility within the installation to generate obfuscated passwords.
b. In the Jetty install directory, run the following command using the passwords created in the previous steps. Note the value of the obfuscated (OBF) version of the password.
$ java -cp lib/jetty-util-8.1.10.v20130312.jar org.eclipse.jetty.util.security.Password pwJetty123
c. Update the sslContextFactory configuration accordingly. Note that the password and keystore locations have been updated.
<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore"><Property name="jetty.home" default="." />/etc/myCompany-Jetty.jks</Set>
<Set name="KeyStorePassword">OBF:1lfg1mmc1di01x0r1z0f1z0f1x1v1dgm1mii1lc2</Set>
<Set name="KeyManagerPassword">OBF:1lfg1mmc1di01x0r1z0f1z0f1x1v1dgm1mii1lc2</Set>
<Set name="TrustStore"><Property name="jetty.home" default="." />/etc/myCompany-Jetty.jks</Set>
<Set name="TrustStorePassword">OBF:1lfg1mmc1di01x0r1z0f1z0f1x1v1dgm1mii1lc2</Set>
</New>
d. In the Jetty startup file (<jetty-install-dir>/start.ini), look for the following line: # etc/jetty-ssl.xml. Uncomment and save.
9. Validate the changes. Take note of the Jetty ports (i.e., 8888 is the standard Jetty port for MRB/LB UI and 8443 is the standard default HTTPS port).
$ netstat -nlp | grep -E '8888|8443'
If 8443 is not an appropriate secure port, change it using the following procedure:
a. Restart Jetty to apply the changes using the following command.
$ service jetty restart
b. Verify that Jetty is listening on its secure port using the following command.
$ netstat -nlp | grep -E '8888|8443'
c. Using a web browser, navigate to the new secure port: https://<Jetty-IP>:8443/. The default Jetty landing page should appear.
After validating the changes, you can change the secure port by updating the Port value in the <jetty-install-dir>/etc/jetty-ssl.xml SslSelectChannelConnector class element. Follow step 9 to validate and restart Jetty after changing the secure port.