Part II. Securing the Platform
Chapter 8. Encryption
8.1. About Encryption
Encryption refers to obfuscating sensitive information by applying mathematical algorithms to it.
Encryption is one of the foundations of securing your infrastructure from data breaches, system outages, and other risks.
Encryption can be applied to simple string data, such as passwords. It can also be applied to data communication streams. The HTTPS protocol, for instance, encrypts all data before transferring it from one party to another. If you connect from one server to another using the Secure Shell (SSH) protocol, all of your communication is sent in an encrypted tunnel.
8.2. About SSL Encryption
Secure Sockets Layer (SSL) encrypts network traffic between two systems. Traffic between the two systems is encrypted using a two-way key, generated during the handshake phase of the connection and known only by those two systems.
For secure exchange of the two-way encryption key, SSL makes use of Public Key Infrastructure (PKI), a method of encryption that utilizes a key pair. A key pair consists of two separate but matching cryptographic keys - a public key and a private key. The public key is shared with others and is used to encrypt data, and the private key is kept secret and is used to decrypt data that has been encrypted using the public key.
When a client requests a secure connection, a handshake phase takes place before secure communication can begin. During the SSL handshake the server passes its public key to the client in the form of a certificate. The certificate contains the identity of the server (its URL), the public key of the server, and a digital signature that validates the certificate. The client then validates the certificate and makes a decision about whether the certificate is trusted or not. If the certificate is trusted, the client generates the two-way encryption key for the SSL connection, encrypts it using the public key of the server, and sends it back to the server. The server decrypts the two-way encryption key, using its private key, and further communication between the two machines over this connection is encrypted using the two-way encryption key.
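The handshake just described, worked through as an added example that is not code from this guide or from JBoss EAP. The server's RSA key pair stands in for the key carried in its certificate, a set of pinned key fingerprints stands in for the client's trust decision, and a SHA-256 counter keystream stands in for the cipher suite's bulk cipher. The RSA step is unpadded textbook RSA so that the arithmetic stays visible; all function names are this example's own.

```python
import hashlib
import os
import random


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so that p*q has the intended size."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)). Textbook RSA, no padding."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(public, data):
    n, e = public
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("data must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private, ciphertext, length):
    n, d = private
    return pow(ciphertext, d, n).to_bytes(length, "big")


def fingerprint(public):
    """SHA-256 of the public key; the client's trust store holds these values."""
    n, e = public
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(raw).hexdigest()


def keystream_xor(key, data):
    """Symmetric stand-in for the bulk cipher: XOR with a SHA-256 counter keystream.
    Applying it twice with the same key restores the data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def ssl_handshake(server_public, server_private, trust_store):
    """The handshake steps from this section. Returns the two-way key as each side
    ends up holding it, or (None, None) when the client rejects the server's key
    and therefore sends nothing."""
    # 1. Server presents its public key; the client validates it against pinned fingerprints.
    if fingerprint(server_public) not in trust_store:
        return None, None
    # 2. Client generates the two-way key and encrypts it with the server's public key.
    client_key = os.urandom(32)
    transported = rsa_encrypt(server_public, client_key)
    # 3. Server recovers the two-way key with its private key; both sides now share it.
    server_key = rsa_decrypt(server_private, transported, 32)
    return client_key, server_key


if __name__ == "__main__":
    public, private = generate_rsa_keypair()
    client_key, server_key = ssl_handshake(public, private, {fingerprint(public)})
    wire = keystream_xor(client_key, b"GET /secure HTTP/1.1")
    print(client_key == server_key, keystream_xor(server_key, wire))
```

The untrusted branch is the one worth reading twice: because the client never generates or sends the two-way key unless the trust decision succeeds, a server whose key is not in the trust store gets no usable session at all, which is the behaviour a real client's certificate validation has to preserve.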
8.3. Implement SSL Encryption for the JBoss EAP 6 Web Server
Introduction
Many web applications require an SSL-encrypted connection between clients and server, also known as an HTTPS connection. You can use this procedure to enable HTTPS on your server or server group.
Prerequisites
You need a set of SSL encryption keys and an SSL encryption certificate. You may purchase these from a certificate-signing authority, or you can generate them yourself using command-line utilities. To generate encryption keys using Red Hat Enterprise Linux utilities, refer to Section 8.4, “Generate
Note
This procedure uses commands appropriate for a JBoss EAP 6 configuration that uses a managed domain. If you use a standalone server, modify Management CLI commands by removing the /profile=default from the beginning of any Management CLI commands.
Procedure 8.1. Configure the JBoss Web Server to use HTTPS
1. Add a new HTTPS connector.
Execute the following Management CLI command, changing the profile as appropriate. This creates a new secure connector, called HTTPS, which uses the https scheme, the https socket binding (which defaults to 8443), and is set to be secure.
Example 8.1. Management CLI Command
/profile=default/subsystem=web/connector=HTTPS/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)
2. Configure the SSL encryption certificate and keys.
Execute the following CLI commands to configure your SSL certificate, substituting your own values for the example ones. This example assumes that the keystore is copied to the server configuration directory, which is EAP_HOME/domain/configuration/ for a managed domain.
Example 8.2. Management CLI Command
/profile=default/subsystem=web/connector=HTTPS/ssl=configuration:add(name=https,certificate-key-file="${jboss.server.config.dir}/keystore.jks",password=SECRET,key-alias=KEY_ALIAS)
For a full listing of parameters you can set for the SSL properties of the connector, refer to Section 8.5, “SSL Connector Reference”.
3. Deploy an application.
Deploy an application to a server group which uses the profile you have configured. If you use a standalone server, deploy an application to your server. HTTP requests to it use the new SSL-encrypted connection.
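Procedure 8.1, steps 1 and 2, as a small automation helper. This is an added example, not code from this guide or from JBoss EAP: it emits both commands as one CLI batch so that the connector and its SSL configuration are committed together, applies the rule from the Note (the /profile=default prefix is dropped for a standalone server), and checks that the keystore is in place before anything is sent to the server. It assumes jboss-cli.sh lives at EAP_HOME/bin/jboss-cli.sh with its --connect and --file options, and that keytool, when present on PATH, accepts -list with -keystore, -storepass and -alias; the function names are this example's own.

```python
import os
import shutil
import subprocess
import tempfile


def https_connector_commands(mode, password, key_alias, profile="default",
                             keystore="${jboss.server.config.dir}/keystore.jks"):
    """Return the two Management CLI commands of Procedure 8.1 wrapped in a batch.

    mode is "domain" (commands carry the /profile=<profile> prefix) or
    "standalone" (prefix removed, as the Note in this section requires).
    The keystore expression is resolved by the server, not by this script.
    """
    if mode == "domain":
        prefix = f"/profile={profile}"
    elif mode == "standalone":
        prefix = ""
    else:
        raise ValueError("mode must be 'domain' or 'standalone'")
    connector = f"{prefix}/subsystem=web/connector=HTTPS"
    return [
        "batch",
        f"{connector}/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)",
        f'{connector}/ssl=configuration:add(name=https,certificate-key-file="{keystore}",'
        f"password={password},key-alias={key_alias})",
        "run-batch",  # both steps are applied together, or neither is
    ]


def keystore_ready(config_dir, key_alias, password, filename="keystore.jks"):
    """Pre-flight check. Returns None when the keystore is in the configuration
    directory (and, if keytool is available, contains the alias the connector
    will use); otherwise returns a message saying what is missing."""
    path = os.path.join(config_dir, filename)
    if not os.path.isfile(path):
        return f"{path} does not exist; copy the keystore there first"
    keytool = shutil.which("keytool")
    if keytool is None:
        return None  # no JDK on this host: the file check is all we can do
    probe = subprocess.run(
        [keytool, "-list", "-keystore", path, "-storepass", password, "-alias", key_alias],
        capture_output=True, text=True)
    if probe.returncode != 0:
        return f"alias {key_alias!r} not found in {path}: {probe.stderr.strip()}"
    return None


def apply_https_connector(commands, eap_home):
    """Write the batch to a file and run it through jboss-cli.sh; returns the exit code."""
    with tempfile.NamedTemporaryFile("w", suffix=".cli", delete=False) as fh:
        fh.write("\n".join(commands) + "\n")
    cli = os.path.join(eap_home, "bin", "jboss-cli.sh")
    return subprocess.run([cli, "--connect", f"--file={fh.name}"]).returncode


if __name__ == "__main__":
    # Constructed values; replace with your own keystore password and alias.
    eap_home = os.environ.get("EAP_HOME", ".")
    problem = keystore_ready(os.path.join(eap_home, "domain", "configuration"),
                             "KEY_ALIAS", "SECRET")
    if problem:
        raise SystemExit(problem)
    batch = https_connector_commands("domain", "SECRET", "KEY_ALIAS")
    raise SystemExit(apply_https_connector(batch, eap_home))
```

Running the batch through --file rather than pasting the two commands interactively also leaves a reviewable record of exactly what was sent to the management interface.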
8.4. Generate an SSL Encryption Key and Certificate
To use an SSL-encrypted HTTP connection (HTTPS), as well as other types of SSL-encrypted communication, you need a signed encryption certificate. You can purchase a certificate from a Certificate Authority (CA), or you can use a self-signed certificate. Self-signed certificates are not considered trustworthy by many third parties, but are appropriate for internal testing purposes.
This procedure enables you to create a self-signed certificate using utilities which are available on Red Hat Enterprise Linux.
Prerequisites
You need the keytool utility, which is provided by any Java Development Kit implementation. OpenJDK on Red Hat Enterprise Linux installs this command to /usr/bin/keytool.
generic instructions, because further discussion of the specifics of SSL certificates or the keytool command are out of scope for this documentation.
Procedure 8.2. Generate an SSL Encryption Key and Certificate