Install JAVA8:
$ sudo su - root
# yum install java-1.8.0-openjdk.x86_64 java-1.8.0-openjdk-devel.x86_64 -y
# cd /etc/alternatives
# rm /etc/alternatives/java_sdk
# ln -d -s -f /usr/lib/jvm/java-1.8.0-openjdk.x86_64 /etc/alternatives/java_sdk
# rm /etc/alternatives/java_sdk_exports
# ln -d -s -f /usr/lib/jvm-exports/java-1.8.0-openjdk.x86_64 /etc/alternatives/java_sdk_exports
# rm /etc/alternatives/java_sdk_openjdk
# ln -d -s -f /usr/lib/jvm/java-1.8.0-openjdk.x86_64 /etc/alternatives/java_sdk_openjdk
# rm /etc/alternatives/java_sdk_openjdk_exports
# ln -d -s -f /usr/lib/jvm-exports/java-1.8.0-openjdk.x86_64 /etc/alternatives/java_sdk_openjdk_exports
# ln -s -f /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java /etc/alternatives/java
# ln -s -f /usr/lib/jvm/java-1.8.0-openjdk.x86_64/bin/javac /etc/alternatives/javac
# rm /etc/alternatives/keytool
# ln -s -f /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool /etc/alternatives/keytool
# $JAVA_HOME/bin/javac -version
javac 1.8.0_161
# $JAVA_HOME/bin/java -version
openjdk version "1.8.0_161"
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
Create the environment:
# groupadd -r jboss
# useradd -g jboss jboss
# passwd jboss
# su - jboss
$ mkdir jdbc wildfly
Download JBoss/wildfly:
$ cd wilfly
$ wget http://download.jboss.org/wildfly/12.0.0.Final/wildfly-12.0.0.Final.tar.gz
$ tar xvzf wildfly-12.0.0.Final.tar.gz
$ echo 'export JBOSS_HOME="/home/jboss/wildfly/wildfly-12.0.0.Final"' >> ~/.bash_profile
$ echo 'export PATH="${JBOSS_HOME}/bin:${PATH}"' >> ~/.bash_profile
$ source ~/.bash_profile
Download PostgreSQL JDBC:
$ cd jdbc
$ wget https://jdbc.postgresql.org/download/postgresql-42.2.1.jar
$ wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Convert the RDS certificate to 'der' format:
$ openssl x509 -in rds-combined-ca-bundle.pem -out rds-combined-ca-bundle.der -outform der
Add the cert to default JAVA_HOME certs (default 'keystore' password should be 'changeit'):
$ sudo su -
# echo $JAVA_HOME
/usr/lib/jvm/java
# cd ~jboss/jdbc/
# keytool -keystore $JAVA_HOME/lib/security/cacerts -alias rdscombined -import -file rds-combined-ca-bundle.der
If the follow error is presented (after you replied 'yes' to the question "Trust this certificate?"):
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /usr/lib/jvm/java/lib/security/cacerts (No such file or directory)
(...) then you will need to create the keystore itself:
# mkdir $JAVA_HOME/lib/security
# keytool -genkey -alias cacerts -keyalg RSA -keystore $JAVA_HOME/lib/security/cacerts -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Vinicius S
What is the name of your organizational unit?
[Unknown]: AWS Premium Support
What is the name of your organization?
[Unknown]: AWS
What is the name of your City or Locality?
[Unknown]: Dublin
What is the name of your State or Province?
[Unknown]: Dublin
What is the two-letter country code for this unit?
[Unknown]: IE
Is CN=Vinicius S, OU=AWS Premium Support, O=AWS, L=Dublin, ST=Dublin, C=IE correct?
[no]: yes
Enter key password for <cacerts>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/jvm/java/lib/security/cacerts -destkeystore /usr/lib/jvm/java/lib/security/cacerts -deststoretype pkcs12".
# keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file rds-combined-ca-bundle.der
Enter keystore password:
Owner: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Serial number: 42
Valid from: Thu Feb 05 09:11:31 UTC 2015 until: Thu Mar 05 09:11:31 UTC 2020
Certificate fingerprints:
MD5: CF:C1:A2:0D:A1:C1:B1:3C:12:0B:C1:5A:E5:33:73:EF
SHA1: E8:11:88:56:E7:A7:CE:3E:5E:DC:9A:31:25:1B:93:AC:DC:43:CE:B0
SHA256: AF:EB:B8:40:BE:0C:1A:F6:5E:63:E0:CB:D7:9C:CE:35:65:4B:F6:0F:4E:07:62:54:BB:A9:35:E9:63:6D:53:F7
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4E 02 EE AC 3E F6 15 C8 4C ED 2C F5 05 C1 8F 9C N...>...L.,.....
0010: 84 08 49 83 ..I.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 02 EE AC 3E F6 15 C8 4C ED 2C F5 05 C1 8F 9C N...>...L.,.....
0010: 84 08 49 83 ..I.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/jvm/java/lib/security/cacerts -destkeystore /usr/lib/jvm/java/lib/security/cacerts -deststoretype pkcs12".
Optionally you may want to change the JAVA_HOME variable:
export JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre"
When initializing JBoss pass the trustStorae and the password
$ standalone.sh -b 0.0.0.0 -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -bmanagement 0.0.0.0 -Djavax.net.ssl.trustStorePassword=changeit
Then you must add the JBoss admin uesr:
$ $JBOSS_HOME/bin/add-user.sh
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
- The password should be different from the username
- The password should not be one of the following restricted values {root, admin, administrator}
- The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
About to add user 'vinnixadmin' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'vinnixadmin' to file '/home/jboss/wildfly/wildfly-12.0.0.Final/standalone/configuration/mgmt-users.properties'
Added user 'vinnixadmin' to file '/home/jboss/wildfly/wildfly-12.0.0.Final/domain/configuration/mgmt-users.properties'
Added user 'vinnixadmin' with groups to file '/home/jboss/wildfly/wildfly-12.0.0.Final/standalone/configuration/mgmt-groups.properties'
Added user 'vinnixadmin' with groups to file '/home/jboss/wildfly/wildfly-12.0.0.Final/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="yasdgfyagsdfyg4xMjMk" />
Open jboss command line interface:
$ jboss-cli.sh -c
Add JDBC Driver as a JBoss module:
[standalone@localhost:9990 /] module add --name=org.postgresql --resources=postgresql-42.2.1.jar --dependencies=javax.api,javax.transaction.api
Allow DataSource subsystem to work with the recently added module:
/subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql, driver-class-name=org.postgresql.Driver, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
-
[1] Data Sources Management / Red Hat JBoss https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/index#datasource_management
-
[2] SSL Client / JDBC PostgreSQL https://jdbc.postgresql.org/documentation/head/ssl-client.html
"To make the server certificate available to Java, the first step is to convert it to a form Java understands.
$ openssl x509 -in server.crt -out server.crt.der -outform der
From here the easiest thing to do is import this certificate into Java's system truststore.
$ keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file server.crt.der
The default password for the cacerts keystore is changeit. The alias to postgresql is not important and you may select any name you desire.
If you do not have access to the system cacerts truststore you can create your own truststore.
$ keytool -keystore mystore -alias postgresql -import -file server.crt.der
When starting your Java application you must specify this keystore and password to use.
$ java -Djavax.net.ssl.trustStore=mystore -Djavax.net.ssl.trustStorePassword=mypassword com.mycompany.MyApp
$ standalone.sh -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit
In the event of problems extra debugging information is available by adding -Djavax.net.debug=ssl to your command line."
- [3] http://www.keycloak.org/docs/1.9/server_installation_guide/topics/database/datasource.html
- [4] https://developer-should-know.com/post/127065962382/installing-postgresql-and-adding-data-source-to
- [5] https://ravishbhupesh.wordpress.com/2008/05/06/connect-to-ssl-enabled-database-via-jboss/
- [6] https://docs.tibco.com/pub/mdm/9.1.0/doc/html/GUID-AA55613A-FD0C-4C64-A012-EA485ECC6FB8.html
- [7] https://stackoverflow.com/questions/41401790/can-anybody-please-guide-in-detail-how-to-connect-to-an-aws-rds-mysql-instance-v
- [8] https://mirocupak.com/secure-database-connection-with-wildfly/
- [9] https://mirocupak.com/configuring-a-datasource-on-wildfly/
- [10] https://jdbc.postgresql.org/documentation/head/ssl-client.html
- [11] https://jdbc.postgresql.org/documentation/head/connect.html#ssl
Summary
How to install and connect JBoss/wildfly with RDS/Aurora PostgreSQL using SSL certificates Main Text
Install SSL Certificate to Connect JBoss/wildfly with PostgreSQL Database
For security reasons, it's important to have a security connection between your application and its database. Customers can use the .pem certificate file when working with languages such as python, perl and ruby; however, when customers' application uses JBoss or JBoss/wildfly application server, the configuration can be tricky, since java has its own way to store the certificate file, which must be converted to another format.
In this article I show how to configure JBoss application server to work with RDS SSL certificates. Please read the full article once, before perform all steps.
Install JAVA8
If the host has no JVM and Java SDK installed you can simple install it by running the following command.
$ sudo su - root
If that is the case you can skip the next step.
Install JAVA8 when JAVA7 was already installed.
If the environment has JAVA7 installed previously and you must change the default symbolic links so the system PATH will recognize JAVA8 as default.
$ sudo su - root
ln -d -s -f /usr/lib/jvm-exports/java-1.8.0-openjdk.x86_64 /etc/alternatives/java_sdk_openjdk_exports
javac 1.8.0_161
openjdk version "1.8.0_161" OpenJDK Runtime Environment (build 1.8.0_161-b14) OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
Later I discovered that there is a proper way to change the symbolic links at /etc/alternatives directory:
$ sudo update-alternatives --config java
But you will need to do it for all commands.
Creating JBoss environment
Once Java 8 environment is correctly installed, now we must create the JBoss application server environment. Let's start by creating users, groups and directories.
$ mkdir jdbc wildfly
Download JBoss/wildfly:
Simply download the tarball inside wildfly directory and decompress it. Then, the environment variables.
$ cd wildfly $ wget http://download.jboss.org/wildfly/12.0.0.Final/wildfly-12.0.0.Final.tar.gz $ tar xvzf wildfly-12.0.0.Final.tar.gz
$ echo 'export JBOSS_HOME="/home/jboss/wildfly/wildfly-12.0.0.Final"' >> ~/.bash_profile $ echo 'export PATH="${JBOSS_HOME}/bin:${PATH}"' >> ~/.bash_profile $ source ~/.bash_profile
Download PostgreSQL JDBC
In this article I am showing how to connect using RDS PostgreSQL as example, that's why we are now downloading the PostgreSQL JDBC driver. If you are dealing with other database, you must change the JDBC driver to the appropriate engine. Further, when configuring JBoss the driver will change as well, but for the RDS certificate this will not change.
$ cd jdbc $ wget https://jdbc.postgresql.org/download/postgresql-42.2.1.jar $ wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Convert the RDS certificate to 'der' format:
As mentioned above, Java environment does not work directly with .pem files certificates. The JVM requires that you store it as a .der file format.
$ openssl x509 -in rds-combined-ca-bundle.pem -out rds-combined-ca-bundle.der -outform der
Then, add the new certificate file, rds-combined-ca-bulde.der, to the JAVA_HOME certs. The default 'keystore' has a default password which is 'changeit'.
$ sudo su -
/usr/lib/jvm/java
keytool -keystore $JAVA_HOME/lib/security/cacerts -alias rdscombined -import -file rds-combined-ca-bundle.der
To import the certificate you must provide the keystore password; the password that must be entered is changeit. Unless it was modified by the sysadmin already, a fresh installation will use this passphrase, changeit, as password to the access all keys for your Java environment. I do recommend that you change it.
If the follow error is observed (after you replied 'yes' to the question "Trust this certificate?"):
Certificate was added to keystore keytool error: java.io.FileNotFoundException: /usr/lib/jvm/java/lib/security/cacerts (No such file or directory)
(...) then you will need to create the keystore:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Vinicius S
What is the name of your organizational unit?
[Unknown]: AWS Premium Support
What is the name of your organization?
[Unknown]: AWS
What is the name of your City or Locality?
[Unknown]: Dublin
What is the name of your State or Province?
[Unknown]: Dublin
What is the two-letter country code for this unit?
[Unknown]: IE
Is CN=Vinicius S, OU=AWS Premium Support, O=AWS, L=Dublin, ST=Dublin, C=IE correct?
[no]: yes
Enter key password for (RETURN if same as keystore password):
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/jvm/java/lib/security/cacerts -destkeystore /usr/lib/jvm/java/lib/security/cacerts -deststoretype pkcs12".
With the steps above the key-store is created. The defined password will be used when starting the JBoss.
Once the key-store is created you can import the RDS SSL certificate. When asked to trust this certificate, choose "yes".
keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file rds-combined-ca-bundle.der
Enter keystore password:
Owner: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Serial number: 42
Valid from: Thu Feb 05 09:11:31 UTC 2015 until: Thu Mar 05 09:11:31 UTC 2020
Certificate fingerprints:
MD5: CF:C1:A2:0D:A1:C1:B1:3C:12:0B:C1:5A:E5:33:73:EF
SHA1: E8:11:88:56:E7:A7:CE:3E:5E:DC:9A:31:25:1B:93:AC:DC:43:CE:B0
SHA256: AF:EB:B8:40:BE:0C:1A:F6:5E:63:E0:CB:D7:9C:CE:35:65:4B:F6:0F:4E:07:62:54:BB:A9:35:E9:63:6D:53:F7
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 4E 02 EE AC 3E F6 15 C8 4C ED 2C F5 05 C1 8F 9C N...>...L.,..... 0010: 84 08 49 83 ..I. ] ]
#2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ]
#3: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ]
#4: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 4E 02 EE AC 3E F6 15 C8 4C ED 2C F5 05 C1 8F 9C N...>...L.,..... 0010: 84 08 49 83 ..I. ] ]
Trust this certificate? [no]: yes Certificate was added to keystore
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/jvm/java/lib/security/cacerts -destkeystore /usr/lib/jvm/java/lib/security/cacerts -deststoretype pkcs12".
Optionally you may want to change the JAVA_HOME variable:
export JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre"
Following the steps above, you will have:
-
Java 8 environment up and running;
-
A keystore for that envionrment;
-
The RDS certificate stored in the Java 8 keystore;
Starting with JBoss/wildfly
Now you need to start JBoss (using the command standalone.sh, if not a cluster farm). The important part here is to pass the correct variables to inform the JVM (running the application server) that you want to use the key store.
Those environment variables will be passed using "-D" parameter.
-Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
Also, don't use -bmanagement 0.0.0.0 in a production environment, as this will allow anyone that can reach your application server instance to access the JBoss management interface.
$ standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit
Once your JBoss is up and running, you must add the JBoss admin user:
$ $JBOSS_HOME/bin/add-user.sh
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
- The password should be different from the username
- The password should not be one of the following restricted values {root, admin, administrator}
- The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s) Password : Re-enter Password : What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]: About to add user 'vinnixadmin' for realm 'ManagementRealm' Is this correct yes/no? yes Added user 'vinnixadmin' to file '/home/jboss/wildfly/wildfly-12.0.0.Final/standalone/configuration/mgmt-users.properties' Added user 'vinnixadmin' to file '/home/jboss/wildfly/wildfly-12.0.0.Final/domain/configuration/mgmt-users.properties' Added user 'vinnixadmin' with groups to file '/home/jboss/wildfly/wildfly-12.0.0.Final/standalone/configuration/mgmt-groups.properties' Added user 'vinnixadmin' with groups to file '/home/jboss/wildfly/wildfly-12.0.0.Final/domain/configuration/mgmt-groups.properties' Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls. yes/no? yes To represent the user add the following to the server-identities definition
Once JBoss admin user is created you can open Jboss command line interface, and create/import the JDBC driver as a JBoss module.
$ jboss-cli.sh -c
When inside the JBoss Command Line Interface, the prompt will change to: "[standalone@localhost:9990 /]"
Add JDBC Driver as a JBoss module:
[standalone@localhost:9990 /] module add --name=org.postgresql --resources=postgresql-42.2.1.jar --dependencies=javax.api,javax.transaction.api
Allow DataSource subsystem to work with the recently added module:
[standalone@localhost:9990 /] /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql, driver-class-name=org.postgresql.Driver, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
Now you have:
-
JBoss up and running;
-
PostgreSQL JDBC driver imported and working with JBoss;
-
JBoss DataSource subsystem allowed to work with PostgreSQL JDBC driver;
Final steps: create and test the Data Source
So far we have only prepared JBoss to work with the JDBC driver and using SSL certificates. Now the final step will require you to have your database launched with SSL option enabled. You can create and test Data Sources from JBoss Web Management Console, or from CLI as well.
To create a Data Source from CLI follow those steps:
[standalone@localhost:9990 /] xa-data-source add --name=XA_PremiumSupportDS --jndi-name=java:/XA_PSDS --driver-name=postgresql --user-name=cseroot --password=MySup3rS3cr37DBP4ssw0rd --xa-datasource-class="org.postgresql.xa.PGXADataSource" --xa-datasource-properties={"ServerName"=>"pgtest.cacpiot1aa1a.eu-west-1.rds.amazonaws.com","DatabaseName"=>"bigdb", "ssl"="true"}
(note) Please note that here I'm creating a Multi-Transaction (XA) Data Source, which does not support JDBC URI based connection. If you don't need a XA data source, or your JDBC driver does not support it. You can create a simple data source. I have used a different name for it.
[standalone@localhost:9990 /] data-source add --name=PremiumSupportDS --jndi-name=java:/PSDS --driver-name=postgresql --connection-url="jdbc:postgresql://pgtest.cuhkiot5kb7i.eu-west-1.rds.amazonaws.com/bigdb?user=cseroot&password=MasterTest123&sslmode=verify-full"
Enable the data source that was created above:
[standalone@localhost:9990 /] /subsystem=datasources/xa-data-source=XA_PremiumSupportDS:enable
Reloading the JBoss is necessary to apply changes in DataSource subsystem:
[standalone@localhost:9990 /] reload
After that long journey, if all steps were performed correctly testing the new data-source will show a nice message:
[standalone@localhost:9990 /] /subsystem=datasources/xa-data-source=XA_PremiumSupportDS:test-connection-in-pool { "outcome" => "success", "result" => [true] }
A Java application that is running inside JBoss now can access your database through a fully managed data source, taking advantage of connection pooling multi-transaction environment, connection statistics and others that an enterprise application should have. The data source can be accessed using its name, or the JNDI.
Thank you!