Configuring JBoss for HTTPS

This is how I configured JBoss to handle HTTPS requests for secure ATG applications.

  1. Create the keystore and private key.
    $ cd /opt/jboss/jboss-eap-4.3/jboss-as/server/atg/conf
    $ keytool -genkey -alias jbosskey -keyalg RSA -keystore server.keystore
  2. Generate and store the certificate.
    $ keytool -export -alias jbosskey -file server.crt -keystore server.keystore
    $ keytool -import -alias jbosscert -file server.crt -keystore server.keystore
  3. Enable HTTPS.
    $ vi /opt/jboss/jboss-eap-4.3/jboss-as/server/atg/deploy/jboss-web.deployer/server.xml

    Uncomment the SSL HTTP/1.1 Connector section and edit it. For example:

        <Connector port="8443" address="${jboss.bind.address}"
                   protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystorePass="letmein" />
  4. Start JBoss with the keystore specified. On UNIX you can do this by updating run.conf. For example:
    JAVA_OPTS="-Xms128m -Xmx512m -XX:MaxPermSize=128m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true"

Note that if you are using service bindings (i.e. you have uncommented the service bindings section of conf/jboss-service.xml) then the bindings in the XML configuration file (e.g. sample-bindings.xml) will take precedence. In this case the secure port becomes 8543.
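
A check for step 3, as an added example that is not part of the original post: it strips XML comments from server.xml and reports the SSL connector only if it is really uncommented, and whether keystorePass sits in the file in plain text. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find the active SSL connector.

# active_xml FILE: print FILE on one line with <!-- ... --> comments removed.
active_xml() {
    tr '\n' ' ' < "$1" | sed 's/-->/\
/g' | sed 's/<!--.*//' | tr -d '\n'
}

# ssl_connector FILE: first uncommented <Connector> carrying SSLEnabled="true".
ssl_connector() {
    active_xml "$1" | grep -o '<Connector[^>]*>' | grep 'SSLEnabled="true"' | head -n 1
}

# attr NAME ELEMENT: value of attribute NAME inside ELEMENT.
attr() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\\([^\"]*\\)\".*/\\1/p"
}

# https_report FILE: one-line summary, or non-zero status if HTTPS is still off.
https_report() {
    c=$(ssl_connector "$1")
    [ -n "$c" ] || { echo "no active SSL connector"; return 1; }
    pass=absent
    [ -n "$(attr keystorePass "$c")" ] && pass=inline
    echo "port=$(attr port "$c") sslProtocol=$(attr sslProtocol "$c") keystorePass=$pass"
}

# Constructed sample: the SSL connector is still inside a comment.
sample_commented() {
    cat <<'EOF'
<Server>
  <Connector port="8080" address="${jboss.bind.address}" protocol="HTTP/1.1" />
  <!-- SSL/TLS Connector: uncomment to enable
  <Connector port="8443" address="${jboss.bind.address}"
             protocol="HTTP/1.1" SSLEnabled="true"
             clientAuth="false" sslProtocol="TLS" />
  -->
</Server>
EOF
}

# Constructed sample: the same file after step 3, with a password added.
sample_enabled() {
    sample_commented | sed -e '/<!-- SSL/d' -e '/^  -->$/d' \
        -e 's|sslProtocol="TLS" />|sslProtocol="TLS" keystorePass="constructed" />|'
}
```

The port printed is the one written in server.xml; with service bindings enabled it is overridden as described above.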

For further reading please see HOWTO Configure JBoss for HTTPS.

Turning On Debug in JBoss

There are probably many ways of turning debug on in JBoss.

On Windows the way I do it is by uncommenting the line in <JBoss>/bin/run.bat that starts with:

rem set JAVA_OPTS=-Xdebug

Uncommenting in DOS bat files is simply done by removing the rem command:

set JAVA_OPTS=-Xdebug

I created aliases for turning debug on and off. I use a script which simply replaces one string with another.

alias debugon=' "^rem set JAVA_OPTS=-Xdebug" "set JAVA_OPTS=-Xdebug" ${JBOSS}/bin/run.bat && chmod 755 ${JBOSS}/bin/run.bat && unix2dos ${JBOSS}/bin/run.bat'
alias debugoff=' "^set JAVA_OPTS=-Xdebug" "rem set JAVA_OPTS=-Xdebug" ${JBOSS}/bin/run.bat && chmod 755 ${JBOSS}/bin/run.bat && unix2dos ${JBOSS}/bin/run.bat'

On Unix I do a similar thing, uncommenting this line in <JBoss>/bin/run.conf:

#JAVA_OPTS="$JAVA_OPTS -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"

Uncommenting in Unix shell scripts is simply done by removing the # character at the beginning of the line.

JAVA_OPTS="$JAVA_OPTS -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"

These are my aliases on UNIX for turning debug on and off.

alias debugon=" '^#JAVA_OPTS=\"\$JAVA_OPTS -Xrunjdwp:transport=dt_socket' 'JAVA_OPTS=\"\$JAVA_OPTS -Xrunjdwp:transport=dt_socket' ${JBOSS_HOME}/bin/run.conf"
alias debugoff=" '^JAVA_OPTS=\"\$JAVA_OPTS -Xrunjdwp:transport=dt_socket' '#JAVA_OPTS=\"\$JAVA_OPTS -Xrunjdwp:transport=dt_socket' ${JBOSS_HOME}/bin/run.conf"

One of the reasons I created the scripts is that on Windows suspend=y by default. Therefore, when in debug mode, you have to start your debugger or the JBoss server will not completely start up. On Unix suspend=n by default. If you set suspend=n on Windows too, the server will start up without waiting for the debugger to attach.

Note that you can only have one server with debug on for a given port, e.g. port 8787.  So if you try to start more than one JBoss server with that port, only the first will start.  The solution is to start only one server with debug on or start different servers with different debug ports.
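
The toggle that the UNIX aliases above perform, written with sed as an added example (not the author's replace script, which the post does not name), together with a status check. JDWP has no authentication, so the status check is useful for confirming that the line is commented out before a server becomes reachable from other hosts.

```shell
#!/bin/sh
# Added example (not the author's replace script): toggle and report the JDWP
# line in run.conf using sed. The file path is passed as an argument.

# Fixed prefix of the line the post uncomments, as a basic regular expression.
JDWP_RE='JAVA_OPTS="\$JAVA_OPTS -Xrunjdwp:transport=dt_socket'

# rewrite FILE SED_EXPR: edit through a temp file (portable; keeps FILE's mode).
rewrite() {
    tmp=$(mktemp) || return 1
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Both are idempotent: running one twice leaves the file unchanged.
jdwp_on()  { rewrite "$1" "s|^#\\($JDWP_RE\\)|\\1|"; }
jdwp_off() { rewrite "$1" "s|^\\($JDWP_RE\\)|#\\1|"; }

# jdwp_status FILE: print "off", or "on port=N suspend=V" for the active line.
jdwp_status() {
    line=$(grep "^$JDWP_RE" "$1" | tail -n 1)
    [ -n "$line" ] || { echo off; return 0; }
    port=$(printf '%s\n' "$line" | sed -n 's/.*address=\([^,"]*\).*/\1/p')
    susp=$(printf '%s\n' "$line" | sed -n 's/.*suspend=\([^,"]*\).*/\1/p')
    echo "on port=$port suspend=$susp"
}

# Constructed sample run.conf with debugging commented out.
sample_run_conf() {
    cat <<'EOF'
JAVA_OPTS="-Xms128m -Xmx512m"
#JAVA_OPTS="$JAVA_OPTS -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"
EOF
}
```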

Running JBoss with Oracle

Most commercial websites that use JBoss also use Oracle.  To run JBoss with Oracle you simply need to tell JBoss where to find the Oracle JDBC drivers. To do this modify run.bat or and set the JBOSS_CLASSPATH to include the Oracle JDBC jar file before

set JBOSS_CLASSPATH=C:\oracle\product\10.2.0\db_1\jdbc\lib\ojdbc14.jar

I did this right before run.bat checks to see if JBOSS_CLASSPATH is empty.

rem If JBOSS_CLASSPATH or JAVAC_JAR is empty, don't include it, as this will
rem result in including the local directory in the classpath, which makes
rem error tracking harder.
if not "%JAVAC_JAR%" == "" set RUNJAR=%JAVAC_JAR%;%RUNJAR%

After doing this you might need to tell your web application how to configure the data sources. I wrote a post about how to configure your data source for ATG web applications.

Create Additional JBoss Application Server Configurations

I thought that to create an additional JBoss application server configuration one would have to use some kind of administration tool.

It turned out to be much simpler.

cp -R server/default server/betweengo

If you want to create an ATG application server configuration you can do this.

cp -R server/atg server/betweengo

The only difference between the default server configuration and the atg server configuration is that the latter has two additional datasource XML files for communicating with the SOLID database.


For further reading please see JBoss configurations to run an application (need active ATG support contract to see this document) or Building Your Own JBoss Configuration or Using JBoss Application Server.

Enabling Trace Level Debugging in JBoss

In JBoss 4.0.4.GA it took me a while to figure out how to enable trace level debugging.

Typically you could do something like this to enable trace level debugging for a category of classes.

<category name="">
  <priority value="TRACE"/>
</category>

However JBoss 4.0.4.GA has an older log4j implementation so you need to use JBoss’s custom TRACE level.

<category name="">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>

This is documented in the release notes for JBoss-4.2.1.GA.

Since the latest log4j includes a trace level, there is no need to reference the custom jboss TRACE level in conf/jboss-log4j.xml configs, JBAS-4163.

There is additional information on trace level debugging in the articles Enabling TRACE logging on server and Using Logging.

How to Log SQL on JBoss

Edit the log4j.xml in the conf directory as shown below to turn on SQL debugging of the JDBC CMP plugin.

/apps/jboss/server/default/conf :->diff -c log4j.xml~ log4j.xml
*** log4j.xml~  Mon Sep 30 18:09:27 2002
--- log4j.xml   Tue Apr  4 20:41:18 2006
*** 61,73 ****
    <!-- ============================== -->

    <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
!     <param name="Threshold" value="INFO"/>
      <param name="Target" value="System.out"/>

      <layout class="org.apache.log4j.PatternLayout">
        <!-- The default pattern: Date Priority [Category] Message\\n -->
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>


--- 61,79 ----
    <!-- ============================== -->

    <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
!     <!--<param name="Threshold" value="INFO"/>-->
!     <param name="Threshold" value="DEBUG"/>
      <param name="Target" value="System.out"/>

      <layout class="org.apache.log4j.PatternLayout">
        <!-- The default pattern: Date Priority [Category] Message\\n -->
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>

+     <category name="org.jboss.ejb.plugins.cmp.jdbc">
+       <priority value="DEBUG"/>
+     </category>
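
Review bot: The Threshold on the CONSOLE appender goes from INFO to DEBUG for the whole appender, so the console will now print DEBUG output from every category that emits it, not only org.jboss.ejb.plugins.cmp.jdbc. If only the CMP SQL is wanted, consider routing that category to its own appender or file rather than lowering the shared threshold, and drop the commented-out `<param name="Threshold" value="INFO"/>` line instead of keeping both. The closing tags of the layout and appender are not visible in this hunk, so confirm that the new `<category>` element lands after `</appender>` rather than inside it.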

If you want to log Hibernate SQL statements:

    <category name="org.hibernate.SQL">
      <priority value="DEBUG"/>
    </category>

If you want to log everything Hibernate’s doing, including SQL statements, schema export, transactions, etc.:

    <category name="org.hibernate">
      <priority value="DEBUG"/>
    </category>