Enable SSL in Jetty

by dizzzz at 3-12-2008 20:06; Wiki ID: JettySSL

It is not very difficult to enable HTTPS for eXist. Basically, enabling SSL in Jetty consists of three steps:

  1. Edit the Jetty configuration
  2. Create SSL Certificates
  3. Read the additional notes

Edit the Jetty configuration

  1. Open EXIST_HOME/tools/jetty/etc/jetty.xml in your favourite text editor (jEdit?)
  2. Scroll down to line 69 and uncomment lines 74 to 93 (the "Call" element):
    <Call name="addListener">
        <Arg>
            <New class="org.mortbay.http.SunJsseListener">
                <Set name="Port">8443</Set>
                <Set name="PoolName">P1</Set>
                <Set name="MaxIdleTimeMs">30000</Set>
                <Set name="lowResources">30</Set>
                <Set name="LowResourcePersistTimeMs">2000</Set>
                <Set name="Keystore">
                    <SystemProperty name="jetty.home"
                            default="."/>/etc/demokeystore</Set>
                <Set name="Password">secret</Set>
                <Set name="KeyPassword">secret</Set>
                <Set name="HttpHandler">
                    <New class="org.mortbay.http.handler.MsieSslHandler">
                        <Set name="UserAgentSubString">MSIE 5</Set>
                    </New>
                </Set>
            </New>
        </Arg>
    </Call> 
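As an added check, not part of the original wiki page, the following Python script parses a Jetty 5 listener block like the one above and reports what should be changed before the port is exposed: the demo keystore and the placeholder passwords. The sample XML is constructed from the fragment on this page, wrapped in a Configure root element; the PLACEHOLDER_PASSWORDS set is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Jetty 5 listener block this page tells you to uncomment,
# wrapped in a root element, still using the demo keystore and "secret" passwords.
SAMPLE_JETTY_XML = """<Configure class="org.mortbay.jetty.Server">
  <Call name="addListener"><Arg>
    <New class="org.mortbay.http.SunJsseListener">
      <Set name="Port">8443</Set>
      <Set name="Keystore">
        <SystemProperty name="jetty.home" default="."/>/etc/demokeystore</Set>
      <Set name="Password">secret</Set>
      <Set name="KeyPassword">secret</Set>
    </New>
  </Arg></Call>
</Configure>"""

PLACEHOLDER_PASSWORDS = {"secret", "password", "changeit"}  # assumed: treat as unset


def set_value(listener, name):
    """Text of <Set name=...> under a listener. Text around a nested element such as
    <SystemProperty/> is joined, so '${jetty.home}' + '/etc/demokeystore' survives."""
    for s in listener.findall("Set"):
        if s.get("name") == name:
            parts = [s.text or ""]
            for child in s:
                parts.append("${%s}" % child.get("name"))  # the property reference
                parts.append(child.tail or "")             # text that follows it
            return "".join(parts).strip()
    return None


def audit_ssl_listeners(xml_text):
    """Return findings for every SunJsseListener; empty list means no HTTPS listener."""
    findings = []
    for listener in ET.fromstring(xml_text).iter("New"):
        if listener.get("class") != "org.mortbay.http.SunJsseListener":
            continue
        keystore = set_value(listener, "Keystore") or ""
        findings.append("ssl listener on port %s" % set_value(listener, "Port"))
        if keystore.endswith("demokeystore"):
            findings.append("%s is the self-signed demo keystore" % keystore)
        if set_value(listener, "Password") in PLACEHOLDER_PASSWORDS:
            findings.append("keystore password is a placeholder value")
        if set_value(listener, "KeyPassword") in PLACEHOLDER_PASSWORDS:
            findings.append("key password is a placeholder value")
    return findings
```

A config that produces no findings beyond the port line points Keystore at a store holding a real certificate and uses passwords that are not the shipped defaults.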

Create SSL Certificates

  1. Generate the SSL certificates with ./build.sh -f build/scripts/jarsigner.xml jetty-keygen
    <!-- Generate FAKE CERTIFICATE for SSL -->
    <target name="jetty-keygen" description="Generate keystore for jetty.">
        <genkey alias="jetty" storepass="${keystore.password}"
                keystore="tools/jetty/etc/demokeystore"
                validity="${keystore.validity}">
            <dname>
                <param name="CN" value="eXist XML database"/>
                <param name="OU" value="Anonymous"/>
                <param name="O" value="exist-db.org"/>
                <param name="C" value="DE"/>
            </dname>
        </genkey>
    </target> 

Additional notes

Now you are actually ready!

  1. Start the server with bin/startup.sh
  2. Point your browser to https://localhost:8443

Please note that only the HTTP traffic to port 8443 is encrypted; the other ports remain unencrypted. Check for the following log lines in the console:

05 Dec 2008 22:40:16,713 [main] INFO  (Container.java [start]:74) - Started WebApplicationContext[/exist,eXist XML Database] 
05 Dec 2008 22:40:16,719 [main] INFO  (SocketListener.java [start]:205) - Started SocketListener on 0.0.0.0:8080 
05 Dec 2008 22:40:16,720 [main] INFO  (SunJsseListener.java [createFactory]:185) - jetty.ssl.keystore=/Users/drfoobar/eXist/tools/jetty/etc/demokeystore 
05 Dec 2008 22:40:16,720 [main] INFO  (SunJsseListener.java [createFactory]:189) - jetty.ssl.password=****** 
05 Dec 2008 22:40:16,720 [main] INFO  (SunJsseListener.java [createFactory]:195) - jetty.ssl.keypassword=****** 
05 Dec 2008 22:40:16,720 [main] INFO  (SunJsseListener.java [createFactory]:200) - jetty.ssl.keystore.type=jks 
05 Dec 2008 22:40:16,721 [main] INFO  (SunJsseListener.java [createFactory]:225) - jetty.ssl.keystore.provider.name=[DEFAULT] 
05 Dec 2008 22:40:16,735 [main] INFO  (SunJsseListener.java [createFactory]:248) - SSLServerSocketFactory=com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl@95575f 
05 Dec 2008 22:40:16,945 [main] INFO  (JsseListener.java [newServerSocket]:200) - JsseListener.needClientAuth=false 
05 Dec 2008 22:40:16,946 [main] INFO  (SocketListener.java [start]:205) - Started SocketListener on 0.0.0.0:8443 
05 Dec 2008 22:40:16,946 [main] INFO  (Container.java [start]:74) - Started org.mortbay.jetty.Server@eb41e5 
-----------------------------------------------------
Server has started on port 8080. Configured contexts:
http://localhost:8080/exist
-----------------------------------------------------
05 Dec 2008 22:40:28,891 [P1-9] INFO  (Container.java [start]:74) - Started HttpContext[/,/] 

If you have a 'real' X.509 certificate (free from e.g. Thawte), you might consider converting it into a Java KeyStore (JKS) using KeyTool IUI.

HowTos

by dizzzz at 1-12-2007 18:57; Wiki ID: HowTos
  1. SQL Databases: Querying SQL Databases from XQuery (SQLModule)
  2. XSLT 2: Upgrading eXist for XSLT 2.0 (Saxon)
  3. Troubleshooting: Some help for common issues
  4. JettySSL: Enabling SSL in Jetty
  5. Oxygen: Accessing eXist-db 1.3/trunk from the OxygenXML editor