Disable SSL v3 on JBoss AS 7.1.1

SSLv3 is vulnerable to POODLE attacks. If you're running your web application on JBoss AS 7.1, you need to disable SSLv3 to protect it from these attacks. JBoss AS 7.1 does support more recent versions of TLS, but it is still subject to a downgrade attack, i.e. the attacker tricks the browser into connecting with SSL v3.

How to test if your JBoss Server still uses SSL v3

Before attempting to disable SSL v3, you should make sure that your application can indeed be accessed via SSL v3. In order to do that:

  1. Open Internet Explorer
  2. On the browser, under options, turn off TLS 1.2, TLS 1.1, TLS 1.0 and SSL 2.0 and only allow SSL v3 (In Internet Explorer this is under Internet Options & Advanced tab)
  3. Try to access the web page of your app deployed on JBoss AS 7.1 server.
    • If you can successfully navigate to the page that means SSL v3 is enabled.
    • If you cannot navigate to the page, that means SSL v3 is disabled. This means your web application is already protected against POODLE and you don't need to do anything.
  4. Now turn TLS back on and try to access the web page again. You should be able to access the site.

How to disable SSL v3

To disable SSLv3 in JBoss you need to make sure SSLv3 is not listed in the list of protocols in standalone.xml on your JBoss server.

  1. Open standalone.xml file
    • It is located in the configuration folder of your JBoss App server directory.
  2. Modify https connector config.
    • Change the value of the protocols attribute to TLSv1,TLSv1.1,TLSv1.2.
    • Notice below that in the original config the protocol list contains only TLSv1, and that protocol is changed to protocols in the modified XML.

Code snippet from original configuration file.

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="your\file\path\to\the\certificate" protocol="TLSv1"/>
</connector>

Modified code snippet.

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="your\file\path\to\the\certificate" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>

Please note that if you're running Java 6 (JDK or JRE), you can only run TLS v1.0. TLSv1.1 and TLSv1.2 require Java 7 (minimum) to be running on your server.
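To check a standalone.xml without a browser, the added example below (not part of the original post) audits every `<ssl>` element under a `<connector>` against the TLS-only list recommended above and against the Java 6 limitation. It reads the `protocol` attribute as it appears in the snippets above; the function name, the sample XML and its namespace, and the choice to flag a missing attribute are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"TLSv1", "TLSv1.1", "TLSv1.2"}  # the protocol list this page recommends
NEEDS_JAVA7 = {"TLSv1.1", "TLSv1.2"}       # per the page: Java 6 can only run TLS v1.0

def local(tag):
    """Strip the XML namespace so the check does not depend on the subsystem version."""
    return tag.rsplit("}", 1)[-1]

def audit_connectors(xml_text, java_major=7):
    """Return (connector name, finding) pairs for every <ssl> element under a <connector>."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in (e for e in root.iter() if local(e.tag) == "connector"):
        name = conn.get("name", "?")
        for ssl in (e for e in conn if local(e.tag) == "ssl"):
            value = ssl.get("protocol")
            if value is None:
                # Assumption: with no explicit list, SSLv3 may still be negotiable.
                findings.append((name, "no protocol attribute: SSLv3 not explicitly excluded"))
                continue
            for tok in (t.strip() for t in value.split(",") if t.strip()):
                if tok not in ALLOWED:
                    # Catches SSLv3 as well as typos such as "TLSv1,2".
                    findings.append((name, "unexpected protocol token %r" % tok))
                elif tok in NEEDS_JAVA7 and java_major < 7:
                    findings.append((name, "%s requires Java 7 or later" % tok))
    return findings

# Constructed sample inputs (not taken from a real server).
GOOD = '''<subsystem xmlns="urn:jboss:domain:web:1.1">
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="foo-ssl" key-alias="foo" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
  </connector>
</subsystem>'''
BAD = GOOD.replace('protocol="TLSv1,TLSv1.1,TLSv1.2"', 'protocol="SSLv3,TLSv1,TLSv1,2"')
UNSET = GOOD.replace(' protocol="TLSv1,TLSv1.1,TLSv1.2"', '')

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD), ("unset", UNSET)):
        print(label, audit_connectors(doc))
    print("good on Java 6", audit_connectors(GOOD, java_major=6))
```

An empty result means every HTTPS connector restricts itself to the TLS versions listed above; run it again after each edit to standalone.xml and before restarting the server.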


Integrating Liferay Developer Studio with JBoss Application Server 7.1

Liferay Developer Studio comes bundled with a Tomcat server. Tomcat is useful for getting things up and running, but it is not so suitable for resource-intensive applications. JBoss is usually a good choice for most requirements. The following are the instructions on how to integrate JBoss with Liferay.

  1. Download the Liferay JBoss bundle from the Liferay website and save it on your local drive. I saved liferay-portal-jboss-6.2-ee-sp7-20140807114015311.zip to my local drive.
  2. Unzip this file to a folder of your choice. I unzipped it to C:\work\liferay-portal\liferay-portal-6.2-ee-sp7. This will be your JBOSS_BUNDLE_HOME.
  3. Start the JBoss Server.
  4. If you navigate to http://localhost:8080/, you will see a message indicating that you don't have the Liferay license.
  5. Refer to the section in my previous blog post on updating the license.
  6. You also need to connect to the same database that you set up with Liferay Developer Studio. To connect to the existing database:
    1. Create a new file called portal-ext.properties in JBOSS_BUNDLE_HOME.
    2. Add the following properties to the file and restart your JBoss Application Server.
jdbc.default.driverClassName=net.sourceforge.jtds.jdbc.Driver
jdbc.default.url=jdbc:jtds:sqlserver://localhost:1433/service_portal
jdbc.default.username=xxxxxx
jdbc.default.password=xxxxxx
  7. Create a new file called portal-setup-wizard.properties in JBOSS_BUNDLE_HOME, add the following lines and save it.
admin.email.from.address={your admin user email address}
admin.email.from.name=Admin User
liferay.home=C:/work/liferay-portal/liferay-portal-6.2-ee-sp7
setup.wizard.enabled=false
  8. Create a new file called build.{your username}.properties in {LIFERAY_HOME}\liferay-developer-studio\liferay-plugins-sdk-6.2, add the following lines and save it.
app.server.type = jboss
app.server.jboss.dir = ${app.server.parent.dir}/jboss-7.1.1
app.server.jboss.lib.global.dir = ${app.server.jboss.dir}/modules/com/liferay/portal/main
app.server.jboss.portal.dir = ${app.server.jboss.dir}/standalone/deployments/ROOT.war
app.server.jboss.deploy.dir = ${app.server.jboss.dir}/standalone/deployments
app.server.parent.dir = C:/work/liferay-portal/liferay-portal-6.2-ee-sp7
  9. Restart your application server. You should automatically be navigated to the Portal Login page.