Added by Confluence Administrator, last edited by Confluence Administrator on Aug 02, 2006

Using SSL/HTTPS With Jetty

As of revision 165331 (2005-04-29), Geronimo runs both the HTTP and HTTPS protocols.

The distribution includes a keystore in var/security/keystore. It contains one self-signed, untrusted certificate that will not be recognized by a browser. Replace it with a certificate signed by a trusted CA, as described in the Jetty FAQ or in the documentation on keytool.

The connector uses the new SslConnector from Jetty, which is built on the standard javax.net.ssl API rather than Sun's JSSE implementation. It should therefore work with any JVM, not just Sun's implementation. The properties for this connector differ slightly from those described in the Jetty documentation.

A default connector is defined in the server plan:

    <gbean name="JettySSLConnector" class="org.apache.geronimo.jetty.connector.HTTPSConnector">
        <attribute name="port">8443</attribute>
        <attribute name="keystore">var/security/keystore</attribute>
        <attribute name="keystoreType">JKS</attribute>
        <attribute name="password">secret</attribute>
        <attribute name="keyPassword">secret</attribute>
        <attribute name="needClientAuth">false</attribute>
        <attribute name="protocol">TLS</attribute>
        <reference name="JettyContainer"><name>JettyWebContainer</name></reference>
        <reference name="ServerInfo"><module>org/apache/geronimo/System</module><name>ServerInfo</name></reference>
    </gbean>

| Attribute | Description |
|---|---|
| port | The port to listen on |
| keystore | The location of the keystore, resolved relative to ServerInfo |
| keystoreType | The type of keystore, JKS for the default store |
| password | The store password |
| keyPassword | The key password, often the same as the store password |
| needClientAuth | Whether clients must provide a certificate |
| protocol | Wire protocol |
| algorithm | Encryption algorithm to use, if omitted uses the JVM's default |
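
One way to check a plan for the shipped values described above, as an added example (not Geronimo's own code): the script reports HTTPSConnector gbeans whose keystore, password or keyPassword still match the default plan. The function names, the `require_client_auth` policy switch and both sample plans are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HTTPS_CLASS = "org.apache.geronimo.jetty.connector.HTTPSConnector"
# Values from the default connector in the server plan shown above.
SHIPPED = {"keystore": "var/security/keystore",
           "password": "secret", "keyPassword": "secret"}

def local(tag):
    """Strip an XML namespace, e.g. '{uri}gbean' -> 'gbean'."""
    return tag.rsplit("}", 1)[-1]

def audit_plan(plan_xml, require_client_auth=False):
    """Return sorted (gbean, attribute, finding) tuples for HTTPS connectors."""
    findings = []
    for el in ET.fromstring(plan_xml).iter():
        if local(el.tag) != "gbean" or el.get("class") != HTTPS_CLASS:
            continue
        name = el.get("name", "(unnamed)")
        attrs = {a.get("name"): (a.text or "").strip()
                 for a in el if local(a.tag) == "attribute"}
        for key, shipped in SHIPPED.items():
            if attrs.get(key) == shipped:
                findings.append((name, key, "shipped default still in use"))
        # Site policy switch (assumption): flag connectors not set to demand client certs.
        if require_client_auth and attrs.get("needClientAuth") != "true":
            findings.append((name, "needClientAuth", "not set to true"))
    return sorted(findings)

# Constructed sample plans: the first repeats the default values from the page,
# the second uses made-up replacement values and a namespace on the root.
DEFAULT_PLAN = """<plan>
  <gbean name="JettySSLConnector" class="org.apache.geronimo.jetty.connector.HTTPSConnector">
    <attribute name="port">8443</attribute>
    <attribute name="keystore">var/security/keystore</attribute>
    <attribute name="password">secret</attribute>
    <attribute name="keyPassword">secret</attribute>
    <attribute name="needClientAuth">false</attribute>
  </gbean>
</plan>"""
REPLACED_PLAN = """<plan xmlns="urn:example:constructed">
  <gbean name="JettySSLConnector" class="org.apache.geronimo.jetty.connector.HTTPSConnector">
    <attribute name="keystore">var/security/site-keystore</attribute>
    <attribute name="password">constructed-store-pass</attribute>
    <attribute name="keyPassword">constructed-key-pass</attribute>
    <attribute name="needClientAuth">true</attribute>
  </gbean>
</plan>"""

if __name__ == "__main__":
    for finding in audit_plan(DEFAULT_PLAN, require_client_auth=True):
        print(finding)
```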

References

http://www.mortbay.org/jetty/faq?s=400-Security&t=ssl - Jetty SSL FAQ

http://nagoya.apache.org/eyebrowse/ReadMsg?listName=user@geronimo.apache.org&msgNo=96 - message from Jeremy Boynes with some hints about how to get started