Configure SSL on Jetty

Yura · Oct 24, 2010 · Viewed 65.6k times

I am trying to configure SSL on my Jetty.

I read this: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL and created a key store.

Then I jumped directly to section 4. But where is the configuration file I should use to configure Jetty?

I tried to search for jetty.xml, but there is no such file on my computer...

Answer

formixian · Jan 18, 2013

I had a lot of problems making it work, but I finally found out how to make it happen. I'm using Ubuntu 10.04 with Java 7. It may be possible to do it under Windows, but all the command lines are bash commands; it may be possible to do the same with Cygwin/MinGW.

I used Jetty 8.1.8. Download it from codehaus and choose the .tar.gz file for Linux (.zip for Windows).

Unzip the file in any directory you wish; this will be your {jetty} home folder for the sake of this article/answer.

Go to the {jetty}/etc directory.

Execute all the following command lines in order. Whenever a password is asked for, input the same password every time. The passwords are used to protect the key file, the key store and the certificate itself. Sometimes, a password will be asked for to unlock the key store or to use a generated key. Once you understand what everything is and how to use the passwords correctly, you may change those passwords when you feel ready (safer for production use). Otherwise, input the requested information when asked.

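# Generate an RSA private key, encrypted with a passphrase (3DES)
openssl genrsa -des3 -out jetty.key
# Create a self-signed X.509 certificate from that key
openssl req -new -x509 -key jetty.key -out jetty.crt
# Import the certificate into a Java key store file named "keystore", alias "jetty"
keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
# Create a certificate signing request for the same key
openssl req -new -key jetty.key -out jetty.csr
# Bundle the private key and the certificate into a PKCS#12 file
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
# Import the PKCS#12 bundle (key and certificate) into the key store
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore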

Now you have to edit {jetty}/etc/jetty-ssl.xml and configure your password to match the one you used during certificate generation. If you want to obfuscate your password, go back to the command line. Go to your {jetty} home directory and execute the following:

java -cp lib/jetty-util-8.1.8.v20121106.jar org.eclipse.jetty.util.security.Password "{PASSWORD}"

Replace {PASSWORD} with your actual password, then paste the obfuscated password, including the "OBF:", into all password fields found in jetty-ssl.xml. Note that a password obfuscated like that is hard for humans to read but easily unobfuscated programmatically. It just prevents developers from knowing the password when they edit the file. All configuration files should be secured properly and access to them should be as restrictive as possible.

Edit {jetty}/start.ini and uncomment the line #etc/jetty-ssl.xml (just remove the #).

Start Jetty:

java -jar start.jar

Now contact your server at: https://localhost:8443

Done!

Note that this answer is a quick way to enable SSL with Jetty. To make it secure for production, you have to read some more on the subject.