Getting Flex and JBoss to use SSL
I have spent the last 7 or so hours at work trying to configure our Flex client to connect to our JBoss 4.2.3 server using SSL.
Now that I have figured it out, here are the steps to make it work. The assumption is that you have JBoss 4.2.3 installed and are able to access a web app on port 8080 over plain old HTTP.
Types of SSL
JBoss supports at least two implementations of SSL:
Java Secure Socket Extension (JSSE) which uses the Java Runtime.
Apache Portable Runtime (APR) which uses OpenSSL.
Based on my version I am going to go out on a limb and say by default JBoss 4.2.3 uses APR out of the box. You can verify this by looking in the server.xml found in your JBoss installation at
JSSE SSL Setup Instructions
Generating a KeyStore
In order for all this SSL craziness to work you need to generate a keystore for your server. This keystore is created using the Java keytool executable. The keystore will be kept in the
1. Open a command line tool and navigate to
2. Execute keytool -genkey -alias tomcat -keyalg RSA -keystore server.keystore
3. Enter ‘123456’ as the password when prompted.
4. You will also be prompted to enter your name, organizational unit, organization, city, state and country. Enter the appropriate values for you.
5. When prompted to enter the key password just hit enter to make it the same as the keystore password.
6. Voila you now have a key in the conf directory called server.keystore
Configuring JBoss For SSL
The {jboss}/server/default/deploy/jboss-web.deployer/server.xml file now needs to be modified to accept connections over HTTPS. This requires adding a Connector tag to the file that specifies the port, the keystore location and the keystore password. In order to use JSSE we need to override the default protocol with org.apache.coyote.http11.Http11Protocol. This will cause it to override the APR SSL.
1. Open {jboss}/server/default/deploy/jboss-web.deployer/server.xml in your favourite text editor.
2. By default the Connector for https is commented out (you can find it by searching for 8443)
3. Add a new Connector to the file:
<Connector port="8443" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="123456" clientAuth="false" sslProtocol="TLS" />
4. You can modify the port as you like and also update the keystoreFile and keystorePass as is appropriate.
5. Save the file.
Verify Results for Either SSL
Now that you have created a keystore and also added a new connector you should be able to start up JBoss without errors. To verify you can now go to https://{server name}:{port}/{webapp}. You will be prompted to accept the certificate and once you accept the page should load.
Here are two very helpful sources: Steps for Building A Hello World Web App, Apache Tomcat SSL How To, JBoss Community SSL Config, and How To Create a Self Signed Certificate
Updating the Flex Client
We use Granite and Gravity for transferring objects between the Flex client and the JBoss server. All you need to do is update the services-config.xml Granite file.
Locate the channel-definition tags and update them to use the secure channel classes and also update the URL to include https.
<channel-definition id="myApp-graniteamf" class="mx.messaging.channels.SecureAMFChannel">
    <endpoint uri="localhost/myApp/gra…"
              class="flex.messaging.endpoints.SecureAMFEndpoint" />
</channel-definition>