How to setup Apache Archiva to use HTTPS instead of HTTP - https

In default configuration, Apache Archiva 2.2 uses HTTP, and official documentation tells nothing how to change it to HTTPS.
I think that this can be done by modifying conf/jetty.xml file, but when I try to do this, as described in Jetty documentation, it only gives me errors like:
java.lang.NoSuchMethodException: class org.eclipse.jetty.util.ssl.SslContextFactory.setTrustStorePath(class java.lang.String)
Is it possible to do this?

I used Apache as a HTTPS proxy, configuring new virtual host:
Listen 8081
<VirtualHost *:8081>
ServerName archiva.example.com
SSLEngine On
SSLCertificateFile /path/to/apache_certs/cert.pem
SSLCertificateKeyFile /path/to/apache_certs/cert.key
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Proxy http://localhost:8080/*>
Order allow,deny
Allow from all
</Proxy>
ProxyPreserveHost on
</VirtualHost>
Don't forget to enable two apache mods that are necessary to run this:
sudo a2enmod proxy proxy_http

I added the following to jetty.xml and it worked:
<Call class="java.lang.System" name="setProperty"><Arg>jdk.tls.ephemeralDHKeySize</Arg><Arg>2048</Arg></Call>
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="keyStore"><SystemProperty name="jetty.home" default="." />/conf/tomcat.keystore</Set>
<Set name="keyStorePassword">changeit</Set>
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
</New>
</Arg>
<Set name="port">8843</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="statsOn">false</Set>
<Set name="lowResourcesConnections">5000</Set>
<Set name="lowResourcesMaxIdleTime">5000</Set>
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
</New>
</Arg>
</Call>

Related

Unable to open httpConnection in Jetty9 while migrating from jetty6

I am migrating my current spring based java project from jetty6 to jetty9. I am also migrating from JDK6 to JDK9 at the same time. I do understand that quite a lot has changed with jetty.
I tried to follow the docs from jetty link but after successfully building my project I am getting error while trying to open active http/https connections.
I have done the configuration in XML as I am reading a lot of values from properties file and doing all this programmatically won't be very clean approach.
Below is my configuration:-
<Configure id="server" class="org.eclipse.jetty.server.Server">
<New id="httpConfig"
class="org.eclipse.jetty.server.HttpConfiguration">
<Set name="secureScheme">https</Set>
<Set name="securePort"><Ref id="opPort" /></Set>
<Set name="outputBufferSize">32768</Set>
<Set name="requestHeaderSize">8192</Set>
<Set name="responseHeaderSize">8192</Set>
<Set name="sendServerVersion">true</Set>
<Set name="sendDateHeader">false</Set>
<Set name="headerCacheSize">512</Set>
<Call name="addCustomizer">
<Arg>
<New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
</Arg>
</Call>
</New>
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server">
<Ref refid="server" />
</Arg>
<!-- <Arg name="acceptors">2</Arg> -->
<!-- <Arg name="selectors">-1</Arg> -->
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<Item>
<New class="org.eclipse.jetty.server.SslConnectionFactory">
<Arg name="next">http/1.1</Arg>
<Arg name="sslContextFactory">
<Ref refid="sslContextFactory" />
</Arg>
</New>
</Item>
<Item>
<New class="org.eclipse.jetty.server.HttpConnectionFactory">
<Arg name="config">
<Ref refid="httpConfig" />
</Arg>
</New>
</Item>
</Array>
</Arg>
<Set name="host">localhost</Set>
<Set name="port">
<Ref id="opPort" />
</Set>
<Set name="idleTimeout">2000000</Set>
<Set name="acceptQueueSize">64</Set>
</New>
</Arg>
</Call>
<New id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="keyStorePath">./configuration/dev/keystore</Set>
<Set name="keyStorePassword">OBF:1zlu1uum1toq1w8v1to41uvk1zlo</Set>
<Set name="keyManagerPassword">OBF:1zlu1uum1toq1w8v1to41uvk1zlo</Set>
<Set name="trustStorePath">./configuration/dev/keystore</Set>
<Set name="trustStorePassword">OBF:1zlu1uum1toq1w8v1to41uvk1zlo</Set>
<!-- <Set name="endpointIdentificationAlgorithm"></Set> -->
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
</Array>
</Set>
</New>
<Set name="handler">
<New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<!--your web app WAR goes here -->
<Item>
<New id="WmSecurityWebApp" class="org.eclipse.jetty.webapp.WebAppContext">
<Arg>./target/gls-op.war</Arg>
<Arg>/gls-op/us/7049</Arg>
<Set name="logUrlOnStart" type="boolean">true</Set>
<Set name="parentLoaderPriority">true</Set>
</New>
</Item>
</Array>
</Set>
</New>
</Set>
While the project is building successfully but when I hit any Rest API, it throws error:-
16:26:16.470 [qtp985922955-32] DEBUG o.e.j.util.thread.QueuedThreadPool - ran EatWhatYouKill#29855e88/org.eclipse.jetty.io.ManagedSelector$SelectorProducer#dcd6f19/PRODUCING/1/1
16:26:16.470 [qtp985922955-18] DEBUG o.e.jetty.server.HttpConnection -
javax.net.ssl.SSLHandshakeException: Unrecognized SSL message, plaintext connection?
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:804) ~[jetty-io-9.4.6.v20170531.jar:9.4.6.v20170531]
I have updated the keystore using jdk8 and also the OBF form using jetty utility version being used on my machine.
Even after changing many things around, it is not working out for me.
I removed SSL and tested only using HTTP connection settings. It worked fine. I am not using SSL for now and it seems to be good for now. Meanwhile I will keep checking out for options to use both settings together in a single file.

Configuring thread name prefix in Jetty transport

It would be great if someone was able to help me with the following.
We currently use Jetty to expose our REST interface (Which is setup with Spring) and I want to be able to set the prefix of the threads that are used to process these calls. I believe I have found the change to cxf that will enable this behaviour:
https://issues.apache.org/jira/browse/CXF-5919
It seems to change the initial "qtp" value to whatever you want. (The version we have does include these changes) The problem is that I cannot actually work out how to set it, initially I tried the following:
<Configure id="server" class="org.eclipse.jetty.server.Server">
<Set name="threadPool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<Set name="minThreads">10</Set>
<Set name="maxThreads">1000</Set>
<Set name="threadNamePrefix">myname</Set>
</New>
</Set>
</Configure>
http://wiki.eclipse.org/Jetty/Reference/jetty.xml_syntax#Creating_a_NewObject_and_Setting_It_on_the_Server
But that does not work as it's not the QueuedThreadPool that has the threadNamePrefix value.
I would be great if someone was able to give me some pointers as to how I can update my jetty.xml so that I can set this value.
Thank you
Rob
Looking at Jetty source code I see that name attribute is the one you are after. Your example should look like this:
<Configure id="server" class="org.eclipse.jetty.server.Server">
<Set name="threadPool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<Set name="minThreads">10</Set>
<Set name="maxThreads">1000</Set>
<Set name="name">myname</Set>
</New>
</Set>
</Configure>
This is the result (from VisualVM) on my setup:

Rewrite rules for Run Jetty Run

I am trying to add a rewrite rule to my run jetty run Eclipse plugin. I am using Jetty v 8.1.2 and supply a 'jetty-rewrite.xml' in the 'Additional Jetty.xml' Eclipse run configuration option. What I would like to achieve is rewriting the following URL
/hello/world?id=1
to
/
The rewrite works in so far as my local URL is updated correctly. However, regardless of what URL I enter (regardless if it matches the rewrite pattern or not), I get a 404 File not Found error from jetty. Note that '/' is mapped to 'index.html' in my web.xml. I can enter any URL (even the full path to index.html) and I get the same 404 error.
<?xml version="1.0" ?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- create and configure the rewrite handler -->
<New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">false</Set>
<Set name="originalPathAttribute">requestedPath</Set>
<!-- redirect the response. This is a redirect which is visible to the browser.
After the redirect, the browser address bar will show /redirected -->
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.RedirectPatternRule">
<Set name="pattern">/hello/world/*</Set>
<Set name="location">/</Set>
</New>
</Arg>
</Call>
</New>
<!-- add the rewrite handler to the server -->
<Set name="handler">
<Ref id="Rewrite" />
</Set>
</Configure>
I don't use any other jetty configuration files, except the default ones that are loaded by the run jetty run plugin. Thanks for any pointers.
Turns out the problem was that I hadn't realized that <Set name="handler"> essentially 'overwrites' my default handlers. So, to fix it, I changed the last few lines to
<!-- add the rewrite handler to the server -->
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.HandlerCollection">
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<Item>
<Ref id="Rewrite" />
</Item>
<Item>
<Ref id="oldhandler"/>
</Item>
</Array>
</Set>
</New>
</Set>
where oldhandler refers to a previously declared <Get id="oldhandler" name="handler"/>
I use jetty9, and I edit two files:
1) start.ini
add one line: "--module=rewrite"
2) etc/jetty-rewrite.xml
add:
/yyy/(.*)
/$1

Can I use property placeholders in Jetty-env.xml?

I am working on a project that uses jetty-env.xml to define some resources in the test environment. It requires that I hijack it and put in my username and password for the resources. Is there a way to define my credentials in an external way and use a property placeholder instead? Like in the Spring applicationConfig.xml I can use ${username} as defined in my system properties.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure id="wac" class="org.mortbay.jetty.webapp.WebAppContext">
<New id="validation_mail" class="org.mortbay.jetty.plus.naming.Resource">
<Arg>mail/exampleMail</Arg>
<Arg>
<New class="org.mortbay.naming.factories.MailSessionReference">
<Set name="user"></Set>
<Set name="password"></Set>
<Set name="properties">
<New class="java.util.Properties">
<Put name="mail.smtp.host">mail.example.edu</Put>
</New>
</Set>
</New>
</Arg>
</New>
<New id="datasource" class="org.mortbay.jetty.plus.naming.Resource">
<Arg>jdbc/DataSource</Arg>
<Arg>
<New class="com.sybase.jdbc3.jdbc.SybDataSource">
<Set name="databaseName">example</Set>
<Set name="serverName">testip.example.edu:2025</Set>
<Set name="portNumber">2025</Set>
<Set name="user">username</Set> <!-- put username here -->
<Set name="password">password</Set> <!-- put password here -->
</New>
</Arg>
</New>
I new to these tools so I might be closer to an answer than I think. Any help would be appreciated.
Enviroment:
Spring Tool Suite 3.4.0 RELEASE
Maven 3
Jetty Plugin 6.1
Spring 3
If you're using the jetty maven plugin, then you can define your properties in a properties file.
Configure the jetty plugin like this:
<configuration>
<systemPropertiesFile>${project.basedir}/src/test/conf/jetty-env.properties</systemPropertiesFile>
</configuration>
And then your jetty-env.xml can be like this:
<New id="dsDatasource" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg>jdbc/dsProtWb</Arg>
<Arg>
<New class="org.apache.commons.dbcp.BasicDataSource">
<Set name="driverClassName">net.sourceforge.jtds.jdbc.Driver</Set>
<Set name='url'>jdbc:jtds:sqlserver://ROPFDN812Q:4900/dlmp_proteomics_wb_dev;instance=FDNDEV18;domain=mfad</Set>
<Set name="username"><SystemProperty name="LANID" /></Set>
<Set name="password"><SystemProperty name="LANPW" /></Set>
</New>
</Arg>
</New>
You can define environment variables and use the Env tag as a placeholder.
<New id="dsDatasource" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg>jdbc/dsProtWb</Arg>
<Arg>
<New class="org.apache.commons.dbcp.BasicDataSource">
<Set name="driverClassName">net.sourceforge.jtds.jdbc.Driver</Set>
<Set name='url'>jdbc:jtds:sqlserver://ROPFDN812Q:4900/dlmp_proteomics_wb_dev;instance=FDNDEV18;domain=mfad</Set>
<Set name="username"><Env name="LANID"/></Set>
<Set name="password"><Env name="LANPW"/></Set>
</New>
</Arg>
</New>

How to Configure P6Spy with OracleConnectionPoolDataSource in specific

We are using Oracle connection Pooling mechanism in our project as our application uses some oracle specific features.
The configuration of our datasource in jetty.xml is as follows:
<Call name="addService">
<Arg>
<New class="org.mortbay.jetty.plus.DefaultDataSourceService">
<Set name="Name">DataSourceService</Set>
<Call name="addDataSource">
<Arg>app_ds</Arg><!--java:comp/env-->
<Arg>
<New class="oracle.jdbc.pool.OracleConnectionPoolDataSource">
<Set name="description">xxxx</Set>
<Set name="user">xxx</Set>
<Set name="password">xxxx</Set>
<Set name="loginTimeout">xxx</Set>
<Set name="URL">jdbc:oracle:thin:#localhost:1521:xxx</Set>
</New>
</Arg>
</Call>
<Call name="start"/>
</New>
Now How do we integrate this datasource with P6Spy, so that P6Spy can print out all the SQL statements on to the console...?
I have previously used P6spy with other datasources like spring's DriverManagerDataSource, other datasources like as
(In Tomcat)
Resource name="jdbc/test" auth="Container"
type="javax.sql.DataSource" driverClassName="oracle.jdbc.driver.OracleDriver"
url="jdbc:oracle:thin:#xxx"
username="xxx" password="xxx" maxActive="65" maxIdle="10"
maxWait="-1" removeAbandoned="true"/>
..etc.
All these datasources take driverClassName as argument where we can provide the "com.p6spyengine.spy.P6SpyDriver" in the place of "oracle.jdbc.driver.OracleDriver" and provide the real driver name in spy.properties. The all worked fine.
But with oracle.jdbc.pool.OracleConnectionPoolDataSource, there is no such property called driverClassName to provide a proxy driver to.
In this case how can i integrate P6Spy with it?
Please help...
Thanks in Advance,
Krishna V
From my experience with Glassfish, I would suggest to:
keep your existing oracle (real) datasource definition
create new one (P6Spy one) used as proxy to real one,
defined like this:
<Call name="addService">
<Arg>
<New class="org.mortbay.jetty.plus.DefaultDataSourceService">
<Set name="Name">DataSourceService</Set>
<Call name="addDataSource">
<Arg>p6spy_ds</Arg><!--java:comp/env -->
<Arg>
<New class="com.p6spy.engine.spy.P6DataSource">
<!-- properties would be irrelevant here -->
<Set name="description">xxxx</Set>
<Set name="user">xxx</Set>
<Set name="password">xxxx</Set>
<Set name="loginTimeout">xxx</Set>
<Set name="URL">jdbc:oracle:thin:#localhost:1521:xxx</Set>
</New>
</Arg>
</Call>
<Call name="start" />
</New>
and make sure to refer the real one from the spy.properties file,
using:
realdatasource=jdbc/app_ds # assuming that app_ds is your real datasource
the last thing is to refer the proxy_ds in all your application logic to make sure to use it (If referring would cost you too much, you can always call the proxy datasource the same as the original one and rename the original one + refer the new name in spy.properties config file)
With Jetty, adding P6Spy is actually a little easier. P6Spy has a P6DataSource that accepts another data source via constructor parameter. This is by far the easiest way to setup P6Spy.
<Call name="addService">
<Arg>
<New class="org.mortbay.jetty.plus.DefaultDataSourceService">
<Set name="Name">DataSourceService</Set>
<Call name="addDataSource">
<Arg>app_ds</Arg><!--java:comp/env-->
<Arg>
<New class="com.p6spy.engine.spy.P6DataSource">
<Arg>
<New class="oracle.jdbc.pool.OracleConnectionPoolDataSource">
<Set name="description">xxxx</Set>
<Set name="user">xxx</Set>
<Set name="password">xxxx</Set>
<Set name="loginTimeout">xxx</Set>
<Set name="URL">jdbc:oracle:thin:#localhost:1521:xxx</Set>
</New>
</Arg>
</New>
</Arg>
</Call>
<Call name="start"/>
</New>

Resources