Skip navigation
Steffen Kuhnt
Currently Being Moderated

Acrobat 7.0.5 + APS + SSL

Mar 8, 2006 8:18 AM

Hello everyone,

just one question: Has anyone ever managed to connect to APS using Acrobat 7.0.5+ using the automatic APS installation on JBoss?

I have tried just about everything that came to mind but simply cannot get it to work. Everything runs well if I use Acrobat 7.0 using HTTP.

Any ideas?

Thank you VERY much,

Steffen.
 
Replies
  • Currently Being Moderated
    Mar 8, 2006 10:03 AM   in reply to Steffen Kuhnt
    Hi Steffen,<br /><br />The JBoss auto-install ships with a test SSL certificate, which I believe has expired.  <br /><br />Try the following on the client machine that Acrobat is installed on:<br /><br />1. In Internet Explorer (IE), navigate to the Policy Server web console (https://<yourhost>:<yourport>/edc/Main.do).  <br />2. You should receive a warning that the certificate is not trusted. Select "View Certificate" and then "Install Certificate."<br />3. Close IE and repeat step 1.<br />4. If the web page opens in IE without any warnings, Acrobat should now work.<br />5. If not, you need to correct any problems specified in the warning dialog before Acrobat will connect to APS.<br /><br />NOTE that Acrobat will refuse to connect to Policy Server over SSL if IE shows any warnings when loading the Policy Server web console over SSL.<br /><br />If IE warns that the certificate has expired, you will need to install a new test certificate.  See the JBoss documentation on how to do this using keytool.<br /><br />Hope this helps,<br /><br />-Bill
     
    |
    Mark as:
  • Currently Being Moderated
    Oct 5, 2006 3:26 AM   in reply to Steffen Kuhnt
    I have installed the test certificate and now a third party SSL certtificate. But when i connect on https in the webbrower i see the APS TEST cer. How can i remove it ?
     
    |
    Mark as:
  • Currently Being Moderated
    Oct 16, 2006 6:19 AM   in reply to Steffen Kuhnt
    Hi Michael -

    Did you manage to solve the problem of getting the test SSL certificate still being presented? I've followed all of the instructions as to deploying a new certificate to override the test one that's expired, but I don't seem to be able to get the correct certificate displayed.

    Any chance you could point me in the right direction?

    Many thanks,
    Anil.
     
    |
    Mark as:
  • Currently Being Moderated
    Oct 17, 2006 12:20 AM   in reply to Steffen Kuhnt
    Hi Sharma. I found different guides to install the certificate so I will include the one that worked. If you have done this correctly you only have to edit the server.xml so that the right keystore and ports are being used.<br /><br />Guide from:<br /><br />I recently had to configure a production JBoss 3.2.5/Policy Server with<br />a server certificate from Entrust for SSL.  Here are my notes on that.<br /><br />1) Create a keystore as well as a certificate-key pair using the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -genkey -keystore <keystore_filename><br />-storepass <keystore_password> -keypass <keystore_password> -keyalg RSA<br />-validity 365 -alias <alias_name> -dname<br />"cn=<fully_qualified_DNS_name_of_server>, OU=<department_name>,<br />O=<company_name>, ST=<state_or_province_name>, C=<country_name>"<br /><br />note: the quotes are required.  -storepass and -keypass should be the<br />same.  Make sure you get the fully_qualified_DNS_name_of_server exactly<br />right, if not you'll regret it later.<br /><br />2) Create a Certificate Signing Request (CSR) for the certificate in the<br />certificate-key pair you just created with the following command:<br />$JAVA_HOME\jre\bin\keytool -certreq -keystore<br /><full_path_to_the_keystore_filename> -alias <alias_name> -storepass<br /><keystore_password> -keypass <keystore_password> -keyalg RSA -file<br /><filename_for_the_CSR><br /><br />3) Get the customer's IT person in charge of the customer's SSL<br />certificates to login to their Certificate Authority's website to<br />request the Certificate Authority to sign the new certificate with their<br />own certificate.  Copy-paste the contents of the <filename_for_the_CSR>.<br />It'll look like gobbledygook.  The Certificate Authority can be<br />VeriSign, Entrust, Thawte or any other.<br /><br />4) Get the customer's IT person in charge of the customer's SSL<br />certificates to forward to you the response from the Certificate<br />Authority.  If it is in the body of an e-mail, copy-paste the contents<br />(including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a text<br />file, save as "All Files" with any filename like CA_signed_cert.cer<br /><br />5) Import the CA-signed certificate back into your keystore with the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -import -trustcacerts -keystore<br /><keystore_filename> -storepass <keystore_password> -alias <alias_name><br />-keypass <keystore_password> -file <filename_for_the_CA_signed_cert><br /><br />If you fail to add the -trustcacerts parameter, you will get a "failed<br />to establish chain from reply" error.  This is because the file cacerts<br />in $JAVA_HOME\jre\lib\security\ contains the public certificates of all<br />the popular CAs like VeriSign, Entrust and Thawte.  To determine the<br />contents of the cacerts file (to verify if your CA is listed there), use<br />the following command:<br />$JAVA_HOME\jre\bin\keytool -list -keystore<br />$JAVA_HOME\\jre\lib\security\cacerts -storepass changeit<br />You will get an output like what is attached.<br /><br />6) Copy the keystore file to $JBOSS_HOME\conf\<br /><br />7) Edit server.xml in<br />$JBOSS_HOME\server\all\deploy\jbossweb-tomcat50.sar\ to point the<br />SSL/TLS Connector to the new keystore file like this:<br />keystoreFile="${jboss.server.home.dir}/conf/<keystore_filename>"<br />keystorePass="<keystore_password>"<br /><br />8) re-start JBoss.<br /><br />9) Access it with the URL<br />https://<fully_qualified_DNS_name_of_server>:8443<br /><a href=https://<fully_qualified_dns_name_of_server>:8443/> .  It should work<br />and there should be no warning dialogs.<br /><br />- Jayan<br /><br />Jayan Kandathil<br />Adobe Consulting
     
    |
    Mark as:
  • Currently Being Moderated
    Oct 17, 2006 5:32 AM   in reply to Steffen Kuhnt
    Hi Jayan -

    Thanks for the information - I've managed to install a certificate successfully and all seems fine on that front. Unfortunately this has caused a very strange error in my Document Security server.

    I know this list isn't meant for document security server questions, so if you think you could help please take a look at:

    http://www.adobeforums.com/cgi-bin/webx/.3bc1feb7

    Many thanks in advance for all of your help. I really appreciate it.

    Anil.
     
    |
    Mark as:
  • Currently Being Moderated
    Nov 8, 2006 7:26 AM   in reply to Steffen Kuhnt
    Dear Anil,

    you can delete entries in the keystore with the following command:

    keytool -delete -alias jboss -keypass changeit

    Of course you have to change the alias and the keypass.

    Possibly you have to add the keystore option, e.g.:

    keytool -delete -alias jboss -keypass changeit -keystore C:\jboss\server\all\ssl\.keystore

    To test if the entry is deleted use the -list option, e.g.:
    keytool -list -keystore C:\jboss\server\all\ssl\.keystore

    Michael
     
    |
    Mark as:
  • Currently Being Moderated
    Nov 11, 2006 7:10 AM   in reply to Steffen Kuhnt
    Hi all, just my two cents:

    Enabling SSL for HTTPS on JBoss 3.2.5 by Duane Nickull
    http://www.adobe.com/devnet/livecycle/articles/enabling_ssl_jboss3.2.5 .html
     
    |
    Mark as:
  • Currently Being Moderated
    Nov 21, 2006 8:38 AM   in reply to Steffen Kuhnt
    Form some reason the APS continues to use de apstest keystore. We must find the XML other than server.xml to give to Jboss the right adress of our new keystore...
     
    |
    Mark as:
  • Currently Being Moderated
    Nov 2, 2007 12:32 PM   in reply to Steffen Kuhnt
    Hey, I've got the same problem as Steffen and it didn't work like Bill said. I really don't know what to do anymore. I need it to be fixed soon, if not I think I may go crazy. Please give me some ideas of what should I do. Thanks
     
    |
    Mark as:
  • Currently Being Moderated
    Nov 5, 2007 12:44 AM   in reply to Steffen Kuhnt
    Maybe this link can be of help:

    http://www.adobe.com/devnet/livecycle/articles/enabling_ssl_jboss3.2.5 .html

    With Acrobat 7.0 you can use http or https. Higher versions of Acrobat requires SSL. The link should explain the steps needed to implement another keystore than the default one.

    Regards
    Michael
     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)