11 Replies Latest reply on Nov 5, 2007 12:44 AM by (Michael_Sletvold)

    Acrobat 7.0.5 + APS + SSL

    Steffen Kuhnt
      Hello everyone,

      just one question: Has anyone ever managed to connect to APS using Acrobat 7.0.5+ using the automatic APS installation on JBoss?

      I have tried just about everything that came to mind but simply cannot get it to work. Everything runs well if I use Acrobat 7.0 using HTTP.

      Any ideas?

      Thank you VERY much,

        • 1. Re: Acrobat 7.0.5 + APS + SSL
          Level 1
          Hi Steffen,<br /><br />The JBoss auto-install ships with a test SSL certificate, which I believe has expired.  <br /><br />Try the following on the client machine that Acrobat is installed on:<br /><br />1. In Internet Explorer (IE), navigate to the Policy Server web console (https://<yourhost>:<yourport>/edc/Main.do).  <br />2. You should receive a warning that the certificate is not trusted. Select "View Certificate" and then "Install Certificate."<br />3. Close IE and repeat step 1.<br />4. If the web page opens in IE without any warnings, Acrobat should now work.<br />5. If not, you need to correct any problems specified in the warning dialog before Acrobat will connect to APS.<br /><br />NOTE that Acrobat will refuse to connect to Policy Server over SSL if IE shows any warnings when loading the Policy Server web console over SSL.<br /><br />If IE warns that the certificate has expired, you will need to install a new test certificate.  See the JBoss documentation on how to do this using keytool.<br /><br />Hope this helps,<br /><br />-Bill
          • 2. Re: Acrobat 7.0.5 + APS + SSL
            Steffen Kuhnt Level 1
            Thank you for your help, Bill. I think that I will be able to figure out something based on that!

            Thank you,

            • 3. Re: Acrobat 7.0.5 + APS + SSL
              I have installed the test certificate and now a third party SSL certtificate. But when i connect on https in the webbrower i see the APS TEST cer. How can i remove it ?
              • 4. Re: Acrobat 7.0.5 + APS + SSL
                Hi Michael -

                Did you manage to solve the problem of getting the test SSL certificate still being presented? I've followed all of the instructions as to deploying a new certificate to override the test one that's expired, but I don't seem to be able to get the correct certificate displayed.

                Any chance you could point me in the right direction?

                Many thanks,
                • 5. Re: Acrobat 7.0.5 + APS + SSL
                  Level 1
                  Hi Sharma. I found different guides to install the certificate so I will include the one that worked. If you have done this correctly you only have to edit the server.xml so that the right keystore and ports are being used.<br /><br />Guide from:<br /><br />I recently had to configure a production JBoss 3.2.5/Policy Server with<br />a server certificate from Entrust for SSL.  Here are my notes on that.<br /><br />1) Create a keystore as well as a certificate-key pair using the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -genkey -keystore <keystore_filename><br />-storepass <keystore_password> -keypass <keystore_password> -keyalg RSA<br />-validity 365 -alias <alias_name> -dname<br />"cn=<fully_qualified_DNS_name_of_server>, OU=<department_name>,<br />O=<company_name>, ST=<state_or_province_name>, C=<country_name>"<br /><br />note: the quotes are required.  -storepass and -keypass should be the<br />same.  Make sure you get the fully_qualified_DNS_name_of_server exactly<br />right, if not you'll regret it later.<br /><br />2) Create a Certificate Signing Request (CSR) for the certificate in the<br />certificate-key pair you just created with the following command:<br />$JAVA_HOME\jre\bin\keytool -certreq -keystore<br /><full_path_to_the_keystore_filename> -alias <alias_name> -storepass<br /><keystore_password> -keypass <keystore_password> -keyalg RSA -file<br /><filename_for_the_CSR><br /><br />3) Get the customer's IT person in charge of the customer's SSL<br />certificates to login to their Certificate Authority's website to<br />request the Certificate Authority to sign the new certificate with their<br />own certificate.  Copy-paste the contents of the <filename_for_the_CSR>.<br />It'll look like gobbledygook.  The Certificate Authority can be<br />VeriSign, Entrust, Thawte or any other.<br /><br />4) Get the customer's IT person in charge of the customer's SSL<br />certificates to forward to you the response from the Certificate<br />Authority.  If it is in the body of an e-mail, copy-paste the contents<br />(including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a text<br />file, save as "All Files" with any filename like CA_signed_cert.cer<br /><br />5) Import the CA-signed certificate back into your keystore with the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -import -trustcacerts -keystore<br /><keystore_filename> -storepass <keystore_password> -alias <alias_name><br />-keypass <keystore_password> -file <filename_for_the_CA_signed_cert><br /><br />If you fail to add the -trustcacerts parameter, you will get a "failed<br />to establish chain from reply" error.  This is because the file cacerts<br />in $JAVA_HOME\jre\lib\security\ contains the public certificates of all<br />the popular CAs like VeriSign, Entrust and Thawte.  To determine the<br />contents of the cacerts file (to verify if your CA is listed there), use<br />the following command:<br />$JAVA_HOME\jre\bin\keytool -list -keystore<br />$JAVA_HOME\\jre\lib\security\cacerts -storepass changeit<br />You will get an output like what is attached.<br /><br />6) Copy the keystore file to $JBOSS_HOME\conf\<br /><br />7) Edit server.xml in<br />$JBOSS_HOME\server\all\deploy\jbossweb-tomcat50.sar\ to point the<br />SSL/TLS Connector to the new keystore file like this:<br />keystoreFile="${jboss.server.home.dir}/conf/<keystore_filename>"<br />keystorePass="<keystore_password>"<br /><br />8) re-start JBoss.<br /><br />9) Access it with the URL<br />https://<fully_qualified_DNS_name_of_server>:8443<br /><a href=https://<fully_qualified_dns_name_of_server>:8443/> .  It should work<br />and there should be no warning dialogs.<br /><br />- Jayan<br /><br />Jayan Kandathil<br />Adobe Consulting
                  • 6. Re: Acrobat 7.0.5 + APS + SSL
                    Level 1
                    Hi Jayan -

                    Thanks for the information - I've managed to install a certificate successfully and all seems fine on that front. Unfortunately this has caused a very strange error in my Document Security server.

                    I know this list isn't meant for document security server questions, so if you think you could help please take a look at:


                    Many thanks in advance for all of your help. I really appreciate it.

                    • 7. Re: Acrobat 7.0.5 + APS + SSL
                      MichaelDeiss Level 1
                      Dear Anil,

                      you can delete entries in the keystore with the following command:

                      keytool -delete -alias jboss -keypass changeit

                      Of course you have to change the alias and the keypass.

                      Possibly you have to add the keystore option, e.g.:

                      keytool -delete -alias jboss -keypass changeit -keystore C:\jboss\server\all\ssl\.keystore

                      To test if the entry is deleted use the -list option, e.g.:
                      keytool -list -keystore C:\jboss\server\all\ssl\.keystore

                      • 8. Re: Acrobat 7.0.5 + APS + SSL
                        Level 1
                        Hi all, just my two cents:

                        Enabling SSL for HTTPS on JBoss 3.2.5 by Duane Nickull
                        • 9. Re: Acrobat 7.0.5 + APS + SSL
                          Level 1
                          Form some reason the APS continues to use de apstest keystore. We must find the XML other than server.xml to give to Jboss the right adress of our new keystore...
                          • 10. Re: Acrobat 7.0.5 + APS + SSL
                            Hey, I've got the same problem as Steffen and it didn't work like Bill said. I really don't know what to do anymore. I need it to be fixed soon, if not I think I may go crazy. Please give me some ideas of what should I do. Thanks
                            • 11. Re: Acrobat 7.0.5 + APS + SSL
                              Level 1
                              Maybe this link can be of help:


                              With Acrobat 7.0 you can use http or https. Higher versions of Acrobat requires SSL. The link should explain the steps needed to implement another keystore than the default one.