11 Replies Latest reply on Nov 5, 2007 12:44 AM by (Michael_Sletvold)

    Acrobat 7.0.5 + APS + SSL

    Steffen Kuhnt
      Hello everyone,

      just one question: Has anyone ever managed to connect to APS using Acrobat 7.0.5+ using the automatic APS installation on JBoss?

      I have tried just about everything that came to mind but simply cannot get it to work. Everything runs well if I use Acrobat 7.0 using HTTP.

      Any ideas?

      Thank you VERY much,

        • 1. Re: Acrobat 7.0.5 + APS + SSL
          Hi Steffen,<br /><br />The JBoss auto-install ships with a test SSL certificate, which I believe has expired.  <br /><br />Try the following on the client machine that Acrobat is installed on:<br /><br />1. In Internet Explorer (IE), navigate to the Policy Server web console (https://<yourhost>:<yourport>/edc/Main.do).  <br />2. You should receive a warning that the certificate is not trusted. Select "View Certificate" and then "Install Certificate."<br />3. Close IE and repeat step 1.<br />4. If the web page opens in IE without any warnings, Acrobat should now work.<br />5. If not, you need to correct any problems specified in the warning dialog before Acrobat will connect to APS.<br /><br />NOTE that Acrobat will refuse to connect to Policy Server over SSL if IE shows any warnings when loading the Policy Server web console over SSL.<br /><br />If IE warns that the certificate has expired, you will need to install a new test certificate.  See the JBoss documentation on how to do this using keytool.<br /><br />Hope this helps,<br /><br />-Bill
          • 2. Re: Acrobat 7.0.5 + APS + SSL
            Steffen Kuhnt Level 1
            Thank you for your help, Bill. I think that I will be able to figure out something based on that!

            Thank you,

            • 3. Re: Acrobat 7.0.5 + APS + SSL
              I have installed the test certificate and now a third party SSL certtificate. But when i connect on https in the webbrower i see the APS TEST cer. How can i remove it ?
              • 4. Re: Acrobat 7.0.5 + APS + SSL
                Level 1
                Hi Michael -

                Did you manage to solve the problem of getting the test SSL certificate still being presented? I've followed all of the instructions as to deploying a new certificate to override the test one that's expired, but I don't seem to be able to get the correct certificate displayed.

                Any chance you could point me in the right direction?

                Many thanks,
                • 5. Re: Acrobat 7.0.5 + APS + SSL
                  Level 1
                  Hi Sharma. I found different guides to install the certificate so I will include the one that worked. If you have done this correctly you only have to edit the server.xml so that the right keystore and ports are being used.<br /><br />Guide from:<br /><br />I recently had to configure a production JBoss 3.2.5/Policy Server with<br />a server certificate from Entrust for SSL.  Here are my notes on that.<br /><br />1) Create a keystore as well as a certificate-key pair using the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -genkey -keystore <keystore_filename><br />-storepass <keystore_password> -keypass <keystore_password> -keyalg RSA<br />-validity 365 -alias <alias_name> -dname<br />"cn=<fully_qualified_DNS_name_of_server>, OU=<department_name>,<br />O=<company_name>, ST=<state_or_province_name>, C=<country_name>"<br /><br />note: the quotes are required.  -storepass and -keypass should be the<br />same.  Make sure you get the fully_qualified_DNS_name_of_server exactly<br />right, if not you'll regret it later.<br /><br />2) Create a Certificate Signing Request (CSR) for the certificate in the<br />certificate-key pair you just created with the following command:<br />$JAVA_HOME\jre\bin\keytool -certreq -keystore<br /><full_path_to_the_keystore_filename> -alias <alias_name> -storepass<br /><keystore_password> -keypass <keystore_password> -keyalg RSA -file<br /><filename_for_the_CSR><br /><br />3) Get the customer's IT person in charge of the customer's SSL<br />certificates to login to their Certificate Authority's website to<br />request the Certificate Authority to sign the new certificate with their<br />own certificate.  Copy-paste the contents of the <filename_for_the_CSR>.<br />It'll look like gobbledygook.  The Certificate Authority can be<br />VeriSign, Entrust, Thawte or any other.<br /><br />4) Get the customer's IT person in charge of the customer's SSL<br />certificates to forward to you the response from the Certificate<br />Authority.  If it is in the body of an e-mail, copy-paste the contents<br />(including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a text<br />file, save as "All Files" with any filename like CA_signed_cert.cer<br /><br />5) Import the CA-signed certificate back into your keystore with the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -import -trustcacerts -keystore<br /><keystore_filename> -storepass <keystore_password> -alias <alias_name><br />-keypass <keystore_password> -file <filename_for_the_CA_signed_cert><br /><br />If you fail to add the -trustcacerts parameter, you will get a "failed<br />to establish chain from reply" error.  This is because the file cacerts<br />in $JAVA_HOME\jre\lib\security\ contains the public certificates of all<br />the popular CAs like VeriSign, Entrust and Thawte.  To determine the<br />contents of the cacerts file (to verify if your CA is listed there), use<br />the following command:<br />$JAVA_HOME\jre\bin\keytool -list -keystore<br />$JAVA_HOME\\jre\lib\security\cacerts -storepass changeit<br />You will get an output like what is attached.<br /><br />6) Copy the keystore file to $JBOSS_HOME\conf\<br /><br />7) Edit server.xml in<br />$JBOSS_HOME\server\all\deploy\jbossweb-tomcat50.sar\ to point the<br />SSL/TLS Connector to the new keystore file like this:<br />keystoreFile="${jboss.server.home.dir}/conf/<keystore_filename>"<br />keystorePass="<keystore_password>"<br /><br />8) re-start JBoss.<br /><br />9) Access it with the URL<br />https://<fully_qualified_DNS_name_of_server>:8443<br /><a href=https://<fully_qualified_dns_name_of_server>:8443/> .  It should work<br />and there should be no warning dialogs.<br /><br />- Jayan<br /><br />Jayan Kandathil<br />Adobe Consulting
                  • 6. Re: Acrobat 7.0.5 + APS + SSL
                    Level 1
                    Hi Jayan -

                    Thanks for the information - I've managed to install a certificate successfully and all seems fine on that front. Unfortunately this has caused a very strange error in my Document Security server.

                    I know this list isn't meant for document security server questions, so if you think you could help please take a look at:


                    Many thanks in advance for all of your help. I really appreciate it.

                    • 7. Re: Acrobat 7.0.5 + APS + SSL
                      MichaelDeiss Level 1
                      Dear Anil,

                      you can delete entries in the keystore with the following command:

                      keytool -delete -alias jboss -keypass changeit

                      Of course you have to change the alias and the keypass.

                      Possibly you have to add the keystore option, e.g.:

                      keytool -delete -alias jboss -keypass changeit -keystore C:\jboss\server\all\ssl\.keystore

                      To test if the entry is deleted use the -list option, e.g.:
                      keytool -list -keystore C:\jboss\server\all\ssl\.keystore

                      • 8. Re: Acrobat 7.0.5 + APS + SSL
                        Level 1
                        Hi all, just my two cents:

                        Enabling SSL for HTTPS on JBoss 3.2.5 by Duane Nickull
                        • 9. Re: Acrobat 7.0.5 + APS + SSL
                          Form some reason the APS continues to use de apstest keystore. We must find the XML other than server.xml to give to Jboss the right adress of our new keystore...
                          • 10. Re: Acrobat 7.0.5 + APS + SSL
                            Hey, I've got the same problem as Steffen and it didn't work like Bill said. I really don't know what to do anymore. I need it to be fixed soon, if not I think I may go crazy. Please give me some ideas of what should I do. Thanks
                            • 11. Re: Acrobat 7.0.5 + APS + SSL
                              Level 1
                              Maybe this link can be of help:


                              With Acrobat 7.0 you can use http or https. Higher versions of Acrobat requires SSL. The link should explain the steps needed to implement another keystore than the default one.