To be compliant with the customer’s security rule, I had to configure SSL for a JBoss application server that holds the Documentum Foundation Services (DFS). I used the following procedure:

1. Generate a keystore

Change to a temporary location, e.g. /var/tmp/SSL:

keytool -genkey -dname ", ou=DEV, o=NICE, l=Delemont, s=Switzerland, c=CH" -keyalg "rsa" -validity 730 -alias tomcat -keysize 2048 -keystore dfs.keystore
Enter keystore password:  xxxx
Enter key password for 
        (RETURN if same as keystore password): xxxx


  • always use tomcat for the alias
  • enter a validity value, otherwise it will be 90 days

Warning: Due to Bugzilla issue 38217, the keystore and key passwords have to be the same!

2. Create a Certificate request

keytool -certreq -alias tomcat -file jbossDfs.csr -keystore dfs.keystore
Enter keystore password:  xxxx
Enter key password for xxxx


3. Send the jbossDfs.csr file to the service that will sign the certificate

In our case, the customer has its own CA system and will return the signed certificate plus the trusted chain composed of root.cer and user.cer.

4. Import the certificates

Once all needed certificates are delivered, they can be imported into the keystore. Import the chain certificates before importing the signed certificate.

4.1 Import the root certificate

keytool -import -alias cert1 -file root.cer -keystore dfs.keystore
Enter keystore password:  xxxx
Owner: CN=....
Issuer: CN=....
Serial number: .....
Valid from: Mon Feb 04 09:23:02 CET 2013 until: Wed Feb 04 09:33:01 CET 2037
Certificate fingerprints:
         MD5:  94:40:.....
         SHA1: D0:10:....
Trust this certificate? [no]:  yes
Certificate was added to keystore


4.2 Import the user certificate

keytool -import -alias cert2 -file user.cer -keystore dfs.keystore
Enter keystore password:  xxxx
Certificate was added to keystore


4.3. Import the signed certificate

keytool -import -trustcacerts -alias tomcat -file jbossDfs.cer -keystore dfs.keystore
Enter keystore password:  xxxx
Enter key password for xxxx
Certificate reply was installed in keystore


5. Update server.xml to activate SSL

cd $DOCUMENTUM_SHARED/jboss4.2.0/server/DctmServer_MethodServer/deploy/jboss-web.deployer/

With vi update server.xml:

  • uncomment the SSL definition
  • set SSLEnabled from false to true
  • change the default password “changeit” to the one you used to secure the keystore:
maxThreads="150" scheme="https" secure="true"
keystoreFile="${jboss.server.home.dir}/conf/dfs.keystore" keystorePass="xxxx"
clientAuth="false" sslProtocol="TLS" />


6. Change the server.xml permission

server.xml now holds the keystore password in clear text. If the group or other users can read the file, change the file permission so that only the owner can read and write it:

chmod 600 server.xml


7. Copy the keystore to the correct location



8. Restart the JBoss server

You can check the server.log to see if everything is starting fine.

9. Test it

Perform a test using the URL https//
The JBoss server should now be ready to handle https requests!
Please note that the client part is not covered in this post.
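
A check worth running after step 4.3 and before the restart in step 8, as an added example that is not part of the original procedure: it confirms that the tomcat alias is still a private key entry and that the CA reply replaced the self-signed certificate with the full chain. The function name, the sample keytool output (constructed) and the minimum chain length of 3 are assumptions.

```shell
# Added example (not from the original post): verify the result of step 4.3.
# Usage: keytool -list -v -keystore dfs.keystore | check_chain tomcat 3
# Assumed chain length 3 = signed certificate + user.cer + root.cer.
check_chain() {
    awk -v want="$1" -v min="$2" '
        /^Alias name: /               { alias = substr($0, 13) }
        alias != want                 { next }
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { len = $4 + 0 }
        /^Certificate\[/              { first = ($0 ~ /^Certificate\[1\]/) }
        first && /^Owner: /           { owner = substr($0, 8) }
        first && /^Issuer: /          { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: " want " missing or not a PrivateKeyEntry"; exit 1 }
            if (owner == issuer) { print "FAIL: " want " is still self-signed, CA reply not installed"; exit 1 }
            if (len < min) { print "FAIL: chain length " len ", expected at least " min; exit 1 }
            print "OK: " want " carries a CA-signed chain of " len " certificates"
        }'
}

# Constructed sample output: keystore right after step 1 (self-signed key pair).
sample_after_genkey() {
cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dfs.example.test, OU=DEV
Issuer: CN=dfs.example.test, OU=DEV
EOF
}

# Constructed sample output: keystore after steps 4.1 to 4.3.
sample_after_import() {
cat <<'EOF'
Alias name: cert1
Entry type: trustedCertEntry
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=dfs.example.test, OU=DEV
Issuer: CN=Example User CA
Certificate[2]:
Owner: CN=Example User CA
Issuer: CN=Example Root CA
EOF
}
sample_after_import | check_chain tomcat 3
```

The parser expects keytool's English output; on a host with another default locale, pass -J-Duser.language=en to keytool.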