Create server key stores for ManagementRealm and ApplicationRealm.
For key store creation you can use keytool or openssl. I used keytool to create two key stores: one for ManagementRealm and one for ApplicationRealm. You can create the key as below.
$keytool -genkey -keystore application.keystore -alias server -keyalg RSA -storetype pkcs12 -keysize 2048 -validity 36500 -storepass 'password' -keypass 'password' -dname "CN=wildfly.itstikk.pro, o=itstikk, c=LA"
After creating the key store for ApplicationRealm, you need to restrict its file permissions.
$chmod 600 application.keystore
In the same way, create the key store for ManagementRealm.
$keytool -genkey -keystore server.keystore -alias server -keyalg RSA -storetype pkcs12 -keysize 2048 -validity 36500 -storepass 'password' -keypass 'password' -dname "CN=wildfly.itstikk.pro, o=itstikk, c=LA"
Then change the permissions:
$chmod 600 server.keystore
Copy server.keystore and application.keystore to $JBOSS_HOME/standalone/configuration:
$cp server.keystore application.keystore $JBOSS_HOME/standalone/configuration
Set up SSL and HTTPS for WildFly
Next is to set up SSL and HTTPS for your WildFly application. You need to edit the standalone.xml file.
$cd $JBOSS_HOME/standalone/configuration/
$vi standalone.xml
Edit as below. For ManagementRealm:
<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
Next, edit ApplicationRealm as below.
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
</security-realm>
<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>
Redirect HTTP to HTTPS
To redirect, just edit standalone.xml as below. First, add the filter:
<filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    <rewrite name="http-to-https" target="https://wildfly.itstikk.pro:8443%U" redirect="true"/>
</filters>
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
    </host>
</server>
The rest is only restarting the server:
$cd $JBOSS_HOME/bin/
$bash standalone.sh
Last but not least, you need to open the firewall for your HTTPS ports (8443 and 9993).
Please refer to my configuration file here.
Create Client Certificate.
In some cases we need a client certificate to access the application and establish the connection over HTTPS. We need to create a new server certificate and a client certificate. This way, only a client that holds the client certificate is able to access the application. To configure TLS and client certificate authentication on WildFly, first you need to create a server key store (app.keystore) and a client key store (client.keystore).
Next, export the certificate from both the server key store (app.cer) and the client key store (client.cer). After you export the server certificate and the client certificate, you need to import the client certificate into the server key store and the server certificate into the client key store. After importing the certificates into the key stores, you keep the server key store on the server and the client key store on the client side (Firefox, Chrome, IE, etc.). Here are the steps.
Create Key Store for Server and Client
Create server key store
$keytool -genkey -alias app -keyalg RSA -storetype pkcs12 -keysize 2048 -validity 36500 -storepass 'password' -keypass 'password' -dname "CN=wildfly.itstikk.pro, o=itstikk, c=LA" -keystore app.keystore
Create client key store
$keytool -genkey -alias client -keyalg RSA -storetype pkcs12 -keysize 2048 -validity 36500 -storepass 'password' -keypass 'password' -dname "CN=wildfly.itstikk.pro, o=itstikk, c=LA" -keystore client.keystore
Now you have a server key store (app.keystore) and a client key store (client.keystore):
$ ls -l
-rw-rw-r-- 1 wildfly wildfly 3377 Jan 27 00:47 app.keystore
-rw-rw-r-- 1 wildfly wildfly 3391 Jan 27 00:47 client.keystore
Next is to export the server and client certificates. First, the client certificate:
$keytool -exportcert -alias client -storetype pkcs12 -file client.cer -keystore client.keystore -storepass 'password'
Second, the server certificate (exported from app.keystore under the alias app, the key store created above):
$keytool -exportcert -alias app -storetype pkcs12 -file app.cer -keystore app.keystore -storepass 'password'
You get the certificates as below.
$ls -la
-rw-rw-r-- 1 wildfly wildfly 799 Jan 28 00:23 app.cer
-rw-rw-r-- 1 wildfly wildfly 799 Jan 28 00:23 client.cer
Next is to import the certificates into the key stores. First, import the client certificate (or certificates, in case you have many clients); you can import many clients' certificates into the server key store.
$keytool -importcert -keystore app.keystore -alias client -file client.cer -storepass 'password' -noprompt
Next, import the server certificate into the client key store:
$keytool -importcert -keystore client.keystore -alias server -file app.cer -storepass 'password' -noprompt
You can check the imported certificates in the key stores with the following commands.
$keytool -list -keystore app.keystore -storepass 'password'
$keytool -list -keystore client.keystore -storepass 'password'
To keep the server key store in WildFly, you need to copy your keys to $JBOSS_HOME/standalone/configuration:
$chmod 600 app.keystore client.keystore
$mv app.keystore client.keystore $JBOSS_HOME/standalone/configuration/
Next is to edit standalone.xml:
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="app.keystore" relative-to="jboss.server.config.dir" keystore-password="password" key-password="password" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="app.keystore" relative-to="jboss.server.config.dir" keystore-password="password"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
</security-realms>
And add:
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" verify-client="REQUIRED" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
    </host>
</server>
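As an added example (not part of the original post and not a WildFly API), a small Python checker that parses standalone.xml fragments like the ones in this post, both the plain HTTPS/redirect setup and the client-certificate setup, and reports whether the server keystore, the HTTP-to-HTTPS redirect, verify-client="REQUIRED" and the truststore are all in place. sample_config builds constructed fragments in the shape of this post's snippets; audit is my own helper.

```python
import xml.etree.ElementTree as ET

def sample_config(mutual_tls: bool, redirect: bool) -> str:
    """Constructed standalone.xml fragment mirroring this post's snippets
    (assumed shape for illustration; not a real server file)."""
    verify = ' verify-client="REQUIRED"' if mutual_tls else ""
    trust = ('<truststore path="app.keystore" relative-to="jboss.server.config.dir" '
             'keystore-password="password"/>' if mutual_tls else "")
    redir = ' redirect-socket="https"' if redirect else ""
    rewrite = ('<filter-ref name="http-to-https" predicate="equals(%p,8080)"/>'
               if redirect else "")
    return f"""<root>
<security-realm name="ApplicationRealm">
  <server-identities><ssl><keystore path="app.keystore"
     relative-to="jboss.server.config.dir" keystore-password="password"
     key-password="password"/></ssl></server-identities>
  <authentication>{trust}<properties path="application-users.properties"/></authentication>
</security-realm>
<server name="default-server">
  <http-listener name="default" socket-binding="http"{redir}/>
  <https-listener name="https" socket-binding="https"
     security-realm="ApplicationRealm"{verify}/>
  <host name="default-host" alias="localhost">{rewrite}</host>
</server></root>"""

def audit(xml_text: str) -> dict:
    """Report which TLS settings from the post are present in the fragment."""
    root = ET.fromstring(xml_text)
    https = root.find(".//https-listener")
    http = root.find(".//http-listener")
    # The realm named by the HTTPS listener must hold the server keystore and,
    # for client-certificate authentication, a truststore as well.
    realm_name = https.get("security-realm") if https is not None else None
    realm = root.find(f".//security-realm[@name='{realm_name}']") if realm_name else None
    keystore = realm.find("server-identities/ssl/keystore") if realm is not None else None
    truststore = realm.find("authentication/truststore") if realm is not None else None
    # The HTTP -> HTTPS redirect needs both redirect-socket and the rewrite filter-ref.
    redirected = (http is not None and http.get("redirect-socket") == "https"
                  and root.find(".//host/filter-ref[@name='http-to-https']") is not None)
    required = https is not None and https.get("verify-client") == "REQUIRED"
    return {
        "https_listener": https is not None,
        "realm_has_keystore": keystore is not None,
        "http_redirects_to_https": redirected,
        "client_cert_required": required,
        "truststore_configured": truststore is not None,
        # REQUIRED without a truststore cannot validate anything; a truststore
        # without REQUIRED leaves the client certificate optional.
        "mutual_tls_complete": required and truststore is not None,
    }
```

Run audit(sample_config(True, True)) against the hardened shape and audit(sample_config(False, False)) against the plain one to see which findings flip.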
Keep the client key store (client.keystore) on the client side by importing it into Firefox's certificate store.
You can refer to my configuration here.