-
1. Re: Setting up https connector, is it the same as AS7?
lafr Jun 20, 2013 3:14 AM (in response to pgarner)
Undertow is the new web-server component in WildFly replacing jboss-web.
jboss-web is still available, so you could go back to jboss-web by replacing the undertow subsystem with the old jboss-web subsystem in your standalone.xml file.
There is also a sample config file named standalone-jbossweb.xml.
But this might work only for a limited time.
To use undertow:
Under /server/management/security-realms add a security-realm like
{code:xml}
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="xxx" alias="mycert" key-password="xxx" />
        </ssl>
    </server-identities>
</security-realm>
{code}
Then you can declare the https-listener
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />
in addition to the existing http-listener.
-
2. Re: Setting up https connector, is it the same as AS7?
pgarner Jun 20, 2013 9:37 AM (in response to lafr)
Hmm, the security realm configuration you posted has one file (server.keystore) and two passwords (keystore-password and key-password), whereas the one I'm familiar with uses two files (newkey.pem and newcert.pem) and one password.
When I set up SSL in my development environment using AS7 a year or so ago I recall following the quickstart how-to at https://docs.jboss.org/jbossweb/latest/ssl-howto.html.
Looking at the project documentation for Wildfly 8 under Quickstarts at https://docs.jboss.org/author/display/WFLY8/Contributing+a+Quickstart and on Github https://github.com/jboss-jdf/jboss-as-quickstart/ I'm having difficulty finding the new SSL configuration how-to. Can you elaborate a bit on how to set up the keystore, or provide a link to the how-to documentation?
-
3. Re: Setting up https connector, is it the same as AS7?
lafr Jun 20, 2013 12:46 PM (in response to pgarner)
I know that we're using
$JAVA_HOME/jre/bin/keytool -genkey -alias mycert -keyalg RSA -sigalg MD5withRSA -keystore $KEYSTOREFILE -storepass $KEYSTOREPASS -dname "cn=$MACHINE" -keypass $KEYSTOREPASS -validity 9999
to create just this one file. It's not an officially certified file.
That worked with all JBoss releases, 4.2, 6.x, 7.x, 8.0.
Documentation about Undertow is a big dilemma; very little is available.
I know I mostly used the XML schema documents
docs/schema/jboss-as-config_2_0.xsd
docs/schema/wildfly-undertow_1_0.xsd
to find out how to.
-
4. Re: Setting up https connector, is it the same as AS7?
christian.beikov Aug 15, 2013 11:24 AM (in response to pgarner)
I am using the keystore from my AS7 version like this:
First I added the following security-realm:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="../standalone/configuration/localhost.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" />
        </ssl>
    </server-identities>
</security-realm>
Then I added the following to the undertow subsystem under the element server:
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
This actually works for me and I only need one password for the keystore.
-
5. Re: Setting up https connector, is it the same as AS7?
christiaan Aug 8, 2014 10:27 AM (in response to pgarner)
Patrick Garner wrote:
Hmm, the security realm configuration you posted has one file (server.keystore) and two passwords (keystore-password and key-password), whereas the one I'm familiar with uses two files (newkey.pem and newcert.pem) and one password.
...
Did you (or anyone else) find a solution for PEM certificates?
-
6. Re: Setting up https connector, is it the same as AS7?
ctomc Aug 8, 2014 1:05 PM (in response to christiaan)
Christiaan Ypma wrote:
Did you (or anyone else) find a solution for PEM certificates?
Just convert the cert to a JKS or P12 keystore.
http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store
http://serverfault.com/questions/483465/import-of-pem-certificate-chain-and-key-to-java-keystore
I would recommend http://keystore-explorer.sourceforge.net/ for easier importing/conversion.
-
7. Re: Setting up https connector, is it the same as AS7?
yazdania Aug 29, 2014 6:09 PM (in response to christian.beikov)
I have tried to set up SSL like you did.
Wildfly comes up with no error, saying that it has SSL on port 8443, which is great.
But when I try to connect to that from a browser I get SSL errors:
on Firefox: ssl_error_internal_error_alert
on Chrome: ERR_SSL_PROTOCOL_ERROR
Am I missing something here?
-
8. Re: Re: Setting up https connector, is it the same as AS7?
christian.beikov Aug 30, 2014 5:24 AM (in response to yazdania)
Sorry, but I don't think that I can help you with that. Also, I changed the security realm to
<security-realm name="ssl-realm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="server" key-password="secret"/>
        </ssl>
    </server-identities>
</security-realm>
and I recreated my keystore. I am not sure if I had the same problem before. If WildFly can't read the keystore it still starts up, so maybe that's the problem.
-
9. Re: Re: Re: Setting up https connector, is it the same as AS7?
yazdania Sep 2, 2014 2:20 PM (in response to christian.beikov)
Thanks Christian,
I've created a new key, and a new keystore via
keytool -genkey -v -keyalg RSA -keysize 4096 -validity 3650 -alias 'key' -dname 'CN=*.mydomain.com, ...' -keypass 'keypass' -storepass 'storepass' -keystore store.keystore
Well, this is exactly my configuration:
<security-realm name="SSLRealm">
    <server-identities>
        <ssl>
            <keystore path="store.keystore" relative-to="jboss.server.config.dir" alias="key" keystore-password="storepass" key-password="keypass"/>
        </ssl>
    </server-identities>
</security-realm>
and for undertow -> default-server
<https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
JBoss starts with no error. I get this line:
[org.wildfly.extension.undertow] (MSC service thread 1-9) JBAS017519: Undertow HTTPS listener default-https listening on localhost/127.0.0.1:8443
But when I go to https://localhost:8443 I get the errors:
On Firefox:
(Error code: ssl_error_internal_error_alert)
On Chrome:
Error code: ERR_SSL_PROTOCOL_ERROR
On Safari:
Browser can't establish secure connection.
Any help is much appreciated.
-
10. Re: Re: Re: Setting up https connector, is it the same as AS7?
shinzo May 7, 2015 4:25 PM (in response to yazdania)
Hello Amin,
I have spent days getting SSL working in WildFly 8.1 and 8.2. Like you, I always got the errors "ssl_error_internal_error_alert" in Firefox and "ERR_SSL_PROTOCOL_ERROR" in Google Chrome.
I configured everything like you did.
<security-realm name="SSLRealm">
    <server-identities>
        <ssl>
            <keystore path="my.keystore" relative-to="jboss.server.config.dir" keystore-password="Kennwort123" alias="cert" key-password="geheim" />
        </ssl>
    </server-identities>
</security-realm>
<server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
However, when I changed the name of the realm from "SSLRealm" to "UndertowRealm" (security-realm & https-listener) it finally worked correctly in Firefox and Chrome.
It seems that this is a bug in WildFly 8.1 and 8.2 and the realm name is somehow hardcoded into the source code of the server and not documented.
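A consistency check for the realm/listener wiring the whole thread revolves around (posts 1, 4 and 7 to 10), added here as an example; it is not code from the thread or from WildFly. The standalone.xml excerpt it parses is constructed, with namespaces mimicking WildFly 8; the element and attribute names follow the snippets posted above.

```python
"""Cross-check the Undertow HTTPS wiring in a WildFly standalone.xml (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed standalone.xml excerpt reproducing the mismatch seen in the thread:
# the https-listener asks for "SSLRealm", but only "UndertowRealm" carries a keystore identity.
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:2.0">
  <management><security-realms>
    <security-realm name="UndertowRealm">
      <server-identities><ssl>
        <keystore path="server.keystore" relative-to="jboss.server.config.dir"
                  keystore-password="xxx" alias="mycert" key-password="xxx"/>
      </ssl></server-identities>
    </security-realm>
    <security-realm name="SSLRealm"/>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:1.0">
    <server name="default-server">
      <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
    </server>
  </subsystem></profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="https" port="8443"/>
  </socket-binding-group>
</server>"""


def check_https_listeners(config_xml):
    """Return a list of findings; an empty list means every https-listener is consistently wired."""
    root = ET.fromstring(config_xml)
    # "{*}" matches any namespace (Python 3.8+), so the check survives schema version bumps.
    realms = {r.get("name"): r for r in root.iterfind(".//{*}security-realm")}
    bindings = {b.get("name") for b in root.iterfind(".//{*}socket-binding")}
    findings = []
    for lst in root.iterfind(".//{*}https-listener"):
        name, realm_name, binding = lst.get("name"), lst.get("security-realm"), lst.get("socket-binding")
        if binding not in bindings:
            findings.append(f"{name}: socket-binding {binding!r} is not defined")
        realm = realms.get(realm_name)
        if realm is None:
            findings.append(f"{name}: security-realm {realm_name!r} is not declared")
            continue
        # The realm must carry the server-identities/ssl/keystore element shown in the posts above.
        keystore = realm.find("{*}server-identities/{*}ssl/{*}keystore")
        if keystore is None:
            findings.append(f"{name}: realm {realm_name!r} has no <ssl><keystore> identity")
        elif keystore.get("alias") and not keystore.get("key-password"):
            findings.append(f"{name}: realm {realm_name!r} sets alias without key-password")
    return findings
```

Run it against a real standalone.xml before restarting the server: WildFly logs the listener as up even when this wiring is off, so the config check catches what the startup log does not.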