10 Replies Latest reply on May 7, 2015 4:25 PM by shinzo

    Setting up https connector, is it the same as AS7?

    pgarner

      Taking a quick look at standalone.xml, I notice that <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host"> has been removed, which is where I configured the https connector in my development environment.  It seems that it may have been replaced by <subsystem xmlns="urn:jboss:domain:undertow:1.0">.  Where do I put the connector entry?  Should I copy <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host"> over or should the connector entry go inside of the undertow node?

       

      This is what I had before:

          <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host">
              <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
              <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                  <ssl password="changeit" certificate-key-file="F:\jboss-as-7.2.0.Alpha1-SNAPSHOT\standalone\configuration\newkey.pem" certificate-file="F:\jboss-as-7.2.0.Alpha1-SNAPSHOT\standalone\configuration\newcert.pem"/>
              </connector>
              <virtual-server name="default-host" enable-welcome-root="true">
                  <alias name="localhost"/>
                  <alias name="example.com"/>
              </virtual-server>
          </subsystem>

      This is what I'm seeing now:


          <subsystem xmlns="urn:jboss:domain:undertow:1.0">
              <buffer-caches>
                  <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10"/>
              </buffer-caches>
              <server name="default-server">
                  <http-listener name="default" socket-binding="http"/>
                  <host name="default-host" alias="localhost">
                      <location name="/" handler="welcome-content"/>
                  </host>
              </server>
              <servlet-container name="default">
                  <jsp-config/>
              </servlet-container>
              <handlers>
                  <file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
              </handlers>
          </subsystem>
        • 1. Re: Setting up https connector, is it the same as AS7?
          lafr

          Undertow is the new web-server component in WildFly replacing jboss-web.

          jboss-web is still available, so you could go back to jboss-web by replacing the undertow subsystem with the old jboss-web subsystem in your standalone.xml file.

          There is also a sample config file named standalone-jbossweb.xml.

          But this might work only for a limited time.


          To use undertow:

          Under /server/management/security-realms add a security-realm like

              <security-realm name="UndertowRealm">
                  <server-identities>
                      <ssl>
                          <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="xxx" alias="mycert" key-password="xxx" />
                      </ssl>
                  </server-identities>
              </security-realm>

          Then you can declare the https-listener

              <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />

          in addition to the existing http-listener.

          1 of 1 people found this helpful
          • 2. Re: Setting up https connector, is it the same as AS7?
            pgarner

            Hmm, the security realm configuration you posted has one file (server.keystore) and two passwords (keystore-password and key-password), whereas the one I'm familiar with uses two files (newkey.pem and newcert.pem) and one password.

            When I set up SSL in my development environment using AS7 a year or so ago I recall following the quickstart how-to at https://docs.jboss.org/jbossweb/latest/ssl-howto.html.

            Looking at the project documentation for WildFly 8 under Quickstarts at https://docs.jboss.org/author/display/WFLY8/Contributing+a+Quickstart and on GitHub https://github.com/jboss-jdf/jboss-as-quickstart/ I'm having difficulty finding the new SSL configuration how-to. Can you elaborate a bit on how to set up the keystore, or provide a link to the how-to documentation?

            • 3. Re: Setting up https connector, is it the same as AS7?
              lafr

              I know that we're using

                  $JAVA_HOME/jre/bin/keytool -genkey -alias mycert -keyalg RSA -sigalg MD5withRSA -keystore $KEYSTOREFILE -storepass $KEYSTOREPASS -dname "cn=$MACHINE" -keypass $KEYSTOREPASS -validity 9999

              to create just this one file. It's not an officially certified file.

              That worked with all JBoss releases, 4.2, 6.x, 7.x, 8.0.

              Documentation about undertow is a big dilemma, very little is available.

              I know I mostly used the XML schema documents

                  docs/schema/jboss-as-config_2_0.xsd
                  docs/schema/wildfly-undertow_1_0.xsd

              to find out how to.

              1 of 1 people found this helpful
              • 4. Re: Setting up https connector, is it the same as AS7?
                christian.beikov

                I am using the keystore from my AS7 version like this:

                First I added the following security-realm:

                    <security-realm name="UndertowRealm">
                        <server-identities>
                            <ssl>
                                <keystore path="../standalone/configuration/localhost.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" />
                            </ssl>
                        </server-identities>
                    </security-realm>

                Then I added the following to the undertow subsystem under the element server:

                    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>

                This actually works for me and I only need one password for the keystore.

                • 5. Re: Setting up https connector, is it the same as AS7?
                  christiaan

                  Patrick Garner wrote:

                  Hmm, the security realm configuration you posted has one file (server.keystore) and two passwords (keystore-password and key-password), whereas the one I'm familiar with uses two files (newkey.pem and newcert.pem) and one password.

                  ...

                  Did you (or anyone else) find a solution for pem certificates?

                  • 6. Re: Setting up https connector, is it the same as AS7?
                    ctomc

                    Christiaan Ypma wrote:

                    Did you (or anyone else) find a solution for pem certificates?

                    Just convert the cert to a jks or p12 cert.

                    http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store

                    http://serverfault.com/questions/483465/import-of-pem-certificate-chain-and-key-to-java-keystore

                    I would recommend http://keystore-explorer.sourceforge.net/ for easier importing / conversion.

                    • 7. Re: Setting up https connector, is it the same as AS7?
                      yazdania

                      I have tried to set up the SSL like you did.

                      Wildfly comes up with no error, saying that it has SSL on port 8443, which is great.

                      But when I try to connect to that from a browser I get SSL errors:

                      on Firefox: ssl_error_internal_error_alert

                      on Chrome: ERR_SSL_PROTOCOL_ERROR

                      Am I missing something here?

                      • 8. Re: Re: Setting up https connector, is it the same as AS7?
                        christian.beikov

                        Sorry but I don't think that I can help you with that. Also I changed the security realm to

                            <security-realm name="ssl-realm">
                                <server-identities>
                                    <ssl>
                                        <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="server" key-password="secret"/>
                                    </ssl>
                                </server-identities>
                            </security-realm>

                        and I recreated my keystore. I am not sure if I had the same problem before. If wildfly can't read the keystore it still starts up, so maybe that's the problem.

                        • 9. Re: Re: Re: Setting up https connector, is it the same as AS7?
                          yazdania

                          Thanks Christian,

                          I've created a new key, and a new keystore via

                              keytool -genkey -v -keyalg RSA -keysize 4096 -validity 3650 -alias 'key' -dname 'CN=*.mydomain.com, ...' -keypass 'keypass' -storepass 'storepass' -keystore store.keystore

                          Well this is exactly my configuration:

                              <security-realm name="SSLRealm">
                                  <server-identities>
                                      <ssl>
                                          <keystore path="store.keystore" relative-to="jboss.server.config.dir" alias="key" keystore-password="storepass" key-password="keypass"/>
                                      </ssl>
                                  </server-identities>
                              </security-realm>

                          and for undertow -> default-server

                              <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>

                          JBoss starts with no error. I get this line:

                              [org.wildfly.extension.undertow] (MSC service thread 1-9) JBAS017519: Undertow HTTPS listener default-https listening on localhost/127.0.0.1:8443

                          But when I go to https://localhost:8443 I get the errors

                          On Firefox: (Error code: ssl_error_internal_error_alert)

                          On Chrome: Error code: ERR_SSL_PROTOCOL_ERROR

                          On Safari: Browser can't establish secure connection.

                          Any help is much appreciated.

                          • 10. Re: Re: Re: Setting up https connector, is it the same as AS7?
                            shinzo

                            Hello Amin,

                            I have spent days to get SSL working in Wildfly 8.1 and 8.2. Like you I always got the errors "ssl_error_internal_error_alert" in Firefox and "ERR_SSL_PROTOCOL_ERROR" in Google Chrome.

                            I configured everything like you did.

                                <security-realm name="SSLRealm">
                                   <server-identities>
                                      <ssl>
                                         <keystore path="my.keystore" relative-to="jboss.server.config.dir" keystore-password="Kennwort123" alias="cert" key-password="geheim" />
                                      </ssl>
                                   </server-identities>
                                </security-realm>

                                <server name="default-server">
                                   <http-listener name="default" socket-binding="http"/>
                                   <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
                                   <host name="default-host" alias="localhost">
                                      <location name="/" handler="welcome-content"/>
                                      <filter-ref name="server-header"/>
                                      <filter-ref name="x-powered-by-header"/>
                                   </host>
                                </server>

                            However, when I changed the name of the realm from "SSLRealm" to "UndertowRealm" (security-realm & https-listener) it finally worked correctly in Firefox and Chrome.

                            It seems that this is a bug in Wildfly 8.1 and 8.2 and the Realm-Name is somehow hardcoded into the source-code of the Server and not documented.
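Two things go wrong repeatedly in this thread: the name on the https-listener's security-realm not matching any defined realm (reply 10), and a keystore the server cannot find while it still starts cleanly (reply 8). The script below is an added example, not code from WildFly or from any poster; it parses a standalone.xml, resolves each realm's keystore against a config directory, and reports the mismatches before the server is started. The standalone.xml fragments it checks are constructed for the example, it only maps the jboss.server.config.dir path variable the thread uses, and it tests that the keystore file exists, not that it is a readable JKS with the named alias.

```python
"""Pre-flight check for the Undertow https-listener wiring in a WildFly standalone.xml.
Added example for this thread (not WildFly code): verifies that each <https-listener>
references a defined <security-realm> carrying an <ssl><keystore> server identity and a
defined socket-binding, and that the keystore file resolves on disk."""
import os
import tempfile
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so the check works across domain/undertow schema versions."""
    return tag.split("}", 1)[-1]


def _find_all(element, name):
    """All descendants (including element itself) whose local tag name is `name`."""
    return [el for el in element.iter() if _local(el.tag) == name]


def _resolve_keystore(keystore, dirs):
    """Map <keystore path=... relative-to=.../> to a filesystem path, or None if unresolvable."""
    base = keystore.get("relative-to")
    if base is None:
        return keystore.get("path")
    if base not in dirs:
        return None
    return os.path.join(dirs[base], keystore.get("path"))


def check_https_config(xml_text, config_dir):
    """Return a list of findings; an empty list means the https wiring is consistent."""
    root = ET.fromstring(xml_text)
    # Only the path variable used in the thread is mapped (assumption: one config dir).
    dirs = {"jboss.server.config.dir": config_dir}
    findings = []

    all_realms, ssl_realms = set(), set()
    for realm in _find_all(root, "security-realm"):
        rname = realm.get("name")
        all_realms.add(rname)
        for identities in _find_all(realm, "server-identities"):
            for ssl in _find_all(identities, "ssl"):
                for ks in _find_all(ssl, "keystore"):
                    ssl_realms.add(rname)
                    path = _resolve_keystore(ks, dirs)
                    if path is None:
                        findings.append(f"realm '{rname}': cannot resolve relative-to='{ks.get('relative-to')}'")
                    elif not os.path.isfile(path):
                        findings.append(f"realm '{rname}': keystore '{ks.get('path')}' not found at {path}")

    bindings = {sb.get("name") for sb in _find_all(root, "socket-binding")}
    for listener in _find_all(root, "https-listener"):
        lname, realm = listener.get("name"), listener.get("security-realm")
        binding = listener.get("socket-binding")
        if realm not in all_realms:
            findings.append(f"https-listener '{lname}': security-realm '{realm}' is not defined")
        elif realm not in ssl_realms:
            findings.append(f"https-listener '{lname}': realm '{realm}' has no <server-identities><ssl><keystore>")
        if binding not in bindings:
            findings.append(f"https-listener '{lname}': socket-binding '{binding}' is not defined")
    return findings


# Constructed minimal standalone.xml modelled on the snippets in this thread.
GOOD_CONFIG = """<server xmlns="urn:jboss:domain:2.0">
  <management><security-realms>
    <security-realm name="UndertowRealm">
      <server-identities><ssl>
        <keystore path="server.keystore" relative-to="jboss.server.config.dir"
                  keystore-password="changeit" alias="server" key-password="changeit"/>
      </ssl></server-identities>
    </security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:1.0">
    <server name="default-server">
      <http-listener name="default" socket-binding="http"/>
      <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
      <host name="default-host" alias="localhost"><location name="/" handler="welcome-content"/></host>
    </server>
  </subsystem></profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
  </socket-binding-group>
</server>"""

# Same config with the two mistakes from the thread: listener names a realm that
# does not exist, and the realm points at a keystore file that is not on disk.
BAD_CONFIG = (GOOD_CONFIG.replace('security-realm="UndertowRealm"', 'security-realm="SSLRealm"')
              .replace('path="server.keystore"', 'path="missing.keystore"'))


def run_demo():
    """Check both configs against a temporary config dir; returns (good_findings, bad_findings)."""
    with tempfile.TemporaryDirectory() as config_dir:
        # Constructed stand-in for standalone/configuration/server.keystore (existence only).
        open(os.path.join(config_dir, "server.keystore"), "wb").close()
        return check_https_config(GOOD_CONFIG, config_dir), check_https_config(BAD_CONFIG, config_dir)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), run_demo()):
        print(f"{label}: {result or 'OK'}")
```

Run it against a real standalone.xml by passing the file contents and the standalone/configuration directory to check_https_config; an empty result means the listener, realm and socket-binding agree and the keystore is where the config says it is, which rules out the silent start-up described in reply 8 before the browser errors are investigated.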