Skip to content

Instantly share code, notes, and snippets.

@darranl
Last active January 30, 2018 08:31
Show Gist options
  • Save darranl/fb32297349bf978133d7776dc7e032b4 to your computer and use it in GitHub Desktop.
Save darranl/fb32297349bf978133d7776dc7e032b4 to your computer and use it in GitHub Desktop.
WildFly Elytron - SSL Configuration
Client Cert authentication with fallback to username / password authentication.
# Paths
./path=elytron.project:add(path=/home/darranl/src/wildfly10/wildfly-elytron)
./path=elytron.project.jks:add(path=src/test/resources/ca/jks, relative-to=elytron.project)
./path=elytron.project.properties:add(path=src/test/resources/org/wildfly/security/auth/realm, relative-to=elytron.project)
# KeyStores
./subsystem=elytron/key-store=localhost:add(type=jks, relative-to=elytron.project.jks, path=localhost.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=beetles:add(type=jks, relative-to=elytron.project.jks, path=beetles.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=ca:add(type=jks, relative-to=elytron.project.jks, path=ca.truststore, credential-reference={clear-text=Elytron})
# Key and Trust Managers
./subsystem=elytron/key-managers=localhost-manager:add(algorithm=SunX509, key-store=localhost, credential-reference={clear-text=Elytron})
./subsystem=elytron/trust-managers=ca-manager:add(algorithm=SunX509, key-store=ca)
# Realms
./subsystem=elytron/properties-realm=test-users:add(users-properties={relative-to=elytron.project.properties, path=clear.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=elytron.project.properties, path=groups.properties})
./subsystem=elytron/key-store-realm=key-store-realm:add(key-store=beetles)
# Mappers
./subsystem=elytron/constant-role-mapper=users:add(roles=[Users])
./subsystem=elytron/constant-realm-mapper=key-store-realm:add(realm-name=key-store-realm)
./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)
# Domain
./subsystem=elytron/security-domain=client-cert-domain:add(realms=[{realm=test-users},{realm=key-store-realm}], default-realm=test-users, principal-decoder=x500-decoder,permission-mapper=default-permission-mapper, role-mapper=users)
# HTTP Authentication Factory
./subsystem=elytron/http-authentication-factory=client-cert:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=FORM}])
./subsystem=elytron/http-authentication-factory=client-cert-basic:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=BASIC}])
# SASL Authentication
./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=configured, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=EXTERNAL, realm-mapper=key-store-realm},{mechanism-name=DIGEST-MD5, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
./subsystem=elytron/configurable-sasl-server-factory=configured:write-attribute(name=filters,value=[{pattern-filter=JBOSS-LOCAL-USER}, {pattern-filter=DIGEST-MD5}, {pattern-filter=EXTERNAL}])
# SSLContext
./subsystem=elytron/server-ssl-context=localhost:add(key-managers=localhost-manager, trust-managers=ca-manager, security-domain=client-cert-domain, authentication-optional=true, want-client-auth=true, need-client-auth=false)
# Undertow Subsystem
batch
./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=localhost)
./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
run-batch
./subsystem=undertow/application-security-domain=other:add(http-authentication-factory=client-cert, override-deployment-config=true)
# Management
./core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=localhost)
./core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
./core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=client-cert-basic)
./core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=client-cert-digest)
<?xml version='1.0' encoding='UTF-8'?>
<!--
WildFly Command-line Interface configuration.
-->
<jboss-cli xmlns="urn:jboss:cli:3.1">
<default-protocol use-legacy-override="true">remote+http</default-protocol>
<!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
<default-controller>
<protocol>remote+http</protocol>
<host>localhost</host>
<port>9990</port>
</default-controller>
<!-- Example controller alias named 'Test'
<controllers>
<controller name="Test">
<protocol>remote+http</protocol>
<host>localhost</host>
<port>9990</port>
</controller>
</controllers>
-->
<validate-operation-requests>true</validate-operation-requests>
<!-- Command and operation history log configuration -->
<history>
<enabled>true</enabled>
<file-name>.jboss-cli-history</file-name>
<file-dir>${user.home}</file-dir>
<max-size>500</max-size>
</history>
<ssl>
<key-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore</key-store>
<key-store-password>Elytron</key-store-password>
<trust-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ca.truststore</trust-store>
<trust-store-password>Elytron</trust-store-password>
<modify-trust-store>false</modify-trust-store>
</ssl>
<!-- whether to resolve system properties specified as command argument or operation parameter values
in the CLI VM before sending the operation requests to the controller -->
<resolve-parameter-values>false</resolve-parameter-values>
<!-- Whether to write info and error messages to the terminal output -->
<silent>false</silent>
<!-- Whether to filter out commands and attributes based on user's permissions -->
<access-control>false</access-control>
<!-- Include the prompt with the command into the output for each command executed in non-interactive mode -->
<echo-command>false</echo-command>
<!-- Uncomment to set the command timeout. Element value is in seconds -->
<!-- <command-timeout>30</command-timeout> -->
</jboss-cli>
<?xml version="1.0" encoding="UTF-8"?>
<!--
Set with -Dwildfly.config.url=file:///home/darranl/src/wildfly10/cli-scripts/wildfly-config.xml
-->
<configuration>
<authentication-client xmlns="urn:elytron:1.0">
<key-stores>
<key-store name="ladybird" type="jks" >
<file name="/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore"/>
<key-store-clear-password password="Elytron" />
</key-store>
</key-stores>
<authentication-rules>
<rule use-configuration="default" />
</authentication-rules>
<authentication-configurations>
<configuration name="default">
<allow-sasl-mechanisms names="JBOSS-LOCAL-USER EXTERNAL DIGEST-MD5 PLAIN ANONYMOUS" />
<set-mechanism-properties>
<property key="wildfly.sasl.local-user.quiet-auth" value="true" />
</set-mechanism-properties>
<use-service-loader-providers />
</configuration>
</authentication-configurations>
<ssl-context-rules>
<rule use-ssl-context="default" />
</ssl-context-rules>
<ssl-contexts>
<ssl-context name="default">
<key-store-ssl-certificate key-store-name="ladybird" alias="ladybird">
<key-store-clear-password password="Elytron" />
</key-store-ssl-certificate>
</ssl-context>
</ssl-contexts>
</authentication-client>
</configuration>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment