See: https://github.com/jboss-developer/jboss-eap-quickstarts/blob/7.2.0.GA/helloworld-mutual-ssl-secured
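# The keystores must end up in the server configuration directory, because the
# Elytron key-store resources reference them with relative-to=jboss.server.config.dir.
# "${JBOSS_HOME:?}" aborts when the variable is unset (instead of cd'ing into
# /standalone/configuration), and "|| exit 1" stops the script if the directory is
# missing, so nothing is ever written into an unrelated working directory.
cd "${JBOSS_HOME:?JBOSS_HOME must be set}/standalone/configuration" || exit 1

# --- Server keystore: the TLS server certificate for the admin https-listener. ---
# The Elytron configuration reads its key-store / key-manager password from
# KEYCLOAK_KEYSTORE_PASSWORD with a fallback of "secret"; the same default is used
# here so the generated stores and the server configuration agree, and overriding
# the environment variable changes both sides together.
# NOTE: keytool receives passwords on argv, where they are visible to the process
# list and shell history; this is acceptable only for a local demo setup.
KS_NAME=server.keystore
KS_STOREPASS=${KEYCLOAK_KEYSTORE_PASSWORD:-secret}
KS_KEYPASS=${KEYCLOAK_KEYSTORE_PASSWORD:-secret}
KS_DNAME="CN=localhost, OU=R&D, O=tdlabs, L=Saarbrücken, ST=SL, C=DE"
# -keysize 2048 matches the client key below instead of relying on the JDK default.
keytool -genkeypair \
  -keyalg RSA \
  -keysize 2048 \
  -keystore "$KS_NAME" \
  -storepass "$KS_STOREPASS" \
  -keypass "$KS_KEYPASS" \
  -dname "$KS_DNAME" \
  -validity 365 || exit 1

# --- Client keystore: the certificate an administrator presents for client auth. ---
# CLIENT_KS_STOREPASS also protects client.truststore (imported by the server
# configuration under the same kcKeystorePassword), so it follows the same variable.
CLIENT_KS_NAME=client.keystore
CLIENT_KS_STOREPASS=${KEYCLOAK_KEYSTORE_PASSWORD:-secret}
CLIENT_KS_KEYPASS=${KEYCLOAK_KEYSTORE_PASSWORD:-secret}
CLIENT_CERT_CN=keycloak-admin
CLIENT_KS_DNAME="CN=$CLIENT_CERT_CN, OU=R&D, O=tdlabs, L=Saarbrücken, ST=SL, C=DE"
keytool -genkeypair \
  -keyalg RSA \
  -keystore "$CLIENT_KS_NAME" \
  -storepass "$CLIENT_KS_STOREPASS" \
  -keypass "$CLIENT_KS_KEYPASS" \
  -dname "$CLIENT_KS_DNAME" \
  -validity 365 \
  -keysize 2048 \
  -storetype pkcs12 || exit 1

# Export only the client certificate (no private key) so it can be trusted by the server.
keytool -exportcert \
  -keystore "$CLIENT_KS_NAME" \
  -storetype pkcs12 \
  -storepass "$CLIENT_KS_STOREPASS" \
  -keypass "$CLIENT_KS_KEYPASS" \
  -file client.crt || exit 1

# Server-side truststore holding the client certificate; the server's trust-manager
# points at this file. -noprompt skips the interactive trust confirmation, which is
# safe here only because the certificate was generated by the previous step.
keytool -importcert \
  -file client.crt \
  -alias "$CLIENT_CERT_CN" \
  -keystore client.truststore \
  -storepass "$CLIENT_KS_STOREPASS" \
  -noprompt || exit 1

# Bundle the client key pair as a PKCS#12 file for import into a browser or tool.
# This file contains the private key: distribute it only to the administrator it is for.
keytool -importkeystore \
  -srckeystore "$CLIENT_KS_NAME" \
  -srcstorepass "$CLIENT_KS_STOREPASS" \
  -destkeystore clientCert.p12 \
  -srcstoretype PKCS12 \
  -deststoretype PKCS12 \
  -deststorepass "$CLIENT_KS_STOREPASS" || exit 1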
# Batch script to configure mutual(two way) SSL and role based access control in the JBoss EAP server
# Run through jboss-cli. Uncomment one embed-server line to apply the batch offline
# against a configuration file instead of a running server.
# embed-server -c=standalone.xml --std-out=echo
# embed-server -c=standalone-ha.xml --std-out=echo
# Start batching commands
# Everything between batch and run-batch is sent as one composite operation.
batch
# One password serves both key-stores and the key-manager below. It is taken from the
# KEYCLOAK_KEYSTORE_PASSWORD environment variable with a fallback of "secret", so the
# keystores must have been created with exactly this store/key password. The fallback
# leaves a well-known default in place whenever the variable is unset.
set kcKeystorePassword=${env.KEYCLOAK_KEYSTORE_PASSWORD:secret}
# Three ECDHE/RSA AES-256 suites. The two *_CBC_* entries are CBC-mode suites; the
# GCM suite is the stronger choice where clients can be restricted to it.
set httpCipherSuites="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
# Add the keystores, key manager, trust manager and ssl context configuration in the elytron subsystem
# credential-reference={clear-text=...} places the password (or its unresolved
# expression) in the server configuration rather than in a protected store.
# NOTE(review): an Elytron credential-store reference
# (credential-reference={store=...,alias=...}) keeps the secret out of standalone.xml.
# type=JKS: confirm the files were generated as JKS — keytool on JDK 9+ defaults new
# stores to PKCS12 unless -storetype is given explicitly.
/subsystem=elytron/key-store=kcKeyStore:add(path=server.keystore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=$kcKeystorePassword})
/subsystem=elytron/key-store=kcTrustStore:add(path=client.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=$kcKeystorePassword})
# The key-manager needs the key password to unlock the server private key.
/subsystem=elytron/key-manager=kcKeyManager:add(key-store=kcKeyStore,credential-reference={clear-text=$kcKeystorePassword})
# The trust-manager only reads certificates from kcTrustStore, so no credential-reference here.
/subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore)
# need-client-auth=true is the "mutual" part: the handshake is rejected unless the
# client presents a certificate trusted by kcTrustManager. protocols=[TLSv1.2] excludes
# older protocol versions and also TLSv1.3 — confirm platform support before widening.
/subsystem=elytron/server-ssl-context=kcAdminSSLContext:add( \
key-manager=kcKeyManager, \
trust-manager=kcTrustManager, \
cipher-suite-filter=$httpCipherSuites, \
protocols=[TLSv1.2], \
need-client-auth=true \
)
# Configure dedicated https-listener for admin console access with custom port
# The port comes from the jboss.https-admin.port system property, default 8444.
/socket-binding-group=standard-sockets/socket-binding=https-admin/:add(port=${jboss.https-admin.port:8444})
# proxy-address-forwarding defaults to true via PROXY_ADDRESS_FORWARDING. When it is
# enabled, Undertow derives peer/destination address information from X-Forwarded-*
# headers, so it should only be true when this listener is reachable exclusively
# through a trusted reverse proxy. NOTE(review): confirm the deployment topology.
/subsystem=undertow/server=default-server/https-listener=https-admin:add( \
socket-binding=https-admin, \
proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:true}", \
enable-http2=true, \
ssl-context=kcAdminSSLContext \
)
# Restrict access to /auth/admin to port 8444
# Any request under /auth/admin whose local port (%p) is not 8444 gets a 403, which
# forces admin traffic onto the client-auth listener above.
# NOTE(review): 8444 is hard-coded here while the listener port is
# ${jboss.https-admin.port:8444}; if that property is overridden the two diverge and
# the filter blocks the admin listener itself — keep both values in sync.
# NOTE(review): %p is read from the exchange's destination address, which on a
# listener with proxy-address-forwarding enabled may come from a forwarded header
# rather than the socket — the check is only as trustworthy as the proxy in front.
/subsystem=undertow/configuration=filter/expression-filter=portAccess:add(expression="path-prefix('/auth/admin') and not equals(%p, 8444) -> response-code(403)")
# Attaching the filter to default-host applies it to every listener of that host.
/subsystem=undertow/server=default-server/host=default-host/filter-ref=portAccess:add()
# Run the batch commands
run-batch