@timoteoponce
Created June 9, 2017 17:42
Describes the steps needed to enable HTTPS on WildFly 8.

Generate a self-signed certificate (only for testing; clients will not trust it without a CA-issued certificate)

  • Generate the key pair and certificate in a new keystore
keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
Enter keystore password: secret
Re-enter new password: secret
What is your first and last name?
  [Unknown]:  foo.acme.com
What is the name of your organizational unit?
  [Unknown]:  Foo
What is the name of your organization?
  [Unknown]:  acme corp
What is the name of your City or Locality?
  [Unknown]:  Duckburg
What is the name of your State or Province?
  [Unknown]:  Duckburg
What is the two-letter country code for this unit?
  [Unknown]:  WD
Is CN=foo.acme.com, OU=Foo, O=acme corp, L=Duckburg, ST=Duckburg, C=WD correct?
  [no]:  yes

Enter key password for <deva> secret
    (RETURN if same as keystore password):  
Re-enter new password: secret

Configure the keystore in WildFly 8

  • Copy the generated keystore into the configuration folder (it holds the private key, so keep it readable only by the user WildFly runs as)
cp foo.keystore /opt/wildfly-8.2/standalone/configuration/.
  • Add a new security realm under <management>/<security-realms> in standalone/configuration/standalone.xml (the keystore password is stored in clear text here)
<management>
  <security-realms>
    <security-realm name="SslRealm">
      <server-identities>
        <ssl>
          <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="secret"/>
        </ssl>
      </server-identities>
    </security-realm>
    ...
  • Configure the https-listener in the undertow subsystem and point the http-listener at it. redirect-socket names the socket binding Undertow redirects a plain-HTTP request to when a deployment's security constraint requires a confidential transport; on its own it does not redirect every request, which is why the web.xml step below is needed
<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https"/>
  <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
  ...

Force the application to require HTTPS

  • Add to the application's WEB-INF/web.xml (a CONFIDENTIAL constraint on /* is what makes Undertow redirect plain-HTTP requests to the https-listener)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure URLs</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
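As an added check, not part of the gist, the script below parses standalone.xml and web.xml and confirms that the three pieces above reference each other: the https-listener's security-realm exists and declares a keystore, the http-listener's redirect-socket points at the https-listener's socket binding, and web.xml demands CONFIDENTIAL for /*. The XML inside is constructed from the snippets above and trimmed to the relevant elements.

```python
import xml.etree.ElementTree as ET
def _find(root, name):
    # Match on local name so the urn:jboss:domain / undertow namespaces do not get in the way.
    return [e for e in root.iter() if e.tag.rsplit('}', 1)[-1] == name]

def check_standalone(xml_text):
    """Return the problems found in the HTTPS wiring of a standalone.xml (empty list = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Each security-realm name -> the <keystore> elements it declares under <ssl>.
    realms = {r.get('name'): _find(r, 'keystore') for r in _find(root, 'security-realm')}
    https = _find(root, 'https-listener')
    for lst in https:
        realm = lst.get('security-realm')
        if realm not in realms:
            problems.append(f"https-listener {lst.get('name')!r} names unknown realm {realm!r}")
        elif not realms[realm]:
            problems.append(f"realm {realm!r} has no <ssl><keystore> server identity")
    https_bindings = {lst.get('socket-binding') for lst in https}
    for lst in _find(root, 'http-listener'):
        if lst.get('redirect-socket') not in https_bindings:
            problems.append(f"http-listener {lst.get('name')!r} has no redirect-socket to an https-listener")
    return problems

def requires_https(web_xml_text):
    """True when web.xml carries a CONFIDENTIAL security-constraint covering /*."""
    root = ET.fromstring(web_xml_text)
    for sc in _find(root, 'security-constraint'):
        patterns = {(p.text or '').strip() for p in _find(sc, 'url-pattern')}
        guarantees = {(g.text or '').strip() for g in _find(sc, 'transport-guarantee')}
        if '/*' in patterns and 'CONFIDENTIAL' in guarantees:
            return True
    return False

# Constructed, trimmed standalone.xml carrying the SslRealm / default-ssl wiring from the steps above.
STANDALONE_OK = """<server xmlns="urn:jboss:domain:2.2">
 <management><security-realms><security-realm name="SslRealm"><server-identities><ssl>
  <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="secret"/>
 </ssl></server-identities></security-realm></security-realms></management>
 <profile><subsystem xmlns="urn:jboss:domain:undertow:1.1"><server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https"/>
  <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
 </server></subsystem></profile></server>"""
# Same file with redirect-socket left off: HTTP keeps serving and CONFIDENTIAL requests cannot be redirected.
STANDALONE_NO_REDIRECT = STANDALONE_OK.replace(' redirect-socket="https"', '')
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
 <web-resource-collection><web-resource-name>Secure URLs</web-resource-name><url-pattern>/*</url-pattern>
 </web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint></security-constraint></web-app>"""
```

Run it against the real files with `check_standalone(open('standalone.xml').read())` and `requires_https(open('web.xml').read())` after editing; an empty list and True mean the three steps line up.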