Wildfly Openssl


WildFly ships a default one-way SSL/TLS configuration using the legacy core management authentication, but does not provide one in the elytron subsystem. You can find more details on configuring SSL/TLS with the elytron subsystem, for both the management interfaces and applications, in Configure SSL/TLS.

What is it?

This quickstart demonstrates the configuration of client mutual SSL authentication in JBoss Enterprise Application Platform 6 or WildFly.

Mutual SSL provides the same protection as ordinary SSL (confidentiality and server authentication) and adds authentication of the client, with non-repudiation of that authentication, because the client proves possession of its private key with a digital signature during the handshake. With mutual authentication the server asks the client for a certificate in addition to presenting its own server certificate to the client. Mutual authentication costs an extra round trip for the client certificate exchange, and the client must obtain and maintain a digital certificate issued by a CA the server trusts.

This quickstart shows how to configure WildFly's web subsystem, Undertow, for TLS/SSL and how to enable mutual (two-way) SSL authentication of clients. Before running the example we must create the certificates and configure the server to use SSL: add an https listener and require client verification.

To have a look at corresponding Wildfly 10.x quickstart, click here.

System requirements

All you need to build this project is Java 6.0 (Java SDK 1.6) or later and Maven 3.0 or later. The application this project produces is designed to run on JBoss Enterprise Application Platform 6 or WildFly.

Configure Maven

If you have not yet done so, you must Configure Maven before testing the quickstarts.

Setup CA, server and client keys using openSSL

The Certificate Authority, server and client keys can be generated either with the traditional OpenSSL tool or with the cross-platform Java keytool.

Setup CA

First we need to set up a Certificate Authority (CA) to issue the certificates.

  1. Generate a key for your Root CA. Run the OpenSSL command from the directory that contains your openssl configuration file.
  2. You will be asked for a passphrase for the key. Provide one and remember it; it is needed whenever the CA key signs a certificate.
  3. Next, create a self-signed certificate for the CA. This certificate is used to sign and issue the other certificates.
  4. You will be asked for the subject details of the CA certificate.
  5. Export the root CA certificate into a keystore.
  6. Export the root CA certificate into a truststore.


Our CA certificate is now in the Certificates folder and the CA is ready to sign certificates. A server/client certificate pair is used when an application accesses a web service that is configured to authenticate the calling application by its client SSL certificate. Follow the steps below to create the server and client certificates with OpenSSL.

Create the server and client certificate

  1. Create private key for the server.
  2. Create CSR for the server.
  3. Create server certificate.
  4. Export server certificate into a keystore
  5. Create private key for the client.
  6. Create CSR for the client.
  7. Create client certificate.
  8. Finally, export the client certificate and its private key in PKCS#12 format.

Setup CA, server and client keys using Java Keytool

Create the server and client certificate

  1. Open a command line and navigate to the JBoss server configuration directory:
  2. Create a certificate for your server using the following command:

    You’ll be prompted for some additional information, such as your name, organizational unit, and location. Enter any values you prefer.

  3. Create the client certificate, which is used to authenticate to the server when accessing a resource over SSL.
  4. Export the client certificate and create a truststore by importing this certificate:
  5. Export the client certificate to PKCS#12 format.
  6. The certificates and keystores are now properly configured.
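The two procedures above (the OpenSSL route and the keytool route) carried out end to end, as an added example that is not the quickstart's own script. It generates the CA, server and client material with OpenSSL and uses keytool only for the truststore; the file names, certificate subjects, the CA passphrase and the store password "keypassword" are assumptions chosen to match the names used later on this page.

```shell
#!/bin/sh
# Added example, not the quickstart's own script: builds the Root CA, server and
# client material with openssl and packages it for WildFly. File names, subjects
# and passwords are assumptions chosen to line up with the quickstart's later
# steps (server.keystore, client.truststore, clientCert.p12, "keypassword").

CA_PASS="${CA_PASS:-capassword}"        # passphrase protecting RootCA.key (assumed)
STORE_PASS="${STORE_PASS:-keypassword}" # keystore/PKCS#12 password the quickstart uses
SERVER_HOST="${SERVER_HOST:-localhost}" # must match the host name the browser connects to

# setup_mutual_tls_pki DIR: creates DIR and fills it with the PKI; returns 0 on success.
setup_mutual_tls_pki() {
  mkdir -p "$1" && (
    set -e
    cd "$1"

    # Minimal openssl config so the example does not depend on the system one.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extensions: the server cert carries the host name as a SAN (browsers
    # ignore the CN) and serverAuth; the client cert is limited to clientAuth so
    # it can never be replayed as a server certificate.
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_HOST, IP:127.0.0.1
EOF
    cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

    # Root CA: passphrase-protected key plus a self-signed CA certificate.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out RootCA.key 2048 2>/dev/null
    openssl req -x509 -new -config openssl.cnf -key RootCA.key -passin "pass:$CA_PASS" \
      -subj "/CN=Quickstart Root CA" -days 3650 -sha256 -out RootCA.crt

    # Server and client: private key, CSR, certificate signed by the CA.
    for n in server client; do
      openssl genrsa -out "$n.key" 2048 2>/dev/null
      if [ "$n" = server ]; then cn="$SERVER_HOST"; else cn="quickstartUser"; fi
      openssl req -new -config openssl.cnf -key "$n.key" -subj "/CN=$cn" -out "$n.csr"
      openssl x509 -req -in "$n.csr" -CA RootCA.crt -CAkey RootCA.key -passin "pass:$CA_PASS" \
        -CAcreateserial -days 365 -sha256 -extfile "$n.ext" -out "$n.crt" 2>/dev/null
    done

    # Keystores: PKCS#12 files are loadable by the JDK/WildFly as type PKCS12. The
    # server bundle also carries the CA certificate so clients receive the chain.
    openssl pkcs12 -export -name server -in server.crt -inkey server.key -certfile RootCA.crt \
      -passout "pass:$STORE_PASS" -out server.keystore
    openssl pkcs12 -export -name client -in client.crt -inkey client.key -certfile RootCA.crt \
      -passout "pass:$STORE_PASS" -out clientCert.p12

    # Truststore: only the CA certificate, so every certificate the CA issued is
    # accepted as a client identity. A cert-only PKCS#12 written by openssl is not
    # loaded as trusted entries by the JDK, hence keytool (skipped without a JDK).
    if command -v keytool >/dev/null 2>&1; then
      keytool -importcert -noprompt -alias rootca -file RootCA.crt \
        -keystore client.truststore -storetype PKCS12 -storepass "$STORE_PASS" >/dev/null
    else
      echo "keytool not found: build client.truststore from RootCA.crt on a machine with a JDK" >&2
    fi
    rm -f server.csr client.csr
    echo "PKI written to $(pwd): RootCA.crt server.keystore clientCert.p12"
  )
}

setup_mutual_tls_pki "${1:-./quickstart-pki}"
```

Keep RootCA.key off the server: the truststore trusts everything it signs, so anyone holding it can mint a valid client identity. On OpenSSL 3 the PKCS#12 files use AES/PBKDF2; if an old JDK cannot open them, re-export with `openssl pkcs12 -export -legacy ...`.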

Wildfly Configuration

Configure WildFly for mutual client SSL authentication

  1. Open a command line and navigate to the JBoss server configuration directory:
  2. Copy RootCA.truststore and server.keystore (or server.keystore and client.truststore, if you used keytool) into the JBoss server configuration directory.

Configure The Additional WildFly Security Realm

The next step is to configure the new keystore as a server identity for SSL in the security-realms section of the WildFly standalone.xml (if you run standalone-ha.xml or another profile, edit that file instead). Back up the file first: JBOSS_HOME/standalone/configuration/standalone.xml

If the keys and certificates were generated with OpenSSL, the keystore path can point at either RootCA.keystore or server.keystore. If they were generated with the Java keytool, use server.keystore for the server identity and client.truststore for the truststore.

Configure Undertow Subsystem for SSL

If you’re running with the default-server, add the https-listener to the undertow subsystem:

That’s it: we can now connect to the SSL port of the instance at https://localhost:8443/. Note that the browser shows a privacy error, because the server certificate was issued by our own CA, which the browser does not trust. With a certificate from a public Certificate Authority we usually receive a PEM file; in that case import the PEM into the keystore (and into the truststore if that CA also issues your client certificates).
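The security-realm and https-listener additions described in the two sections above, written out as an added example (not the quickstart's own XML) for a WildFly 8-10 standalone.xml using legacy security realms. The realm name CertificateRealm is assumed; the file names and the password keypassword follow this page.

```xml
<!-- Added example, not the quickstart's XML. WildFly 8-10, legacy security realms.
     The realm name is assumed; file names and "keypassword" follow the page. -->

<!-- Under <management><security-realms>: the server identity (what the server
     presents) and the truststore (which client certificates it accepts). -->
<security-realm name="CertificateRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="keypassword" alias="server" key-password="keypassword"/>
        </ssl>
    </server-identities>
    <authentication>
        <!-- Only the CA certificate lives here: every certificate the CA issued is
             accepted as a client identity, so guard the CA key accordingly. -->
        <truststore path="client.truststore" relative-to="jboss.server.config.dir"
                    keystore-password="keypassword"/>
    </authentication>
</security-realm>

<!-- In the undertow subsystem, under <server name="default-server">.
     verify-client="REQUIRED" is what makes the SSL mutual: REQUESTED lets a client
     without a certificate through, and the default NOT_REQUESTED never asks. -->
<https-listener name="https" socket-binding="https"
                security-realm="CertificateRealm" verify-client="REQUIRED"
                enabled-protocols="TLSv1.2"/>
```

The enabled-protocols attribute pins the listener to TLS 1.2; if your WildFly version rejects it, drop it and check the attribute list with the CLI (`:read-resource-description`) before re-adding. On WildFly 11 and later the same identity and truststore are expressed in the elytron subsystem (key-store, key-manager, trust-manager and server-ssl-context) instead of a security realm.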


Test the Server SSL Configuration


To test the SSL configuration, open https://localhost:8443 in a browser. If it is configured correctly, you should be asked to trust the server certificate.
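The same check from the command line with openssl s_client, as an added example that is not from the quickstart. It shows more than the browser does: the negotiated protocol and cipher, whether the server certificate chains to our CA, the CA names the server will accept a client certificate from, and, importantly, whether a connection without a client certificate is refused. Host, port and the PEM file names (RootCA.crt, client.crt, client.key from the CA setup) are assumptions.

```shell
#!/bin/sh
# Added example, not from the quickstart: probes the https listener with openssl
# s_client. Host, port and file names are assumptions matching this page.

# tls_probe HOST PORT CAFILE [CLIENT_CERT CLIENT_KEY]
# Prints the handshake summary; returns 0 when the handshake completed and the
# server certificate chains to CAFILE, non-zero otherwise (rejected or unreachable).
tls_probe() {
  host=$1; port=$2; cafile=$3; cert=$4; key=$5
  set -- -connect "$host:$port" -servername "$host" -CAfile "$cafile"
  if [ -n "$cert" ]; then set -- "$@" -cert "$cert" -key "$key"; fi
  # Send one request so the server answers (or sends its alert) and closes.
  out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client "$@" 2>&1) || {
    printf '%s\n' "$out" | grep -iE 'alert|error|refused' | tail -n 3
    return 1
  }
  # "Acceptable client certificate CA names" lists the CAs from the truststore;
  # "Verify return code: 0 (ok)" means the server chain validated against CAFILE.
  printf '%s\n' "$out" | grep -E 'Protocol|Cipher  |Verify return code|Acceptable client certificate CA names|CN ='
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# mutual_tls_check HOST PORT CAFILE CLIENT_CERT CLIENT_KEY
# Returns 0 only if the server accepts the client certificate AND rejects a
# connection that presents none, i.e. verify-client really is REQUIRED.
mutual_tls_check() {
  tls_probe "$1" "$2" "$3" "$4" "$5" >/dev/null 2>&1 || {
    echo "handshake with the client certificate failed against $1:$2"; return 1; }
  if tls_probe "$1" "$2" "$3" >/dev/null 2>&1; then
    echo "$1:$2 accepted a connection without a client certificate: verify-client is not REQUIRED"
    return 1
  fi
  echo "mutual TLS enforced on $1:$2"
}

# Usage: mutual_tls_check localhost 8443 RootCA.crt client.crt client.key
if [ $# -ge 5 ]; then mutual_tls_check "$@"; fi
```

Under TLS 1.3 the server can only reject a missing client certificate after its first flight, so the second probe reports the rejection as an alert rather than a failed handshake; both count as "rejected" here. If the check reports that a certificate-less connection was accepted, the listener has verify-client set to REQUESTED or NOT_REQUESTED and the application is not actually authenticating clients.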

Import the Certificate into Your Browser

Before you access the application, you must import the clientCert.p12, which holds the client certificate, into your browser.

Import the Certificate into Google Chrome

  1. Click the Chrome menu icon (3 horizontal bars) in the upper right on the browser toolbar and choose ‘Settings’. This takes you to chrome://settings/.
  2. At the bottom of the page, click on the ‘Show advanced settings…’ link.
  3. Find the section ‘HTTPS/SSL’ and click on the ‘Manage certificates…’ button.
  4. In the ‘Certificate manager’ dialog box, choose the ‘Your Certificates’ tab and click the ‘Import’ button.
  5. Select the clientCert.p12 file. You will be prompted to enter the password: keypassword.
  6. The certificate is now installed in the Google Chrome browser.

Import the Certificate into Mozilla Firefox

  1. Click the ‘Edit’ menu item on the browser menu and choose ‘Preferences’.
  2. A new window will open. Select the ‘Advanced’ icon and after that the ‘Certificates’ tab.
  3. On the ‘Certificates’ tab, mark the option ‘Ask me every time’ and click the ‘View Certificates’ button.
  4. A new window will open. Select the ‘Your Certificates’ tab and click the ‘Import’ button.
  5. Select the clientCert.p12 file. You will be prompted to enter the password: keypassword.
  6. The certificate is now installed in the Mozilla Firefox browser.

Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile

  1. Open a command line and navigate to the root of the JBoss server directory.
  2. The following shows the command line to start the server with the web profile:

Build and Deploy the Quickstart

NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See Build and Deploy the Quickstarts for complete instructions and additional options.

  1. Make sure you have started the Wildfly Server as described above.
  2. Open a command line and navigate to the root directory of this quickstart.
  3. Type this command to build and deploy the archive:
  4. This will deploy target/wildfly-helloworld-client-ssl.war to the running instance of the server.

Access the application

The application will be running at the following URL: <https://localhost:8443/wildfly-helloworld-client-ssl>.

Undeploy the Archive

  1. Make sure you have started the JBoss Server as described above.
  2. Open a command line and navigate to the root directory of this quickstart.
  3. When you are finished testing, type this command to undeploy the archive:

Remove the SSL Configuration

  1. If the server is running, stop the JBoss Enterprise Application Platform 6 or WildFly Server.
  2. Replace the WILDFLY_HOME/standalone/configuration/standalone.xml file with the back-up copy of the file.

Run the Quickstart in JBoss Developer Studio or Eclipse

You can also start the server and deploy the quickstarts from Eclipse using JBoss tools.

Debug the Application


If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
