Saturday, April 4, 2015

Configuring SSL in JBOSS Wildfly 8

I’ve just set up a couple of servers running Wildfly 8 and they needed SSL certificates to enable HTTPS. The following documents the steps required to generate the SSL certificate and install/configure it in Wildfly.

You can get some cheap SSL certificates here: https://www.ssls.com or godaddy.com

First you need to create a CSR (certificate signing request). It’s recommended to use at least a 2048-bit key, and you can generate the key and the CSR together with the following command:


openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.com.key -out yourdomain.com.csr
The output will be similar to the following:

Generating a 2048 bit RSA private key
...............................................................................+++
...........+++
writing new private key to 'yourdomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Next answer the questions you are prompted for:

Country Name (2 letter code) [AU]:NZ
State or Province Name (full name) [Some-State]:Canterbury
Locality Name (eg, city) []:Christchurch
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dark Horse Software
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:yourdomain.com
Email Address []:<a valid email address> (I use ssl@yourdomain.com)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<secret password>
An optional company name []:

Finally you are ready to request your SSL certificate. Go and purchase a certificate from any trusted SSL certificate provider. A standard certificate is probably all you need for basic security. I get mine from: https://www.ssls.com.

After purchasing you will need to activate your certificate. Your provider will ask you to copy and paste in the CSR you created above. Copy everything in that file.

~$ cat yourdomain.com.csr
-----BEGIN CERTIFICATE REQUEST-----
<Random characters in here>
-----END CERTIFICATE REQUEST-----

After your certificate is issued, download it (and unzip if needed). You will also need the CA (Certificate Authority) root bundle. This is basically the SSL certificate provider's own chain of certificates, proving that they are trusted. Once you have these you need to create a Java keystore file. This is a two-step process: first create a PKCS12 file from your SSL certificate, private key and the CA bundle, then import that PKCS12 file into a Java keystore.

Step 1 (openssl will prompt you for an export password; you need it again in step 2)

openssl pkcs12 -export -in yourdomain.com.crt -inkey yourdomain.com.key -out yourdomain.com.p12 -name default -CAfile your_provider_bundle.crt -caname root

Step 2

keytool -importkeystore -deststorepass <secret password> -destkeypass <secret password> -destkeystore yourdomain.com.jks -srckeystore yourdomain.com.p12 -srcstoretype PKCS12 -srcstorepass <export password entered in step 1> -alias default
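As an added example (not part of the original post), the following POSIX shell script sanity-checks the files produced by the steps above before they go into the keystore: the key is at least 2048 bits, the key matches the CSR and the issued certificate, the certificate chains to the provider's bundle, and the resulting PKCS12 really contains the bundle's certificates (a missing chain is a common reason browsers refuse to verify a site's identity). It assumes only the openssl CLI; the file names are the post's placeholders, and -chain is added to the post's pkcs12 command so that the bundle is written into the PKCS12 file.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks on the key,
# CSR, issued certificate and CA bundle before anything goes into the
# keystore. Assumes only the openssl CLI; file names are the post's placeholders.

# Return 0 when the RSA key is at least 2048 bits (modulus hex digits * 4).
key_bits_ok() {
    m=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | cut -d= -f2)
    [ $(( ${#m} * 4 )) -ge 2048 ]
}

# Return 0 when the key's modulus equals the CSR's or the certificate's.
moduli_match() {   # $1 = private key, $2 = .csr or .crt
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$2"; then
        c=$(openssl req -in "$2" -noout -modulus 2>/dev/null)
    else
        c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    fi
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the issued certificate chains to the provider's bundle.
chain_ok() {       # $1 = .crt, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the PKCS12 as the post does; -chain is added so the bundle's
# certificates are written into the file next to the leaf certificate.
build_p12() {      # $1 = .crt, $2 = key, $3 = bundle, $4 = out .p12, $5 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -name default \
        -CAfile "$3" -caname root -chain -passout "pass:$5" 2>/dev/null
}

# Number of certificates stored in the PKCS12 (leaf plus chain; expect >= 2).
p12_cert_count() { # $1 = .p12, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERT'
}

# Run every check in order; prints the first failure and returns non-zero.
preflight() {      # same arguments as build_p12
    key_bits_ok "$2"       || { echo "key is shorter than 2048 bits"; return 1; }
    moduli_match "$2" "$1" || { echo "key does not match certificate"; return 1; }
    chain_ok "$1" "$3"     || { echo "certificate does not chain to bundle"; return 1; }
    build_p12 "$@"         || { echo "pkcs12 export failed"; return 1; }
    [ "$(p12_cert_count "$4" "$5")" -ge 2 ] || { echo "chain missing from p12"; return 1; }
    echo "ok: $4 holds the key, certificate and chain"
}
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh yourdomain.com.crt yourdomain.com.key your_provider_bundle.crt yourdomain.com.p12 <export password>`; the produced .p12 is then imported with the keytool command from step 2.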

Copy the new keystore file to your Wildfly configuration directory:

sudo cp yourdomain.com.jks /usr/local/wildfly/wildfly-8.1.0.Final/standalone/configuration/

Insert the following into your standalone.xml in the <profile></profile> section.

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <!-- plain HTTP listener left commented out so only HTTPS is served -->
        <!-- <http-listener name="default" socket-binding="http"/> -->
        <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>

Insert the following lines into the <security-realms></security-realms> section of standalone.xml. The realm name must match the security-realm attribute of the https-listener above, and the keystore password is the one given to keytool in step 2.

<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="yourdomain.com.jks" relative-to="jboss.server.config.dir" keystore-password="<secret password>"/>
        </ssl>
    </server-identities>
</security-realm>

Commands for restarting Wildfly

Stop command (from the Wildfly bin directory): ./jboss-cli.sh --connect command=:shutdown

Start command: nohup ./standalone.sh

You are done. Now you can access the server over HTTPS.

1 comment:

  1. This works for me but I got one problem: GoDaddy SSL certificates and "Cannot Verify Identity" on Mac/Safari. Can you please help me?
