Author: Giriraj Sharma Level: Intermediate Technologies: SSL, WildFly Summary: Basic examples that demonstrate mutual client SSL authentication in WildFly.
These examples demonstrate the use of mutual client SSL authentication in JBoss Enterprise Application Platform 6 or WildFly.
This quickstart shows how to use WildFly to authenticate users with the mutual client SSL scheme. Before you run this example, you must create certificates and configure the server to use SSL and validate client certificates.
All you need to build this project is Java 6.0 (Java SDK 1.6) or better, Maven 3.0 or better.
The application this project produces is designed to be run on JBoss Enterprise Application Platform 6 or WildFly.
If you have not yet done so, you must Configure Maven before testing the quickstarts.
- Open a command line and navigate to the JBoss server configuration directory:
  For Linux: JBOSS_HOME/standalone/configuration
  For Windows: JBOSS_HOME\standalone\configuration
- Create a certificate for your server using the following command:
  keytool -genkey -alias server -keyalg RSA -keystore server.keystore -storepass change_it -validity 365
  You'll be prompted for some additional information, such as your name, organizational unit, and location. Enter any values you prefer.
- Create the client certificate, which is used to authenticate against the server when accessing a resource through SSL:
  keytool -genkey -alias client -keystore client.keystore -storepass change_it -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12 -dname "CN=client, OU=Org. Unit, O=Company, ST=NC, C=US"
- Export the client certificate and create a truststore by importing this certificate:
  keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass change_it -alias client -keypass change_it -file client.cer
  keytool -import -file client.cer -alias client -keystore client.truststore
- The certificates and keystores are now properly configured.
Now that the certificates and keystores are in place, you must enable SSL in the server configuration. See configuration/openssl for the available keystore and truststore files. To configure WildFly standalone.xml directly, replace it with configuration/wildfly/*/standalone.xml.
- Start the JBoss Enterprise Application Platform 6 or WildFly Server by typing the following:
  For Linux: WILDFLY_HOME/bin/standalone.sh
  For Windows: WILDFLY_HOME\bin\standalone.bat
- Open a new command line, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
  JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-https.cli
  This script adds and configures the https connector in the web subsystem of the server configuration. You should see the following result when you run the script:
  {"outcome" => "success"}
  {"outcome" => "success"}
  {"outcome" => "success"}
  This command reloads the server configuration before completion. You do not need to manually stop and start the server for the configuration to take effect.
Configure the HTTPS Connector in the Web Subsystem by Manually Editing the Server Configuration File
- If it is running, stop the JBoss Enterprise Application Platform 6 or WildFly Server.
- Back up the file:
  JBOSS_HOME/standalone/configuration/standalone.xml
- Open the JBOSS_HOME/standalone/configuration/standalone.xml file in an editor and locate the urn:jboss:domain:web subsystem.
- Add the following XML to the web subsystem:
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
      <ssl name="localhost-ssl" key-alias="server" password="change_it"
           certificate-key-file="${jboss.server.config.dir}/server.keystore"
           protocol="TLSv1" verify-client="required"
           ca-certificate-file="${jboss.server.config.dir}/client.truststore"/>
  </connector>
To test the SSL configuration, access: https://localhost:8443
If it is configured correctly, you should be asked to trust the server certificate.
Before you access the application, you must import the client.cer, which holds the client certificate, into your browser.
- Click the Chrome menu icon (3 horizontal bars) in the upper right on the browser toolbar and choose 'Settings'. This takes you to chrome://settings/.
- At the bottom of the page, click on the 'Show advanced settings...' link.
- Find the section 'HTTPS/SSL' and click on the 'Manage certificates...' button.
- In the 'Certificate manager' dialog box, choose the 'Your Certificates' tab and click the 'Import' button.
- Navigate to the WILDFLY_HOME/standalone/configuration/ directory and select the client.keystore file. You will be prompted to enter the password: change_it
- The certificate is now installed in the Google Chrome browser.
To import the client certificate into Mozilla Firefox:
- Click the 'Edit' menu item on the browser menu and choose 'Preferences'.
- A new window will open. Select the 'Advanced' icon and after that the 'Certificates' tab.
- On the 'Certificates' tab, mark the option 'Ask me every time' and click the 'View Certificates' button.
- A new window will open. Select the 'Your Certificates' tab and click the 'Import' button.
- Navigate to the WILDFLY_HOME/standalone/configuration/ directory and select the client.keystore file. See the Create the Client Certificates section for more details.
- You will be prompted to enter the password: change_it
- The certificate is now installed in the Mozilla Firefox browser.
- Open a command line and navigate to the root of the JBoss server directory.
- The following shows the command line to start the server with the web profile:
  For Linux: JBOSS_HOME/bin/standalone.sh
  For Windows: JBOSS_HOME\bin\standalone.bat
NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See Build and Deploy the Quickstarts for complete instructions and additional options.
- Make sure you have started the WildFly Server as described above.
- Open a command line and navigate to the root directory of this quickstart.
- Type this command to build and deploy the archive:
  For EAP 6: mvn clean package jboss-as:deploy
  For WildFly: mvn -Pwildfly clean package wildfly:deploy
- This will deploy target/helloworld*.war to the running instance of the server.
The application will be running at the following URL: https://localhost:8080/wildfly-helloworld*.
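Once the connector above has verify-client="required", the container has already checked the client certificate against client.truststore before any servlet runs. The following servlet is an added example (not the quickstart's own code; class and URL mapping are hypothetical) showing how the deployed application reads that validated certificate and uses its CN, such as the "CN=client" from the keytool command on this page, as the authenticated identity.

```java
// Added example, not part of the quickstart. Reads the client certificate chain
// that the WildFly/EAP 6 https connector validated and greets the subject CN.
package org.example.mutualssl;

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")   // hypothetical mapping
public class WhoAmIServlet extends HttpServlet {

    // Standard Servlet attribute under which the container exposes the chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // With verify-client="required" the handshake fails without a client
        // certificate, so this branch only fires when the servlet is reached
        // over a connector that does not require one (e.g. plain HTTP on 8080).
        if (!req.isSecure() || chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate leaf = chain[0];   // chain[0] is the client's own certificate
        resp.setContentType("text/plain");
        resp.getWriter().printf("Hello %s (issuer %s, serial %s)%n",
                commonName(leaf.getSubjectX500Principal().getName()),
                leaf.getIssuerX500Principal().getName(),
                leaf.getSerialNumber().toString(16));
    }

    // Extract the CN from an RFC 2253 DN such as
    // "CN=client,OU=Org. Unit,O=Company,ST=NC,C=US" (the DN used on this page).
    static String commonName(String dn) throws ServletException {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            throw new ServletException("unparseable subject DN: " + dn, e);
        }
        throw new ServletException("subject DN has no CN: " + dn);
    }
}
```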
- Make sure you have started the JBoss Server as described above.
- Open a command line and navigate to the root directory of this quickstart.
- When you are finished testing, type this command to undeploy the archive:
  For EAP 6: mvn jboss-as:undeploy
  For WildFly: mvn -Pwildfly wildfly:undeploy
You can remove the security domain configuration by running the remove-https.cli script provided in the root directory of this quickstart, or by manually restoring the back-up copy of the configuration file.
- Start the JBoss Enterprise Application Platform 6 or WildFly Server by typing the following:
  For Linux: WILDFLY_HOME/bin/standalone.sh
  For Windows: WILDFLY_HOME\bin\standalone.bat
- Open a new command line, navigate to the root directory of this quickstart, and run the following command, replacing WILDFLY_HOME with the path to your server:
  WILDFLY_HOME/bin/jboss-cli.sh --connect --file=remove-https.cli
  This script removes the https connector from the web subsystem in the server configuration. You should see the following result when you run the script:
  {"outcome" => "success"}
  {"outcome" => "success"}
- If it is running, stop the JBoss Enterprise Application Platform 6 or WildFly Server.
- Replace the WILDFLY_HOME/standalone/configuration/standalone.xml file with the back-up copy of the file.
You can also start the server and deploy the quickstarts from Eclipse using JBoss tools.
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc