
SSL configuration is not working in Wildfly 26.0.1

We are trying to migrate Wildfly from 8.1.0.Final to 26.0.1.Final. Currently Wildfly is running in standalone mode, hence standalone.xml is used for configuration and there is no domain configuration so far.

Everything is working, including the management console, package deployments, etc., but requesting a URL with https gives us "This site can't be reached". It appears there is something wrong with the SSL configuration in Wildfly 26.0.1.Final because the same SSL certificate has been used in version 8.1.0.Final.

Here is the SSL/TLS configuration we are using:

            <tls>
                <key-stores>
                    <key-store name="abc-keystore">
                        <credential-reference clear-text="clearpasswordonetwothree"/>
                        <implementation type="JKS"/>
                        <file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="abc-keystore">
                        <credential-reference clear-text="clearpasswordonetwothree"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                </server-ssl-contexts>
            </tls>

We've removed generate-self-signed-certificate-host="localhost" from the configuration because the certificate is not self-signed in our case. As I mentioned before, the same SSL certificate has been used in version 8.1.0.

Please note that this is specifically related to version 26.0.1.Final and I have no idea if any more configuration is required apart from the above.

Any help is highly appreciated.

This is how I sorted it out with the help of Wildfly support. In my case it's standalone mode.

TLS block:

            <tls>
                <key-stores>
                    <key-store name="applicationKS">
                        <credential-reference clear-text="password"/>
                        <implementation type="JKS"/>
                        <file path="C:\wildfly26\application.keystore.jks"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" protocols="TLSv1.2" key-manager="applicationKM"/>
                </server-ssl-contexts>
            </tls>

Reference the SSL context in the https-listener:

            <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>

Socket binding under socket-binding-group: change the port from 8443 to 443.

            <socket-binding name="https" port="${jboss.https.port:443}"/>

Configure the interfaces:

            <interfaces>
                <interface name="management">
                    <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
                </interface>
                <interface name="public">
                    <inet-address value="${jboss.bind.address:0.0.0.0}"/>
                </interface>
            </interfaces>
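The answer above fixes the asker's setup by wiring the https-listener to the Elytron server-ssl-context. As an added example (not code from the post or from WildFly), the script below lints exactly that chain in a standalone.xml: https-listener -> server-ssl-context -> key-manager -> key-store. The embedded XML is a constructed fragment (namespace versions are placeholders) reproducing the asker's <tls> block beside a listener that still names a legacy security realm.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post; namespace versions are placeholders):
# the asker's <tls> block beside an undertow https-listener that still names a
# legacy security-realm instead of the Elytron ssl-context.
BROKEN = """<server>
 <subsystem xmlns="urn:wildfly:elytron:15.0"><tls>
  <key-stores><key-store name="abc-keystore"><implementation type="JKS"/>
   <file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/></key-store></key-stores>
  <key-managers><key-manager name="applicationKM" key-store="abc-keystore"/></key-managers>
  <server-ssl-contexts><server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
  </server-ssl-contexts></tls></subsystem>
 <subsystem xmlns="urn:jboss:domain:undertow:12.0"><server name="default-server">
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
 </server></subsystem></server>"""
# The answer's fix: point the listener at the server-ssl-context instead.
FIXED = BROKEN.replace('security-realm="ApplicationRealm"', 'ssl-context="applicationSSC"')

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {urn:...} namespace prefix

def _by_name(root, local_tag):
    return {e.get("name"): e for e in root.iter() if _local(e.tag) == local_tag}

def lint_tls_wiring(xml_text):
    """Walk https-listener -> server-ssl-context -> key-manager -> key-store and
    return one message per broken link; an empty list means the chain is intact."""
    root = ET.fromstring(xml_text)
    stores, managers = _by_name(root, "key-store"), _by_name(root, "key-manager")
    contexts = _by_name(root, "server-ssl-context")
    problems = []
    for name, km in managers.items():
        if km.get("key-store") not in stores:
            problems.append(f"key-manager {name} -> unknown key-store {km.get('key-store')}")
    for name, ssc in contexts.items():
        if ssc.get("key-manager") not in managers:
            problems.append(f"server-ssl-context {name} -> unknown key-manager {ssc.get('key-manager')}")
    listeners = [e for e in root.iter() if _local(e.tag) == "https-listener"]
    if not listeners:
        problems.append("no https-listener: nothing serves HTTPS")
    for ln in listeners:
        ctx = ln.get("ssl-context")
        if ln.get("security-realm"):  # pre-Elytron attribute; realms are gone in 26
            problems.append(f"https-listener {ln.get('name')} uses legacy security-realm")
        if ctx is None:
            problems.append(f"https-listener {ln.get('name')} has no ssl-context")
        elif ctx not in contexts:
            problems.append(f"https-listener {ln.get('name')} -> unknown ssl-context {ctx}")
    return problems

if __name__ == "__main__":
    for label, xml in (("asker", BROKEN), ("answer", FIXED)):
        print(label, lint_tls_wiring(xml) or "OK")
```

Run it against your real standalone.xml by reading the file into lint_tls_wiring; a non-empty list pinpoints which link the https-listener is missing.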

I ran into the same problem since they removed the security realms. I used the top part of this manual: https://docs.jboss.org/author/display/WFLY/Simple%20SSL%20Migration.html
My setup was that I had a .cer certificate and key; I had to re-create the keystore using these two answers: How to create an empty java trust store? and How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

  1. Create a keystore with a dummy certificate: keytool -genkeypair -alias boguscert -storepass changeit -keypass changeit -keystore server.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"
  2. Delete the dummy certificate from the keystore: keytool -delete -alias boguscert -storepass changeit -keystore server.keystore
  3. Create a PKCS12 certificate from the key and .crt file: openssl pkcs12 -export -in <SERVERNAME>.crt -inkey <SERVERNAME>.key -out server.p12 -name server
  4. Import the PKCS12 certificate into the empty keystore: keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias server

I then followed the top part of the jboss documentation I linked above using the wildfly-cli located in the bin directory.
This writes the needed xml into the standalone.xml, so make sure you use the vanilla one that ships with wildfly 26.0.1.
After that I had to enable the ssl redirection using this: Redirect http requests to https in wildfly 10

Hope it helps

Here is how my Wildfly (20) is configured regarding SSL.

Assuming you have already set up a Java keystore whose entry named 'server' contains your certificate/key, you have to tell Wildfly to look for that particular alias ('server') in your keystore:

<management>
    <security-realms>
        ...
        <security-realm name="ApplicationRealm">
            <server-identities>
                <ssl>
                    <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="..." alias="server" key-password="..." generate-self-signed-certificate-host="localhost"/>
                </ssl>
            </server-identities>
