Author: Giriraj Sharma, Stefan Guilhen
Level: Beginner
Technologies: SSL, Undertow
Summary: The helloworld-ssl quickstart is a basic example that demonstrates server side SSL configuration in WildFly.
Target Product: WildFly
Source: https://github.com/wildfly/quickstart/
This helloworld-ssl quickstart demonstrates the configuration of SSL in WildFly Application Server.
This quickstart shows how to configure WildFly to enable TLS/SSL configuration for the new undertow web subsystem.
Before you run this example, you must create certificates and configure the server to use SSL.
The applications these projects produce are designed to be run on WildFly Application Server 11 or later.
All you need to build these projects is Java 8.0 (Java SDK 1.8) or later and Maven 3.3.1 or later. See Configure Maven for WildFly 11 to make sure you are configured correctly for testing the quickstarts.
To run these quickstarts with the provided build scripts, you need the WildFly distribution ZIP. For information on how to install and run JBoss, see the WildFly Application Server Documentation Getting Started Guide located on the Customer Portal.
You can also use JBoss Developer Studio or Eclipse to run the quickstarts.
In the following instructions, replace WILDFLY_HOME with the actual path to your WildFly installation. The installation path is described in detail here: Use of WILDFLY_HOME and JBOSS_HOME Variables.
Navigate to the server configuration directory:
For Linux: standalone/configuration
For Windows: standalone\configuration
$>keytool -genkey -alias mycert -keyalg RSA -sigalg SHA256withRSA -keystore server.keystore -storepass secret -keypass secret -validity 9999
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: wildfly
What is the name of your organization?
[Unknown]: jboss
What is the name of your City or Locality?
[Unknown]: Raleigh
What is the name of your State or Province?
[Unknown]: Carolina
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=wildfly, O=jboss, L=Raleigh, ST=Carolina, C=US correct?
[no]: yes
Make sure to put your desired "hostname" into the "first and last name" field, otherwise you might run into issues while permanently accepting this certificate as an exception in some browsers. Chrome does not have an issue with that though.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the SSL context by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a configure-ssl.cli script provided in the root directory of this quickstart.
Before you begin, back up your server configuration file: WILDFLY_HOME/standalone/configuration/standalone.xml
Start the WildFly server by typing the following:
For Linux: WILDFLY_HOME/bin/standalone.sh
For Windows: WILDFLY_HOME\bin\standalone.bat
Review the configure-ssl.cli file in the root of this quickstart directory. Comments in the script describe the purpose of each block of commands.
Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing WILDFLY_HOME with the path to your server:
For Linux: WILDFLY_HOME/bin/jboss-cli.sh --connect --file=configure-ssl.cli
For Windows: WILDFLY_HOME\bin\jboss-cli.bat --connect --file=configure-ssl.cli
You should see the following result when you run the script:
The batch executed successfully
process-state: reload-required
Stop the WildFly server.
Now you're ready to connect to the SSL port of your instance: https://localhost:8443/. Note that the browser reports a privacy error because the server certificate is self-signed. If you need a fully signed certificate, you usually receive a PEM file from the Certificate Authority. In that case, you need to import the PEM file into the keystore.
After stopping the server, open the WILDFLY_HOME/standalone/configuration/standalone.xml file and review the changes.
The following key-store was added to the elytron subsystem:
<key-stores>
<key-store name="qsKeyStore">
<credential-reference clear-text="secret"/>
<implementation type="JKS"/>
<file path="server.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
The following key-manager was added to the elytron subsystem:
<key-managers>
<key-manager name="qsKeyManager" key-store="qsKeyStore">
<credential-reference clear-text="secret"/>
</key-manager>
</key-managers>
The following ssl-context was added to the elytron subsystem:
<server-ssl-contexts>
<server-ssl-context name="qsSSLContext" protocols="TLSv1.2" key-manager="qsKeyManager"/>
</server-ssl-contexts>
The https-listener in the undertow subsystem was changed to reference the qsSSLContext ssl-context:
<https-listener name="https" socket-binding="https" ssl-context="qsSSLContext" enable-http2="true"/>
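A check over the settings reviewed above, added here as an example and not part of the quickstart: it parses the elytron and undertow fragments and reports clear-text credential-reference entries, protocols outside an assumed TLSv1.2/TLSv1.3 policy, and an https-listener whose ssl-context is not defined. The audit function, the ALLOWED set and the wrapping server element are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the four fragments reviewed above, wrapped in one root element.
SAMPLE = """<server>
<key-stores><key-store name="qsKeyStore">
  <credential-reference clear-text="secret"/>
  <implementation type="JKS"/>
  <file path="server.keystore" relative-to="jboss.server.config.dir"/>
</key-store></key-stores>
<key-managers><key-manager name="qsKeyManager" key-store="qsKeyStore">
  <credential-reference clear-text="secret"/>
</key-manager></key-managers>
<server-ssl-contexts>
  <server-ssl-context name="qsSSLContext" protocols="TLSv1.2" key-manager="qsKeyManager"/>
</server-ssl-contexts>
<https-listener name="https" socket-binding="https" ssl-context="qsSSLContext" enable-http2="true"/>
</server>"""

ALLOWED = {"TLSv1.2", "TLSv1.3"}  # assumption: local policy, not a WildFly default


def audit(xml_text):
    """Return sorted (element name, finding) pairs for the TLS-related settings."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings, contexts, listeners = [], set(), []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace of a real standalone.xml
        name = el.get("name", "?")
        if tag == "credential-reference" and "clear-text" in el.attrib:
            findings.append((parent[el].get("name", "?"), "clear-text credential"))
        elif tag == "server-ssl-context":
            contexts.add(name)
            extra = set(el.get("protocols", "").split()) - ALLOWED
            if "protocols" not in el.attrib:
                findings.append((name, "protocols not pinned"))
            elif extra:
                findings.append((name, "outside policy: " + " ".join(sorted(extra))))
        elif tag == "https-listener":
            listeners.append(el)
    for el in listeners:  # checked last so element order in the file does not matter
        if el.get("ssl-context") not in contexts:
            findings.append((el.get("name", "?"), "ssl-context not defined"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

On the quickstart's configuration it reports the two clear-text credential-reference entries; the protocols and listener checks pass.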
To test the SSL configuration, access: https://localhost:8443
For Linux: bin/standalone.sh
For Windows: bin\standalone.bat
NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See Build and Deploy the Quickstarts for complete instructions and additional options.
mvn clean package wildfly:deploy
This will deploy target/helloworld-ssl.war to the running instance of the server.
The application will be running at the following URL: https://localhost:8443/helloworld-ssl/.
mvn wildfly:undeploy
You can restore the original server configuration by running the restore-configuration.cli script provided in the root directory of this quickstart or by manually restoring the back-up copy of the configuration file.
For Linux: WILDFLY_HOME/bin/standalone.sh
For Windows: WILDFLY_HOME\bin\standalone.bat
For Linux: WILDFLY_HOME/bin/jboss-cli.sh --connect --file=restore-configuration.cli
For Windows: WILDFLY_HOME\bin\jboss-cli.bat --connect --file=restore-configuration.cli
This script reverts the changes made to the undertow subsystem and it also removes the ssl-context, key-manager and key-store from the elytron subsystem. You should see the following result when you run the script:
The batch executed successfully
process-state: reload-required
Replace the WILDFLY_HOME/standalone/configuration/standalone.xml file with the back-up copy of the file.
Navigate to the server configuration directory:
For Linux: standalone/configuration
For Windows: standalone\configuration
You can also start the server and deploy the quickstarts or run the Arquillian tests from Eclipse using JBoss tools. For general information about how to import a quickstart, add a WildFly server, and build and deploy a quickstart, see Use JBoss Developer Studio or Eclipse to Run the Quickstarts.
If you want to debug the source code of any library in the project, run the following command to pull the source into your local repository. The IDE should then detect it.
mvn dependency:sources