We are trying to migrate Wildfly from 8.1.0.Final to 26.0.1.Final. Currently Wildfly is running in standalone mode, hence standalone.xml is in use for configuration, and there is no domain configuration so far.
Everything is working, including the management console, package deployments etc., but requesting a URL with https gives us "This site can't be reached". It appears there is something wrong with the SSL configuration in Wildfly 26.0.1.Final, because the same SSL certificate has been used in version 8.1.0.Final.
Here is the SSL/TLS configuration we are using:
<tls>
    <key-stores>
        <key-store name="abc-keystore">
            <credential-reference clear-text="clearpasswordonetwothree"/>
            <implementation type="JKS"/>
            <file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="applicationKM" key-store="abc-keystore">
            <credential-reference clear-text="clearpasswordonetwothree"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
    </server-ssl-contexts>
</tls>
We've removed generate-self-signed-certificate-host="localhost" from the configuration because the certificate is not self-signed in our case.
Like I mentioned before, the same SSL certificate has been used in version 8.1.0.
Please note that this is specifically related to version 26.0.1.Final, and I have no idea whether any more configuration is required apart from the above.
Any help is highly appreciated.
This is how I sorted it out with the help of Wildfly support. In my case it's standalone mode.
TLS Block:
<tls>
    <key-stores>
        <key-store name="applicationKS">
            <credential-reference clear-text="password"/>
            <implementation type="JKS"/>
            <file path="C:\wildfly26\application.keystore.jks"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
            <credential-reference clear-text="password"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="applicationSSC" protocols="TLSv1.2" key-manager="applicationKM"/>
    </server-ssl-contexts>
</tls>
Reference the SSL context in the https-listener:
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
Socket binding under socket-binding-group; change the port from 8443 to 443:
<socket-binding name="https" port="${jboss.https.port:443}"/>
Configure the interfaces:
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:0.0.0.0}"/>
    </interface>
</interfaces>
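The answer works because it completes a reference chain: https-listener to server-ssl-context to key-manager to key-store. As an added example (not part of the question or the answer), here is a small stdlib-only Python checker that walks that chain over a standalone.xml and reports where it breaks, plus the legacy security-realm attribute and clear-text keystore passwords. The two embedded documents are constructed from the snippets above; the namespace versions in them are placeholders, and the checker ignores namespaces anyway.

```python
import xml.etree.ElementTree as ET


def _named(root, local_name):
    """All elements with this local name, whatever urn:... namespace they carry."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == local_name]


def check_tls_wiring(xml_text):
    """Walk https-listener -> server-ssl-context -> key-manager -> key-store.
    Returns a list of findings; an empty list means HTTPS is fully wired."""
    root = ET.fromstring(xml_text)
    stores = {e.get("name") for e in _named(root, "key-store")}
    managers = {e.get("name"): e.get("key-store") for e in _named(root, "key-manager")}
    contexts = {e.get("name"): e for e in _named(root, "server-ssl-context")}
    listeners = _named(root, "https-listener")
    findings = [] if listeners else ["no https-listener: the tls block is never used"]
    for lst in listeners:
        name, ctx = lst.get("name"), lst.get("ssl-context")
        if lst.get("security-realm"):
            findings.append(f"https-listener {name}: legacy security-realm, use ssl-context")
        if not ctx:
            findings.append(f"https-listener {name}: no ssl-context attribute")
            continue
        if ctx not in contexts:
            findings.append(f"https-listener {name}: ssl-context {ctx} is not defined")
            continue
        km = contexts[ctx].get("key-manager")
        if km not in managers:
            findings.append(f"server-ssl-context {ctx}: key-manager {km} is not defined")
        elif managers[km] not in stores:
            findings.append(f"key-manager {km}: key-store {managers[km]} is not defined")
        if not contexts[ctx].get("protocols"):
            findings.append(f"server-ssl-context {ctx}: protocols not pinned")
    if any(c.get("clear-text") for c in _named(root, "credential-reference")):
        findings.append("credential-reference clear-text: keystore password sits in standalone.xml")
    return findings


# Constructed samples modelled on the question's snippets (namespace versions are placeholders).
BROKEN = """<server>
 <subsystem xmlns="urn:wildfly:elytron:X.Y"><tls>
  <key-stores><key-store name="abc-keystore"><credential-reference clear-text="secret"/>
   <implementation type="JKS"/><file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/>
  </key-store></key-stores>
  <key-managers><key-manager name="applicationKM" key-store="abc-keystore">
   <credential-reference clear-text="secret"/></key-manager></key-managers>
  <server-ssl-contexts><server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
  </server-ssl-contexts>
 </tls></subsystem>
 <subsystem xmlns="urn:jboss:domain:undertow:X.Y"><server name="default-server">
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
 </server></subsystem></server>"""
# Same file with the accepted answer's fix: listener points at the ssl-context, TLSv1.2 pinned.
FIXED = BROKEN.replace('security-realm="ApplicationRealm"', 'ssl-context="applicationSSC"').replace(
    'name="applicationSSC"', 'name="applicationSSC" protocols="TLSv1.2"')
```

Run it against a real standalone.xml with `check_tls_wiring(open(path).read())`; the clear-text finding stays until the credential-reference points at a credential store instead.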
I ran into the same problem since they removed the security realms. I used the top part of this manual: https://docs.jboss.org/author/display/WFLY/Simple%20SSL%20Migration.html
My setup was that I had a .cer certificate and key; I had to re-create the keystore using these two answers: How to create an empty java trust store? and How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
Create a keystore with a dummy certificate:
    keytool -genkeypair -alias boguscert -storepass changeit -keypass changeit -keystore server.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"
Delete the dummy certificate from the keystore:
    keytool -delete -alias boguscert -storepass changeit -keystore server.keystore
Create a PKCS12 certificate from the key and .crt file:
    openssl pkcs12 -export -in <SERVERNAME>.crt -inkey <SERVERNAME>.key -out server.p12 -name server
Import the PKCS12 certificate into the empty keystore:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias server
I then followed the top part of the JBoss documentation I linked above using the wildfly-cli located in the bin directory. This writes the needed XML into the standalone.xml, so make sure you use the vanilla one that ships with Wildfly 26.0.1. After that I had to enable the SSL redirection using this: Redirect http requests to https in wildfly 10
Hope it helps
Here is how my Wildfly (20) is configured regarding SSL.
Assuming you have already set up a Java keystore whose entry named 'server' contains your certificate/key, you have to tell Wildfly to look for that particular alias ('server') in your keystore:
<management>
    <security-realms>
        ...
        <security-realm name="ApplicationRealm">
            <server-identities>
                <ssl>
                    <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="..." alias="server" key-password="..." generate-self-signed-certificate-host="localhost"/>
                </ssl>
            </server-identities>
        </security-realm>
    </security-realms>
</management>
I'm trying to enable SSL on my wildfly 11 application server. I bought an SSL certificate from GoDaddy and downloaded a zip file with this inside:
1. 22c8728db3996008.crt
2. 22c8728db3996008.pem
3. gd_bundle-g2-g1.crt
I followed these steps to install it, with these commands:
1. keytool -genkey -alias myalias -keyalg RSA -keystore keystore.jks
2. keytool -import -alias root -keystore keystore.jks -trustcacerts -file C:\path\to\cert\22c8728db3996008.crt
3. keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file C:\path\to\cert\gd_bundle-g2-g1.crt
Then I copied the keystore.jks file to the standalone/configuration directory
and modified the standalone.xml file:
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="myalias" key-password="mypassword"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
And
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
Then I restarted the server, but on booting this error appears:
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SslRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SslRealm.key-manager: Failed to start service
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
... 3 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:114)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
... 7 more
How can I install and use my SSL certificate?
After many tries, I was able to solve it.
First, to create a keystore file (.keystore), install KeyStore Explorer and follow these steps.
Second, to add the keystore file to Wildfly, follow these steps.
To redirect all traffic from the server to HTTPS, do this.
And that's it, the SSL certificate works OK.
Hope this helps someone.
I was trying to install an SSL certificate on a Wildfly application server hosted on an AWS EC2 instance.
I purchased an SSL certificate from GoDaddy and downloaded the SSL certificate zip from the GoDaddy portal, which consists of the following:
1. gd_bundle-g2-g1.crt
2. gdig2.crt.pem
3. 70c350d31695.crt
4. 70c350d31695.pem
I created a keystore and imported the certificates into it with the following commands:
keytool -genkey -alias wildfly -keyalg RSA -keystore wildfly.jks
keytool -import -alias root -keystore wildfly.jks -trustcacerts -file 70c350d31695.crt
keytool -import -alias intermed -keystore wildfly.jks -trustcacerts -file gd_bundle-g2-g1.crt
I also did the configuration in Wildfly as follows:
standalone.xml
<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="/home/centos/ssl/newssl/wildfly.jks" alias="wildfly" keystore-password="OHGv216TZDhbd" />
        </ssl>
    </server-identities>
</security-realm>
and
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
But after restarting the application, the keystore is recognized but the https certificates are not. When I double-click on the certificate in the browser it has only keystore information, not certificate information.
Please help me to fix this.
In the browser the certificate error is like the following:
You need a single entry, I think, in your keystore with all the details. You might find it easier using KSE (https://keystore-explorer.org/) rather than the CLI.
So I bought a certificate. I got a certificate, a key, and an intermediate that has 2 beginnings; I don't know if that counts or should be added as separate intermediates.
I added the certificate and the intermediate like this.
keytool -import -trustcacerts -alias rootmydomain -file rootmydomain.crt -keystore mykeystore.keystore
keytool -import -trustcacerts -alias interm.mydomain -file interm.mydomain.crt -keystore mykeystore.keystore
I didn't have a problem so far; it created a mykeystore.keystore file in my wildfly/standalone/configuration/ folder. I was even able to list my entries in mykeystore.keystore.
Then I added the following to my standalone.xml.
<security-realm name="ssl-realm">
    <server-identities>
        <ssl>
            <keystore path="mykeystore.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="rootmydomain" key-password="mypassword"/>
        </ssl>
    </server-identities>
</security-realm>
And I get the following error:
04:55:22,538 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ssl-realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ssl-realm.key-manager: WFLYDM0083: The KeyStore /opt/wildfly-10.0.0.Final/standalone/configuration/mykeystore.keystore does not contain any keys.
I had the same configuration with a cert generated by myself and it worked. I don't know why I am not able to make it work like this.
Based on the commands you issued, there are indeed no keys in your keystore, just certificates. You need to get your private key in the keystore in order for Wildfly to be able to pick it up.
Importing an existing x509 certificate and private key in Java keystore to use in ssl is an example of how it can be done.
I checked Wildfly docs and also other sources, but I just can't get SSL to work in Wildfly.
I exported my keystore file:
openssl pkcs12 -export -out output_cert.pfx -inkey domain.key -in domain.crt -certfile ../ca.crt
keytool -v -importkeystore -srckeystore output_cert.pfx -srcstoretype PKCS12 -destkeystore output_store.jks -deststoretype JKS
I got no errors in the commands above.
Then I configured standalone.xml.
<security-realm name="ssl-realm">
    <server-identities>
        <ssl>
            <keystore path="SSL/output_store.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="1" key-password="mypassword"/>
        </ssl>
    </server-identities>
</security-realm>
And I added this to the default-server.
<https-listener name="https" security-realm="ssl-realm" socket-binding="https"/>
I started Wildfly, no errors appeared in the log and I found this line:
10:17:58,475 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTPS listener https listening on my_ip:8443
Then I deployed an application to the root (/) web context and tried to access it through my_ip:8443, https://my_ip, my_domain:8443, https://my_domain.
However, I always get a page with the message "The connection was reset". If I change the URL to my_ip:8080, the application can be found through http.
Anyone have any idea what I might be doing wrong?
It was a really silly mistake.
I had to try to access https://my_domain:8443.
I had tried all combinations, except the correct one.
I'm trying to set up SSL in my local Tomcat 6 installation. For this, I followed the official How-To, doing the following:
$JAVA_HOME/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit
$JAVA_HOME/bin/keytool -export -alias tomcat -storepass changeit -file /root/server.crt
Then changing $CATALINA_BASE/conf/server.xml, un-commenting this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="changeit" />
After starting Tomcat, I get this Exception:
INFO: Initializing Coyote HTTP/1.1 on http-8080
30.06.2011 10:15:24 org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SCHWERWIEGEND: Failed to load keystore type JKS with path /root/.keystore
due to Invalid keystore format
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
When I look into the keystore with keytool -list I get:
root#host:~# $JAVA_HOME/bin/keytool -list
Enter key store password: changeit
Key store type: gkr
Key store provider: GNU-CRYPTO
Key store contains 1 entry(ies)
Alias name: tomcat
Creation timestamp: Donnerstag, 30. Juni 2011 - 10:13:40 MESZ
Entry type: key-entry
Certificate fingerprint (MD5): 6A:B9:...C:89:1C
Obviously, the keystore types are different. How can I change the type and will this fix my problem? Thank you!
It looks like the keytool you're using is the GNU implementation, not the one from Oracle/Sun or OpenJDK. From the output of keytool -list, it generates a gkr store type, which is a GNU Keyring Store.
I'm not sure whether you run Apache Tomcat using an OpenJDK or Sun/Oracle JRE, in which case this format wouldn't be supported without additional security providers.
If you run Apache Tomcat with a GNU JRE that supports gkr (or at least a JRE where you've added a security provider that supports gkr), you can try keystoreType="gkr" in your <Connector /> configuration.
However, the easiest is probably to use keytool as provided by Oracle or OpenJDK and use the JKS storetype (which would be the default type if you run Apache Tomcat with the OpenJDK or Sun/Oracle JRE). It was probably installed with your JRE, but it doesn't look like the $JAVA_HOME you're using points to an Oracle or OpenJDK JAVA_HOME. Some Linux distributions have mechanisms to install multiple JREs and configure links (update-alternatives in the Debian/Ubuntu family).
(As a side-note, it's usually not recommended to run Apache Tomcat as root, which you seem to be doing since $HOME/.keystore is /root/.keystore in your example.)
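Both the WFLYDM0083 "does not contain any keys" failure earlier on this page and this "Invalid keystore format" one come down to what is actually inside the keystore file. As an added example (not from any of the posts), here is a stdlib-only Python inspector that reads the JKS binary layout directly: it classifies the file by its magic bytes and lists the entries with their type, so a certificate-only store or a non-JKS file is caught before the server boots. The sample store it builds is a constructed fixture with dummy DER bytes, not a usable keystore.

```python
import hashlib
import struct

JKS_MAGIC, TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 0xFEEDFEED, 1, 2


def detect_format(data):
    """JKS (0xFEEDFEED), JCEKS (0xCECECECE), PKCS12 (DER SEQUENCE) or unknown (e.g. GNU gkr)."""
    magic = struct.unpack_from(">I", data, 0)[0] if len(data) >= 4 else None
    return {JKS_MAGIC: "JKS", 0xCECECECE: "JCEKS"}.get(magic, "PKCS12" if data[:1] == b"\x30" else "unknown")


def _field(buf, pos, width):
    """Length-prefixed field: width 2 = Java writeUTF string, width 4 = raw blob."""
    n = struct.unpack_from(">H" if width == 2 else ">I", buf, pos)[0]
    return buf[pos + width:pos + width + n], pos + width + n


def list_jks_entries(data):
    """Return [(alias, kind, cert_count)], kind named as keytool -list reports it."""
    if detect_format(data) != "JKS":
        raise ValueError(f"not a JKS keystore (looks like {detect_format(data)})")
    _, version, count = struct.unpack_from(">III", data, 0)
    pos, entries = 12, []
    for _ in range(count):
        tag = struct.unpack_from(">I", data, pos)[0]
        alias, pos = _field(data, pos + 4, 2)
        pos += 8  # creation timestamp, ms since epoch
        if tag == TAG_PRIVATE_KEY:
            _, pos = _field(data, pos, 4)  # PKCS#8 EncryptedPrivateKeyInfo
            n_certs, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
        elif tag == TAG_TRUSTED_CERT:
            n_certs = 1
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
        for _ in range(n_certs):  # chain: [type string in v2,] DER certificate
            if version == 2:
                _, pos = _field(data, pos, 2)
            _, pos = _field(data, pos, 4)
        kind = "PrivateKeyEntry" if tag == TAG_PRIVATE_KEY else "trustedCertEntry"
        entries.append((alias.decode(), kind, n_certs))
    return entries


def has_private_key(data):  # WildFly needs a PrivateKeyEntry, otherwise WFLYDM0083
    return any(k == "PrivateKeyEntry" for _, k, _ in list_jks_entries(data))


def build_sample_jks(with_key, password="changeit"):
    """Constructed fixture with dummy DER bytes; NOT a usable keystore."""
    def utf(s): return struct.pack(">H", len(s)) + s.encode()
    def blob(b): return struct.pack(">I", len(b)) + b
    cert = utf("X.509") + blob(b"\x30\x03\x02\x01\x00")
    body = struct.pack(">III", JKS_MAGIC, 2, 2 if with_key else 1)
    body += struct.pack(">I", TAG_TRUSTED_CERT) + utf("root") + bytes(8) + cert
    if with_key:  # one PrivateKeyEntry carrying a one-certificate chain
        body += struct.pack(">I", TAG_PRIVATE_KEY) + utf("server") + bytes(8)
        body += blob(b"\x30\x00") + struct.pack(">I", 1) + cert
    keyed = password.encode("utf-16-be") + b"Mighty Aphrodite" + body  # JKS integrity digest input
    return body + hashlib.sha1(keyed).digest()
```

On a real file, `list_jks_entries(open(path, "rb").read())` shows the same alias/type view as `keytool -list` without needing a JDK on the box; a store that only ever saw `keytool -import` of .crt files lists nothing but trustedCertEntry rows.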
As Bruno said, I used the "wrong" keytool!
These are the keytools on my Debian 6 installation:
root#host:~# locate keytool
/etc/alternatives/keytool
/etc/alternatives/keytool.1.gz
/root/glassfish3/jdk/bin/keytool
/root/glassfish3/jdk/jre/bin/keytool
/root/glassfish3/jdk/man/ja_JP.eucJP/man1/keytool.1
/root/glassfish3/jdk/man/man1/keytool.1
/root/glassfish3/mq/bin/imqkeytool
/root/glassfish3/mq/bin/imqkeytool.exe
/usr/bin/gkeytool
/usr/bin/gkeytool-4.4
/usr/bin/keytool
/usr/bin/jre1.6.0_25/bin/keytool
/usr/bin/jre1.6.0_25/man/ja_JP.eucJP/man1/keytool.1
/usr/bin/jre1.6.0_25/man/man1/keytool.1
/usr/lib/jvm/java-1.5.0-gcj-4.4/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/jre/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/man1/keytool.1.gz
/usr/share/man/man1/gkeytool-4.4.1.gz
/usr/share/man/man1/gkeytool.1.gz
/usr/share/man/man1/keytool.1.gz
/var/lib/dpkg/alternatives/keytool
root#host:~# echo $JAVA_HOME
/usr
Now I used
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit
to create the keystore file. Tomcat starts without any problems!
Try specifying your storetype: -storetype JKS (see: http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)
If you use the GNU JVM and keytool, you can add the following options to the Tomcat connector in server.xml in order to get it to work: keystoreType="gkr" algorithm="JessieX509"
The algorithm is mentioned here.