I am planning to configure a Log4j2 Socket Appender with a TCP-SSL Appender.
Here is the configuration I see in Log4j2 website.
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn" name="MyApp" packages="">
<Appenders>
<Socket name="socket" host="localhost" port="9500">
<JsonLayout properties="true"/>
<SSL>
<KeyStore location="log4j2-keystore.jks" password="guessme!"/>
<TrustStore location="truststore.jks" password="guessme!"/>
</SSL>
</Socket>
</Appenders>
<Loggers>
<Root level="error">
<AppenderRef ref="socket"/>
</Root>
</Loggers>
</Configuration>
In this config, what do the Keystore and TrustStore files contain? I don't have these files.
I want to send my logs to Splunk TCP port.
Do I need to create truststore.jks with SSL certs from my Splunk server so that my server trusts Splunk?
What is log4j2-keystore.jks, and where can I download it? Do I need a KeyStore file? What should go in it? Does Splunk need a corresponding public key or trusted certs?
The keystore contains your personal key and public key if you have and want to use them. It can be left out completely.
The truststore contains the server's certificate. You can download and package it as jks like this:
$ echo -n | openssl s_client -connect log-server.tld:5010 -servername log-server.tld \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee "server.crt"
$ keytool -import -alias log-server-certificate-alias -keystore log-server-cert.jks -file server.crt
The latter prompts you for the password you will then use in the log configuration.
I had a similar issue with logstash and posted a brief summary of my findings here: https://rekowski.info/home/technical/java/log4j2-socket-appender-logstash-kibana-ssl-tls.md
Related
We are trying to migrate Wildfly from 8.1.0.Final to 26.0.1.Final. Currently Wildfly is running in standalone mode hence standalone.xml is in used for configurations and no domain configuration so far.
Everything is working that includes, management console, package deployments etc but requesting URL with https gives us "This site can't be reached". It appears there is something wrong with SSL configuration in Wildfly 26.0.1.Final because same SSL certificate have been used in version 8.1.0.Final.
Here is SSL/TLS configuration we are using:
<tls>
<key-stores>
<key-store name="abc-keystore">
<credential-reference clear-text="clearpasswordonetwothree"/>
<implementation type="JKS"/>
<file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="abc-keystore">
<credential-reference clear-text="clearpasswordonetwothree"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
We've removed generate-self-signed-certificate-host="localhsot" from configuration because certificate is not self-signed in our case.
Like I mentioned before, same SSL certificate have been used in version 8.1.0.
Please be noted that this is specifically related to version 26.0.1.Final and I have no idea if any more configuration is required apart from the above.
Any help is highly appreciated.
This is how I sorted out with the help of Wildfly support. In my case it's standalone mode.
TLS Block:
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="C:\wildfly26\application.keystore.jks"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" protocols="TLSv1.2" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
Reference SSL context in https-listener
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
Socket Binding under socket-binding-group
Change port from 8443 to 443
<socket-binding name="https" port="${jboss.https.port:443}"/>
Configure Interface
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>
</interfaces>
I ran into the same problem since they removed the security realms. I used the top part of this manual: https://docs.jboss.org/author/display/WFLY/Simple%20SSL%20Migration.html
My setup was that I had a .cer certificate and key, I had to re-create the keystore using these two answers: How to create an empty java trust store? and How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
create keystore with dummy certificate: keytool -genkeypair -alias boguscert -storepass changeit -keypass changeit -keystore server.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"
delete dummy certificate from keystore: keytool -delete -alias boguscert -storepass changeit -keystore server.keystore
Create pkcs12 certificate from key and .crt file openssl pkcs12 -export -in <SERVERNAME>.crt -inkey <SERVERNAME>.key -out server.p12 -name server
import pkcs12 certificate into empty keystore: keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias server
I then followed the top part of jboss documentation I linked above above using the the wildfly-cli located in the bin directory. This writes the needed xml into the standalone.xml so make sure you use the vanilla one that ships with wildfly 26.0.1. After that I had to enable the ssl redirection using this: Redirect http requests to https in wildfly 10
Hope it helps
Here is how my Widfly (20) is configured regarding SSL.
Assuming you have already setup a Java keystore whose entry named 'server' is containing your certificate/key, you have to tell Wildfly to look for that particular alias ('server') in your keystore:
<management>
<security-realms>
...
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="..." alias="server" key-password="..." generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
I am trying to run keycloak on HTTPS using a self-signed certificate.
I followed this doc https://wjw465150.gitbooks.io/keycloak-documentation/content/server_installation/topics/network/https.html.
I have done everything as mentioned but skipped the CA certificate request because I need self-signed.
But it is still running in HTTP and not HTTPS .
It would be great if anyone would be able to guide me in this.
I have created the certificate with the following command:
keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
I have made the following changes in standalone.xml:
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" alias="localhost" keystore-password="my_passward" />
</ssl>
</server-identities>
</security-realm>
and changed the HTTPS listener part to the new security realm :
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
What am I missing? why is it not running in HTTPS?
Thanks in advance.
You need to add the new security realm element using CLI tools.
Do refer to this official documentation for more.
I'm trying to enable SSL on my wildfly 11 application server, i bought an ssl certificate in godaddy and downloaded a zip file with this inside:
1. 22c8728db3996008.crt
2. 22c8728db3996008.pem
3. gd_bundle-g2-g1.crt
I follow this steps to install, with this commands:
1. keytool -genkey -alias myalias -keyalg RSA -keystore keystore.jks
2. keytool -import -alias root -keystore keystore.jks -trustcacerts -file C:\path\to\cert\22c8728db3996008.crt
3. keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file C:\path\to\cert\gd_bundle-g2-g1.crt
Then copy the keystore.jks file on the standalone/configuration directory
And modify standalone.xml file:
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="myalias" key-password="mypassword"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
And
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
Then restart the server but booting appears this error:
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SslRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SslRealm.key-manager: Failed to start service
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
... 3 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:114)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
... 7 more
How can i install and use my ssl certificate?
After many tries, I was able to solve it.
First to create a keystore file (.keystore), install KeyStore Explorer and follow this steps.
Second for add the keytore file to Wildfly follow this steps.
To redirect all traffic from the server to HTTPS do with this.
And that's it, the SSL certificate works ok.
Hope this help to someone.
So I bought a certificate I got a certificate, a key, and intermediate that has 2 beginnings I dont know if that counts or should be add as separated intermediate.
I added the certificate and the intermidate like this.
keytool -import -trustcacerts -alias rootmydomain -file rootmydomain.crt -keystore mykeystore.keystore
keytool -import -trustcacerts -alias interm.mydomain -file interm.mydomain.crt -keystore mykeystore.keystore
I didnt have a problem so far, it crated a mykeystore.keystore file in my wildfly/standalone/configuration/ folder. I was even able to list my entries in mykeystore.keystore.
Then added the following to my standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="mykeystore.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="rootmydomain" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I get the followin error:
04:55:22,538 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ssl-realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ssl-realm.key-manager: WFLYDM0083: The KeyStore /opt/wildfly-10.0.0.Final/standalone/configuration/mykeystore.keystore does not contain any keys.
I had the same configuration with an cert generated by myself and it worked. I dont know why I am not able to make is work like this.
Based on the commands you issued, there are indeed no keys in your keystore, just certificates. You need to get your private key in the keystore in order for Wildfly to be able to pick it up.
importing an existing x509 certificate and private key in Java keystore to use in ssl is an example of how it can be done.
I checked Wildfly docs and also other sources, but I just can't get SSL to work in Wildfly.
I exported my keystore file:
openssl pkcs12 -export -out output_cert.pfx -inkey domain.key -in domain.crt -certfile ../ca.crt
keytool -v -importkeystore -srckeystore output_cert.pfx -srcstoretype PKCS12 -destkeystore output_store.jks -deststoretype JKS
I got no errors in the commands above.
Then I configured standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="SSL/output_store.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="1" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I added this to the default-server.
<https-listener name="https" security-realm="ssl-realm" socket-binding="https"/>
I started Wildfly, no errors appeared in the log and I found this line:
10:17:58,475 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTPS listener https listening on my_ip:8443
Then I deployed an application to the root (/) web context and tried to access it through my_ip:8443, https://my_ip, my_domain:8443, https://my_domain.
However I always get a page with the message "The connection was reset". If I change the URL to my_ip:8080, the application can be found through http.
Anyone have any idea what I might be doing wrong?
It was a really silly mistake.
I had to try to access https://my_domain:8443.
I had tried all combinations, except the correct one.