Disable SSLv3 in Wildfly app server - ssl

How do I disable SSLv3 in the Wildfly app server? The following configuration
    <server-identities>
        <ssl protocol="TLSv1">
            <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
        </ssl>
    </server-identities>
falls back to SSLv3 if SSLv3 is requested. It looks like the associated bug https://bugzilla.redhat.com/show_bug.cgi?id=1153853 in Red Hat Bugzilla is closed as "WONTFIX".

Add enabled-protocols="TLSv1,TLSv1.1,TLSv1.2" to the element. It works with Wildfly 8.2.

Related

Keycloak does not work on https after setting up SSL

I have a problem where I don't know why it happens.
I have LetsEncrypt certificates which I use to create a .pfx file:
    openssl pkcs12 -export -out /tmp/certificate.pfx -inkey /etc/letsencrypt/live/ds-gym.de/privkey.pem -in /etc/letsencrypt/live/ds-gym.de/cert.pem -certfile /etc/letsencrypt/live/ds-gym.de/chain.pem
I set up Keycloak 8.0.1 as a service by following this tutorial (https://medium.com/#hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9) and it worked fine. Keycloak seems to set up a self-signed certificate, which is not what I want. First I set up Keycloak for SSL.
With the jboss-cli.sh file I do the following (described here: https://www.keycloak.org/docs/latest/server_installation/#setting-up-https-ssl):
    /core-service=management/security-realm=UndertowRealm:add()
    /core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)
    /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=UndertowRealm)
Now my security realm looks like this:
    <security-realm name="UndertowRealm">
        <server-identities>
            <ssl>
                <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
            </ssl>
        </server-identities>
    </security-realm>
I import the certificate now:
    keytool -importkeystore -srckeystore /tmp/certificate.pfx -srcstoretype pkcs12 -destkeystore /opt/keycloak/standalone/configuration/keycloak.jks -deststoretype JKS
Then I restart keycloak:
systemctl restart keycloak
Now I get the following error:
HTTP ERROR 502
You can also check the network tab of my website if that helps.
The keycloak service is up and running, however it seems it does not work on port 8443 anymore.
The listener looks like this:
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
Any idea why this happens? Are my certificates wrong? I'm quite desperate with Keycloak already :-(
Edit:
This is my logged error:
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "WFLYDM0018: Unable to start service
    Caused by: java.security.UnrecoverableKeyException: Cannot recover key"}}
2019-12-23 19:12:57,421 INFO [org.jboss.as.server] (ServerService Thread Pool -- 43) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
2019-12-23 19:12:57,423 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: WFLYDM0018: Unable to start service
WFLYCTL0448: 2 additional services are down due to their dependencies being missing or failed
2019-12-23 19:12:57,569 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
2019-12-23 19:12:57,578 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
2019-12-23 19:12:57,579 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
2019-12-23 19:12:57,580 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 8.0.1 (WildFly Core 10.0.3.Final) started (with errors) in 41093ms - Started 586 of 888 services (4 services failed or missing dependencies, 604 services are lazy, passive or on-demand)
It looks like the keystore is incorrectly generated. Check that:
You set the value of keystore-password to match the actual keystore password.
You set the alias root for the root certificate.
You set the alias yourdomain.com for the domain certificate.
Try to follow the steps exactly as described in the documentation.

Wildfly 13 JMX using SSL

I am using Wildfly 13 standalone with JMX enabled:
    <remoting-connector/>
The management interface is going through https:
    <management-interfaces>
        <http-interface security-realm="ManagementRealm">
            <http-upgrade enabled="true"/>
            <socket-binding https="management-https"/>
SSL is set up:
    <security-realm name="ManagementRealm">
        <server-identities>
            <ssl>
                <keystore path=.../>
            </ssl>
        </server-identities>
When I start JConsole and try to connect on
    service:jmx:remote+http://localhost:9993
I don't get a connection.
When I revert the binding to http I can connect to service:jmx:remote+http://localhost:9990
Is it possible to have JMX with SSL using the remote+http protocol?
Thanks,
--Ivo
It should be service:jmx:remote+https://<server>:9993

SSL config for outbound connections doesn't work in websphere-liberty 17.0.0.2

I'm trying to configure the websphere-liberty server to use the default keystore and truststore for all outbound connections (actually REST calls) and, for inbound, custom key and trust stores. But it fails with an SSLHandshakeException when I try to make a call to an external REST service. In the logs I can see that it uses my custom truststore instead of the default one.
Below is my server.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <server description="Default server">
        <featureManager>
            <feature>appSecurity-2.0</feature>
            <feature>transportSecurity-1.0</feature>
            <feature>jaxrs-2.0</feature>
            <feature>json-1.0</feature>
            <feature>javaMail-1.5</feature>
            <!--<feature>ssl-1.0</feature>-->
        </featureManager>
        <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
        <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
        <keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
        <keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
        <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
        <basicRegistry id="basic" realm="BasicRealm">
            <!-- <user name="yourUserName" password="" /> -->
        </basicRegistry>
        <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
        <applicationManager autoExpand="true"/>
    </server>
BTW, if I change saasSSLConfig to use defaultTrustStore instead of saasTrustStore then everything works fine.
Server version:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
Error:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this:
    <ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
    <keyStore id="cacertKeyStore" location=<fill in path to your jdk cacerts file> password="changeit" />
I am assuming you do not need a key for this configuration, so I simplified it to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.
In your configuration I do not see keyStore elements for defaultKeyStore and defaultTrustStore. If they are missing, that will cause outboundSSLConfig to be an invalid SSL configuration. Can you please add them and see if things work.
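Added check, not from the answer above and not IBM's code: a short Python script that resolves the sslRef/outboundSSLRef and keyStoreRef/trustStoreRef chains in a Liberty server.xml and reports references to keyStore or ssl ids that are not defined anywhere in the file, which is exactly the invalid-configuration case the answer suspects for outboundSSLConfig. It also flags an sslProtocol below TLSv1.2, because the question's saasSSLConfig pins TLSv1. The server.xml sample is a constructed, trimmed copy of the question's; the cacerts path in the fixed variant is an assumed placeholder.

```python
"""Resolve SSL references in a Liberty server.xml and report dangling ones.

Added example, not IBM's code or the poster's. Both samples are constructed.
"""
import xml.etree.ElementTree as ET

# sslProtocol values that negotiate below TLSv1.2.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed copy of the question's server.xml, trimmed to the SSL parts.
BROKEN_SERVER_XML = """<server description="Default server">
  <featureManager>
    <feature>transportSecurity-1.0</feature>
  </featureManager>
  <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig"/>
  <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore"
       clientAuthentication="true" sslProtocol="TLSv1"/>
  <keyStore id="saasKeyStore" location="resources/security/sbs_endpoint_keystore.jks" password="pwd"/>
  <keyStore id="saasTrustStore" location="resources/security/serverTruststore.jks" password="pwd"/>
  <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
</server>
"""

# The answer's fix applied: outboundSSLConfig points at an explicit keyStore
# for the JDK cacerts file (the path is an assumed placeholder) and the
# inbound config is raised to TLSv1.2.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace(
    '<ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>',
    '<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore"/>\n'
    '  <keyStore id="cacertKeyStore" location="/path/to/jdk/lib/security/cacerts" password="changeit"/>',
).replace('sslProtocol="TLSv1"', 'sslProtocol="TLSv1.2"')


def audit_ssl_refs(server_xml):
    """Return a sorted list of problem strings; an empty list means every ref resolves."""
    root = ET.fromstring(server_xml)
    keystores = {ks.get("id") for ks in root.iter("keyStore")}
    ssl_configs = {s.get("id"): s for s in root.iter("ssl")}
    problems = []
    # sslDefault must point at ssl elements that exist.
    for default in root.iter("sslDefault"):
        for attr in ("sslRef", "outboundSSLRef"):
            ref = default.get(attr)
            if ref is not None and ref not in ssl_configs:
                problems.append("sslDefault %s=%r: no <ssl id=%r>" % (attr, ref, ref))
    # Each ssl element must point at keyStore elements that exist.
    for sid, ssl in ssl_configs.items():
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = ssl.get(attr)
            if ref is not None and ref not in keystores:
                problems.append("ssl %r %s=%r: no <keyStore id=%r>" % (sid, attr, ref, ref))
        proto = ssl.get("sslProtocol")
        if proto in WEAK_PROTOCOLS:
            problems.append("ssl %r sslProtocol=%r is below TLSv1.2" % (sid, proto))
    return sorted(problems)


if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, audit_ssl_refs(xml) or "OK")
```

Against the question's file the script reports the two dangling defaultKeyStore/defaultTrustStore references plus the TLSv1 pin; against the fixed variant it reports nothing. Run it on a real file with audit_ssl_refs(open("server.xml").read()).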

Wildfly SSL protocol (TLSv1.2) configuration

I would like to know the correct way of configuring the SSL protocol on wildfly.
On looking at examples, I found two different ways of doing so. I want to know which one is the proper way of doing it:
Adding it in the protocol section as below:
    <security-realm name="sslRealm">
        <server-identities>
            <ssl protocol="TLSv1.2">
Or adding it in the https listener as below:
    <https-listener name="https" socket-binding="https" security-realm="sslRealm" enabled-protocols="TLSv1.2"/>
I'm using wildfly-8.2.0.Final.
The configuration options shown here also apply to Wildfly 9 and 10.
The correct way is using both of them. They are intimately related; see below how.
<https-listener ..>
The Wildfly Undertow subsystem supports the enabled-protocols attribute, which is a comma-separated list of protocols to be supported. For example:
    enabled-protocols="TLSv1.1,TLSv1.2"
With just TLSv1.2, many vulnerabilities are plugged. However, by default Wildfly supports all versions of TLS (v1.0, v1.1 and v1.2), even though versions below 1.2 are considered weak.
<server-identities />
Here, basically, you can choose one of the previously enabled protocols.
    <security-realm name="sslRealm">
        <server-identities>
            <ssl protocol="TLSv1.2">
The protocol attribute is set to TLS by default and in general does not need to be set.
Note that without any change to the default configuration, you get an https server that supports TLSv1.0, TLSv1.1 and TLSv1.2.
To check the effects of those configurations, use this:
    nmap --script ssl-enum-ciphers -p 8443 <your wildfly IP>
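Added check, not from either answer and not part of WildFly: a Python audit that reads a WildFly 8/9/10 standalone.xml and reports every Undertow https-listener that omits enabled-protocols (the default the answer describes, where TLSv1.0 and TLSv1.1 stay enabled) or lists a protocol below TLSv1.2, and also the <ssl protocol> of the security realm each listener references. It covers this question and the SSLv3 question at the top of the page, where the fix was the same enabled-protocols attribute. The standalone.xml sample is constructed for the example and its namespace URIs are assumptions; elements are matched by local name, so the urn:jboss:domain version does not matter.

```python
"""Audit WildFly https-listeners for weak or missing TLS protocol settings.

Added example, not from the original posts. Elements are matched by local
name, so the namespace versions in the constructed sample are assumptions.
"""
import xml.etree.ElementTree as ET

# Protocol names accepted by WildFly/JSSE that sit below TLSv1.2.
WEAK = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample: one hardened listener, one with TLSv1.x enabled,
# and one with no enabled-protocols attribute at all.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:2.2">
  <management>
    <security-realms>
      <security-realm name="sslRealm">
        <server-identities>
          <ssl protocol="TLSv1.2">
            <keystore path="https.keystore" relative-to="keystore.home"
                      keystore-password="secret" alias="https" key-password="secret"/>
          </ssl>
        </server-identities>
      </security-realm>
      <security-realm name="legacyRealm">
        <server-identities>
          <ssl>
            <keystore path="legacy.keystore" relative-to="keystore.home"
                      keystore-password="secret"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
      <server name="default-server">
        <https-listener name="https" socket-binding="https"
                        security-realm="sslRealm" enabled-protocols="TLSv1.2"/>
        <https-listener name="legacy" socket-binding="https-legacy"
                        security-realm="legacyRealm"
                        enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"/>
        <https-listener name="default" socket-binding="https-default"
                        security-realm="sslRealm"/>
      </server>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """'{urn:jboss:domain:undertow:1.2}https-listener' -> 'https-listener'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(element, local_name):
    """All descendants of element with the given local name, in any namespace."""
    return [el for el in element.iter() if _local(el.tag) == local_name]


def audit_https_listeners(standalone_xml):
    """Return a list of (listener name, finding) pairs; an empty list means clean."""
    root = ET.fromstring(standalone_xml)
    realms = {r.get("name"): r for r in _find_all(root, "security-realm")}
    findings = []
    for listener in _find_all(root, "https-listener"):
        name = listener.get("name")
        enabled = listener.get("enabled-protocols")
        if enabled is None:
            # Undertow default: every protocol the JVM enables, TLSv1.0 upwards.
            findings.append((name, "no enabled-protocols: TLSv1.0/1.1 accepted by default"))
        else:
            protos = {p.strip() for p in enabled.split(",") if p.strip()}
            weak = sorted(protos & WEAK)
            if weak:
                findings.append((name, "weak protocols enabled: " + ",".join(weak)))
        realm_name = listener.get("security-realm")
        realm = realms.get(realm_name)
        if realm is None:
            findings.append((name, "security-realm %r is not defined" % realm_name))
            continue
        ssl_elements = _find_all(realm, "ssl")
        if not ssl_elements:
            findings.append((name, "realm %r has no <ssl> server identity" % realm_name))
        elif ssl_elements[0].get("protocol") in WEAK:
            findings.append((name, "realm %r pins <ssl protocol=%r>"
                             % (realm_name, ssl_elements[0].get("protocol"))))
    return findings


if __name__ == "__main__":
    for listener, finding in audit_https_listeners(SAMPLE_STANDALONE_XML):
        print("%-8s %s" % (listener, finding))
```

Run it on a live file with audit_https_listeners(open("standalone.xml").read()); an empty list is the target state, and the nmap command from the answer confirms the same thing from the network side after a restart.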

wildcard certificate clientAuth=true

I'm having issues with a web service I'm trying to host.
Running on CentOS 6.5 amd64 / linux x86_64, Tomcat 8.0.9, Java 1.7.0_60, CXF 3.0.
When I set up my Connector as such:
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/server.jks"
               keyAlias="salesproxy.<domain>.com"
               keystorePass="<password>"
               clientAuth="false" sslProtocol="TLS" />
I can pull the WSDL via HTTPS and view the certificate and all is good.
But, if I set clientAuth="true" and add truststoreFile, truststoreType and truststorePass attributes to the Connector, I can't even access the WSDL via HTTPS. I receive a "Error code: ERR_SSL_PROTOCOL_ERROR" message from Chrome.
In my log with javax.net.debug=ssl set, below are the last few lines:
    *** ServerHelloDone
    http-nio-443-exec-4, WRITE: SSLv3 Handshake, length = 13028
    http-nio-443-exec-6, READ: SSLv3 Alert, length = 2
    http-nio-443-exec-6, RECV SSLv3 ALERT: warning, no_certificate
    SSL -- handshake alert: no_certificate
    http-nio-443-exec-6, fatal error: 80: problem unwrapping net record
    javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
    %% Invalidated: [Session-67, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
    http-nio-443-exec-6, SEND SSLv3 ALERT: fatal, description = internal_error
    http-nio-443-exec-6, WRITE: SSLv3 Alert, length = 2
    http-nio-443-exec-6, called closeOutbound()
    http-nio-443-exec-6, closeOutboundInternal()
In Chrome and the Windows 8 certmgr, I've installed the client cert in every place that makes any sense to me, without any change in behavior. One point to note is that the server is using a GoDaddy wildcard SSL certificate. I've used wildcard certs before, but not with 2-way SSL auth.
Any help/suggestions/recommendations would be greatly appreciated!