
How to set up SSL on WildFly 9 Domain Mode?


I currently have a WildFly 9 cluster up and running with access to my application over port 8080. I would like to set up SSL and have access only on port 8443, but I cannot seem to find any documentation for where the security realm and HTTPS listener are placed in domain mode.

I have the keystore and certificate all set up and was able to get https working in a demo using standalone mode, but I need to be able to do it in domain mode.

Can anyone help me out and share how they've accomplished this?


Solution

  • Solved it! It turns out that for some reason JBoss was not registering my security realm and HTTPS listener. To do this you need to use bin/jboss-cli and the commands:

    RUN THE "CONNECT" COMMAND FIRST

    /host=master/core-service=management/security-realm=SSLRealm/:add() 
    

    ---where SSLRealm is the name of the realm

    /host=master/core-service=management/security-realm=SSLRealm/server-identity=ssl/:add(keystore-path=Keystore.jks, keystore-relative-to=jboss.domain.config.dir, keystore-password=password)
    

    ---this assumes the keystore lives in the domain/configuration directory

    Restart the server.

    I then ran into issues figuring out the command to register the HTTPS listener, but I found that the WildFly web console at serverURL:9990 has a way to do it too:

    Once logged in to the web console: Configuration -> Profiles -> for each profile which is used -> Undertow -> HTTP -> View

    From there

    HTTP Server -> default-server -> View

    Finally

    HTTPS Listener -> ADD: enter a name like default-https, Security Realm: the name chosen for the security realm (for this example SSLRealm), Socket Binding: https, and click Save.

    Restart again

    You should now have access at your serverURL:8443.

    To set it up on slave servers you should only need to copy the keystore to each slave server's domain/configuration directory, add the security realm by replacing /host=master/ with /host=slave/ in the command, and then restart the server.

    Double-check that the domain.xml file on the slave has the HTTPS listener you created originally in the web console (it should automatically be put into all of the cluster's domain.xml files).
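The same steps as a script, added here as an example and not code from the original answer: it generates the jboss-cli operations for every host controller and every profile in one run (realm and keystore identity per host, HTTPS listener per profile, plus removal of the plain HTTP listener so the application answers on 8443 only), and includes the domain.xml check from the last step. Host names "master" and "slave", profile "full-ha", realm "SSLRealm" and keystore "Keystore.jks" are assumed values.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed names: hosts "master"
# and "slave", profile "full-ha", realm "SSLRealm", keystore "Keystore.jks"
# placed in each host's domain/configuration directory.

# gen_ssl_cli REALM KEYSTORE PASSWORD "HOST ..." "PROFILE ..."
# Prints the CLI operations; run them with: jboss-cli.sh --connect --file=ssl.cli
gen_ssl_cli() {
    realm=$1; keystore=$2; password=$3; hosts=$4; profiles=$5
    for h in $hosts; do
        # The realm and its keystore identity are host-controller settings,
        # persisted into that host's host.xml (the keystore password included),
        # so they are added once per host.
        echo "/host=$h/core-service=management/security-realm=$realm:add()"
        echo "/host=$h/core-service=management/security-realm=$realm/server-identity=ssl:add(keystore-path=$keystore, keystore-relative-to=jboss.domain.config.dir, keystore-password=$password)"
    done
    for p in $profiles; do
        # The listener is a profile setting in domain.xml, which the domain
        # controller pushes to every host, so it is added once per profile.
        echo "/profile=$p/subsystem=undertow/server=default-server/https-listener=default-https:add(socket-binding=https, security-realm=$realm)"
        # Drop the plain HTTP listener so servers in this profile answer on 8443 only.
        echo "/profile=$p/subsystem=undertow/server=default-server/http-listener=default:remove()"
    done
}

# has_https_listener DOMAIN_XML NAME -> exit status 0 if the listener is present.
# The double-check from the last step: confirm the listener reached a
# slave's domain.xml after the restart.
has_https_listener() {
    grep -q "<https-listener name=\"$2\"" "$1"
}
```

Restart the hosts after the operations have been applied, exactly as in the steps above.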