Learn to Enable Https or Ssl for Wildfly
Here are the steps I run through to enable SSL / HTTPS for Wildfly 14. Notice that instead of generating a key / certificate pair we inste...
https://www.czetsuyatech.com/2018/12/wildfly-enable-https-or-ssl.html
Here are the steps I run through to enable SSL / HTTPS for Wildfly 14.
Notice that instead of generating a key / certificate pair we instead use a special type of container for java which is a keystore. A keystore is a single file that contains both the key and the certificate.
Assuming we are trying to secure the website broodcamp.com, here are the steps:
1.) Generate the key, in the Firstname and Lastname entry, enter your FQDN, which in our case broodcamp.com
>keytool -genkey -alias broodcamp.com -keyalg RSA -keystore keycloak.jks
2.) Convert the keystore to pkcs12 format.
>keytool -importkeystore -srckeystore keycloak.jks -destkeystore keycloak.jks -deststoretype pkcs12
3.) Generate a certificate request that we will submit to a certificate broker like namecheap.com. We will be using a Comodo PositiveSSL certificate from namecheap: https://www.namecheap.com/security/ssl-certificates/comodo/positivessl.aspx.
>keytool -certreq -alias broodcamp.com -keystore keycloak.jks > keycloak.careq
*In order to validate the certificate, I use domain validation and added a CNAME. You can also use email, etc.
4.) After validation, you should received a zipped file from namecheap that contains 3 files, the certificate, the bundle and the p7b. We will use the p7b which already contain the certificate chain and import to our keystore.
>keytool -import -alias broodcamp.com -trustcacerts -file broodcamp_com.p7b -keystore keycloak.jks
keytool -list -v -keystore keycloak.jks
*Now we have a signed certificate and here's how it should look like in Windows.
Manifest
/rest/manifest/manifest
CONFIDENTIAL
Notice that instead of generating a key / certificate pair we instead use a special type of container for java which is a keystore. A keystore is a single file that contains both the key and the certificate.
Assuming we are trying to secure the website broodcamp.com, here are the steps:
1.) Generate the key, in the Firstname and Lastname entry, enter your FQDN, which in our case broodcamp.com
>keytool -genkey -alias broodcamp.com -keyalg RSA -keystore keycloak.jks
2.) Convert the keystore to pkcs12 format.
>keytool -importkeystore -srckeystore keycloak.jks -destkeystore keycloak.jks -deststoretype pkcs12
3.) Generate a certificate request that we will submit to a certificate broker like namecheap.com. We will be using a Comodo PositiveSSL certificate from namecheap: https://www.namecheap.com/security/ssl-certificates/comodo/positivessl.aspx.
>keytool -certreq -alias broodcamp.com -keystore keycloak.jks > keycloak.careq
*In order to validate the certificate, I use domain validation and added a CNAME. You can also use email, etc.
4.) After validation, you should received a zipped file from namecheap that contains 3 files, the certificate, the bundle and the p7b. We will use the p7b which already contain the certificate chain and import to our keystore.
>keytool -import -alias broodcamp.com -trustcacerts -file broodcamp_com.p7b -keystore keycloak.jks
keytool -list -v -keystore keycloak.jks
*Now we have a signed certificate and here's how it should look like in Windows.
Next series of steps are to modify Wildfly's standalone.xml file to enable SSL.
5.) Modify ApplicationRealm and add the keystore.
After: <security-realm name="ApplicationRealm"> add:
<ssl>
<keystore alias="server" generate-self-signed-certificate-host="localhost" key-password="password" keystore-password="password" path="application.keystore" relative-to="jboss.server.config.dir"></ssl>
6.) Search for: <server name="default-server"> and add:
7.) If you're using java and you have a web.xml in your application, you need to enable the SSL transport. For example you have a resource manifest and want to secure it.
And before I forgot, if you are using Wildfly, it means you are running on port 8080 by default and 8443 for HTTPS. So make sure to redirect the request to 8443 and not 443.
Post a Comment