4 Replies Latest reply on Sep 18, 2015 11:50 PM by yang qingfu

    WildFly SSL configuration - some of ideas

    inspector Newbie

      Hi everybody,

       

      I like to work with JBoss and WildFly. It's a valuable piece of software and I'm quite happy with it. Working with JBoss AS7 (and EAP 6) and later WildFly 8.2 I realized more and more a wish for an improved security configuration especially for TLS / SSL. I'd like to start a discussion about this topic. Let me start with some thoughts and ideas:

       

      In the AS7 you configure SSL for the...

      • ... management interfaces in the management realm
      • ... remote ejb and jndi clients via the corresponding realm
      • ... messaging in the hornetq subsystem with options in the connectors and acceptors
      • ... tomcat in the web subsystem (which featured a very flexible security configuration that I liked)

      Now with WildFly we also configure undertow in a corresponding realm. This is a step I appreciate in terms of centralization of the configuration. But I miss the freedom to configure ciphers for the other interfaces than undertow. I'm not sure if that's just on my system (Oracle JDK 1.7) but for the management interface I have ciphers like RC4 with MD5 active! So I feel quite a need to configure that.

       

      Seeing that, I started thinking about what I would expect from an application server in terms of security configuration:

      • the security configuration should be highly customizable fore every single interface, that includes including and excluding ciphers and protocol versions (sometimes TLS1.2 only is required)
      • the security configuration should have rather secure defaults (exclude ciphers like RC4)
      • the security configuration should be centralized
      • the security implementation should be exchangeable (like with the old tomcat based web subsystem where you could choose between OpenSSL and JSSE)

       

      I'm not sure if the Realm concept is up to that but I see it as a starting point in terms of centralization. In WildFly it is even more decentralized as you specify the keystore etc. in the realm and the ciphers for undertow in the undertow subsystem.

       

      Beeing quite visionary I imagined a thin SSL api that could be used by the different interfaces (undertow, hornetq, ...). This api would pull it's configuration from a central configuration and delegate to some implementation like OpenSSL or JSSE. I know this would require every changes in every place where SSL is being used. But I see this as quite beneficial as you could quickly react to recent security problems (bugs, broken algorithms/protocols) by either reconfiguring the ciphers or completely switching to another SSL implementation.

       

      What do you think about the current state of the security config?

      What do you think is doable to improve the current situation?

      How do other people cope with similar problems?

      Last but not least a question to the WildFly devs: Do you have anything security related on your agenda?

       

      Regards!

        • 1. Re: WildFly SSL configuration - some of ideas
          David Lloyd Master

          Well I certainly have some good news for you.  As a part of the WildFly 10 work, we will be overhauling several security-related areas, and this will include an effort to centralize all SSL configuration in much the way you propose.  Keep your ear to the ground; you should start to notice pull requests coming across for this very shortly after WildFly 9 is branched.

           

          If you're interested in the standalone security project which will be the basis for this work, it's called WildFly Elytron, and it can be found at https://github.com/wildfly-security/wildfly-elytron/ (the bug tracker is at https://issues.jboss.org/browse/ELY).

          • 2. Re: WildFly SSL configuration - some of ideas
            inspector Newbie

            Oh yeah, that's indeed good news . I heard the name elytron once but just in the context of a picketbox replacement.

             

            I had a very quick look into the configuration options the future subsystem will provide. It looks like the crypto provider is meant to be configurable - awesome. Does/will elytron address ciphers as well?

             

            I will definitely check elytron out in more depth.

            • 4. Re: WildFly SSL configuration - some of ideas
              yang qingfu Newbie

              hi,i have some issue like this:

              i config ssl in wildfly 9 in standalone.xml

               

                  <security-realms>

                         <security-realm name="SslRealm">

                              <server-identities>

                                      <ssl>

                                       <keystore path="my.keystore" relative-to="jboss.server.config.dir" keystore-password="Acrosspm@2013"/>

                                      </ssl>

                               </server-identities>

               

              i want to use vault.sh to encrypt this password ,but vault tool in wildfly 9 only support jcks keystore. if i use jks keystore ,it will show wrong like

              =========================================================================

               

               

                JBoss Vault

               

               

                JBOSS_HOME: /opt/wildfly_9/wildfly-9.0.1.Final

               

               

                JAVA: /opt/netwatcher/pm4h2/app/opt/jdk1.8.0_51/bin/java

               

               

              =========================================================================

              **********************************

              ****  JBoss Vault  ***************

              **********************************

              Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit

              0

              Starting an interactive session

              Enter directory to store encrypted files: /opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/

              Enter Keystore URL: /opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/my.keystore

              Enter Keystore password:

              Enter Keystore password again:

              Values match

              Enter 8 character salt: 12345678

              Enter iteration count as a number (e.g.: 44): 50

              Enter Keystore Alias: pmserver

              WFLYSEC0056: Initializing Vault

              WFLYSEC0059: Exception encountered:WFLYSEC0045: Exception encountered:

              Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit

               

               

              so,i try to use jcks keystore .it works! vault tool support it. and i get my configruation .

                <vault>

                        <vault-option name="KEYSTORE_URL" value="/opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/wildfly.store"/>

                        <vault-option name="KEYSTORE_PASSWORD" value="MASK-0Mvr5Mh9WycddzuV1sSsHL"/>

                        <vault-option name="KEYSTORE_ALIAS" value="wildflyVault"/>

                        <vault-option name="SALT" value="12345678"/>

                        <vault-option name="ITERATION_COUNT" value="50"/>

                        <vault-option name="ENC_FILE_DIR" value="/opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/"/>

                     </vault>

               

               

              but the jcks keystore is can not used in wildfly 9‘s standalone.xml  for ssl  configuration .when i start wildfly ,it not works!. i think the ssl configuration in wildfly is only support jck keystore.

               

              so i don’t known how to config  ssl configuration with a vault expressions.please give me some advice.