5 Replies Latest reply on Feb 7, 2017 6:52 AM by perob_99

    How to set up SSL in domain mode?

    udit-mishra-5113a21a

I want to know how to set up SSL in domain mode? I searched and I saw all the examples are for standalone mode. If there is any step by step guide, it would be really helpful.

        • 1. Re: How to set up SSL in domain mode?
          nadirx

          Not much different. Security Realm configuration is based on WildFly's, so read https://docs.jboss.org/author/display/WFLY10/Detailed+Configuration

          • 2. Re: How to set up SSL in domain mode?
            udit-mishra-5113a21a

I am facing some problems. I created the server certificate, added the server certificate to the truststore file. I placed the certificates in my domain/configuration directory. Then I modified the xml accordingly. It gives me error like this -

             

            [Host Controller] 14:57:46,076 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
            [Host Controller]    ("host" => "Udit"),
            [Host Controller]    ("core-service" => "management"),
            [Host Controller]    ("management-interface" => "native-interface")
            [Host Controller] ]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
            [Host Controller]    "Services that were unable to start:" => [
            [Host Controller]        "jboss.remoting.authentication_provider.management",
            [Host Controller]        "jboss.remoting.server.management"
            [Host Controller]    ],
            [Host Controller]    "Services that may be the cause:" => ["jboss.server.path.\"jboss.server.config.dir\""]
            [Host Controller] }}

             

            Am I missing something? Do I have to put standalone-hotrod-ssl.xml file somewhere?

            • 3. Re: How to set up SSL in domain mode?
              udit-mishra-5113a21a

It was my mistake. Now I have configured it properly, it's working fine. Thank you nadirx

               

One doubt I have is that even if I specify require-ssl-client-auth="false" in the <encryption> tag of the <hotrod-connector> tag in domain.xml, why do I still need to pass the keystore file in ConfigurationBuilder? Does that mean both the truststore and keystore file are required at the client side? I want to know that if I set that property to true and put a <management>/<security-realms>/<security-realm name="ApplicationRealm">/<truststore> entry, will it also authenticate the hotrod client (assuming the client has a copy of the keystore and truststore files) apart from encrypting the entire channel with SSL? If yes, then I guess I don't need to authenticate my client using DIGEST-MD5, which I was doing earlier. Am I right?

               

Which files do I actually need at the server side, i.e. on all the cluster nodes, and on the client? Right now, I have kept both the files (keystore.jks and trustore.jks) in both places, and it's working fine.

               

Sorry, I asked too many questions, but I really need these answers, please bear with me.

              • 4. Re: How to set up SSL in domain mode?
                nadirx

                Let's distinguish encryption from authentication using certificates.

                 

                Encryption

When enabling encryption, the server needs to present its certificate to the incoming clients. This certificate is stored in the keystore and all the nodes in the cluster will use the same one. Generally you set this up once.

                When clients connect, they need to be able to recognize this certificate so, unless you have it signed by one of the Root CAs present in the JRE (jre/lib/security/cacerts), you will also need the clients to know about it.

                 

                Authentication using client-certificates

                Clients can authenticate themselves using their own certificate. In this scenario, each client will be issued with its own certificate, which also needs to be stored in the server's truststore.
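The two cases above, written out on the client side as an added example (this is not code from the thread or from the Infinispan project; it uses the Hot Rod client `ConfigurationBuilder` API as it exists in Infinispan 8/9, and the host, port, file names and passwords are placeholders to replace with your own):

```java
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.Configuration;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;

public class HotRodTlsClientConfig {

    // Constructed placeholder values: replace with your own server address and passwords.
    static final String SERVER_HOST = "127.0.0.1";
    static final int SERVER_PORT = 11222;
    static final char[] TRUSTSTORE_PASSWORD = "changeme".toCharArray();
    static final char[] KEYSTORE_PASSWORD = "changeme".toCharArray();

    /**
     * Encryption only (require-ssl-client-auth="false" on the server side).
     * The client only needs a truststore holding the server certificate
     * (or the CA that signed it); no client keystore is involved, because
     * the client never presents a certificate of its own.
     */
    public static Configuration encryptionOnly(String trustStorePath) {
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(SERVER_HOST).port(SERVER_PORT)
               .security().ssl().enable()
                   .trustStoreFileName(trustStorePath)
                   .trustStorePassword(TRUSTSTORE_PASSWORD);
        return builder.build();
    }

    /**
     * Encryption plus client-certificate authentication
     * (require-ssl-client-auth="true" on the server side).
     * The client additionally presents its own certificate from its keystore,
     * and the server must hold that certificate (or its CA) in the realm's truststore.
     */
    public static Configuration mutualTls(String trustStorePath, String keyStorePath) {
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(SERVER_HOST).port(SERVER_PORT)
               .security().ssl().enable()
                   .trustStoreFileName(trustStorePath)
                   .trustStorePassword(TRUSTSTORE_PASSWORD)
                   .keyStoreFileName(keyStorePath)
                   .keyStorePassword(KEYSTORE_PASSWORD);
        return builder.build();
    }

    public static void main(String[] args) {
        // Run with the argument "client-auth" to use the mutual-TLS configuration.
        boolean clientAuth = args.length > 0 && "client-auth".equals(args[0]);
        Configuration cfg = clientAuth
                ? mutualTls("client-truststore.jks", "client-keystore.jks")
                : encryptionOnly("client-truststore.jks");
        RemoteCacheManager rcm = new RemoteCacheManager(cfg);
        try {
            rcm.getCache().put("k", "v");
            System.out.println("TLS session established, client auth = " + clientAuth);
        } finally {
            rcm.stop();
        }
    }
}
```

The split of files follows directly from the two cases: the server's keystore (its private key) stays on the cluster nodes, the client's keystore (its private key) stays on the client, and each side's truststore only needs the other side's certificate or CA. Copying both keystores to both places, as the earlier reply describes, works but hands each side the other's private key, so it is worth trimming down once the setup is confirmed.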

                • 5. Re: How to set up SSL in domain mode?
                  perob_99

I have the same problem and the same message log, where was the mistake in your configuration? Thanks