3 Replies Latest reply on Aug 2, 2017 9:20 PM by nurubhas

Is it possible to configure multiple SSL certificates for one server group In Jboss EAP 7 ?

nurubhas Jul 27, 2017 10:48 PM

Hello All,

I have requirement, I have to configure SSL certificates for my two applications. & that two applications i have assigned to one server group.

Initially.. I have created a realm for one application name as Test1 realm & I configured the same in Undertow subsystem in domain box(like for reference)...

Then ..I could see that 1st application is accessible with https.

for Second application ... I have created another security relam named as Test2-realm( Reason.. we can't keep two identities in single Realm--- I thought).

then... in domain box the same profile sub system... I have to configure Test2 realm... when i am doing CLI got some error(Reason: defult server it wont take tow https protocols--- like duplicate)

for that... I have added another server in undertow subsystem named as default-server2 & I started domain box... everything came up as usual... but while starting the JVM(apps hosted JVM) get the below error.

please suggest.. is there any other way to configure multiple https protocol in one server group.

domain.xml configuration :

==========================

<http-listener name="default" socket-binding="http" redirect-socket="https"/>

<https-listener name="https" secure="true" enabled-protocols="TLSv1.1,TLSv1.2" security-realm="Test-Realm" socket-binding="https"/>

<filter-ref name="server-header"/>

<filter-ref name="x-powered-by-header"/>

</host>

</server>

<server name="default-server2"> ------------------------------------- > Added below lines

<http-listener name="default" socket-binding="http" redirect-socket="https"/>

<https-listener name="https" secure="true" enabled-protocols="TLSv1.1,TLSv1.2" security-realm="Test2-Realm" socket-binding="https"/>

<host name="default-host" alias="localhost">

<location name="/" handler="welcome-content"/>

<filter-ref name="server-header"/>

<filter-ref name="x-powered-by-header"/>

</host>

</server>

Host-slave.xml:

==============

<security-realm name="Test-Realm">

<server-identities>

<ssl>

</ssl>

</server-identities>

</security-realm>

<security-realm name="Test2-Realm">

<server-identities>

<ssl>

</ssl>

</server-identities>

</security-realm>

</security-realms>

ERROR: Message:

[Server:Test-server-2] 07:48:26,667 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2

[Server:Test-server-2] 07:48:27,143 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 59) WFLYCTL0013: Operation ("add") failed - address: ([

[Server:Test-server-2] ("subsystem" => "undertow"),

[Server:Test-server-2] ("server" => "default-server2"),

[Server:Test-server-2] ("http-listener" => "default")

[Server:Test-server-2] ]): org.jboss.msc.service.DuplicateServiceException: Service jboss.undertow.listener.default is already registered

[Server:Test-server-2] at org.jboss.msc.service.ServiceRegistrationImpl.setInstance(ServiceRegistrationImpl.java:158)

[Server:Test-server-2] at org.jboss.msc.service.ServiceControllerImpl.startInstallation(ServiceControllerImpl.java:235)

[Server:Test-server-2] at org.jboss.msc.service.ServiceContainerImpl.install(ServiceContainerImpl.java:768)

[Server:Test-server-2] at org.jboss.msc.service.ServiceTargetImpl.install(ServiceTargetImpl.java:223)

[Server:Test-server-2] at org.jboss.msc.service.ServiceControllerImpl$ChildServiceTarget.install(ServiceControllerImpl.java:2401)

[Server:Test-server-2] at org.jboss.msc.service.ServiceTargetImpl.install(ServiceTargetImpl.java:223)

[Server:Test-server-2] at org.jboss.msc.service.ServiceControllerImpl$ChildServiceTarget.install(ServiceControllerImpl.java:2401)

[Server:Test-server-2] at org.jboss.msc.service.ServiceBuilderImpl.install(ServiceBuilderImpl.java:317)

[Server:Test-server-2] at org.jboss.as.controller.OperationContextImpl$ContextServiceBuilder.install(OperationContextImpl.java:2129)

[Server:Test-server-2] at org.wildfly.extension.undertow.ListenerAdd.performRuntime(ListenerAdd.java:112)

1. Re: Is it possible to configure multiple SSL certificates for one server group In Jboss EAP 7 ?

mchoma Jul 28, 2017 4:31 AM (in response to nurubhas)

You need another configuration for default-server2. Another *-listener names and another soket-bindigs.

<http-listener name="default2" socket-binding="http2" redirect-socket="https2"/>
<https-listener name="https2" secure="true" enabled-protocols="TLSv1.1,TLSv1.2" security-realm="Test2-Realm" socket-binding="https2"/>

Note, SSL certificate should match hostname (port doesn't matter), otherwise browser will complain.

Unfortunately SNI (matching multiple certificates to one IP address) is not supported by wildfly yet [1]

[1] [UNDERTOW-750] SNI Support in Undertow - JBoss Issue Tracker
Actions
2. Re: Is it possible to configure multiple SSL certificates for one server group In Jboss EAP 7 ?

nurubhas Jul 28, 2017 5:13 AM (in response to mchoma)

Hi Martin,

Thanks for reply...

I will check..that

Thanks
Nurubhas
Actions
3. Re: Is it possible to configure multiple SSL certificates for one server group In Jboss EAP 7 ?

nurubhas Aug 2, 2017 9:20 PM (in response to mchoma)

Hi Martin,

I have updated the configuration in socket bindings.. I could able to start the server without any issue... and I could see both http2 & https2 listeners are available.
but my final destination is 2 applications run with individual certificates.

Assume benefits.war should be accessed with benefits.jks and other app browsestore should access with browse.jks.

I have attached snippets.. I could able to access the apps http & https both... but I am looking to apps should run with individual.

https://192.168.127.129:8493 ----> should be browsestore applicaion
https://192.168.127.129:1894 ----> should be benefits application

Thanks
Nurubhas
Actions

Go to original post