5 Replies Latest reply on Feb 13, 2019 8:56 AM by Gerrit Hohl

    Different SSL certificates for different web applications

    Gerrit Hohl Newbie

      Hello everyone,

       

I'm running WildFly Full 14.0.1.Final here. I already managed to include a public SSL certificate into the keystore which is used by WildFly. That means the server presents the right certificate on HTTPS port 8443.

      Now I wanted to have a different SSL certificate on a different port, which also was no problem:

      • I added a 2nd security-realm which points to the 2nd keystore containing the 2nd SSL certificate (let's call it "ApplicationRealmB").
      • I added a 2nd security-domain pointing to that 2nd security-realm (let's call it "ApplicationDomainB").
      • I added a mechanism-realm for the 2nd security-realm in the SASL section (so in addition to the "ApplicationRealm" there is now also an entry for "ApplicationRealmB").
      • In the undertow section I added a separate HTTPS listener for that security realm (HTTPS listener "https-B" for security-realm "ApplicationRealmB").
      • In the socket-binding-group I added a socket-binding for that HTTPS listener (HTTPS listener "https-B" listening on port 8444).

      So far everything works well. The server presents the right SSL certificates on the corresponding ports. All web applications are accessible by HTTPS through the 2 ports (8443 & 8444).

       

But now I want the web applications to be accessible only through 1 of the ports (meaning security-realms / security-domains). I read that you can do that by putting the security-domain into the jboss-web.xml of your web application:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web>
      <jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.jboss.org/schema/jbossas
          http://www.jboss.org/schema/jbossas/jboss-web_7_2.xsd">
          
          <context-root>/applicationB</context-root>
          <security-domain>ApplicationDomainB</security-domain>
      </jboss-web>
      

      But somehow that doesn't work. The web application is still accessible through both ports (8443 & 8444).

       

      Any clue what the problem is / might be?

        • 1. Re: Different SSL certificates for different web applications
          Gerrit Hohl Newbie

          Okay, after playing around with my Maven build I finally got an error while deploying:

           

          {
            "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.ApplicationDomainB"],
            "WFLYCTL0180: Services with missing/unavailable dependencies" => [
              "jboss.deployment.subunit.\"services-ear-1.0.0.ear\".\"service1-1.0.0.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.ApplicationDomainB]",
              "jboss.deployment.subunit.\"services-ear-1.0.0.ear\".\"service2-1.0.0.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.ApplicationDomainB]",
              "jboss.deployment.subunit.\"services-ear-1.0.0.ear\".\"service2-1.0.0.war\".component.ServiceResource.CREATE is missing [jboss.security.security-domain.ApplicationDomainB]"
            ]
          }

           

It seems WildFly doesn't know the security-domain ApplicationDomainB, although I entered it into the configuration.

          And when having a look at my standalone-full.xml file again, I saw that there are two types of security-domains defined:

• In the Elytron 4.0 subsystem I have security-domains and security-realms. There I have also configured my "ApplicationDomainB" security-domain, which can't be found when deploying.
• In the Security 2.0 subsystem there are 4 security-domains pre-defined: other, jboss-web-policy, jaspitest and jboss-ejb-policy. As these are not SSL related, I didn't enter or alter anything here.

           

How are these two connected? Can I enter an SSL-based security-domain in the Security 2.0 subsystem? Or reference an Elytron 4.0 security-domain?

          • 2. Re: Different SSL certificates for different web applications
            Martin Choma Master

Please step back. "I want the web applications only be accessible through 1 port. I read that you can do that by putting the security-domain into the jboss-web.xml of your web application". This is not true. Where have you read that?

             

A certificate is related to a hostname (not a port, not an app). You can do virtual hosts with Undertow and specify a wildcard certificate for the https-listener. Or use a load balancer in front of WildFly. But you cannot configure two certificates for one https-listener.

            • 3. Re: Different SSL certificates for different web applications
              Gerrit Hohl Newbie

              Hello Martin,

               

Of course I can bind one certificate only to one HTTPS port. That's exactly what I did, and it also works. That means depending on which port you connect to via HTTPS with e.g. your browser, you get the corresponding certificate.

But now my problem is: how can I bind different web applications to different HTTPS ports? That means I want web application A to be presented on HTTPS port 8443 (with certificate I), while web application B should be presented on HTTPS port 8444 (with certificate II).

              P.S.: Sorry for the late reply.

              • 5. Re: Different SSL certificates for different web applications
                Gerrit Hohl Newbie

                Got the answer on StackOverflow:

                https://stackoverflow.com/questions/54667022/wildfly-how-to-separate-web-applications

                 

                That and this page:

                http://www.mastertheboss.com/jboss-web/jbosswebserver/jboss-as-virtual-host-configuration

                 

helped me solve the issue and get everything running. The jboss-web.xml has to have an additional parameter:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.org/schema/jbossas http://www.jboss.org/schema/jbossas/jboss-web_7_2.xsd">

    <context-root>/myapp</context-root>
    <!-- Undertow <server> this deployment is bound to (the element is spelled server-instance) -->
    <server-instance>myapp-server</server-instance>
    <!-- <host> of that server which serves the deployment -->
    <virtual-host>myapp-host</virtual-host>
</jboss-web>


<server-instance> defines which web server instance should be used. In that case WildFly will look for the <virtual-host> in the configuration of that web server.

                You can find a snippet of that configuration here: Re: Webservice on separate port
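The thread above never shows the undertow and socket-binding configuration that the final jboss-web.xml relies on, nor why the original attempt with <security-domain> could not restrict an application to a port. The following Python script is an added example, not code from the thread, from WildFly or from the linked pages: it embeds a constructed standalone.xml fragment with one Undertow <server> per certificate (the names server-b, https-b, host-b and the ssl-context names are assumptions, as are the namespace versions), plus a jboss-web.xml for an application A (subsystem defaults) and an application B (pinned with <server-instance> and <virtual-host>), and resolves the chain descriptor -> server -> listener -> socket-binding -> port to show on which ports each deployment actually answers. <security-domain> is not part of that chain, which is why it had no effect in the first post; a descriptor that names a non-existent server is reported instead of silently falling back.

```python
"""Resolve which ports each WildFly web application is reachable on.

Added example (not code from the forum thread or from WildFly). It walks
jboss-web.xml -> <server-instance>/<virtual-host> -> Undertow <server>
listeners -> socket-binding -> port. The configuration is constructed for
the example; server-b, https-b, host-b, the ssl-context names and the
namespace versions are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment: one Undertow <server> per certificate,
# each with its own https-listener, socket-binding and ssl-context.
STANDALONE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:7.0"
               default-server="default-server" default-virtual-host="default-host">
      <server name="default-server" default-host="default-host">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="https" socket-binding="https" ssl-context="applicationSSC"/>
        <host name="default-host" alias="localhost"/>
      </server>
      <server name="server-b" default-host="host-b">
        <https-listener name="https-b" socket-binding="https-b" ssl-context="applicationSSC-b"/>
        <host name="host-b" alias="localhost"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="https-b" port="8444"/>
  </socket-binding-group>
</server>
"""

JBOSS_WEB_NS = "http://www.jboss.com/xml/ns/javaee"

# Constructed descriptors: A takes the subsystem defaults, B is pinned to server-b.
JBOSS_WEB_A = f"""<jboss-web xmlns="{JBOSS_WEB_NS}">
  <context-root>/applicationA</context-root>
</jboss-web>"""

JBOSS_WEB_B = f"""<jboss-web xmlns="{JBOSS_WEB_NS}">
  <context-root>/applicationB</context-root>
  <server-instance>server-b</server-instance>
  <virtual-host>host-b</virtual-host>
</jboss-web>"""


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = [c for c in elem.iter() if _local(c.tag) == name]
    return found[0].text.strip() if found and found[0].text else None


def _port(value):
    """Accept a literal port or a WildFly expression such as ${jboss.https.port:8443}."""
    m = re.fullmatch(r"\$\{[^:}]+:(\d+)\}", value)
    return int(m.group(1) if m else value)


def parse_config(standalone_xml):
    """Return the undertow default server and, per server, its hosts and listener ports."""
    root = ET.fromstring(standalone_xml)
    ports = {b.get("name"): _port(b.get("port"))
             for b in root.iter() if _local(b.tag) == "socket-binding"}
    subsystem = next(s for s in root.iter()
                     if _local(s.tag) == "subsystem" and "undertow" in s.tag)
    servers = {}
    for server in _children(subsystem, "server"):
        listeners = []
        for child in server:
            kind = _local(child.tag)
            if kind.endswith("-listener"):
                binding = child.get("socket-binding")
                if binding not in ports:
                    raise ValueError(f"listener {child.get('name')!r} references "
                                     f"unknown socket-binding {binding!r}")
                listeners.append((ports[binding], kind))
        servers[server.get("name")] = {
            "default_host": server.get("default-host"),
            "hosts": {h.get("name") for h in _children(server, "host")},
            "listeners": sorted(listeners),
        }
    return {"default_server": subsystem.get("default-server", "default-server"),
            "servers": servers}


def reachable_ports(config, jboss_web_xml):
    """Return [(port, listener kind)] on which the deployment answers."""
    desc = ET.fromstring(jboss_web_xml)
    server_name = _text(desc, "server-instance") or config["default_server"]
    if server_name not in config["servers"]:
        raise ValueError(f"server-instance {server_name!r} is not an Undertow server")
    server = config["servers"][server_name]
    host_name = _text(desc, "virtual-host") or server["default_host"]
    if host_name not in server["hosts"]:
        raise ValueError(f"virtual-host {host_name!r} is not a host of {server_name!r}")
    # Every host of a server is served by every listener of that server, so the
    # port set is decided by the server, not by the host and not by <security-domain>.
    return server["listeners"]


if __name__ == "__main__":
    cfg = parse_config(STANDALONE_XML)
    for name, descriptor in (("A", JBOSS_WEB_A), ("B", JBOSS_WEB_B)):
        print(name, reachable_ports(cfg, descriptor))
```

Run against a real standalone.xml and the descriptors of the deployed WARs, the same resolution tells you whether an application is only reachable on the port carrying its intended certificate; if both https-listeners sit inside the same <server>, every deployment on that server comes out on both ports, which is exactly the situation described in the first post.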