5 Replies Latest reply on Jul 29, 2019 3:44 PM by brian.stansberry

Wildfly 17.0.1-Not working configured SSL using legacy security-realm in ManagementRealm on host.xml

tarakfs Jul 29, 2019 11:29 AM

We need your suggestion to fix SSL configuration issue in legacy security-realm in ManagementRealm on host.xml, and it is causing not to start master node with legacy SSL settings in Wildfly 17.0.1 Final version. Below are the example setting we used to configure,same settings working in Wildfly 15.0.1.

Wildfly 17 document referenced link is below

https://docs.wildfly.org/17/Admin_Guide.html#enable-ssl

6.10.2. Enable SSL

SSL

<security-realm name="ManagementRealm">
<server-identities>
<ssl>
<keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="keystore_password" alias="server" key-password="key_password" />
</ssl>
</server-identities>
<authentication>
<truststore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="truststore_password" />
<local default-user="$local"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>

1. Re: Wildfly 17.0.1-Not working configured SSL using legacy security-realm in ManagementRealm on host.xml

brian.stansberry Jul 29, 2019 11:37 AM (in response to tarakfs)

Perhaps you have hit [WFCORE-4560] HTTP management interface fails to start if backed by a "https" socket-binding - JBoss Issue Tracker ?

The workaround suggested at Not able to use admin console on HTTPS in wildfly 17 was to configure both the 'https' and 'http' attributes on management interface socket-binding.

<socket-binding https="management-https" http="management-http"/>
Actions
2. Re: Wildfly 17.0.1-Not working configured SSL using legacy security-realm in ManagementRealm on host.xml

tarakfs Jul 29, 2019 12:59 PM (in response to brian.stansberry)

Hi Brian,

Proposed configuration settings from you is related to standalone.xml file. The issue we are facing is within the SSL cluster concept on host.xml(master) file also called manageDoman. Per your given suggestion tried to enable both http and https sockets, but we faced an issue stating 'socket' can't appear more than once within the http-interface element in Host Controller; we think it is a bug in WildFly 17.0.1, what do you say ?
error message is of like below

<socket interface="management" port="9990"/>
[Host Controller] | <socket interface="managements" secure-port="9993"/>
[Host Controller] | ^^^^ 'socket' can't appear more than once within the http-interface element
Actions
3. Re: Wildfly 17.0.1-Not working configured SSL using legacy security-realm in ManagementRealm on host.xml

brian.stansberry Jul 29, 2019 3:07 PM (in response to tarakfs)

Hi Tarak,

Sorry; I forgot the host.xml config is different. This should do it:

<socket interface="management" port="${jboss.management.http.port:9990}" secure-port="${jboss.management.https.port:9993}"/>
Actions
4. Re: Wildfly 17.0.1-Not working configured SSL using legacy security-realm in ManagementRealm on host.xml

tarakfs Jul 29, 2019 3:26 PM (in response to tarakfs)

Thank you, Brian. yes we are able to configure SSL port along with non-secure port, without non-secure port not allowing us to configure SSL port alone to avoid vulnerabilities.
Actions
5. Re: Wildfly 17.0.1-Not working configured SSL using legacy security-realm in ManagementRealm on host.xml

brian.stansberry Jul 29, 2019 3:44 PM (in response to tarakfs)

You can also add a 'secure-interface', which would allow you to limit the http socket to localhost, e.g.

<socket interface="localonly" secure-interface="management" port="${jboss.management.http.port:9990}" secure-port="${jboss.management.https.port:9993}"/>

and in the interfaces section, assuming you want the HTTPS interface on 192.168.200.10:

     <interfaces>
        <interface name="localonly">
            <inet-address value="127.0.0.1"/>
        </interface>
        <interface name="management">
            <inet-address value="192.168.200.10"/>
        </interface>

That's not ideal but it's better than having HTTP on an external interface.
Actions

Go to original post