5 Replies Latest reply on Feb 7, 2017 6:52 AM by roberto perini

    How to set up SSL in domain mode?

    Udit Mishra Novice

      I want to know how to set up SSL in domain mode? I searched and I saw all the examples are for standalone mode. If there is any step by step guide, it would be really helpful..

        • 1. Re: How to set up SSL in domain mode?
          Tristan Tarrant Master

          Not much different. Security Realm configuration is based on WildFly's, so read https://docs.jboss.org/author/display/WFLY10/Detailed+Configuration

          • 2. Re: How to set up SSL in domain mode?
            Udit Mishra Novice

            I am facing some problems. I created the server certificate, added the server certificate to the truststore file. I placed the certificates in my domain/configuration directory. Then I modifed the xml accordingly. It gives me error like this -

             

            [Host Controller] 14:57:46,076 ERROR [org.jboss.as.controller.management-operati

            on] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([[Host Controller]    ("host" => "Udit"),

            [Host Controller]    ("core-service" => "management"),

            [Host Controller]    ("management-interface" => "native-interface")

            [Host Controller] ]) - failure description: {"WFLYCTL0288: One or more services

            were unable to start due to one or more indirect dependencies not being availabl

            e." => {

            [Host Controller]    "Services that were unable to start:" => [

            [Host Controller]        "jboss.remoting.authentication_provider.management",

            [Host Controller]        "jboss.remoting.server.management"

            [Host Controller]    ],

            [Host Controller]    "Services that may be the cause:" => ["jboss.server.path.\

            "jboss.server.config.dir\""]

            [Host Controller] }}

             

            Am I missing something? Do I have to put standalone-hotrod-ssl.xml file somewhere?

            • 3. Re: How to set up SSL in domain mode?
              Udit Mishra Novice

              It was my mistake. Now I have configured it properly, its working fine. Thank you nadirx

               

              One doubt I have is that even if I specify require-ssl-client-auth="false" in  <encryption> tag of <hotrod-connector> tag in domain.xml , then also why do I need to pass the keystore file in ConfigurationBuilder? Does that mean both the truststore and keystore file are required at the client side? I want to know that if I make that property to true and put a <management>/<security-realms>/<security-realm name="ApplicationRealm">/<truststore> entry, will it also authenticate the hotrod client (assuming client has the copy of keystore and truststore files) apart from encrypting the entire channel with SSL?? If yes, then I guess, I don't need to authenticate my client using DIGEST-MD5, which I was doing earlier. Am I right?

               

              Which files actually do I need at the server side i.e. on all the cluster nodes and on client? Right now, I have kept both the files (keystore.jks and trustore.jks) in both the places, and its working fine.

               

              Sorry, I asked too many questions, but I really need these answers, please bear with me

              • 4. Re: How to set up SSL in domain mode?
                Tristan Tarrant Master

                Let's distinguish encryption from authentication using certificates.

                 

                Encryption

                When enabling encryption, the server needs to present its certificate to the incoming clients. This certificate is stores in the keystore and all the nodes in the cluster will use the same one. Generally you set this up once.

                When clients connect, they need to be able to recognize this certificate so, unless you have it signed by one of the Root CAs present in the JRE (jre/lib/security/cacerts), you will also need the clients to know about it.

                 

                Authentication using client-certificates

                Clients can authenticate themselves using their own certificate. In this scenario, each client will be issued with its own certificate, which also needs to be stored in the server's truststore.

                • 5. Re: How to set up SSL in domain mode?
                  roberto perini Newbie

                  I have the same problem and the same message log, where was the mistake in your configuration ? Thanks