4 Replies Latest reply on Jul 31, 2017 2:43 AM by mnovak

    WildFly 10 and ActiveMQ HTTPS Connectors

    walkerca

      Hi,

       

      Does anyone have a reference or snippet of an ActiveMQ / HTTPS configuration?  I have it working with http, but this relies on a lot of defaults.  I'm not clear on what needs to be tweaked.

       

      My starting configuration is off-the-shelf

       

      <http-connector name="http-connector" socket-binding="http" endpoint="http-acceptor"/>
      <http-connector name="http-connector-throughput" socket-binding="http" endpoint="http-acceptor-throughput">
          <param name="batch-delay" value="50"/>
      </http-connector>
      <in-vm-connector name="in-vm" server-id="0"/>
      <http-acceptor name="http-acceptor" http-listener="default"/>
      <http-acceptor name="http-acceptor-throughput" http-listener="default">
          <param name="batch-delay" value="50"/>
          <param name="direct-deliver" value="false"/>
      </http-acceptor>

       

      Thank you,

      Carl

        • 1. Re: WildFly 10 and ActiveMQ HTTPS Connectors
          mnovak

          Hi Carl,

           

          I have a config for WF11, but it should work in WF10.1 as well (you can just have lower schema versions of the subsystems, but the config looks the same). Here is the XML snippet:

          <management>
              <security-realms>
                  ...
                  <security-realm name="https">
                      <server-identities>
                          <ssl>
                              <keystore path="<path_to_server_key_store>/server.keystore" keystore-password="123456"/>
                          </ssl>
                      </server-identities>
                  </security-realm>
              </security-realms>
              ...
          </management>
          
          
          <subsystem xmlns="urn:jboss:domain:undertow:4.0">
              <buffer-cache name="default"/>
              <server name="default-server">
                  ...
                  <https-listener name="undertow-https" socket-binding="https" security-realm="https" verify-client="NOT_REQUESTED"/>
                  ...
              </server>
          </subsystem>
          
          <subsystem xmlns="urn:jboss:domain:messaging-activemq:1.1">
              <server name="default">
                  ...
                  <http-connector name="https-connector" socket-binding="https" endpoint="https-acceptor">
                      <param name="ssl-enabled" value="true"/>
                  </http-connector>
                  <http-acceptor name="https-acceptor" http-listener="undertow-https"/>
                  ...
              </server>
          </subsystem>
          

           

          This is for one-way authentication, where the identity of the server is verified, but you can simply adjust the config so that client and server authenticate to each other. If you have a standalone JMS client, then you need to provide a client truststore. This is configured using system properties, for example:

           

          System.setProperty("javax.net.ssl.trustStore", "<path-to-truststore>/client.truststore"); // for server authentication
          System.setProperty("javax.net.ssl.trustStorePassword", "123456");
          

           

          If you need two-way authentication, then the client also needs a keystore configured using the "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" system properties, and you need to change the attribute "verify-client" in the configuration of the https-listener (and of course provide a server truststore to the "https" security realm).

           

          Cheers,

          Mirek

          1 of 1 people found this helpful
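
The two-way setup described in reply 1, written out as an added example (not part of the original posts and not taken from the WildFly documentation). It assumes the WildFly 10 legacy security realm; the store file names, the `relative-to` value and the passwords are placeholders.

```xml
<!-- Added example: fragments of standalone.xml for two-way (mutual) TLS.
     File names, relative-to values and passwords are placeholders. -->

<!-- 1. Security realm: the keystore holds the server's identity; the
        truststore under <authentication> lists the client certificates
        (or their issuing CA) that the server accepts. -->
<security-realm name="https">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="CHANGE_ME"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="server.truststore" relative-to="jboss.server.config.dir"
                    keystore-password="CHANGE_ME"/>
    </authentication>
</security-realm>

<!-- 2. Undertow listener.
        One-way (as in the reply): verify-client="NOT_REQUESTED"
        Two-way:                   verify-client="REQUIRED", so the handshake
        fails when the client presents no trusted certificate. -->
<https-listener name="undertow-https" socket-binding="https"
                security-realm="https" verify-client="REQUIRED"/>

<!-- 3. Messaging connector and acceptor stay as in the reply. -->
<http-connector name="https-connector" socket-binding="https" endpoint="https-acceptor">
    <param name="ssl-enabled" value="true"/>
</http-connector>
<http-acceptor name="https-acceptor" http-listener="undertow-https"/>

<!-- 4. Standalone client JVM, standard JSSE system properties:
        javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword select
        the store used to verify the server;
        javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword select the
        store holding the client's own certificate and private key. -->
```

With `verify-client="REQUESTED"` the server asks for a client certificate but still completes the handshake without one, which is useful while rolling client certificates out.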
          • 2. Re: WildFly 10 and ActiveMQ HTTPS Connectors
            walkerca

            Thanks.   Testing this out now.

            • 3. Re: WildFly 10 and ActiveMQ HTTPS Connectors
              walkerca

              This is working for me.  Thanks for your help.

              • 4. Re: WildFly 10 and ActiveMQ HTTPS Connectors
                mnovak

                Cool, great! :-)