7 Replies Latest reply on Nov 14, 2018 5:00 PM by Claudio Miranda

    Can't access Wildfly 10 console through TLS/HTTPS port.

    Al Koch Newbie

      Hello,

       

      I am running Wildfly 10 on Ubuntu 16.4 and have implemented TLS using a certificate from Let's Encrypt.  Here is standalone.xml:

       

      <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

          <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:<ConsoleHTTPPort>}"/>

          <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:<ConsoleTLSPort>}"/>

          <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>

          <socket-binding name="http" port="${jboss.http.port::<AppHTTPPort>}"/>

          <socket-binding name="https" port="${jboss.https.port:<AppTLSPort>}"/>

          <socket-binding name="txn-recovery-environment" port="4712"/>

          <socket-binding name="txn-status-manager" port="4713"/>

          <outbound-socket-binding name="mail-smtp">

              <remote-destination host="localhost" port="25"/>

          </outbound-socket-binding>

      </socket-binding-group>

       

      <subsystem xmlns="urn:jboss:domain:undertow:3.1">

      <buffer-cache name="default"/>

      <server name="default-server">

          <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>

          <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

          ...

       

      Everything appears to be functioning properly except that I am not able to access the Wildfly console using HTTPS through the port I associated with HTTPS. I am able to access the console using HTTP.

       

      For example, this connects to the console as http:

      http://<DomainInCert>:<ConsoleHTTPPort>/console/App.html#home

       

      But this times out:

      https://<DomainInCert>:<ConsoleTLSPort>/console/App.html#home

       

      If it helps I also have seen this:

       

      Submitting https://<DomainInCert>:<AppTLSPort>/ shows the Welcome to WildFly 10 page.

       

      If I hover over the Administration Console link on that page it shows https://<DomainInCert>:<AppTLSPort>/console which seems correct for TLS access.

       

      Clicking that link brings up the console but we get a popup requesting a Login with the message:

      http://<DomainInCert>:<ConsoleHTTPPort> is requesting your username and password. The site says: “ManagementRealm”.

      Even though the link I clicked was correct for TLS access this message shows a http link.

       

      I log in and the address bar URL shows http://<DomainInCert>:<ConsoleHTTPPort>/console/App.html#home which is an http connection and not TLS.

       

       

      Can someone tell me what:

      1) What do I need to do to get console TRL access?

      2)  What does redirect-socket do in this:

      <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>

       

      Thank you in advance.

        • 1. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
          Claudio Miranda Expert

          1) For the web management console in https, you should set the secure-socket-binding of /core-service=management/management-interface=http-interface

           

          /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)

           

          2) If a request is received for which a matching <security-constraint> requires SSL transport, undertow will automatically redirect the request to the socket binding port specified here. In the case it will redirect to "https"

          • 2. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
            Al Koch Newbie

            Hi Claudio,

             

            Thanks for the prompt response.  However, I can't locate any details on how/where to implement your suggestion.  Would you point me to documentation that describes how to do this, or if possible, could you explain the details?  Is this added to standalone.xml?  The statements you listed aren't in the <...> <...> XML format I am used to seeing so I don't understand what is to be added (to what).

             

            Thanks.

            • 3. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
              Claudio Miranda Expert

              You can use a tool called jboss-cli.sh in bin directory, it is a tool to make any change in Wildfly, it is recommended to use this tool instead to edit xml files by hand.

              Any way, the xml change is below, you must locate the <http-interface> xml element on your standalone.xml file

               

              <http-interface security-realm="ManagementRealm">
                  <http-upgrade enabled="true"/>
                  <socket-binding http="management-http" https="management-https"/>
              </http-interface>
               
                  
              • 4. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
                Al Koch Newbie

                Hi Claudio,

                 

                Thanks again for your response.  I am aware of jboss-cli but haven't used it enough to have recognized the command sequence as being for jboss-cli.

                 

                I tried both approaches you described (manually updating stanadalone.xml and - after undoing the manual change - running jboss-cli).  In both cases I restart the server and it gives this error:

                 

                2018-11-09 19:21:50,598 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.serverManagement.controller.management.http: org.jboss.msc.service.StartException in service jboss.

                serverManagement.controller.management.http: WFLYSRV0083: Failed to start the http-interface service

                        at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:275)

                        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)

                        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)

                        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

                        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

                        at java.lang.Thread.run(Thread.java:748)

                Caused by: java.lang.IllegalArgumentException: WFLYDMHTTP0012: A secure socket has been defined for the HTTP interface, however the referenced security realm is not supplying a SSLContext.

                        at org.jboss.as.domain.http.server.ManagementHttpServer.create(ManagementHttpServer.java:172)

                        at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:235)

                        ... 5 more

                 

                Research doesn't reveal what is causing this.  Can you help?

                 

                Thank you.

                • 5. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
                  Claudio Miranda Expert

                  See this blog post on how to enable SSL for the web management console. Does your management realm includes a certificate ?

                  can you show your realm configuration ?

                  • 6. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
                    Al Koch Newbie

                    Hi Claudio,

                     

                    Thank you very much for providing the link to your blog posting. That led me to finally figuring out what was going wrong. I now have the console connecting over TLS and also a straight HTTP console connection times out which is exactly what I want.

                     

                    So that any one else reading this incident is made aware, in WildFly 10 the standalone.XML file places the HTTPS entries in the ApplicationRealm!  What I mean is that when I examined the default standalone.XML I discovered the following (note the ApplicationRealm in the following):

                     

                    <security-realm name="ApplicationRealm">

                                    <server-identities>

                                        <ssl>

                                            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>

                                        </ssl>

                                    </server-identities>

                    and

                    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

                     

                    Your blog post however uses ManagementRealm (which makes sense to me). I had a mix between these two Realms and it appears that is what was causing the failure.

                     

                    Once again, thank you very much for your help.

                    • 7. Re: Can't access Wildfly 10 console through TLS/HTTPS port.
                      Claudio Miranda Expert

                      The ApplicationRealm is for end user applications to access the regular 443 port. The ManagementRealm is for users to manage the Wildfly itself, that is the distinction. However, you are free to create other realms to manage them.