How To Configure HTTPS and Remove HTTP from IM Wildfly 8.x

Article ID: 239423

Products

CA Identity Portal CA Identity Manager

Issue/Introduction

How To Configure HTTPS and Remove HTTP from IM Wildfly 8.x

Environment

IdentityMinder(Identity Manager) with Wildfly 8.x

Resolution

Some notes before starting:

Note 1: Check whether more than one Java is installed on your server. If so, check which Java version JBoss/Wildfly uses during its startup; the JBoss startup output usually shows the one being used. Make sure that your JAVA_HOME environment variable points to that path.

Note 2: This document describes the process using a self-signed certificate. If you want to use a Microsoft certificate, for example, see the Microsoft support website for instructions.

Creating the self-signed certificate

Open a command prompt and enter a keytool command such as the following. The keytool utility is located in the %JAVA_HOME%\bin folder; -alias defines the alias to use for adding an entry to the keystore and -keyalg specifies the algorithm to use to generate the key pair.

    keytool -genkey -alias idmssl -keyalg RSA -keystore server.keystore

Follow the keytool utility prompts to create the certificate. For the "first and last name" question, type the FQDN of your CA Identity Manager server. The example command above creates the server.keystore file, which must then be copied to your JBoss/Wildfly folder "<JBoss_Installation_folder>/standalone/configuration".

Add Your Digital Certificate to the Keystore 

Now we need to export the digital certificate from the CA Identity Manager server and import it into the keystore.

Follow these steps:

Stop JBoss/Wildfly if it is running, open a command prompt window in the folder where the server.keystore self-signed certificate is located, and run the following keytool command to export the digital certificate from server.keystore, where <password> matches what was used in the steps above:

    "%JAVA_HOME%\bin\keytool" -v -export -alias idmssl -keystore server.keystore -storepass <password> -file idmssl.cer
 
Import the digital certificate into the JVM cacerts keystore used by JBoss/Wildfly with the following command. By default the password for the cacerts keystore is changeit. Answer yes when prompted to trust the certificate:

    "%JAVA_HOME%\bin\keytool" -v -import -alias idmssl -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -file idmssl.cer
 
Edit the JBoss/Wildfly standalone bat file

Stop JBoss/Wildfly if it is running and edit the JBoss/Wildfly \bin\standalone.bat file. Find the following line, where JAVA_OPTS is set:

    set "JAVA_OPTS=-Dprogram.name=%PROGNAME% %JAVA_OPTS%"

Add the following two lines below it, assuming JAVA_HOME resolves to the Java installation where the certificate was imported in the steps above:

    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="%JAVA_HOME%\jre\lib\security\cacerts"
    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit

Edit the JBoss/Wildfly standalone XML file

Stop JBoss/Wildfly if it is running and edit the JBoss/Wildfly standalone XML file used by the application, as determined by the standalone.bat configuration.

Locate the <security-realms> section and add the following:

<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="idmssl"/>
        </ssl>
    </server-identities>
</security-realm>

Locate the following line and change its value from management-http to management-https:

<socket-binding http="management-http"/>

Locate the following two lines and change the socket-binding values to https:

<http-connector name="http-connector" socket-binding="http">
<http-connector name="http-connector-throughput" socket-binding="http">

Locate the following two lines and change the http-listener values to default-ssl:

<http-acceptor http-listener="default" name="http-acceptor"/>
<http-acceptor http-listener="default" name="http-acceptor-throughput">

Locate the following line and change the connector-ref value to default-ssl:

<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>

Locate the following line, change the name value to default-ssl, change the socket-binding value to https, and add a new security-realm attribute with the value SslRealm:

<http-listener name="default" socket-binding="http"/>

Locate the <subsystem xmlns="urn:jboss:domain:webservices:1.2"> section and add the following:

<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-port>8080</wsdl-port>
<wsdl-secure-port>8443</wsdl-secure-port>

You can now remove the following two lines to remove HTTP:

<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
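As an added check that is not part of the original article, the following Python script audits a standalone XML for plain-HTTP remnants after the edits above (listener, connector, acceptor, management interface, socket-bindings, SslRealm keystore, and the wsdl-secure-port from the webservices subsystem). The embedded XML is a constructed excerpt, and the https="management-https" attribute form used for the management socket-binding is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a WildFly 8 standalone.xml after the steps above; only the elements
# the audit inspects are included, and https="management-https" is an assumed attribute form.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:2.2"><management>
 <security-realms><security-realm name="SslRealm"><server-identities><ssl>
  <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="idmssl"/>
 </ssl></server-identities></security-realm></security-realms>
 <management-interfaces><http-interface security-realm="ManagementRealm">
  <socket-binding https="management-https"/></http-interface></management-interfaces>
</management><profile>
 <subsystem xmlns="urn:jboss:domain:undertow:1.2"><server name="default-server">
  <http-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
 </server></subsystem>
 <subsystem xmlns="urn:jboss:domain:webservices:1.2"><modify-wsdl-address>true</modify-wsdl-address>
  <wsdl-port>8080</wsdl-port><wsdl-secure-port>8443</wsdl-secure-port></subsystem>
</profile><socket-binding-group name="standard-sockets" default-interface="public">
 <socket-binding name="https" port="${jboss.https.port:8443}"/>
</socket-binding-group></server>"""

def _local(tag):  # compare tags by local name, ignoring per-subsystem namespaces
    return tag.rsplit("}", 1)[-1]

def audit_standalone(xml_text):
    """Return findings for plain-HTTP remnants; empty means the HTTPS-only layout is in place."""
    elems = list(ET.fromstring(xml_text).iter())
    findings = []
    for e in elems:
        tag = _local(e.tag)
        if tag == "socket-binding" and e.get("name") in ("http", "management-http"):
            findings.append("socket-binding %r still defined" % e.get("name"))
        if tag == "socket-binding" and e.get("http"):  # <socket-binding http=.../> under http-interface
            findings.append("management interface still uses %r" % e.get("http"))
        if tag != "socket-binding" and e.get("socket-binding") == "http":  # e.g. http-connector
            findings.append("%s still references socket-binding 'http'" % tag)
        if e.get("http-listener") == "default" or e.get("connector-ref") == "default":
            findings.append("%s still points at the plain 'default' listener" % tag)
    listeners = {e.get("name"): e for e in elems if _local(e.tag) == "http-listener"}
    if "default" in listeners:
        findings.append("plain http-listener 'default' still present")
    ssl = listeners.get("default-ssl")
    if ssl is None or ssl.get("socket-binding") != "https" or ssl.get("security-realm") != "SslRealm":
        findings.append("no http-listener 'default-ssl' bound to https with security-realm SslRealm")
    realm = [e for e in elems if _local(e.tag) == "security-realm" and e.get("name") == "SslRealm"]
    if not realm or not [k for k in realm[0].iter() if _local(k.tag) == "keystore"]:
        findings.append("SslRealm with a keystore server identity is missing")
    if not [e for e in elems if _local(e.tag) == "wsdl-secure-port"]:
        findings.append("webservices subsystem lacks wsdl-secure-port")
    return findings
```

Run it against the real standalone XML by passing the file contents to audit_standalone; any non-empty result names a step above that was missed.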

Additional Information

The following link helped resolve IM startup errors when attempting to remove the HTTP-related socket-bindings:

https://access.redhat.com/solutions/3464611

Basically, it says to add the following lines to the standalone XML under the webservices subsystem to specify wsdl-port, wsdl-secure-port, and modify-wsdl-address:

   <modify-wsdl-address>true</modify-wsdl-address>
   <wsdl-port>8080</wsdl-port>
   <wsdl-secure-port>8443</wsdl-secure-port>