How To Configure HTTPS and Remove HTTP from Wildfly in PAMSC
Article ID: 276628

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Privileged Access Manager Server Control (PAMSC) and Privileged Identity Manager (PIM), in their various versions, rely on WildFly or JBoss respectively as the application server for the Enterprise (ENTM) and Endpoint Management components.

There may be a need to remove HTTP access altogether from either ENTM or Endpoint Management, leaving only HTTPS, to comply with the security standards of some customers, since both types of access are enabled by default.

This procedure is not covered in the documentation, but in the past there have been documents describing how to perform this operation for JBoss, and therefore for PIM.

Until now no similar document existed for WildFly, which ships with PAMSC.

The present document describes the steps to apply in this latter case.

 

Environment

PAMSC 14.1.X ENTM Windows

Cause

Removal of http access to the ENTM console is required for compliance with security standards

Resolution

This procedure requires changes to the files standalone-full.xml and jboss-cli.xml, as well as to the registry.

standalone-full.xml changes

Please note that the tags in the XML items may not appear in the same order as presented here.

1. Stop WildFly

2. Change the following items in standalone-full.xml and jboss-cli.xml, and modify the registry


  • Navigate to management->security-realms->security-realm name="ApplicationRealm" and make a copy of the <server-identities> block

         For instance:

For a plain keystore password

                <server-identities>
                    <ssl>
                        <keystore alias="entm" keystore-password="secret" path="<WILDFLY_HOME>\standalone\deployments\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore"/>
                    </ssl>
                </server-identities>

For an encrypted keystore password

                <server-identities>
                    <ssl>
                        <keystore alias="entm" keystore-password="${VAULT::vb::keystore_password::1}" path="<WILDFLY_HOME>\standalone\deployments\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore"/>
                    </ssl>
                </server-identities>

  • Navigate to management->security-realms->security-realm name="ManagementRealm" and paste the previously copied <server-identities> information

           From

            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>

To the following...

    For Plain Keystore Password:

            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
                <server-identities>
                    <ssl>
                        <keystore alias="entm" keystore-password="secret" path="<WILDFLY_HOME>\standalone\deployments\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore"/>
                    </ssl>
                </server-identities>
            </security-realm>

    For Encrypted Keystore Password:

            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
                <server-identities>
                    <ssl>
                        <keystore alias="entm" keystore-password="${VAULT::vb::keystore_password::1}" path="<WILDFLY_HOME>\standalone\deployments\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore"/>
                    </ssl>
                </server-identities>
            </security-realm>

  • Locate the following line (under management-interfaces->http-interface) and change the attribute from http="management-http" to https="management-https", so the management interface listens on the HTTPS binding only

         <socket-binding http="management-http"/>

        To

         <socket-binding https="management-https"/>

  • Locate the following two lines and change the socket-binding values to https

       <http-connector endpoint="http-acceptor" name="http-connector" socket-binding="http"/>
       <http-connector endpoint="http-acceptor-throughput" name="http-connector-throughput" socket-binding="http">

       To

       <http-connector endpoint="http-acceptor" name="http-connector" socket-binding="https"/>
       <http-connector endpoint="http-acceptor-throughput" name="http-connector-throughput" socket-binding="https">

  • Locate the following two lines and change the http-listener values to https

      <http-acceptor http-listener="default" name="http-acceptor"/>
      <http-acceptor http-listener="default" name="http-acceptor-throughput">

      To 

      <http-acceptor http-listener="https" name="http-acceptor"/>
      <http-acceptor http-listener="https" name="http-acceptor-throughput">

  • Locate the following line and change the connector-ref value to https

     <http-connector connector-ref="default" name="http-remoting-connector" security-realm="ApplicationRealm"/>

     To

    <http-connector connector-ref="https" name="http-remoting-connector" security-realm="ApplicationRealm"/>

  • Locate the following line and comment it out or remove it.

    <http-listener enable-http2="true" name="default" redirect-socket="https" socket-binding="http"/>

    To

    <!-- <http-listener enable-http2="true" name="default" redirect-socket="https" socket-binding="http"/> -->

  • Locate the following two lines and comment them out or remove them.

    <socket-binding interface="management" name="management-http" port="19990"/>
    <socket-binding name="http" port="18080"/>

    To

    <!-- <socket-binding interface="management" name="management-http" port="19990"/> -->
    <!-- <socket-binding name="http" port="18080"/> -->
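The bullet list above is easy to apply partially, and a single surviving `http` binding or a connector still pointing at the `default` listener silently keeps plain HTTP reachable. The following added example (not part of the KB article or of PAMSC) applies the checklist as text substitutions and then audits the result with an XML parser rather than grep, so the verdict does not depend on where an element sits or how it is indented. `BEFORE` is a constructed, heavily trimmed stand-in for standalone-full.xml; the namespace versions and port 18443 are assumptions, not values from the article.

```python
# Added example (not from the KB article): apply the standalone-full.xml checklist,
# then parse the result and verify that no plain-HTTP item survives.
# BEFORE is a constructed sample; namespace versions and port 18443 are assumed.
import re
import xml.etree.ElementTree as ET


def apply_checklist(text):
    """Rewrite standalone-full.xml as the article's bullet list describes."""
    # Copy ApplicationRealm's <server-identities> into ManagementRealm (no keystore there yet).
    ident = re.search(r'<server-identities>.*?</server-identities>', text, re.S).group(0)
    text = re.sub(r'(<security-realm name="ManagementRealm">.*?)(</security-realm>)',
                  lambda m: m.group(1) + ident + m.group(2), text, count=1, flags=re.S)
    # Management interface listens on management-https only.
    text = text.replace('<socket-binding http="management-http"/>',
                        '<socket-binding https="management-https"/>')
    # Messaging connectors/acceptors and the remoting connector move to the https listener.
    text = text.replace('socket-binding="http"', 'socket-binding="https"')
    text = text.replace('http-listener="default"', 'http-listener="https"')
    text = text.replace('connector-ref="default"', 'connector-ref="https"')
    # Comment out the plain-HTTP listener and the http / management-http bindings.
    text = re.sub(r'<http-listener [^>]*/>', r'<!-- \g<0> -->', text)
    text = re.sub(r'<socket-binding [^>]*name="(?:management-)?http"[^>]*/>',
                  r'<!-- \g<0> -->', text)
    return text


def _local(tag):
    """Drop the XML namespace so checks work for any urn:jboss:domain version."""
    return tag.rsplit('}', 1)[-1]


def _find(node, name):
    return [el for el in node.iter() if _local(el.tag) == name]


def audit_standalone(xml_text):
    """Return one finding per leftover HTTP item; [] means clean. ElementTree drops comments."""
    root = ET.fromstring(xml_text)
    out = []
    for sb in _find(root, 'socket-binding'):
        if sb.get('name') in ('http', 'management-http'):
            out.append(f"socket-binding '{sb.get('name')}' still defined")
        if sb.get('http') is not None:  # <http-interface><socket-binding http=.../>
            out.append(f"management interface still bound to '{sb.get('http')}'")
    if _find(root, 'http-listener'):
        out.append('undertow http-listener still present')
    if not _find(root, 'https-listener'):
        out.append('undertow https-listener missing')
    for conn in _find(root, 'http-connector'):
        for attr in ('socket-binding', 'connector-ref'):
            if conn.get(attr) not in (None, 'https'):
                out.append(f"http-connector '{conn.get('name')}' {attr}='{conn.get(attr)}'")
    for acc in _find(root, 'http-acceptor'):
        if acc.get('http-listener') != 'https':
            out.append(f"http-acceptor '{acc.get('name')}' still on the default listener")
    for realm in _find(root, 'security-realm'):
        if realm.get('name') == 'ManagementRealm' and not _find(realm, 'keystore'):
            out.append('ManagementRealm has no server-identities keystore')
    return out


BEFORE = """<server xmlns="urn:jboss:domain:10.0">
 <management>
  <security-realm name="ManagementRealm">
   <authentication><local default-user="$local"/></authentication>
  </security-realm>
  <security-realm name="ApplicationRealm">
   <server-identities><ssl><keystore alias="entm" keystore-password="secret" path="ssl.keystore"/></ssl></server-identities>
  </security-realm>
  <http-interface security-realm="ManagementRealm"><socket-binding http="management-http"/></http-interface>
 </management>
 <profile>
  <subsystem xmlns="urn:jboss:domain:messaging-activemq:4.0"><server name="default">
   <http-connector endpoint="http-acceptor" name="http-connector" socket-binding="http"/>
   <http-acceptor http-listener="default" name="http-acceptor"/>
  </server></subsystem>
  <subsystem xmlns="urn:jboss:domain:remoting:4.0">
   <http-connector connector-ref="default" name="http-remoting-connector" security-realm="ApplicationRealm"/>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:8.0"><server name="default-server">
   <http-listener enable-http2="true" name="default" redirect-socket="https" socket-binding="http"/>
   <https-listener name="https" security-realm="ApplicationRealm" socket-binding="https"/>
  </server></subsystem>
 </profile>
 <socket-binding-group name="standard-sockets" default-interface="public">
  <socket-binding interface="management" name="management-http" port="19990"/>
  <socket-binding interface="management" name="management-https" port="19993"/>
  <socket-binding name="http" port="18080"/>
  <socket-binding name="https" port="18443"/>
 </socket-binding-group>
</server>"""


if __name__ == '__main__':
    print(audit_standalone(BEFORE))                   # eight findings
    print(audit_standalone(apply_checklist(BEFORE)))  # []
```

Run `audit_standalone` on the real standalone-full.xml after editing it by hand; an empty list is the condition to meet before deleting the tmp directory and restarting WildFly. The substitution step is deliberately literal (it matches the exact strings the article quotes), so on a file whose attribute order differs from the article it will leave an item untouched, and the audit, which is order-independent, will report it.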

jboss-cli.xml changes

Update the file jboss-cli.xml located under <WILDFLY_HOME>/bin

  • In <default-controller>, update the value of <protocol> to remote+https
  • In <default-controller>, update the value of <port> to 19993

    The resulting XML should look like:

     <default-protocol use-legacy-override="true">remote+https</default-protocol>

     <!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
     <default-controller>
        <protocol>remote+https</protocol>
        <host>localhost</host>
        <port>19993</port>
     </default-controller>

Add Trust Store information:

Plain Keystore Password

         Add the following information after the <resolve-parameter-values> tag.

          <ssl>
              <trust-store><WILDFLY_HOME>\standalone\deployments\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore</trust-store>
              <trust-store-password>secret</trust-store-password>
          </ssl>

Encrypted Keystore Password

         Copy the <vault>...</vault> block and the encrypted keystore password reference from standalone-full.xml.

         Add the following information after the <resolve-parameter-values> tag.

          <ssl>
              <vault>
                  <vault-option name="KEYSTORE_URL" value="<WILDFLY_HOME>\bin\vault\vault.keystore"/>
                  <vault-option name="KEYSTORE_PASSWORD" value="<PASSWORD_VALUE>"/>
                  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
                  <vault-option name="SALT" value="1234abcd"/>
                  <vault-option name="ITERATION_COUNT" value="120"/>
                  <vault-option name="ENC_FILE_DIR" value="<WILDFLY_HOME>\bin\vault"/>
              </vault>
              <trust-store>C:\wildfly-15.0.1.Final\standalone\deployments\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore</trust-store>
              <trust-store-password>VAULT::vb::keystore_password::1</trust-store-password>
          </ssl>

Registry Changes

  • Open the Registry Editor
  • Navigate to the following location

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\Wildfly\Parameters\Stop

  • Right-click on Params
  • Select Modify
  • Change the port in the shutdown command from 19990 to 19993

            /c jboss-cli.bat --controller=localhost:19990 --connect --command=:shutdown

          To

            /c jboss-cli.bat --controller=localhost:19993 --connect --command=:shutdown

Click OK to save.

3. Delete the tmp directory (<WILDFLY_HOME>\standalone\tmp) from the WildFly installation directory

4. Start WildFly