Identity Manager - Configure SSL and Certificate for Wildfly
Article ID: 414368

Products

CA Identity Manager

Issue/Introduction

Directions to ensure SSL is enabled with a valid Certificate Authority certificate applied, and disable Port 8080 for the front end User Interface.

Resolution

 

NOTES:

Note 1: This document describes the process of importing a certificate into a Wildfly or JBoss based Identity Manager deployment using a self-signed certificate. If you want to use a certificate provided by a Certificate Authority (CA) instead, the 'Creating the self-signed certificate' steps below are replaced with 'Obtain an SSL certificate from your Certificate Authority (CA)'.
The CA should provide a top-level certificate (e.g., IGA_domain.crt), the private key associated with it (e.g., IGA_server-prv.key), and any intermediate/CA certificates (e.g., IGA_ca-cert.crt).

Note 2: For the Virtual Appliance please see the IGA Virtual Appliance documentation, as the steps are different.

Note 3: Check if you have more than one Java installed on your server. If you have more than one, check which Java version JBoss uses during its startup; the JBoss startup output usually shows it. Make sure that your JAVA_HOME environment variable points to that path. In the example below, JAVA_HOME should be "{path_to}\{Java}\{jdk_version}\{version number}" (e.g., /Java/jdk1.8.0_181).

 

Creating the self-signed certificate

1) Open a command prompt

2) Enter the following command (keytool.exe is located under folder %JAVA_HOME%\bin)

          keytool -genkey -alias name -keyalg RSA -keystore IDM.keystore

              -alias - Defines the alias to use for adding an entry to the keystore.

              -keyalg - Specifies the algorithm to use to generate the key pair.

The keytool utility starts.

3) For the “first and last name” question, type the FQDN of your CA Identity Manager server.

4) An IDM.keystore file is created and placed in the specified folder.

5) Copy the IDM.keystore file to your JBoss folder “<JBoss_Installation_folder>/standalone/configuration”.

Add Your Digital Certificate to the Keystore 

Now, we need to export the digital certificate from the CA Identity Manager server keystore and import this certificate into the Java trust store (cacerts).

Follow these steps:

1) Stop JBoss if it is running

2) Open the command prompt window where you created the self-signed certificate 

3) Export the digital certificate from IDM.keystore to a file with the following command:

                       "%JAVA_HOME%\bin\keytool" -v -export -alias name -keystore IDM.keystore -storepass password -file IDM.cer

4) Import the digital certificate to the keystore with the following command:

                      "%JAVA_HOME%\bin\keytool" -v -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass password -file IDM.cer

If you didn’t change the “cacerts” keystore password, it is “changeit” without quotes.

5) Copy the IDM.cer file to the following JDK security folder:

               /Java/jdk1.8.0_181/jre/lib/security

6) Add the certificate to the local certificate store:

               keytool -importcert -alias <alias> -keystore /opt/CA/java/{jre}/lib/security/cacerts -file <path to certificate>

Activate SSL Communication in JBoss

To activate SSL communication in JBoss, block the default port and edit the standalone-full.xml file to include the certificate path and password.

Follow these steps:

1) Stop JBoss if it is running.

2) Locate standalone-full.xml in the following folder and open it for editing:

              <JBoss_installation_folder>\standalone\configuration\

3) Disable default port 8080. Locate the following line and comment it out (wrap it in "<!-- ... -->"):

         <!-- <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> -->

CAUTION: when disabling 8080, external services may no longer be able to access Identity Manager until they are repointed at the secure address and certificate trust is established.
You have disabled default port 8080.

4) Edit the JBoss standalone-full.xml file to enable SSL and to include the certificate path and password.

              a. Locate the following section:

                       <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

              b. Add a line directly below and paste the following code:

                   <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">

                              <ssl name="ssl" password="password" key-alias="Alias-Name" certificate-key-file="<JBoss_Installation_folder>/standalone/configuration/IDM.keystore" />

                   </connector>

               c. Replace the password with the keystore password.

               d. Replace Alias-Name with the alias value you typed when you generated the IDM.keystore file.

5) Save and close the standalone-full.xml file

6) Locate standalone.bat in the following folder and open it for editing:

            <JBoss_installation_folder>\bin\standalone.bat

7) Edit standalone.bat 

         a. Locate the following line

                set "JAVA_OPTS=-Dprogram.name=%PROGNAME% %JAVA_OPTS%"

         b. Add the lines directly below and paste the following:

                set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\Configure\SSL\cacerts"

                set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit

8) Save and close standalone.bat

9) Start JBoss

You have activated SSL communication in JBoss
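As an added check that is not part of the original article, the following Python script audits the web subsystem section of a standalone-full.xml for the edits made in steps 3 and 4: it confirms the plain http connector is gone, that an https connector with an <ssl> element exists, and that the template placeholders (password, Alias-Name) were replaced. The XML samples are constructed here and model only the connector section, not the product's full file.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the connector edits described above
# (the real standalone-full.xml is much larger; these are not product files).
SAMPLE_BEFORE = """<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    </subsystem>
  </profile>
</server>"""

SAMPLE_AFTER = """<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host">
      <!-- <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> -->
      <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
        <ssl name="ssl" password="S3cret!" key-alias="idm" certificate-key-file="/opt/jboss/standalone/configuration/IDM.keystore"/>
      </connector>
    </subsystem>
  </profile>
</server>"""

def _local(tag):
    # Strip the namespace: '{urn:jboss:domain:web:1.4}connector' -> 'connector'
    return tag.rsplit('}', 1)[-1]

def audit_web_subsystem(xml_text):
    """Return a list of findings; an empty list means the config matches the article."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the default parser
    findings = []
    connectors = {c.get('name'): c for c in root.iter() if _local(c.tag) == 'connector'}
    if 'http' in connectors:
        findings.append('plain HTTP connector (port 8080) is still active')
    https = connectors.get('https')
    if https is None:
        findings.append('no https connector defined')
        return findings
    if https.get('secure') != 'true' or https.get('scheme') != 'https':
        findings.append('https connector is not marked secure="true" scheme="https"')
    ssl = next((e for e in https if _local(e.tag) == 'ssl'), None)
    if ssl is None:
        findings.append('https connector has no <ssl> element')
        return findings
    for attr in ('password', 'key-alias', 'certificate-key-file'):
        if not ssl.get(attr):
            findings.append(f'<ssl> is missing {attr}')
    if ssl.get('password') == 'password' or ssl.get('key-alias') == 'Alias-Name':
        findings.append('placeholder values from the template were not replaced')
    return findings
```

Run it against your own file with `audit_web_subsystem(open(path).read())` after step 5; any finding means one of the edits above is incomplete.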

 

 

Additional Information:

To integrate Identity Manager and Identity Governance both with SSL:

1) Copy the .cer file generated in section “Add Your Digital Certificate to the Keystore”, step 3, to the Identity Governance machine.

2) From the Identity Governance machine, run the keytool command to import it into the JDK cacerts. This is the same command as in section “Add Your Digital Certificate to the Keystore”, step 4, but now with the copied certificate file:

          "%JAVA_HOME%\bin\keytool" -v -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass password -file identitygovernance.cer

3) Restart the JBoss (IdM) service.