Hardening WildFly Communication

Created by kylin.27th, Dec

Agenda

  • Securing your application using HTTPS
  • Securing specific application using HTTPS
  • Securing WildFly Console using HTTPS
  • Securing Domain and Host controllers communication using HTTPS

Securing your application using HTTPS

# Shell: make a per-node copy of the standalone configuration and create a
# keystore holding the server's key pair (self-signed certificate) in its
# configuration directory, which keystore-relative-to points at below.
$ cd $JBOSS_HOME
$ cp -a standalone sec-std-node-1
$ cd sec-std-node-1/configuration
# -sigalg SHA1withRSA is kept as in the deck; prefer SHA256withRSA, since
# current browsers reject SHA-1 certificate signatures.
$ keytool -v -genkey -alias wildfly.ssl -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore wildfly.ssl.keystore
$ keytool -list -v -keystore wildfly.ssl.keystore

# jboss-cli, connected to this node (started with -Djboss.server.base.dir=$JBOSS_HOME/sec-std-node-1):
# a security realm whose server identity is the key pair in the keystore above.
/core-service=management/security-realm=SSLRealm:add()
# "redhat" is the demo keystore/key password; in production keep it in the vault, not in standalone.xml.
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path=wildfly.ssl.keystore, keystore-relative-to=jboss.server.config.dir,keystore-password=redhat, alias=wildfly.ssl, key-password=redhat)
:reload()

# Undertow: an HTTPS listener on the "https" socket binding (8443 by default), backed by SSLRealm.
/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=SSLRealm)

Securing specific application using HTTPS

# Same steps as the previous slide, on a second node with its own key pair and alias,
# so the application gets a certificate separate from the first node's.
$ cd $JBOSS_HOME
$ cp -a standalone sec-std-node-2
# The keystore must be created in the node's configuration directory (keystore-relative-to below).
$ cd sec-std-node-2/configuration
# -sigalg SHA1withRSA is kept as in the deck; prefer SHA256withRSA.
$ keytool -v -genkey -alias wildfly.ssl.app -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore wildfly.ssl.app.keystore
$ keytool -list -v -keystore wildfly.ssl.app.keystore

# jboss-cli, connected to this node (started with -Djboss.server.base.dir=$JBOSS_HOME/sec-std-node-2):
/core-service=management/security-realm=SSLRealm:add()
# "redhat" is the demo keystore/key password; in production keep it in the vault.
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path=wildfly.ssl.app.keystore, keystore-relative-to=jboss.server.config.dir,keystore-password=redhat, alias=wildfly.ssl.app, key-password=redhat)
:reload()

# HTTPS listener on the "https" socket binding, backed by SSLRealm.
/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=SSLRealm)

Securing WildFly console using HTTPS

# Shell: a third copy of the standalone configuration, with its own key pair
# for the management interface.
$ cd $JBOSS_HOME
$ cp -a standalone sec-std-node-mgmt
$ cd sec-std-node-mgmt/configuration
# -sigalg SHA1withRSA is kept as in the deck; prefer SHA256withRSA.
$ keytool -v -genkey -alias wildfly.management -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore wildfly.management.keystore
$ keytool -list -v -keystore wildfly.management.keystore

# jboss-cli, connected to this node: a new management realm that mirrors the default
# ManagementRealm (local silent auth plus properties files) and adds an SSL server identity.
/core-service=management/security-realm=SecureManagementRealm:add()
# "local" lets a CLI on the same host authenticate without a password, as user $local.
/core-service=management/security-realm=SecureManagementRealm/authentication=local:add(skip-group-loading=true, default-user="$local")
/core-service=management/security-realm=SecureManagementRealm/authentication=properties:add(path=mgmt-users.properties, relative-to=jboss.server.config.dir)
/core-service=management/security-realm=SecureManagementRealm/authorization=properties:add(path=mgmt-groups.properties, relative-to=jboss.server.config.dir)
/core-service=management/security-realm=SecureManagementRealm:write-attribute(name=map-groups-to-roles,value=false)
# "redhat" is the demo keystore/key password; in production keep it in the vault.
/core-service=management/security-realm=SecureManagementRealm/server-identity=ssl:add(keystore-path=wildfly.management.keystore, keystore-relative-to=jboss.server.config.dir,keystore-password=redhat, alias=wildfly.management, key-password=redhat)

# Switch the HTTP management interface to the new realm. The TLS port is governed by
# secure-socket-binding (management-https, 9993 by default); socket-binding is the
# plain-HTTP port (management-http, 9990), which stays open until it is undefined.
/core-service=management/management-interface=http-interface:write-attribute(name=security-realm,value=SecureManagementRealm)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
:reload()
# Once https://<host>:9993/console works, close the plain-HTTP port:
# /core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

# Shell, from $JBOSS_HOME: add a user to the new realm. The util prints
# username=HEX(MD5(username ':' realm ':' password)); the realm name is part of
# the digest, so entries made for ManagementRealm cannot be reused here.
$ java -cp modules/system/layers/base/org/jboss/sasl/main/jboss-sasl-1.0.4.Final.jar org.jboss.sasl.util.UsernamePasswordHashUtil securewildfly SecureManagementRealm redhat >> sec-std-node-mgmt/configuration/mgmt-users.properties
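
What the UsernamePasswordHashUtil line above writes, as an added example that is not part of the deck or of WildFly: mgmt-users.properties stores username=HEX(MD5(username ':' realm ':' password)), the HTTP Digest HA1 value, unsalted. The script recomputes that digest, verifies a password against a constructed sample of the file the way the realm does, and flags a file mode that lets other users read the digests (the functions and the sample content are assumptions for this example).

```python
import hashlib
import hmac
import stat

REALM = "SecureManagementRealm"


def ha1(username, realm, password):
    """HEX(MD5(username ':' realm ':' password)): the HTTP Digest HA1 that WildFly's
    properties-backed realms store. No salt, so the file itself must be protected."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def properties_line(username, realm, password):
    """One line of mgmt-users.properties, in the form the hash util prints."""
    return f"{username}={ha1(username, realm, password)}"


def parse_users(text):
    """Map usernames to stored digests, skipping blank lines and '#' comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, digest = line.partition("=")
        if sep:
            users[name.strip()] = digest.strip().lower()
    return users


def verify(users, username, realm, password):
    """Check a password the way the realm does: recompute HA1 for this realm and compare.
    Realm is part of the digest, so the same password hashed for another realm fails."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, ha1(username, realm, password))


def is_group_or_world_readable(mode):
    """True if the file mode lets anyone other than the owner read the digests."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample of mgmt-users.properties after the append on the slide; the
# digest is produced by ha1() above, so it matches what the realm would compare against.
SAMPLE_USERS_PROPERTIES = "\n".join([
    "# constructed sample: users for " + REALM,
    properties_line("securewildfly", REALM, "redhat"),
])

if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS_PROPERTIES)
    print(SAMPLE_USERS_PROPERTIES)
    print("correct password:", verify(users, "securewildfly", REALM, "redhat"))
    print("wrong realm:     ", verify(users, "securewildfly", "ManagementRealm", "redhat"))
    print("0644 readable by others:", is_group_or_world_readable(0o644))
```

Because the digest is an unsalted MD5 of user, realm and password, the users file deserves the same file permissions as the keystore (owner-only), and a user entry only ever matches the realm it was generated for.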

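A way to check that the HTTPS settings from the previous slides actually landed in the saved configuration, as an added example that is not part of the deck or of WildFly: it parses a standalone.xml and reports realms whose keystore passwords are in clear text, HTTPS listeners that point at a realm without an SSL server identity, and a management interface that still has a plain-HTTP socket binding next to the HTTPS one (in the XML, the HTTPS management port appears as `<socket-binding https="management-https"/>`). The XML below is a constructed, trimmed-down file reflecting the CLI commands above, with the management realm's passwords shown as vault references to illustrate the contrast; the function and finding texts are assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: what the relevant parts of standalone.xml look like after the
# CLI commands on the slides (namespaces as in WildFly 8; content is illustrative).
SAMPLE_STANDALONE_XML = """<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:2.2">
  <management>
    <security-realms>
      <security-realm name="SSLRealm">
        <server-identities>
          <ssl>
            <keystore path="wildfly.ssl.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="redhat" alias="wildfly.ssl" key-password="redhat"/>
          </ssl>
        </server-identities>
      </security-realm>
      <security-realm name="SecureManagementRealm">
        <server-identities>
          <ssl>
            <keystore path="wildfly.management.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="${VAULT::mgmt::keystore::1}" alias="wildfly.management"
                      key-password="${VAULT::mgmt::key::1}"/>
          </ssl>
        </server-identities>
        <authentication>
          <local default-user="$local" skip-group-loading="true"/>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <http-interface security-realm="SecureManagementRealm">
        <socket-binding http="management-http" https="management-https"/>
      </http-interface>
    </management-interfaces>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
      </server>
    </subsystem>
  </profile>
</server>
"""

VAULT_REF = re.compile(r"^\$\{VAULT::")


def _strip_namespaces(root):
    """WildFly uses a namespace per subsystem; drop them so tags match by local name."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_standalone(xml_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []

    # 1. Realms that carry an SSL server identity, and whether their passwords are vaulted.
    ssl_realms = set()
    for realm in root.iter("security-realm"):
        name = realm.get("name")
        keystore = realm.find("server-identities/ssl/keystore")
        if keystore is None:
            continue
        ssl_realms.add(name)
        for attr in ("keystore-password", "key-password"):
            value = keystore.get(attr)
            if value and not VAULT_REF.match(value):
                findings.append(f"realm {name}: {attr} stored in clear text")

    # 2. Every Undertow https-listener must reference a realm that has an SSL identity.
    listeners = list(root.iter("https-listener"))
    if not listeners:
        findings.append("undertow: no https-listener configured")
    for listener in listeners:
        realm = listener.get("security-realm")
        if realm not in ssl_realms:
            findings.append(f"https-listener {listener.get('name')}: realm {realm} has no SSL server identity")

    # 3. Management interface: SSL-capable realm, an https binding, and no lingering http binding.
    iface = root.find("management/management-interfaces/http-interface")
    if iface is None:
        findings.append("management: no http-interface found")
    else:
        realm = iface.get("security-realm")
        if realm not in ssl_realms:
            findings.append(f"management http-interface: realm {realm} has no SSL server identity")
        binding = iface.find("socket-binding")
        https_port = binding.get("https") if binding is not None else None
        http_port = binding.get("http") if binding is not None else None
        if not https_port:
            findings.append("management http-interface: no https socket-binding")
        if http_port:
            findings.append(f"management http-interface: plain-HTTP binding {http_port} still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_standalone(SAMPLE_STANDALONE_XML):
        print("FINDING:", finding)
```

Run against a real file with `audit_standalone(open(path).read())`; on the sample it reports the clear-text passwords of SSLRealm and the plain-HTTP management binding that is still open next to the HTTPS one.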
Securing DC and HC communication using HTTPS

# Shell: one copy of the domain configuration per host. The master becomes the
# domain controller (DC); the two nodes are host controllers (HC) that receive
# domain.xml from the DC, so their own copy is set aside.
$ cd $JBOSS_HOME
$ cp -a domain sec-dmn-master
$ cp -a domain sec-dmn-node-1
$ cp -a domain sec-dmn-node-2

# Each host directory is started with the host.xml that matches its role.
$ mv sec-dmn-master/configuration/host-master.xml sec-dmn-master/configuration/host.xml
$ mv sec-dmn-node-1/configuration/domain.xml sec-dmn-node-1/configuration/domain.xml.unused
$ mv sec-dmn-node-1/configuration/host-slave.xml sec-dmn-node-1/configuration/host.xml
$ mv sec-dmn-node-2/configuration/domain.xml sec-dmn-node-2/configuration/domain.xml.unused
$ mv sec-dmn-node-2/configuration/host-slave.xml sec-dmn-node-2/configuration/host.xml

THE END