I'm following the tutorial from: https://github.com/jbosstm/quickstart/tree/master/XTS/ssl
Using jboss-cli I successfully added the security-realm:
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add( \
keystore-path=./standalone/configuration/server.keystore, \
keystore-password=client, \
alias=client)
When I try to add an https-listener:
/subsystem=undertow/server=default-server/https-listener=https:add( \
socket-binding="https", security-realm="SSLRealm" \
)
WildFly throws an exception:
{
"outcome" => "failed",
"failure-description" => "JBAS014750: Operation handler failed to complete",
"rolled-back" => true
}
Any ideas how to add the https-listener?
Here is what worked for me on WildFly 8.1:
Add a realm:
[standalone@localhost:9990 /] /core-service=management/security-realm=WebSocketRealm:add()
{"outcome" => "success"}
Configure it:
[standalone@localhost:9990 /] /core-service=management/security-realm=WebSocketRealm/server-identity=ssl:add(keystore-path=websocket.keystore, keystore-relative-to=jboss.server.config.dir, keystore-password=websocket)
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
Add a new listener:
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=WebSocketRealm)
{
"outcome" => "success",
"response-headers" => {"process-state" => "reload-required"}
}
And then restart:
[standalone@localhost:9990 /] reload
This added the following fragments to standalone/configuration/standalone.xml:
<security-realm name="WebSocketRealm">
    <server-identities>
        <ssl>
            <keystore path="websocket.keystore" relative-to="jboss.server.config.dir" keystore-password="websocket"/>
        </ssl>
    </server-identities>
</security-realm>
and
<https-listener name="https" socket-binding="https" security-realm="WebSocketRealm"/>
What version of WildFly are you using?
I did this by adapting the standalone.xml. As far as I can remember the steps are:
Adding a security realm for the SSL listener:
<security-realm name="SSLRealm">
    <server-identities>
        <ssl protocol="TLS">
            <keystore path="keystore-name" relative-to="jboss.server.config.dir" keystore-password="password" alias="alias"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="truststorename" relative-to="jboss.server.config.dir" keystore-password="password"/>
    </authentication>
</security-realm>
Adding the https-listener to the undertow configuration:
<https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>
Adding the socket binding for the https-listener to the list of socket bindings:
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
I've not yet tried to add this listener using the management interface but the above approach worked perfectly.
In my case the keystore that was used in the security-realm was not present when I tried to add the https-listener. After I copied the keystore to the config directory and executed reload in the CLI, I could add the https-listener with the CLI.
Although the CLI does not print out an informative error message, the console tells you that WildFly cannot find the keystore.
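An added example, not part of the original answers: the last answer traces the failed https-listener:add to a keystore missing from the configuration directory, so this Python check reads a standalone.xml and reports every https-listener whose security realm is undefined or whose keystore file is absent. SAMPLE is constructed from the fragments above; the function names and the fallback to the working directory for keystores without relative-to are assumptions of this sketch.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the fragments from the answers above inside a minimal
# <server> wrapper (namespace URIs mimic a WildFly 8 standalone.xml).
SAMPLE = """<server xmlns="urn:jboss:domain:2.1">
  <management><security-realms>
    <security-realm name="WebSocketRealm"><server-identities><ssl>
      <keystore path="websocket.keystore" relative-to="jboss.server.config.dir"
                keystore-password="websocket"/>
    </ssl></server-identities></security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:1.1"><server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="WebSocketRealm"/>
  </server></subsystem></profile>
</server>"""

def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def check_https_listeners(xml_text, config_dir, cwd="."):
    """Return a list of problems found for each https-listener's realm keystore."""
    root = ET.fromstring(xml_text)
    realms = {}
    for el in root.iter():
        if local(el.tag) == "security-realm":
            realms[el.get("name")] = [k for k in el.iter()
                                      if local(k.tag) == "keystore" and k.get("path")]
    problems = []
    for el in root.iter():
        if local(el.tag) != "https-listener":
            continue
        name, realm = el.get("name"), el.get("security-realm")
        if realm not in realms:
            problems.append(f"{name}: security-realm {realm!r} is not defined")
            continue
        if not realms[realm]:
            problems.append(f"{name}: realm {realm!r} has no keystore")
        for ks in realms[realm]:
            # Assumption: only jboss.server.config.dir is resolved; else use cwd.
            base = config_dir if ks.get("relative-to") == "jboss.server.config.dir" else cwd
            path = os.path.join(base, ks.get("path"))
            if not os.path.isfile(path):
                problems.append(f"{name}: keystore not found: {path}")
    return problems

if __name__ == "__main__":
    print(check_https_listeners(SAMPLE, "standalone/configuration") or "ok")
```

Run it against the real standalone.xml and configuration directory before reload; an empty list means every listener's keystore file is where the realm says it is.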