It is possible to create certificates using other methods (e.g. openssl); however, the Java keytool utility is used in this example. Throughout the example, keep in mind that the parameter values shown should be replaced with values that make sense for your environment.
Creating the server certificate
Creating the client certificate
Exporting the client certificate
Exporting the server certificate
Importing the server certificate to the client
Importing the client certificate to the server
Configure two-way SSL for the management interface in EAP 7
This step assumes the server keystore generated above has been moved to the following location:
Using the CLI to configure the management interface
Updating the ManagementRealm for SSL
Configure the HTTPS listener in the undertow subsystem on EAP 7 for SSL
For simplicity, we will use the ManagementRealm in this step. In practice, you may want to set up a new realm for applications or configure the ApplicationRealm.
Configuring the jboss-cli.sh for two-way SSL
Running the CLI after adding the SSL configuration:
Update jboss-cli.xml defaults (Optional)
After changing the defaults, it is possible to run the CLI without additional parameters.
Configuring HTTPS does not by itself enforce its use; clients can still connect over plain HTTP. There are several ways to prevent insecure connections.
To remove HTTP as an option entirely, remove the undertow http listener and update any references to it. This configuration typically makes the most sense when an appropriate edge proxy (e.g. Apache or nginx) sits in front of EAP and handles the redirect. Without such a proxy it is not ideal, since EAP itself could then no longer redirect HTTP requests to HTTPS.
Enforcing HTTPS without removing the http listener
Add Strict-Transport-Security header
Use the Servlet API transport guarantee
Add transport guarantee to web.xml