配置 WildFly 以使用 HTTPS

I am using WildFly 25 and running it with the default settings.

Server console

WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3938ms - Started 308 of 547 services (338 services are lazy, passive or on-demand)
Http management interface listening on http://127.0.0.1:9990/management
Admin console listening on http://127.0.0.1:9990

I want to update the configuration so that it runs over https using SSL/TLS.

So I followed the WildFly documentation and configured it with the WildFly CLI (the CLI is recommended over editing the XML by hand, since there is less chance of making a mistake).

Configuration

Connect via the CLI:

/home/jboss/wildfly/wildfly-25.0.0.Final/bin ./jboss-cli.sh
connect

I have a keystore (mykeystore.jks), so I added the keystore to the WildFly configuration:

/subsystem=elytron/key-store=httpsKS:add(path=/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks,credential-reference={clear-text=password},type=JKS)

/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=password})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])

When I check the security-realm:

/subsystem=undertow/server=default-server/https-listener=https:read-attribute(name=security-realm)
{
    "outcome" => "success",
    "result" => undefined
}

This can be seen in the standalone XML file:

        <tls>
            <key-stores>
                <key-store name="applicationKS">
                    <credential-reference clear-text="password"/>
                    <implementation type="JKS"/>
                    <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                </key-store>
                <key-store name="httpsKS">
                    <credential-reference clear-text="password"/>
                    <implementation type="JKS"/>
                    <file path="/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks"/>
                </key-store>
            </key-stores>
            <key-managers>
                <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                    <credential-reference clear-text="password"/>
                </key-manager>
                <key-manager name="httpsKM" key-store="httpsKS">
                    <credential-reference clear-text="password"/>
                </key-manager>
            </key-managers>
            <server-ssl-contexts>
                <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>
            </server-ssl-contexts>
        </tls>

But I do not see a <security-realm> anywhere in the XML:

        <security-realms>
            <identity-realm name="local" identity="$local"/>
            <properties-realm name="ApplicationRealm">
                <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
                <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
            </properties-realm>
            <properties-realm name="ManagementRealm">
                <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
                <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
            </properties-realm>
        </security-realms>

With security-realm left as it is (undefined both before and after making any changes), I ran the following commands (from the WildFly documentation), but they had no effect. (It looks as if this would set security-realm to undefined, so it should not have any effect on a security-realm that is already undefined.)

batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
run-batch

reload

Question

What am I missing? After following the WildFly documentation I expected to get the following (i.e. the server listening on https, with the management console on port 9993):

Server console

WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3938ms - Started 308 of 547 services (338 services are lazy, passive or on-demand)
Http management interface listening on https://127.0.0.1:9993/management
Admin console listening on https://127.0.0.1:9993

More information

[standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
{
    "outcome" => "failed",
    "failure-description" => "WFLYSRV0259: If attribute secure-socket-binding is defined ssl-context must also be defined",
    "rolled-back" => true
}

Answer 1

It started working when I ran this:

/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=httpsSSC)
reload
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
reload

Console output:

09:25:59,234 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0062: Http management interface listening on http://127.0.0.1:9990/management and https://127.0.0.1:9993/management
09:25:59,234 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0053: Admin console listening on http://127.0.0.1:9990 and https://127.0.0.1:9993
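The question sets up the Elytron chain (key-store, key-manager, server-ssl-context, then the undertow https-listener) and the answer adds the two management-interface attributes that WFLYSRV0259 insists on setting in order. The script below is an added example, not code from the question, the answer or the WildFly project: it parses a standalone.xml and reports which links of that chain are missing, so the same mistake can be caught before a reload. The sample document it audits is constructed here in the shape the question shows; its namespace URIs are illustrative (the audit ignores namespaces), and it assumes the CLI attribute secure-socket-binding is persisted as the https attribute of the http-interface's socket-binding element.

```python
import xml.etree.ElementTree as ET

# Protocol versions that should not be enabled on a server-ssl-context today.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _local(tag):
    """Strip the namespace: '{urn:wildfly:elytron:15.0}key-store' -> 'key-store'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child(el, name):
    return next((c for c in el if _local(c.tag) == name), None)


def audit_wildfly_tls(xml_text):
    """Return a list of findings; an empty list means the TLS chain is fully wired."""
    root = ET.fromstring(xml_text)
    findings = []
    key_stores = {e.get("name"): e for e in _find_all(root, "key-store")}
    key_managers = {e.get("name"): e for e in _find_all(root, "key-manager")}
    ssl_contexts = {e.get("name"): e for e in _find_all(root, "server-ssl-context")}

    # 1. key-store -> key-manager -> server-ssl-context must resolve, and protocols must be current.
    for name, ctx in ssl_contexts.items():
        km = key_managers.get(ctx.get("key-manager"))
        ks = key_stores.get(km.get("key-store")) if km is not None else None
        if km is None or ks is None:
            findings.append(f"server-ssl-context {name}: key-manager/key-store chain is broken")
            continue
        file_el = _child(ks, "file")
        if file_el is None or not file_el.get("path"):
            findings.append(f"key-store {ks.get('name')}: no file path configured")
        weak = set((ctx.get("protocols") or "").split()) & LEGACY_PROTOCOLS
        if weak:
            findings.append(f"server-ssl-context {name}: legacy protocols enabled {sorted(weak)}")

    # 2. The undertow https-listener must point at an Elytron ssl-context, not a legacy security-realm.
    listeners = _find_all(root, "https-listener")
    if not listeners:
        findings.append("undertow: no https-listener defined")
    for lst in listeners:
        ctx = lst.get("ssl-context")
        if ctx is None or ctx not in ssl_contexts:
            findings.append(f"https-listener {lst.get('name')}: ssl-context missing or unknown")
        if lst.get("security-realm"):
            findings.append(f"https-listener {lst.get('name')}: legacy security-realm still set")

    # 3. The management http-interface needs both ssl-context and an https socket-binding;
    #    WFLYSRV0259 in the question is the server refusing the binding without the context.
    for iface in _find_all(root, "http-interface"):
        ctx = iface.get("ssl-context")
        if ctx is None or ctx not in ssl_contexts:
            findings.append("management http-interface: ssl-context not set")
        binding = _child(iface, "socket-binding")
        if binding is None or not binding.get("https"):
            findings.append("management http-interface: no https socket-binding (secure-socket-binding)")
    return findings


def sample_config(management_tls):
    """Constructed standalone.xml fragment in the shape the question shows; namespaces are
    illustrative. management_tls=False is the state before the answer's two commands."""
    ctx_attr = ' ssl-context="httpsSSC"' if management_tls else ""
    https_attr = ' https="management-https"' if management_tls else ""
    return f"""<server xmlns="urn:jboss:domain:18.0">
  <management><management-interfaces>
    <http-interface http-authentication-factory="management-http-authentication"{ctx_attr}>
      <socket-binding http="management-http"{https_attr}/>
    </http-interface>
  </management-interfaces></management>
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:15.0"><tls>
      <key-stores><key-store name="httpsKS">
        <credential-reference clear-text="password"/><implementation type="JKS"/>
        <file path="/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks"/>
      </key-store></key-stores>
      <key-managers><key-manager name="httpsKM" key-store="httpsKS">
        <credential-reference clear-text="password"/>
      </key-manager></key-managers>
      <server-ssl-contexts>
        <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>
      </server-ssl-contexts>
    </tls></subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:12.0"><server name="default-server">
      <https-listener name="https" socket-binding="https" ssl-context="httpsSSC"/>
    </server></subsystem>
  </profile>
</server>"""


if __name__ == "__main__":
    for label, cfg in (("before fix", sample_config(False)), ("after fix", sample_config(True))):
        print(label, "->", audit_wildfly_tls(cfg) or "OK")
```

Run against a real configuration with audit_wildfly_tls(open("standalone.xml").read()). The protocol check is deliberately stricter than the page needs: the question already pins protocols to TLSv1.2, and the audit only flags a context if SSLv3, TLSv1 or TLSv1.1 have been added to the list.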
