Configure JBoss EAP 7 so that EJB connections use 2-way SSL

Solution Unverified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7

Issue

  • How can I configure 2-way SSL?

Resolution

JBoss EAP 7 needs to be configured as follows:

  1. Build a keystore and a truststore for both the client and the server. For 2-way SSL the server's truststore must contain the client's certificate and the client's truststore must contain the server's certificate; see Creating a keystore and self-signed X.509 certificate for TLS/SSL using keytool utility provided by Java on how to create them.

  2. Add the server keystore as the SSL server identity of the ApplicationRealm, and the truststore holding the client certificate to its authentication section. The keystore password is shown in clear text here; in a real deployment keep it in the EAP password vault instead:

         <security-realm name="ApplicationRealm">
             <server-identities>
                 <ssl>
                     <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
                 </ssl>
             </server-identities>
             <authentication>
                 <truststore path="server.truststore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
                 <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
             </authentication>
             <authorization>
                 <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
             </authorization>
         </security-realm>
    
  3. Change the connector-ref of the remoting http-connector from the plain http-listener (default in the shipped configuration) to the https-listener, so that remote EJB traffic goes over the TLS listener:

     <subsystem xmlns="urn:jboss:domain:remoting:3.0">
         <endpoint/>
         <http-connector name="http-remoting-connector" connector-ref="https" security-realm="ApplicationRealm"/>
     </subsystem>
    
  4. Make sure the security-domain used by the EJB deployment has the Remoting and RealmDirect login modules: Remoting picks up the identity authenticated on the remoting connection, RealmDirect checks it against the realm. The other security-domain shipped with EAP 7 is already configured this way; a custom domain, such as the one in this example, needs the same pair:

             <security-domain name="jmx-console" cache-type="default">
                 <authentication>
                     <login-module code="Remoting" flag="optional">
                         <module-option name="password-stacking" value="useFirstPass"/>
                     </login-module>
                     <login-module code="RealmDirect" flag="required">
                         <module-option name="password-stacking" value="useFirstPass"/>
                     </login-module>
                 </authentication>
             </security-domain>
    
  5. Configure Undertow with an https-listener on the https socket-binding that takes its server identity and truststore from the ApplicationRealm. verify-client="REQUIRED" makes the listener reject any client that does not present a certificate found in the truststore (REQUESTED would accept such clients and fall back to 1-way SSL):

     <subsystem xmlns="urn:jboss:domain:undertow:3.0">
         <buffer-cache name="default"/>
         <server name="default-server">
             <http-listener name="default" redirect-socket="https" socket-binding="http"/>
             <https-listener name="https" verify-client="REQUIRED" security-realm="ApplicationRealm" socket-binding="https"/>
             <host name="default-host" alias="localhost">
                 <!-- unchanged -->
             </host>
         </server>
         <!-- unchanged -->
     </subsystem>
    
  6. Configure the client to use the https-remoting protocol by adding the following entry to the jboss-ejb-client.properties file:

     remote.connection.default.protocol=https-remoting
    

     Note: if the client does not have a jboss-ejb-client.properties yet, create it on the client classpath. In a Maven project, add it to the root of src/main/resources/.

     The client JVM must also present its own certificate and trust the server's. With the default JSSE settings this is done by pointing the javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties at the client keystore and truststore built in step 1.
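The script below is an added example and not part of the original solution. It carries steps 1 to 6 through end to end: it builds the two keystores and two cross-trusting truststores with keytool, applies steps 2, 3 and 5 with the EAP 7 CLI instead of editing standalone.xml by hand, and writes the client-side properties. It assumes a JDK keytool on PATH, JBOSS_HOME pointing at a standalone EAP 7 install, a server reachable as localhost:8443 (the default https socket-binding), and the article's placeholder password 123456; the file names, aliases, certificate DNs and the twoway-ssl.cli script name are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: steps 1 to 6 of the resolution
# scripted with keytool and the EAP 7 CLI. Assumptions (not from the article):
# JDK keytool on PATH, JBOSS_HOME pointing at a standalone EAP 7 install, the
# server reachable as localhost:8443, and the article's placeholder password.
set -eu

STOREPASS="${STOREPASS:-123456}"

# Create a keystore holding one self-signed key pair and export its certificate.
# $1 = directory, $2 = name and alias (server|client), $3 = certificate CN
gen_identity() {
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$3, OU=EAP, O=Example, C=US" \
        -keystore "$1/$2.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -rfc -alias "$2" -keystore "$1/$2.keystore" \
        -storepass "$STOREPASS" -file "$1/$2.crt"
}

# Import a peer certificate into a truststore.
# $1 = directory, $2 = truststore name, $3 = alias, $4 = PEM certificate
trust_peer() {
    keytool -importcert -noprompt -alias "$3" -file "$4" \
        -keystore "$1/$2.truststore" -storepass "$STOREPASS"
}

# Step 1: one identity per side, and each side's truststore holds the other
# side's certificate. The second truststore is what makes the SSL 2-way.
make_keystores() {
    gen_identity "$1" server "${SERVER_CN:-localhost}"
    gen_identity "$1" client ejb-client
    trust_peer "$1" server client "$1/client.crt"
    trust_peer "$1" client server "$1/server.crt"
}

# Steps 2, 3 and 5 as a CLI script. The shipped profile already has an SSL
# server identity and an https-listener, so existing ones are removed first.
# Step 4 needs no change while the deployment uses the default "other"
# security-domain, which already contains Remoting and RealmDirect.
# $1 = output file
write_cli_script() {
    cat > "$1" <<EOF
if (outcome == success) of /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:read-resource
    /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:remove
end-if
/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:add(keystore-path=server.keystore,keystore-relative-to=jboss.server.config.dir,keystore-password=$STOREPASS)
/core-service=management/security-realm=ApplicationRealm/authentication=truststore:add(keystore-path=server.truststore,keystore-relative-to=jboss.server.config.dir,keystore-password=$STOREPASS)
if (outcome == success) of /subsystem=undertow/server=default-server/https-listener=https:read-resource
    /subsystem=undertow/server=default-server/https-listener=https:remove
end-if
/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https,security-realm=ApplicationRealm,verify-client=REQUIRED)
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=https)
reload
EOF
}

# Copy the server stores next to standalone.xml and run the CLI script.
# $1 = directory holding the keystores, $2 = CLI script
apply_server_config() {
    cp "$1/server.keystore" "$1/server.truststore" "$JBOSS_HOME/standalone/configuration/"
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file="$2"
}

# Step 6: jboss-ejb-client.properties (goes on the client classpath) plus the
# standard JSSE system properties that make the client JVM present its own
# certificate and trust the server's. $1 = directory with the client stores
write_client_config() {
    cat > "$1/jboss-ejb-client.properties" <<EOF
remote.connections=default
remote.connection.default.host=${SERVER_HOST:-localhost}
remote.connection.default.port=8443
remote.connection.default.protocol=https-remoting
# username/password for application-users.properties go here as before
EOF
    echo "-Djavax.net.ssl.keyStore=$1/client.keystore -Djavax.net.ssl.keyStorePassword=$STOREPASS" \
         "-Djavax.net.ssl.trustStore=$1/client.truststore -Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Usage: sh twoway-ssl.sh setup /path/to/keystores
if [ "${1:-}" = "setup" ]; then
    mkdir -p "$2"
    make_keystores "$2"
    write_cli_script "$2/twoway-ssl.cli"
    apply_server_config "$2" "$2/twoway-ssl.cli"
    write_client_config "$2"
fi
```

The CLI script is applied outside a batch so that the if/end-if guards can run; the final reload picks up the new listener and realm settings. The JVM options printed by write_client_config are passed to the EJB client's java command line.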

Diagnostic Steps

  • Enable TRACE level logging on the following categories, reproduce the issue and check the server.log file:

    • org.jboss.as.domain.management.security
    • org.jboss.remoting
    • org.jboss.sasl
    • org.jboss.as.security
    • org.jboss.security
    • org.wildfly.security
    • io.undertow

    NOTE: see Change logging levels using the CLI command in JBoss EAP 6 or 7 for more information about setting logging levels.

  • Enable SSL/TLS debug logging on the server by adding the following line to the bin/standalone.conf file. The same property on the client JVM shows the client side of the handshake, including whether it found a certificate to send:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl:handshake"
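The script below is an added example and not part of the original solution. It sets the TRACE categories listed above through the CLI rather than by hand, and probes the https listener from outside with openssl s_client to confirm that the server actually requests a client certificate, which is the observable difference between verify-client="REQUIRED" and a 1-way listener. It assumes JBOSS_HOME is set, keytool and openssl are on PATH, the server listens on localhost:8443, and a client.keystore with the article's password 123456 exists when the full 2-way probe is run; the script names and output paths are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: enable the TRACE categories
# from the diagnostic steps via the CLI and probe the https listener with
# openssl. Assumptions (not from the article): JBOSS_HOME set, keytool and
# openssl on PATH, server on localhost:8443, client keystore password 123456.
set -eu

STOREPASS="${STOREPASS:-123456}"
TRACE_CATEGORIES="org.jboss.as.domain.management.security org.jboss.remoting \
org.jboss.sasl org.jboss.as.security org.jboss.security org.wildfly.security io.undertow"

# Write a CLI script that sets each category to TRACE, adding the logger when it
# does not exist yet. The FILE handler has no level filter, so the output lands
# in server.log. $1 = output file
write_trace_loggers() {
    : > "$1"
    for c in $TRACE_CATEGORIES; do
        cat >> "$1" <<EOF
if (outcome == success) of /subsystem=logging/logger=$c:read-resource
    /subsystem=logging/logger=$c:write-attribute(name=level,value=TRACE)
else
    /subsystem=logging/logger=$c:add(level=TRACE)
end-if
EOF
    done
}

# Convert the client's keystore to PEM so openssl can present it as the client
# identity during the probe. $1 = directory holding client.keystore
export_client_pem() {
    keytool -importkeystore -noprompt -srckeystore "$1/client.keystore" -srcstorepass "$STOREPASS" \
        -destkeystore "$1/client.p12" -deststoretype PKCS12 -deststorepass "$STOREPASS"
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$STOREPASS" -nodes -out "$1/client.pem"
}

# Run one handshake against the listener and save the transcript. With -msg the
# server's CertificateRequest message is printed explicitly.
# $1 = host, $2 = port, $3 = output file, $4 = optional client PEM (cert + key)
probe_listener() {
    if [ -n "${4:-}" ]; then
        openssl s_client -connect "$1:$2" -msg -cert "$4" -key "$4" </dev/null >"$3" 2>&1 || true
    else
        openssl s_client -connect "$1:$2" -msg </dev/null >"$3" 2>&1 || true
    fi
}

# Classify a saved s_client transcript. A listener with verify-client=REQUIRED
# sends a CertificateRequest, which s_client also reports as the list of
# acceptable client CA names taken from the server's truststore. $1 = transcript
classify_handshake() {
    if grep -Eq 'CertificateRequest|Acceptable client certificate CA names' "$1"; then
        echo "client certificate requested"
    elif grep -q 'Server certificate' "$1"; then
        echo "no client certificate requested"
    else
        echo "no TLS handshake"
    fi
}

# Usage: sh ssl-diag.sh trace
#        sh ssl-diag.sh probe [host] [port] [client.pem]
case "${1:-}" in
    trace) write_trace_loggers /tmp/trace.cli
           "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file=/tmp/trace.cli ;;
    probe) probe_listener "${2:-localhost}" "${3:-8443}" /tmp/probe.txt "${4:-}"
           classify_handshake /tmp/probe.txt ;;
esac
```

Run the probe once without a client PEM: a correctly configured listener still answers "client certificate requested" because the request is sent before the client decides what to present. Run it again with the PEM from export_client_pem to see the full 2-way handshake complete; if that second run fails while the first reports the request, the problem is on the trust side (the client certificate is missing from server.truststore) rather than in the listener configuration.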


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.