You can configure WildFly to allow https access to Squore Server instead of http by following the instructions below.
These instructions are based on the standard WildFly instructions from https://docs.jboss.org/author/display/WFLY10/Security+Realms#SecurityRealms-DetailedConfiguration for securing the web server and use a self-signed certificate managed in the Java keystore, which may show a warning in users' browsers.
If your company supplies its own certificate and you want to import it instead of generating one, refer to the instructions in the section called “Key and Certificate Management”.
It is also possible to use Apache as a reverse proxy on top of Squore Server to achieve the same result. For more information, consult the section called “Proxying Squore Server with Apache”.
Generate a secret key/certificate and store it in a file called a "key store" (foo.keystore in the current directory). The certificate is valid for 30 years (10950 days). The password used for encryption is "secret". One important issue is the common name (CN) of the certificate. For some reason this is referred to as "first and last name". It should however match the name of the web server, or some browsers like IE will claim the certificate to be invalid although you may have accepted it already.
    $ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
    Enter keystore password: secret
    Re-enter new password: secret
    What is your first and last name?
      [Unknown]:  foo.acme.com
    What is the name of your organizational unit?
      [Unknown]:  Foo
    What is the name of your organization?
      [Unknown]:  acme corp
    What is the name of your City or Locality?
      [Unknown]:  Duckburg
    What is the name of your State or Province?
      [Unknown]:  Duckburg
    What is the two-letter country code for this unit?
      [Unknown]:  WD
    Is CN=foo.acme.com, OU=Foo, O=acme corp, L=Duckburg, ST=Duckburg, C=WD correct?
      [no]:  yes
    Enter key password for <deva>
            (RETURN if same as keystore password):  secret
    Re-enter new password: secret
Create a new security realm in WildFly's <SQUORE_HOME>/server/standalone/configuration/standalone.xml to configure an SSL server identity:
    <management>
      <security-realms>
        <security-realm name="SslRealm">
          <server-identities>
            <ssl>
              <keystore path="/path/to/foo.keystore" keystore-password="keystore_password" alias="foo" key-password="key_password" />
            </ssl>
          </server-identities>
        </security-realm>
        <security-realm name="ManagementRealm">
          ...
        </security-realm>
      </security-realms>
    </management>
Add an HTTPS listener next to the default HTTP listener in <SQUORE_HOME>/server/standalone/configuration/standalone.xml:
    <http-listener [...] name="default" socket-binding="http" [...] />
    <https-listener name="default-ssl" socket-binding="https" max-post-size="0" security-realm="SslRealm"/>
Start Squore Server. The SSL port is 8443 + the offset selected at installation. By default you should therefore be able to access the web interface via https://localhost:8543 in your browser.