
Access credential store file created with jboss-cli in wildfly-config.xml


Élie WILHELM

May 15, 2025, 5:55:50 AM
to WildFly
Hello,
I have configured a credential store, two keystores and an SSL context for my WildFly server.
My JAX-RS code has to communicate with another server that uses mTLS to authenticate my server. Apparently it doesn't use the same SSL context, so I have to tell it all over again what to trust and which certificate to use to authenticate (these are the same as for the server SSL context).
I would like to be able to reuse the configuration or at least the keystore and credential store files.
At the moment I use this code (with path to private key pem as a constant):

    import java.io.ByteArrayInputStream;
    import java.io.File;
    import java.io.IOException;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;
    import javax.net.ssl.HostnameVerifier;
    import okhttp3.Cache;
    import okhttp3.OkHttpClient;
    // ApiClient and Configuration are the generated EJBCA REST API client classes;
    // URL, CERT, KEY and CA are constants defined elsewhere in the class.

    public static void initialiseDefaultClient() throws IOException {
        // Set base path to EJBCA REST API
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        defaultClient.setBasePath(URL);
        defaultClient.setSslCaCert(null);

        // Retrieve client certificate and key (PEM files) used for mTLS
        Path cert = Paths.get(CERT);
        Path key = Paths.get(KEY);
        defaultClient.setClientCert(cert, key);

        // CA certificate the client trusts for the remote server
        Path caCert = Paths.get(CA);
        byte[] caCertBytes = Files.readAllBytes(caCert);
        defaultClient.setSslCaCert(new ByteArrayInputStream(caCertBytes));

        OkHttpClient okClient = defaultClient.getHttpClient();

        // Delegate to the client's default verifier, but always check the server
        // certificate against "localhost" instead of the hostname actually connected to
        HostnameVerifier defaultVerifier = okClient.hostnameVerifier();
        HostnameVerifier hv = (hostname, session) -> defaultVerifier.verify("localhost", session);

        defaultClient.setHttpClient(okClient.newBuilder()
                .hostnameVerifier(hv)
                .cache(new Cache(new File("/usr/lib/ok-http/cache"), 10 * 1024 * 1024))
                .build());

        Configuration.setDefaultApiClient(defaultClient);
    }


But I would like to make this cleaner by using a configuration file (I've seen wildfly-config.xml is the thing to use).
Here are the relevant lines from standalone.xml:

            <tls>
                <key-stores>
                    <key-store name="applicationKS">
                        <credential-reference clear-text="password"/>
                        <implementation type="JKS"/>
                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="httpsKS">
                        <credential-reference store="defaultCS" alias="httpsKeystorePassword"/>
                        <implementation type="JKS"/>
                        <file path="keystore/keystore.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="httpsTS">
                        <credential-reference store="defaultCS" alias="httpsTruststorePassword"/>
                        <implementation type="JKS"/>
                        <file path="keystore/truststore.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                    <key-manager name="httpsKM" algorithm="SunX509" key-store="httpsKS">
                        <credential-reference store="defaultCS" alias="ServerKeyPass"/>
                    </key-manager>
                </key-managers>
                <trust-managers>
                    <trust-manager name="httpsTM" key-store="httpsTS">
                        <ocsp responder="http://192.168.1.20:8080/publicweb/status/ocsp"/>
                    </trust-manager>
                </trust-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                    <server-ssl-context name="https" cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256" protocols="TLSv1.3 TLSv1.2" want-client-auth="true" authentication-optional="true" use-cipher-suites-order="false" key-manager="httpsKM" trust-manager="httpsTM"/>
                </server-ssl-contexts>
            </tls>
            <credential-stores>
                <credential-store name="defaultCS" relative-to="jboss.server.config.dir" path="keystore/credentials" create="true">
                    <credential-reference type="COMMAND" clear-text="{EXT}/usr/bin/wildfly_pass"/>
                </credential-store>
            </credential-stores>

In the wildfly-config.xml I tried to do something like this:

<configuration>
    <credential-stores>
      <credential-store name="defaultCS" type="PropertiesCredentialStore">
        <attributes>
            <attribute name="location" value="{jboss.server.config.dir}/keystore/credentials"/>
        </attributes>
        <protection-parameter-credentials>
            <clear-password password="$(/usr/bin/wildfly_pass)"/>
        </protection-parameter-credentials>
      </credential-store>
    </credential-stores>
    <key-stores>
        <key-store name="clientKS" type="JKS">
            <credential-reference store="defaultCS" alias="httpsKeystorePassword"/>
            <file name="{jboss.server.config.dir}/keystore/keystore.jks"/>
        </key-store>
        <key-store name="clientTS" type="JKS">
            <credential-reference store="defaultCS" alias="httpsTruststorePassword"/>
            <file name="{jboss.server.config.dir}/keystore/truststore.jks"/>
        </key-store>
    </key-stores>
    <authentication-client xmlns="urn:elytron:client:1.7">
        <rule use-ssl-context="ssl-context-client-ejbca" />
    </authentication-client>
    <ssl-contexts>
        <ssl-context name="ssl-context-client-ejbca">
            <cipher-suite selector="DEFAULT" name="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"/>
            <protocol names="TLSv1.3 TLSv1.2"/>
            <trust-store key-store-name="clientTS" />
            <key-store-ssl-certificate key-store-name="clientKS" alias="API_SERVER">
                <credential-reference store="defaultCS" alias="ServerKeyPass"/>
            </key-store-ssl-certificate>
        </ssl-context>
    </ssl-contexts>
</configuration>

This doesn't do anything (I get the same errors if this file is there or not).
Is there any way to make this configuration correct? What should I do if it's not possible?
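One way to lay out the client file for this case, as an added example that is not the poster's file: it assumes the urn:elytron:client:1.7 schema, in which credential-stores, key-stores, ssl-contexts and ssl-context-rules all sit inside <authentication-client>, a credential store of type KeyStoreCredentialStore (the type behind the server's credential-store resource created by jboss-cli) rather than PropertiesCredentialStore, and that <credential-store-reference> is accepted as the password element of a key-store. The absolute paths, the store password and the matched hostname are placeholders; the store name and aliases are the ones from the post.

```xml
<configuration>
    <authentication-client xmlns="urn:elytron:client:1.7">
        <credential-stores>
            <!-- Same file the server reads; type matches the server-side credential-store
                 resource (KeyStoreCredentialStore over a JCEKS file), assumed here -->
            <credential-store name="defaultCS" type="KeyStoreCredentialStore">
                <attributes>
                    <!-- Placeholder path: the client parser does not resolve jboss.server.config.dir -->
                    <attribute name="location" value="/opt/wildfly/standalone/configuration/keystore/credentials"/>
                    <attribute name="keyStoreType" value="JCEKS"/>
                    <attribute name="modifiable" value="false"/>
                </attributes>
                <protection-parameter-credentials>
                    <!-- Placeholder: the parser performs no $(...) command substitution, and the
                         {EXT} command credential is a server-side feature -->
                    <clear-password password="CREDENTIAL_STORE_PASSWORD_PLACEHOLDER"/>
                </protection-parameter-credentials>
            </credential-store>
        </credential-stores>
        <key-stores>
            <key-store name="clientKS" type="JKS">
                <file name="/opt/wildfly/standalone/configuration/keystore/keystore.jks"/>
                <credential-store-reference store="defaultCS" alias="httpsKeystorePassword"/>
            </key-store>
            <key-store name="clientTS" type="JKS">
                <file name="/opt/wildfly/standalone/configuration/keystore/truststore.jks"/>
                <credential-store-reference store="defaultCS" alias="httpsTruststorePassword"/>
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="ssl-context-client-ejbca">
                <key-store-ssl-certificate key-store-name="clientKS" alias="API_SERVER">
                    <credential-store-reference store="defaultCS" alias="ServerKeyPass"/>
                </key-store-ssl-certificate>
                <trust-store key-store-name="clientTS"/>
                <cipher-suite selector="DEFAULT" names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"/>
                <protocol names="TLSv1.3 TLSv1.2"/>
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <!-- Placeholder host: scope the context to the EJBCA endpoint, not every outbound connection -->
            <rule use-ssl-context="ssl-context-client-ejbca">
                <match-host name="ejbca.example.invalid"/>
            </rule>
        </ssl-context-rules>
    </authentication-client>
</configuration>
```

With the rule placed inside <ssl-context-rules>, a misplaced or misspelled element makes the parser reject the file at startup instead of silently ignoring it, which is the quickest way to tell whether the file is being read at all.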