HTTPS for communication between the application server and the web server
First configure the SSL connector for the application server.
1. Stop the application server.
2. Start the CLI (offline/online).
3. Update the parameters and run the following command.
| By default we expect the keystore in the WildFly configuration directory (...\Server\wildfly-*\standalone\configuration), so you only need to provide the keystore name in the keystore path parameter (path in the command below). If you want to use another location, provide the full path in that parameter and remove the keystore relative-to parameter (relative-to) from the command. |
/subsystem=elytron/key-store=httpsKS:add(path="mykeystore.jks", relative-to=jboss.server.config.dir, credential-reference={clear-text="mypassword"}, type=JKS)
4. Run the following command, replacing the password with your own:
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS, credential-reference={clear-text="mypassword"})
5. Next, run the following command:
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM)
6. Run the following command:
/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, ssl-context=httpsSSC, tcp-keep-alive=true, disallowed-methods=[PUT,DELETE,OPTIONS,HEAD,TRACE,CONNECT,PATCH], max-post-size=1024000000, enable-http2=true)
7. Run the following command:
/subsystem=messaging-activemq/server=default/http-acceptor=http-acceptor:write-attribute(name=http-listener, value=https)
8. Run the following command:
/subsystem=messaging-activemq/server=default/http-acceptor=http-acceptor-throughput:write-attribute(name=http-listener, value=https)
9. (Re)start the application server.
Client-side changes
Update the web server.
Procedure
1. Change the remoting.xml file located in ...\Server\tomcat-*\conf. Update the URL property to reflect the new protocol and port number. Make sure you fill in the correct hostname and port number.
<url>https://hostname:port/rest</url>
2. If needed (for example, for a self-signed certificate), add your certificate to the client cacerts keystore. The keytool can be found in ...\Server\jdk-*\bin. Use the following command:
keytool -cacerts -import -trustcacerts -noprompt -file path\to\your\certificate.crt -alias yourAlias -storepass changeit
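To confirm the result of the procedure, the following added example (not part of the product or its documentation) reads the URL from remoting.xml, rejects anything that is not HTTPS, and performs a TLS handshake that trusts only the certificate you imported. It assumes the certificate file is PEM-encoded and self-signed; the function names, the sample hostname and the surrounding `<remoting>` element are constructed for illustration.

```python
# Added example: checks the client-side settings from the procedure above.
import socket
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def rest_endpoint(remoting_xml: str) -> tuple[str, int]:
    """Return (host, port) from the first <url> element; reject non-HTTPS URLs."""
    root = ET.fromstring(remoting_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "url":  # ignore any XML namespace
            url = urlsplit((el.text or "").strip())
            break
    else:
        raise ValueError("no <url> element found")
    if url.scheme != "https":
        raise ValueError(f"URL uses {url.scheme or 'no scheme'}, expected https")
    if not url.hostname:
        raise ValueError("URL has no hostname")
    # A port left as the literal placeholder "port" raises ValueError here.
    return url.hostname, url.port or 443


def check_listener(host: str, port: int, cert_pem_path: str) -> str:
    """Handshake with the HTTPS listener, trusting only the given certificate.

    Raises ssl.SSLCertVerificationError if the listener presents a different
    certificate or if `host` is not covered by the certificate's names, the
    same conditions under which the web server's connection would be rejected.
    Returns the negotiated TLS version.
    """
    ctx = ssl.create_default_context(cafile=cert_pem_path)  # sole trust anchor
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


# Constructed sample; the real remoting.xml may wrap <url> in other elements.
SAMPLE = "<remoting><url>https://appserver.example.internal:8443/rest</url></remoting>"

if __name__ == "__main__":
    host, port = rest_endpoint(SAMPLE)
    print(f"remoting.xml points at {host}:{port} over HTTPS")
    # With the application server running:
    # print(check_listener(host, port, "certificate.pem"))
```

A hostname error from `check_listener` means the hostname in remoting.xml does not match the names in the certificate, even though the certificate itself is trusted.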