The core-service uses HTTP by default to communicate with other services (the dms-sidecar microservice of the service-manager, the REST-WS API). To switch this communication to HTTPS, the following steps need to be carried out.

...

<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener name="default" socket-binding="http" max-post-size="107374182400" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" max-post-size="107374182400" ssl-context="applicationSSC" enable-http2="true"/>
    <host name="default-host" alias="localhost">
      <filter-ref name="hsts-header"/>
      <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
      <http-invoker http-authentication-factory="application-http-authentication"/>
    </host>
  </server>
  <servlet-container name="default">
    <jsp-config/>
    <websockets/>
  </servlet-container>
  <filters>
    <rewrite name="http-to-https" target="https://localhost:8443%U" redirect="true"/>
  </filters>
  <application-security-domains>
    <application-security-domain name="other" security-domain="ApplicationDomain"/>
  </application-security-domains>
</subsystem>
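Before restarting WildFly with a configuration like the one above, it is worth checking mechanically that the pieces fit together: an https-listener bound to an ssl-context, an http-listener that knows its HTTPS counterpart, a redirect filter that is actually applied to the host, and no filter-ref pointing at a filter that is not defined. The following script is an added example, not part of this page or of the product; it embeds a copy of the subsystem excerpt as constructed sample input and parses it with the Python standard library. The finding texts and the localhost/IP check on the redirect target are the example's own; the latter reflects the later step of using the certificate's hostname rather than localhost or an IP address. On the excerpt as shown, it reports that `hsts-header` is referenced but not defined in the visible `<filters>` block, so you can confirm that definition exists in your full standalone.xml.

```python
"""Offline sanity check for the Undertow HTTPS settings shown on this page (added example)."""
import re
import xml.etree.ElementTree as ET

NS = "urn:jboss:domain:undertow:12.0"


def q(tag):
    """Qualify a tag with the undertow subsystem namespace used by the excerpt."""
    return f"{{{NS}}}{tag}"


# Constructed sample: a copy of the subsystem excerpt from the page.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener name="default" socket-binding="http" max-post-size="107374182400" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" max-post-size="107374182400" ssl-context="applicationSSC" enable-http2="true"/>
    <host name="default-host" alias="localhost">
      <filter-ref name="hsts-header"/>
      <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
      <http-invoker http-authentication-factory="application-http-authentication"/>
    </host>
  </server>
  <filters>
    <rewrite name="http-to-https" target="https://localhost:8443%U" redirect="true"/>
  </filters>
</subsystem>"""


def check_undertow_https(xml_text):
    """Return a list of ERROR/WARN findings for an undertow subsystem document."""
    root = ET.fromstring(xml_text)
    findings = []

    server = root.find(q("server"))
    if server is None:
        return ["ERROR: no <server> element in subsystem"]

    # 1. TLS endpoint: an https-listener that references an ssl-context.
    https = server.find(q("https-listener"))
    if https is None:
        findings.append("ERROR: no https-listener defined")
    elif not https.get("ssl-context"):
        findings.append("ERROR: https-listener has no ssl-context")

    # 2. The plain listener should know which socket-binding carries HTTPS.
    http = server.find(q("http-listener"))
    if http is not None and http.get("redirect-socket") != "https":
        findings.append('WARN: http-listener has no redirect-socket="https"')

    # Filter definitions by name. Note: ElementTree elements with no children are
    # falsy, so test for None explicitly instead of relying on truthiness.
    filters_el = root.find(q("filters"))
    defined = {} if filters_el is None else {f.get("name"): f for f in filters_el}

    # 3. Every filter-ref on a host must resolve, and at least one of them must be
    #    an HTTPS redirect. The redirect host should be the certificate hostname,
    #    not localhost or a bare IPv4 address (assumption of this example).
    redirect_applied = False
    for host in server.iter(q("host")):
        for ref in host.findall(q("filter-ref")):
            name = ref.get("name")
            flt = defined.get(name)
            if flt is None:
                findings.append(f"ERROR: filter-ref '{name}' has no definition in <filters>")
                continue
            if flt.tag == q("rewrite") and flt.get("redirect") == "true":
                target = flt.get("target", "")
                m = re.match(r"https://([^/:%]+)", target)
                if m:
                    redirect_applied = True
                    host_part = m.group(1)
                    if host_part == "localhost" or re.fullmatch(r"\d+(\.\d+){3}", host_part):
                        findings.append(
                            f"WARN: redirect target host '{host_part}' is not the certificate hostname"
                        )
    if not redirect_applied:
        findings.append("WARN: no HTTP-to-HTTPS redirect filter is applied to any host")
    return findings


if __name__ == "__main__":
    for line in check_undertow_https(SAMPLE_SUBSYSTEM):
        print(line)
```

Run it against the `<subsystem>` element extracted from your own standalone.xml after editing; an empty result list means all four checks passed. Replacing `localhost` in the rewrite target with the hostname from the certificate clears the warning.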

...

  1. If the certificate in use is self-signed, it needs to be imported into the CA certificate store of the service-manager's JDK (<service-manager>\jdk\lib\security\cacerts), as well as into those of your external components, if applicable.

    1. Open the CA certificate store with Keystore Explorer (https://keystore-explorer.org/downloads.html); the password is “changeit”.

    2. Click on the “import key pair” button and import your certificate.

    3. Save the file and close Keystore Explorer.

  2. Edit the file <service-manager>\config\application-red.yml, set the port within the property “enaio.dms.server” to the HTTPS port configured above (8443, 443, or a custom port) and change the protocol within the property “enaio.dms.endpoint” from http to https. Also, use the exact hostname from the certificate instead of an IP address, ‘localhost’ or, in case of a DNS alias, the local hostname.
    This change also needs to be applied to all external components that communicate directly with the REST-WS API.

  3. Open the file <service-manager>\config\gateway-prod.yml and change the address in the ‘url’ property from http to https and from port 8080 to your configured HTTPS port (8443, 443, or a custom port).
    If you want to use HTTP and HTTPS at the same time, put this new configuration in a separate gateway profile file and assign it only to the HTTPS gateways.

...