Configuring HTTPS for the Core-Service

The core-service uses HTTP per default to communicate with other services (dms-sidecar microservice of the service-manager, REST-WS API). To change this communication to HTTPS the following steps need to be done.

Enable the HTTPS Listener in the JBoss Wildfly configuration.

  1. Open the file <core-service>\standalone\configuration\jas-app.xml for editing

  2. Find the undertow section (starting with <subsystem xmlns="urn:jboss:domain:undertow:12.0")

  3. Adapt the following line adding 'redirect-sockert=”https”'
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" max-post-size="107374182400" proxy-address-forwarding="true"/>

  4. Add the following line below it
    <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true" max-post-size="107374182400"/>

  5. Restart the core-service

  6. Connect to https://<core-service-ip>:8443

  7. The JBoss Wildfly AS will automatically generate a self-signed certificate for “localhost” and secure communication can be established.


Changing the default hostname “localhost”

  • If you desire a different hostname for the self-signed certificate, search for the below line in the jas-app.xml file and edit the generate-self-signed-certificate-host setting accordingly
    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
    If there was already a certificate for “localhost” generated, delete the file <core-service>\standalone\configuration\application.keystore and restart the core-service. The certificate will then be newly generated using the updated hostname.

Using own (CA-signed) certificates

If you have an officially signed certificate or want to use your own (externally generated) certificate, proceed as follows:

  • Open the JBoss Wildfly keystore <core-service>\standalone\configuration\application.keystore - the password for it is “password”

  • Delete the existing certificate

  • Import your desired certificate

    • assign it the alias “server”

    • set the password “password” for it

  • Save the keystore

  • Restart the core-service

Changing default values

  • The default password for the certificate and the keystore is “password”

  • The default keystore-type is “JKS”

  • The default hostname used for certificate generation is “localhost”

  • To change any of these defaults open the file <core-service>\standalone\configuration\jas-app.xml and adapt the values in the below shown section:

    <tls>
    <key-stores>
    <key-store name="applicationKS">
    <credential-reference clear-text="password"/>
    <implementation type="JKS"/>
    <file path="application.keystore" relative-to="jboss.server.config.dir"/>
    </key-store>
    </key-stores>
    <key-managers>
    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
    <credential-reference clear-text="password"/>
    </key-manager>
    </key-managers>
    <server-ssl-contexts>
    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
    </server-ssl-contexts>
    </tls>

  • The default port for HTTPS communication is 8443. If you want to change this (e.g. to the standard HTTPS port 443), find the following line in the file <core-service>\standalone\configuration\jas-app.xml and adapt the port accordingly
    <socket-binding name="https" port="${jboss.https.port:8443}"/>

  • For the changes to take effect, save the file, delete the file <core-service>\standalone\configuration\application.keystore (only if you want JBoss to generate a new certifcate) and restart the core-service.

 

HTTP to HTTPS redirection

taken from How to redirect HTTP to HTTPS in WildFly - Mastertheboss and https://undertow.io/undertow-docs/undertow-docs-2.0.0/predicates-attributes-handlers.html

In order to redirect HTTP traffic to HTTPS you need to:

  • Create a Rewrite filter which contains the target destination (for example https://localhost:8443).

  • Specify with a predicate expression which is the criteria to redirect request to the target destination (for example, port = 8080)

To do this, you need to adapt the configuration-file <core-service>\standalone\configuration\jas-app.xml as follows

<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="107374182400" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
<https-listener name="https" socket-binding="https" max-post-size="107374182400" ssl-context="applicationSSC" enable-http2="true"/>
<host name="default-host" alias="localhost">
<filter-ref name="hsts-header"/>
<filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
<http-invoker http-authentication-factory="application-http-authentication"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<filters>
<rewrite name="http-to-https" target="https://localhost:8443%U" redirect="true"/>
</filters>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
</subsystem>

Replace https://localhost:8443 with the desired hostname / dns-alias and the actual https socket port (8443 is JBoss default, 443 is default HTTPS port).

Here is an explanation for the possible Exchange attributes in this command:

Attribute

Short Form

Long Form

Attribute

Short Form

Long Form

Remote IP address

%a

%{REMOTE_IP}

Local IP address

%A

%{LOCAL_IP}

Bytes sent, excluding HTTP headers, or '-' if no bytes were sent

%b

 

Bytes sent, excluding HTTP headers

%B

%{BYTES_SENT}

Remote host name

%h

%{REMOTE_HOST}

Request protocol

%H

%{PROTOCOL}

Remote logical username from identd (always returns '-')

%l

 

Request method

%m

%{METHOD}

Local port

%p

%{LOCAL_PORT}

Query string (prepended with a '?' if it exists, otherwise an empty string)

%q

%{QUERY_STRING}

First line of the request

%r

%{REQUEST_LINE}

HTTP status code of the response

%s

%{RESPONSE_CODE}

Date and time, in Common Log Format format

%t

%{DATE_TIME}

Remote user that was authenticated

%u

%{REMOTE_USER}

Requested URL path

%U

%{REQUEST_URL}

Request relative path

%R

%{RELATIVE_PATH}

The full list of attributes is available here: https://undertow.io/undertow-docs/undertow-docs-2.0.0/predicates-attributes-handlers.html

 

Disable HTTP completely

To completely disable HTTP, i.e. also not forwarding from HTTP to HTTPS proceed as follows:

  • Open the file <core-service>\standalone\configuration\jas-app.xml

  • Find the following line and comment it out
    <http-listener name="default" socket-binding="http" max-post-size="107374182400" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>

  • Save the file

  • Restart the core-service.

 

Configure the service-manager for HTTPS communication with the core-service

If you have enabled HTTPS and / or disabled HTTP, make sure you configure the service-manager to communicate with the HTTPS interface of the core-service!

This is done by the following steps:

  1. If the used certificate is self-signed, it needs to be imported to the CA certificate store in the service-managers JDK (<service-manager>\jdk\lib\security\cacerts) as well as your external components if it applies.

    1. Open the CA certificate store with Keystore Explorer (https://keystore-explorer.org/downloads.html), the password is “changeit”.

    2. Klick on the “import key pair” button and import your certificate

    3. Save the file and close Keystore Explorer

  2. Edit the file <service-manager>\config\application-red.yml and set the port within the property “enaio.dms.server” to the above set https port (8443, 443, custom) and set the protocol within the property “enaio.dms.endpoint” from http to https. Also, use the exact hostname used in the certificate instead of an IP, ‘localhost’ or, in case of a DNS-alias, the local hostname.
    This change also needs to be applied to all external components communicating with the REST-WS API directly as well.

  3. Open the file <service-manager>\config\gateway-prod.yml and change the address in the ‘url’ property from http to https and from port 8080 to your configured https port (8443, 443, custom).
    If you want to use HTTP and HTTPS at the same time, put this new configuration in a separate gateway profile file and only assign it to the HTTPS gateways.