Configure Web Server Keystores

To configure the Web Server TLS keystore, copy the keystore and truststore files to your application server keystore folder. The following displays the WildFly keystore folder location:

WILDFLY_HOME/standalone/configuration/keystore/keystore.jks

WILDFLY_HOME/standalone/configuration/keystore/truststore.jks

For testing purposes, you can use the provided test keystore (dss10_demo-tls.jks) and truststore (dss10_truststore.jks) provided in the res/test/dss10/ folder in the SignServer release.

Configure TLS and HTTP

The following steps cover how to configure TLS and HTTP with a three-port separation. Port 8080 will be used for regular HTTP traffic, port 8442 for HTTPS with server authentication, and port 8443 for HTTPS with both client and server authentication.

1. Start JBoss CLI:

   APPSRV_HOME/bin/jboss-cli.sh -c

2. To remove any existing TLS and HTTP configuration and allow configuring port 8443, run the following:

   /subsystem=undertow/server=default-server/http-listener=default:remove

   /subsystem=undertow/server=default-server/https-listener=https:remove

   /socket-binding-group=standard-sockets/socket-binding=http:remove

   /socket-binding-group=standard-sockets/socket-binding=https:remove

   :reload

3. Configure interfaces using the appropriate bind address. This example uses 0.0.0.0 to make it available for anyone:

   /interface=http:add(inet-address="0.0.0.0")

   /interface=httpspub:add(inet-address="0.0.0.0")

   /interface=httpspriv:add(inet-address="0.0.0.0")

   Note that WildFly defaults to an HTTP post size limit of 10 MB. To allow signing larger files, increase the limits on the HTTP/HTTPS listeners using the max-post-size attribute in the following code examples.

   For Wildfly 10: If a larger limit than the default 10 MB is specified for HTTPS listeners, check that the max-post-size value is updated in the standalone.xml file after running the CLI command. If the value was not updated in the XML file, stop the application server and manually update the max-post-size value in the standalone.xml file before starting the application server again.

4. Configure the HTTPS httpspriv listener and set up the private port requiring the client certificate. Use appropriate values for key-alias (hostname), password (keystore password), ca-certificate-password (truststore password), and supported protocols.
   For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.

   /core-service=management/security-realm=SSLRealm:add()

   /core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="keystore/keystore.jks", keystore-relative-to="jboss.server.config.dir", keystore-password="serverpwd", alias="localhost")

   :reload

   /core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="keystore/truststore.jks", keystore-relative-to="jboss.server.config.dir", keystore-password="changeit")

   :reload

   /socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")

   /subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", security-realm="SSLRealm", verify-client=REQUIRED, max-post-size="10485760", enable-http2="true")

5. Configure the default HTTP listener.
   For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.

   /socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")

   /subsystem=undertow/server=default-server/http-listener=default:add(socket-binding=http, max-post-size="10485760", enable-http2="true")

   /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value="httpspriv")

   :reload

6. Configure the HTTPS httpspub listener and set up the public SSL port not requiring the client certificate.
   For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.

   /socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")

   /subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", security-realm="SSLRealm", max-post-size="10485760", enable-http2="true")

7. Configure the remoting (HTTP) listener and secure the CLI by removing the http-remoting-connector from using the HTTP port and instead use a separate port 4447.
   For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.

   /subsystem=remoting/http-connector=http-remoting-connector:remove

   /subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")

   /socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")

   /subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting, max-post-size="10485760", enable-http2="true")

WSDL Location

In order for the web services to work correctly when requiring client certificate, you need to configure the Web Services Description Language (WSDL) web-host rewriting to use the request host.

To configure the WSDL location, run:

If the server is slow, wait before reloading:

URI Encoding

To configure the URI encoding, run the following:

(Failure messages for the two remove commands above are expected if this command is executed for the first time)

JBoss Troubleshooting

Make sure to apply the relevant security patches from Red Hat and pay special attention to the XML Security and Commons Collections libraries.

Database Configuration

Skip this step and instead see SignServer without Database if you want to run SignServer without a database management system.