WildFly 9 and JBoss EAP 7.0
Application Server specific information for WildFly 9 and JBoss EAP 7.0.
This section provides information on configuring your application server.
Configure Web Server Keystores
To configure the Web Server TLS keystore, copy the keystore and truststore files to your application server keystore folder. The following displays the WildFly keystore folder location:
WILDFLY_HOME/standalone/configuration/keystore/keystore.jks
WILDFLY_HOME/standalone/configuration/keystore/truststore.jks
For testing purposes, you can use the test keystore (dss10_demo-tls.jks) and truststore (dss10_truststore.jks) provided in the res/test/dss10/ folder of the SignServer release.
Configure TLS and HTTP
The following steps cover how to configure TLS and HTTP.
- Start JBoss CLI:
APPSRV_HOME/bin/jboss-cli.sh -c
- Configure interfaces using the appropriate bind address. This example uses 0.0.0.0 to make it available for anyone:
/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
Note that WildFly defaults to an HTTP post size limit of 10 MB. To allow signing larger files, increase the limits on the HTTP/HTTPS listeners using the max-post-size attribute in the following code examples.
If a larger limit than the default 10 MB is specified for HTTPS listeners, check that the max-post-size value is updated in the standalone.xml file after running the CLI command. If the value was not updated in the XML file, stop the application server and manually update the max-post-size value in the standalone.xml file before starting the application server again.
- Secure the CLI by removing the http-remoting-connector from the HTTP port and instead using a separate port, 4447:
/subsystem=remoting/http-connector=http-remoting-connector:remove
/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
/socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting, max-post-size="10485760")
:reload
- Set the limit on the HTTP (8080) listener:
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name="max-post-size", value="10485760")
- Set up the private port, which requires a client certificate. Use values appropriate for your installation: the alias (hostname), the keystore-password of the keystore, the keystore-password of the truststore, and the supported protocols:
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="keystore/keystore.jks", keystore-relative-to="jboss.server.config.dir", keystore-password="serverpwd", alias="localhost")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="keystore/truststore.jks", keystore-relative-to="jboss.server.config.dir", keystore-password="changeit")
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", security-realm="SSLRealm", verify-client=REQUIRED, max-post-size="10485760")
- Set up the public SSL port, which does not require a client certificate:
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", security-realm="SSLRealm", max-post-size="10485760")
reload
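The note above says to confirm that max-post-size actually reached standalone.xml. The following is an added example (not SignServer's or WildFly's own code) that checks the persisted file for the three listeners, the SSLRealm keystore and truststore, and verify-client=REQUIRED on httpspriv; it assumes the operator raised the limit to 50 MB, and the embedded standalone.xml fragment is constructed for illustration.

```python
# Added example, not SignServer's or WildFly's code: checks that the CLI steps above
# were persisted to standalone.xml. Tags are matched by local name since namespaces are versioned.
import xml.etree.ElementTree as ET

EXPECTED_MAX_POST = 52428800  # constructed: assume the 10 MB default was raised to 50 MB
WILDFLY_DEFAULT_MAX_POST = 10485760  # used when the attribute is absent

# Constructed, trimmed standalone.xml: httpspriv is missing max-post-size,
# which is exactly the symptom the note above tells you to look for.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:3.0"><management><security-realms>
<security-realm name="SSLRealm"><server-identities><ssl>
<keystore path="keystore/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="serverpwd" alias="localhost"/>
</ssl></server-identities><authentication>
<truststore path="keystore/truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
</authentication></security-realm></security-realms></management><profile>
<subsystem xmlns="urn:jboss:domain:undertow:2.0"><server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="52428800"/>
<https-listener name="httpspriv" socket-binding="httpspriv" security-realm="SSLRealm" verify-client="REQUIRED"/>
<https-listener name="httpspub" socket-binding="httpspub" security-realm="SSLRealm" max-post-size="52428800"/>
</server></subsystem></profile></server>"""

def _find(root, local_name, **attrs):
    # First element whose local tag name and attributes match, ignoring the namespace.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and all(el.get(k) == v for k, v in attrs.items()):
            return el
    return None

def check_listeners(xml_text, expected_max_post=EXPECTED_MAX_POST):
    """Return a list of problems; an empty list means the configuration is as intended."""
    root = ET.fromstring(xml_text)
    problems = []
    realm = _find(root, "security-realm", name="SSLRealm")
    if realm is None or _find(realm, "ssl") is None:
        problems.append("SSLRealm with an ssl server-identity is missing")
    elif _find(realm, "truststore") is None:
        problems.append("SSLRealm has no truststore, so verify-client=REQUIRED cannot validate clients")
    for name, kind, client_cert in (("default", "http-listener", False),
                                    ("httpspriv", "https-listener", True),
                                    ("httpspub", "https-listener", False)):
        el = _find(root, kind, name=name)
        if el is None:
            problems.append(f"{kind} {name} is missing")
            continue
        size = int(el.get("max-post-size", WILDFLY_DEFAULT_MAX_POST))
        if size < expected_max_post:
            problems.append(f"{name}: max-post-size {size} < {expected_max_post}, fix it in standalone.xml")
        if client_cert and el.get("verify-client") != "REQUIRED":
            problems.append(f"{name}: verify-client is not REQUIRED")
    return problems
```

Run check_listeners on the real WILDFLY_HOME/standalone/configuration/standalone.xml after the :reload; any reported listener is the one to correct by hand before starting the server again.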
WSDL Location
In order for the web services to work correctly when a client certificate is required, you need to configure the Web Services Description Language (WSDL) web-host rewriting to use the request host.
To configure the WSDL location, run:
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
If the server is slow, wait before reloading:
:reload
URI Encoding
To configure the URI encoding, run the following:
/system-property=org.apache.catalina.connector.URI_ENCODING:remove()
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value=UTF-8)
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:remove()
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
:reload
(Failure messages for the two remove commands above are expected the first time these commands are run, since the properties do not exist yet.)
JBoss Troubleshooting
Make sure to apply the relevant security patches from Red Hat and pay special attention to the XML Security and Commons Collections libraries.
XML Security Library Issue in JBoss EAP
The Xalan library bundled with SignServer is not properly overriding the JBoss-bundled version. You must therefore copy the JAR files from SignServer into JBoss' modules directory and modify the descriptor to use the new version.
Linux/Unix
To copy the files, run the following:
cp lib/ext/xalan-2.7.2.jar lib/ext/serializer-2.7.2.jar ${APPSRV_HOME}/modules/system/layers/base/org/apache/xalan/main/
To point the module at the new jar versions, edit the ${APPSRV_HOME}/modules/system/layers/base/org/apache/xalan/main/module.xml file so that its resource roots reference the copied files:
<resource-root path="serializer-2.7.2.jar"/>
<resource-root path="xalan-2.7.2.jar"/>
Windows
To copy the files, run the following:
copy lib\ext\xalan-2.7.2.jar %APPSRV_HOME%\modules\system\layers\base\org\apache\xalan\main\
copy lib\ext\serializer-2.7.2.jar %APPSRV_HOME%\modules\system\layers\base\org\apache\xalan\main\
Database Configuration
Skip this step and instead see SignServer without Database if you want to run SignServer without a database management system.
Configure Database Driver
Add the MariaDB database driver by hot-deploying it into the deployment directory. WildFly picks up and deploys the driver, which allows the data source to be created in the next step. You can use a generic file name, without the version number, to get a generic driver-name for the data source command.
cp mariadb-java-client-2.1.0.jar APPSRV_HOME/standalone/deployments/mariadb-java-client.jar
If you are using a database other than MariaDB, copy the JDBC driver to the deployments directory and make note of the driver class and driver-name shown in the server log for later use when adding the data source in the next step. Example of server log:
... INFO [org.jboss.as.connector.deployers.jdbc] (...) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.2)
... INFO [org.jboss.as.connector.deployers.jdbc] (...) WFLYJCA0018: Started Driver service with driver-name = postgresql-jdbc3.jar
Configure Data Source
To add a data source for SignServer to use, run the command below using JBoss CLI (using APPSRV_HOME/bin/jboss-cli.sh).
The MariaDB data source example configuration uses the driver deployed in the previous step, Configure Database Driver. The --jndi-name below is the default database.properties value. Also note that the --enabled=true option should be set for JBoss EAP 7.x.
If you are using a database other than MariaDB, update the driver-name, connection-url, driver-class and check-valid-connection-sql values accordingly.
data-source add --name=signserverds --driver-name="mariadb-java-client.jar" --connection-url="jdbc:mysql://127.0.0.1:3306/signserver" --jndi-name="java:/SignServerDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="signserver" --password="signserver" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;" --enabled=true
:reload
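For a database other than MariaDB, the driver-name and driver class must be copied from the WFLYJCA log lines shown under Configure Database Driver into the data-source command above. The following is an added example (not SignServer's own tooling) that extracts both values from a constructed log excerpt and assembles the command with the options used on this page, refusing a driver-name that was never deployed; the PostgreSQL connection URL is assumed for illustration.

```python
# Added example, not SignServer's code: derive driver-name and driver class from the
# WFLYJCA deployment messages and build the matching data-source command.
import re

# Constructed log excerpt in the format shown under Configure Database Driver.
SAMPLE_LOG = """\
12:00:01,000 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.2)
12:00:01,001 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = postgresql-jdbc3.jar
"""
# WFLYJCA0004 is the JDBC-compliant variant of the WFLYJCA0005 message.
CLASS_RE = re.compile(r"WFLYJCA000[45]: Deploying (?:non-)?JDBC-compliant driver class (\S+)")
NAME_RE = re.compile(r"WFLYJCA0018: Started Driver service with driver-name = (\S+)")

def find_deployed_drivers(log_text):
    """Map each deployed driver-name to its driver class, pairing messages in log order."""
    drivers, pending_class = {}, None
    for line in log_text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            pending_class = m.group(1)
            continue
        m = NAME_RE.search(line)
        if m and pending_class:
            drivers[m.group(1)] = pending_class
            pending_class = None
    return drivers

def data_source_command(drivers, driver_name, connection_url, validation_sql,
                        user="signserver", password="signserver"):
    """Build the jboss-cli line with the page's pool options; reject an undeployed driver-name."""
    if driver_name not in drivers:
        raise ValueError(f"{driver_name} is not a deployed driver; seen: {sorted(drivers)}")
    opts = [("name", "signserverds"), ("driver-name", driver_name),
            ("connection-url", connection_url), ("jndi-name", "java:/SignServerDS"),
            ("use-ccm", "true"), ("driver-class", drivers[driver_name]),
            ("user-name", user), ("password", password), ("validate-on-match", "true"),
            ("background-validation", "false"), ("prepared-statements-cache-size", "50"),
            ("share-prepared-statements", "true"), ("min-pool-size", "5"),
            ("max-pool-size", "150"), ("pool-prefill", "true"),
            ("transaction-isolation", "TRANSACTION_READ_COMMITTED"),
            ("check-valid-connection-sql", validation_sql), ("enabled", "true")]
    return "data-source add " + " ".join(f'--{k}="{v}"' for k, v in opts)
```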