WildFly Elytron - SSL Configuration

commands.cli

Client Cert authentication with fallback to username / password authentication.

# Paths

./path=elytron.project:add(path=/home/darranl/src/wildfly10/wildfly-elytron)
./path=elytron.project.jks:add(path=src/test/resources/ca/jks, relative-to=elytron.project)
./path=elytron.project.properties:add(path=src/test/resources/org/wildfly/security/auth/realm, relative-to=elytron.project)

# KeyStores

./subsystem=elytron/key-store=localhost:add(type=jks, relative-to=elytron.project.jks, path=localhost.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=beetles:add(type=jks, relative-to=elytron.project.jks, path=beetles.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=ca:add(type=jks, relative-to=elytron.project.jks, path=ca.truststore, credential-reference={clear-text=Elytron})

# Key and Trust Managers

./subsystem=elytron/key-managers=localhost-manager:add(algorithm=SunX509, key-store=localhost, credential-reference={clear-text=Elytron})
./subsystem=elytron/trust-managers=ca-manager:add(algorithm=SunX509, key-store=ca)

# Realms

./subsystem=elytron/properties-realm=test-users:add(users-properties={relative-to=elytron.project.properties, path=clear.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=elytron.project.properties, path=groups.properties}) 
./subsystem=elytron/key-store-realm=key-store-realm:add(key-store=beetles)

# Mappers

./subsystem=elytron/constant-role-mapper=users:add(roles=[Users])
./subsystem=elytron/constant-realm-mapper=key-store-realm:add(realm-name=key-store-realm)
./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)

# Domain

./subsystem=elytron/security-domain=client-cert-domain:add(realms=[{realm=test-users},{realm=key-store-realm}], default-realm=test-users, principal-decoder=x500-decoder,permission-mapper=default-permission-mapper, role-mapper=users)

# HTTP Authentication Factory

./subsystem=elytron/http-authentication-factory=client-cert:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=FORM}])

./subsystem=elytron/http-authentication-factory=client-cert-basic:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=BASIC}])

# SASL Authentication

./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=configured, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=EXTERNAL, realm-mapper=key-store-realm},{mechanism-name=DIGEST-MD5, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
./subsystem=elytron/configurable-sasl-server-factory=configured:write-attribute(name=filters,value=[{pattern-filter=JBOSS-LOCAL-USER}, {pattern-filter=DIGEST-MD5}, {pattern-filter=EXTERNAL}])

# SSLContext

./subsystem=elytron/server-ssl-context=localhost:add(key-managers=localhost-manager, trust-managers=ca-manager, security-domain=client-cert-domain, authentication-optional=true, want-client-auth=true, need-client-auth=false)

# Undertow Subsystem

batch
./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=localhost)
./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
run-batch
./subsystem=undertow/application-security-domain=other:add(http-authentication-factory=client-cert, override-deployment-config=true)

# Management

./core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=localhost)
./core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
./core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=client-cert-basic)
./core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=client-cert-digest)

jboss-cli.xml

<?xml version='1.0' encoding='UTF-8'?>

<!--
   WildFly Command-line Interface configuration.
-->
<jboss-cli xmlns="urn:jboss:cli:3.1">

    <default-protocol use-legacy-override="true">remote+http</default-protocol>

    <!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
    <default-controller>
        <protocol>remote+http</protocol>
        <host>localhost</host>
        <port>9990</port>
    </default-controller>
    
    <!-- Example controller alias named 'Test'  
    <controllers>
        <controller name="Test">
            <protocol>remote+http</protocol>
            <host>localhost</host>
            <port>9990</port>
        </controller>
    </controllers>
    -->    

    <validate-operation-requests>true</validate-operation-requests>

    <!-- Command and operation history log configuration -->
    <history>
        <enabled>true</enabled>
        <file-name>.jboss-cli-history</file-name>
        <file-dir>${user.home}</file-dir>
        <max-size>500</max-size>
    </history>

    <ssl>
        <key-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore</key-store>
        <key-store-password>Elytron</key-store-password>
        <trust-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ca.truststore</trust-store>
        <trust-store-password>Elytron</trust-store-password>
        <modify-trust-store>false</modify-trust-store>
    </ssl>

    <!-- whether to resolve system properties specified as command argument or operation parameter values
                  in the CLI VM before sending the operation requests to the controller -->
    <resolve-parameter-values>false</resolve-parameter-values>


    <!-- Whether to write info and error messages to the terminal output -->
    <silent>false</silent>

    <!-- Whether to filter out commands and attributes based on user's permissions -->
    <access-control>false</access-control>

    <!-- Include the prompt with the command into the output for each command executed in non-interactive mode -->
    <echo-command>false</echo-command>
    
    <!-- Uncomment to set the command timeout. Element value is in seconds -->
    <!-- <command-timeout>30</command-timeout> -->
    
</jboss-cli>

wildfly-confix.xml

<?xml version="1.0" encoding="UTF-8"?>

<!--
      Set with -Dwildfly.config.url=file:///home/darranl/src/wildfly10/cli-scripts/wildfly-config.xml
-->

<configuration>
    <authentication-client xmlns="urn:elytron:1.0">
        <key-stores>
            <key-store name="ladybird" type="jks" >
                <file name="/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore"/>
                <key-store-clear-password password="Elytron" />
            </key-store>
        </key-stores>
        <authentication-rules>
            <rule use-configuration="default" />
        </authentication-rules>
        <authentication-configurations>
            <configuration name="default">
                <allow-sasl-mechanisms names="JBOSS-LOCAL-USER EXTERNAL DIGEST-MD5 PLAIN ANONYMOUS" />
                <set-mechanism-properties>
                    <property key="wildfly.sasl.local-user.quiet-auth" value="true" />
                 </set-mechanism-properties>
                 <use-service-loader-providers />
             </configuration>
        </authentication-configurations>
        <ssl-context-rules>
            <rule use-ssl-context="default" />
        </ssl-context-rules>
        <ssl-contexts>
            <ssl-context name="default">
                <key-store-ssl-certificate key-store-name="ladybird" alias="ladybird">
                    <key-store-clear-password password="Elytron" />
                </key-store-ssl-certificate>
            </ssl-context>
        </ssl-contexts>
    </authentication-client>
</configuration>