Today's entry is a short post about using Wildfly and OpenSSL on a Windows system. I needed to work on the wildfly-openssl library, which gives Wildfly the ability to use OpenSSL to implement the TLS/SSL protocols instead of the default Java JSSE infrastructure. The OpenSSL library is ubiquitous in the Linux world but rarely used on Windows. On the Microsoft OS some custom steps are needed to integrate it into the Wildfly server and, although they are not very complicated, it is better if I summarize the procedure here. So the entry is just that: how to configure Wildfly to use the OpenSSL provider on a Windows 2016 box.
The first step is installing the OpenSSL software on the box. For that I used this package, which I reached from the OpenSSL site itself. I really do not know how widely this specific bundle is used; I just needed some quick binaries to play with. The chosen version 1.1.0L needs the Windows C++ runtime 2013, so the redistributable package should be installed first.
Once the C++ libraries are in the system, just continue with OpenSSL. The software was installed into the directory C:\Program Files\OpenSSL-Win64. The DLL files were copied to the bin folder instead of the system32 system location. At this point we can check that OpenSSL works (just the version option is enough to see that everything is installed OK).
openssl.exe version
OpenSSL 1.1.0l 10 Sep 2019
A sample self-signed certificate is created to be used inside the server.
cd %JBOSS_HOME%\bin
keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ..\standalone\configuration\keystore.jks -dname "CN=localhost" -storepass XXXX
Now the Wildfly standalone server should be started, passing the path to the OpenSSL libraries (as the DLL files were installed in an unusual directory, both libraries are passed directly as Java startup options).
standalone.bat -b 0.0.0.0 -Dorg.wildfly.openssl.path.ssl="C:\\Program Files\\OpenSSL-Win64\\bin\\libssl-1_1-x64.dll" -Dorg.wildfly.openssl.path.crypto="C:\\Program Files\\OpenSSL-Win64\\bin\\libcrypto-1_1-x64.dll"
Finally the standalone server is configured to use the OpenSSL provider and that certificate with the following CLI commands.
/subsystem=elytron/key-store=sslKS:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=XXXX}, type=JKS)
/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS, algorithm="SunX509", credential-reference={clear-text=XXXX})
/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl, key-manager=sslKM, protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=sslSSC:write-attribute(name=providers, value=openssl)
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=sslSSC)
run-batch
reload
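The following PowerShell script is an added example, not part of the original post: it runs the whole procedure above on a Windows box and then checks the result. It assumes the hypothetical defaults given in its parameters (the OpenSSL directory, %JBOSS_HOME%, the 8443 port), that the standalone server has already been started with the two -Dorg.wildfly.openssl.path.* options shown above, and that jboss-cli.bat can connect to it. Two deliberate differences from the post: the keystore password is a parameter with an obvious placeholder rather than a literal, and the keytool call uses a 2048-bit RSA key instead of the post's 1024-bit key, which is below current minimums. The verification step at the end does a real TLS 1.2 handshake against the listener, reports the certificate it presents, and confirms that TLS 1.0 and 1.1 are refused, since the server-ssl-context only allows TLSv1.2.

```powershell
<#
  Added example (not from the original post): run the post's Wildfly + OpenSSL
  setup on Windows and verify the HTTPS listener afterwards.
  Assumed/hypothetical values: the paths and port in the parameters below.
  Prerequisite: standalone.bat is already running with the OpenSSL -D options.
#>
param(
    [string]$OpenSslDir = 'C:\Program Files\OpenSSL-Win64',
    [string]$JbossHome  = $env:JBOSS_HOME,
    [string]$StorePass  = 'REPLACE-ME',   # placeholder; pass a real secret from outside the script
    [string]$HostName   = 'localhost',
    [int]$HttpsPort     = 8443
)
$ErrorActionPreference = 'Stop'

# 1. Sanity-check the OpenSSL install: both DLLs must exist and openssl.exe must answer "version".
$libssl    = Join-Path $OpenSslDir 'bin\libssl-1_1-x64.dll'
$libcrypto = Join-Path $OpenSslDir 'bin\libcrypto-1_1-x64.dll'
foreach ($dll in @($libssl, $libcrypto)) {
    if (-not (Test-Path $dll)) { throw "Missing OpenSSL DLL: $dll" }
}
$version = & (Join-Path $OpenSslDir 'bin\openssl.exe') version
if ($version -notmatch '^OpenSSL 1\.1\.') { throw "Unexpected OpenSSL build: $version" }

# 2. Create the self-signed keystore (2048-bit RSA instead of the 1024-bit key used in the post).
$keystore = Join-Path $JbossHome 'standalone\configuration\keystore.jks'
if (-not (Test-Path $keystore)) {
    & keytool -genkeypair -alias $HostName -keyalg RSA -keysize 2048 -validity 365 `
        -keystore $keystore -dname "CN=$HostName" -storepass $StorePass
}

# 3. Write the post's CLI commands to a file and apply them through jboss-cli.
$cli = @"
/subsystem=elytron/key-store=sslKS:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=$StorePass}, type=JKS)
/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS, algorithm="SunX509", credential-reference={clear-text=$StorePass})
/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl, key-manager=sslKM, protocols=["TLSv1.2"])
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=sslSSC)
run-batch
reload
"@
$cliFile = Join-Path $env:TEMP 'wildfly-openssl.cli'
Set-Content -Path $cliFile -Value $cli -Encoding ASCII
& (Join-Path $JbossHome 'bin\jboss-cli.bat') --connect --file=$cliFile

# 4. Verify: handshake with a given protocol and report what the listener actually presents.
function Test-TlsHandshake {
    param([string]$Target, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # The certificate is self-signed, so accept it in the callback and inspect it explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
        $ssl.AuthenticateAsClient($Target, $null, $Protocol, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $cert.Subject
            KeyBits    = $cert.PublicKey.Key.KeySize
            Thumbprint = $cert.Thumbprint
        }
    } finally { $tcp.Close() }
}

Start-Sleep -Seconds 10   # give the reload time to finish before probing
$result = Test-TlsHandshake -Target $HostName -Port $HttpsPort `
    -Protocol ([System.Security.Authentication.SslProtocols]::Tls12)
$result | Format-List
if ($result.KeyBits -lt 2048) { Write-Warning "Server key is only $($result.KeyBits) bits" }

# The server-ssl-context allows only TLSv1.2, so older protocol versions must be refused.
foreach ($old in 'Tls', 'Tls11') {
    try {
        Test-TlsHandshake -Target $HostName -Port $HttpsPort `
            -Protocol ([System.Security.Authentication.SslProtocols]$old) | Out-Null
        Write-Warning "$old was accepted; check the protocols attribute of server-ssl-context=sslSSC"
    } catch {
        Write-Host "$old refused as expected"
    }
}
```

Run it from an elevated PowerShell after the server is up; the thumbprint it prints is the value to pin or to compare against `keytool -list -v` on the keystore, and a warning from the last loop means the listener still negotiates a protocol the configuration was meant to exclude.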
And that is all. Now Wildfly can be accessed at the secure port 8443 using the OpenSSL library inside the Windows 2016 machine. Time to start what I really wanted to do.
Regards.