HTTPS setup : Configuring HTTPS for JBoss
 
Configuring HTTPS for JBoss
Tools used for configuration:
jboss-cli - found in <installation directory>\app\jboss-eap-6.3\bin
Your signed certificate keystore
Prerequisite:
Orchestra installed with JBoss or Orchestra 5.4 upgraded with JBoss.
jboss-cli is used for making changes, but the values can also be tweaked by editing the file <installation directory>\app\jboss-eap-6.3\standalone\configuration\standalone-full.xml.
With this instruction you will configure an HTTPS connector with the TLS protocol, using the ciphers recommended by nist.gov for TLSv1.
Before you start, make sure that JBoss is started.
IMPORTANT! When you copy and paste the commands below, make sure you do not lose hyphens or letters at the end of rows!
1. We need to create an HTTPS connector through the JBoss EAP management console. You can use jboss-cli to run this from a command prompt:
jboss-cli -c "/subsystem=web/connector=https/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)"
 
2. Now we need to configure the SSL certificate by running the following command. Notice that you need your key alias and key password here. Replace KEY_ALIAS with your own value; it needs to match what you replaced <hostname> with in the Preparation section. Likewise, replace <KEY_PASSWORD> in the command below with your key password:
jboss-cli -c "/subsystem=web/connector=https/ssl=configuration:add(name=https,certificate-key-file=\"${javax.net.ssl.keyStore}\",password=\"${javax.net.ssl.keyStorePassword}\",key-alias=KEY_ALIAS,key-password=\"<KEY_PASSWORD>\")"
 
3. The next step is to set secure cipher-suites for the TLS protocol. This needs to be on one single line:
jboss-cli -c "/subsystem=web/connector=https/ssl=configuration/:write-attribute(name=cipher-suite,value=\"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\")"
 
The cipher values specified here are recommended values and can be found in the JDK compatibility table at https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html. If you can, also enable TLSv1.1 and TLSv1.2 along with their recommended cipher suites (also listed in the JDK compatibility table).
Important
In order to use, for example, Vision with Orchestra over HTTPS, add the protocol “SSLv3” to the enabled-protocols part of the configuration. If these units will not be using HTTPS, leave that protocol out of the configuration, as it is less secure than TLS. Always set at least TLSv1, as that is required by internal Orchestra HTTPS communication.
For TLS protocols only (i.e. not supporting Vision 17 in HTTPS mode), run the following command:
jboss-cli -c "/subsystem=web/connector=https/ssl=configuration/:write-attribute(name=protocol,value=\"TLSv1,TLSv1.1,TLSv1.2\")"
 
Restart JBoss to apply the changes.
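As an added check that is not part of the original instructions, the following Python script audits the https connector in standalone-full.xml against steps 1 to 4 above (connector present, <ssl> element present, TLSv1 listed, SSLv3 flagged, TLSv1.1/TLSv1.2 enabled, cipher-suite set). The sample XML is constructed; element and attribute names follow the jboss-cli attributes, and the namespace version is an assumption for EAP 6.3.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the web <subsystem> after steps 1-4, with SSLv3 left on
# (element/attribute names follow the CLI attributes; the namespace version is
# an assumption for EAP 6.3). Point ET.parse() at standalone-full.xml for real use.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" key-alias="KEY_ALIAS" certificate-key-file="${javax.net.ssl.keyStore}"
         password="${javax.net.ssl.keyStorePassword}" key-password="KEY_PASSWORD"
         cipher-suite="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
         protocol="SSLv3,TLSv1"/>
  </connector>
</subsystem>"""


def _local(tag):
    # Strip the namespace so the lookup does not depend on the schema version.
    return tag.split("}", 1)[-1]


def audit_https_connector(xml_text):
    """Return a list of findings; an empty list means the connector matches the guide."""
    root = ET.fromstring(xml_text)
    connector = next((e for e in root.iter()
                      if _local(e.tag) == "connector" and e.get("name") == "https"), None)
    if connector is None:
        return ["no connector named 'https' (step 1 not applied)"]
    findings = []
    if connector.get("scheme") != "https" or connector.get("secure") != "true":
        findings.append("https connector needs scheme=https and secure=true")
    ssl = next((e for e in connector if _local(e.tag) == "ssl"), None)
    if ssl is None:
        return findings + ["no <ssl> element under the https connector (step 2 not applied)"]
    protocols = [p.strip() for p in ssl.get("protocol", "").split(",") if p.strip()]
    if "TLSv1" not in protocols:
        findings.append("TLSv1 not listed: required by internal Orchestra HTTPS communication")
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled: less secure than TLS, only needed for Vision over HTTPS")
    for wanted in ("TLSv1.1", "TLSv1.2"):
        if wanted not in protocols:
            findings.append(f"{wanted} not enabled (recommended when supported)")
    if not [c for c in ssl.get("cipher-suite", "").split(",") if c.strip()]:
        findings.append("cipher-suite not set (step 3 not applied)")
    return findings


if __name__ == "__main__":
    for finding in audit_https_connector(SAMPLE_XML) or ["OK: connector matches the guide"]:
        print(finding)
```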
Troubleshoot
If you cannot access the server on port 8443 from outside localhost, check that your firewall is not blocking that port.