HTTPS setup : Configuring HTTPS for Wildfly
 
Configuring HTTPS for Wildfly
Before you start, make sure that Wildfly is started.
IMPORTANT! When you copy and paste the commands below, make sure you do not lose the hyphens or letters at the end of rows!
Tools used for configuration:
jboss-cli - found in <installation directory>\app\wildfly-8.2.0.Final\bin
Prerequisites:
Orchestra installed with Wildfly, or Orchestra 5.4 upgraded with Wildfly.
The keystore and truststore have been updated with the desired certificate and are located in <installation directory>\conf\security as files named keystore.jks and truststore.jks.
Follow these steps to configure HTTPS for Wildfly:
1. We will add a security realm which will be used by the https listener. Run the following commands with jboss-cli from the application server's bin directory (that is, <orchestra-install-dir>\app\wildfly-8.2.0.Final\bin). Replace <hostname> and KEY_PASSWORD with the values you used in the Preparation section:
jboss-cli -c "/core-service=management/security-realm=\"orchestraSSL\":add"
 
jboss-cli -c "/core-service=management/security-realm=\"orchestraSSL\"/server-identity=\"ssl\":add(keystore-path=\"${javax.net.ssl.keyStore}\",keystore-password=\"${javax.net.ssl.keyStorePassword}\",alias=\"<hostname>\",key-password=\"KEY_PASSWORD\")"
 
2. Next, we will add an https listener which uses our newly created security realm. Run the following command:
jboss-cli -c "/subsystem=undertow/server=default-server/https-listener=orchestra-https/:add(socket-binding=\"https\", security-realm=\"orchestraSSL\",verify-client=\"REQUESTED\",enabled-protocols=\"SSLv3,TLSv1,TLSv1.1,TLSv1.2\",enabled-cipher-suites=\"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\")"
 
TLSv1 is mandatory, as internal https calls require it. If you leave this protocol out, you will get errors.
Important
This configuration contains SSLv3 only because units such as Vision require the older protocol to accept certificates. If you do not need to run these units over HTTPS, remove the SSLv3 protocol from the configuration, as it has been found to be insecure. Also note that TP3115, TP Touch and Intro 8 do not support encrypted communication at all; those units need to go through HTTP.
Never remove/disable the default HTTP listener. Orchestra requires http for internal communication.
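The listener command above carries the full protocol and cipher-suite lists, so it is easy to lose track of what is still enabled after editing it. The following Python script is an added example, not part of the Orchestra documentation or the Wildfly tooling: it parses a jboss-cli https-listener ":add" operation (either the raw operation or the "jboss-cli -c" wrapper with escaped quotes as printed on this page), reports SSLv3 and weak suites such as 3DES, and emits a hardened copy of the command with those removed while keeping TLSv1, which this page says internal calls require. The severity labels, the weak-suite markers and the function names are the example's own choices; the sample command is the one from step 2.

```python
import re

# Constructed sample: the step 2 listener command exactly as this page prints it,
# including the jboss-cli -c "..." wrapper and the \" escapes (Python needs \\" here).
PAGE_LISTENER_CMD = (
    'jboss-cli -c "/subsystem=undertow/server=default-server/https-listener=orchestra-https/:add('
    'socket-binding=\\"https\\", security-realm=\\"orchestraSSL\\",verify-client=\\"REQUESTED\\",'
    'enabled-protocols=\\"SSLv3,TLSv1,TLSv1.1,TLSv1.2\\",'
    'enabled-cipher-suites=\\"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,'
    'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,'
    'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\\")"'
)

# Classification tables chosen for this example (assumption: your policy may differ).
WEAK_PROTOCOLS = {
    "SSLv2": "SSLv2 is broken",
    "SSLv3": "SSLv3 is insecure (POODLE); keep it only while legacy units such as Vision need it",
}
# Deprecated by RFC 8996, but this page states TLSv1 is required for internal calls.
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = {
    "3DES": "64-bit block cipher (Sweet32)",
    "RC4": "RC4 is broken",
    "NULL": "no encryption",
    "EXPORT": "export-grade key sizes",
    "anon": "no peer authentication",
    "MD5": "MD5-based MAC",
}

ARG_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def unwrap(cmd):
    """Return the bare CLI operation; strips a jboss-cli -c "..." wrapper and its \" escapes."""
    cmd = cmd.strip()
    m = re.match(r'^jboss-cli(?:\.bat)?\s+-c\s+"(.*)"$', cmd, re.S)
    if m:
        cmd = m.group(1).replace('\\"', '"')
    return cmd


def as_jboss_cli(op):
    """Inverse of unwrap: re-escape the operation for copy-paste into jboss-cli -c "...". """
    return 'jboss-cli -c "' + op.replace('"', '\\"') + '"'


def parse_listener(cmd):
    """Split an ':add(...)' operation into its address and a dict of quoted parameters."""
    op = unwrap(cmd)
    addr, sep, args = op.partition(":add(")
    if not sep or not args.endswith(")"):
        raise ValueError("not an :add(...) operation")
    return addr.rstrip("/"), dict(ARG_RE.findall(args[:-1]))


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_listener(cmd):
    """Report (severity, item, reason) findings for the protocols and suites a listener enables."""
    addr, params = parse_listener(cmd)
    protocols = split_list(params.get("enabled-protocols", ""))
    suites = split_list(params.get("enabled-cipher-suites", ""))
    findings = []
    for p in protocols:
        if p in WEAK_PROTOCOLS:
            findings.append(("HIGH", p, WEAK_PROTOCOLS[p]))
        elif p in DEPRECATED_PROTOCOLS:
            findings.append(("INFO", p, "deprecated by RFC 8996; keep only while internal calls need it"))
    for s in suites:
        for marker, why in WEAK_SUITE_MARKERS.items():
            if marker in s:
                findings.append(("HIGH", s, why))
                break
        else:
            if s.startswith("TLS_RSA_"):
                findings.append(("LOW", s, "RSA key exchange: no forward secrecy"))
    if params.get("verify-client") == "REQUESTED":
        findings.append(("INFO", "verify-client", "client certificate is requested but not required"))
    return {"address": addr, "protocols": protocols, "suites": suites, "findings": findings}


def hardened_command(cmd):
    """Rewrite the operation without SSLv3 and weak suites; TLSv1/TLSv1.1 stay because the page needs TLSv1."""
    addr, params = parse_listener(cmd)
    params["enabled-protocols"] = ",".join(
        p for p in split_list(params.get("enabled-protocols", "")) if p not in WEAK_PROTOCOLS)
    params["enabled-cipher-suites"] = ",".join(
        s for s in split_list(params.get("enabled-cipher-suites", ""))
        if not any(marker in s for marker in WEAK_SUITE_MARKERS))
    arglist = ",".join(f'{k}="{v}"' for k, v in params.items())
    return f"{addr}:add({arglist})"


if __name__ == "__main__":
    report = audit_listener(PAGE_LISTENER_CMD)
    for severity, item, reason in report["findings"]:
        print(f"[{severity}] {item}: {reason}")
    print("\nHardened command for copy-paste:")
    print(as_jboss_cli(hardened_command(PAGE_LISTENER_CMD)))
```

Run it against the command you actually pasted into jboss-cli rather than the page's copy; the hardened output keeps the socket binding, realm and verify-client settings untouched and only trims the two lists, so it can be reviewed line by line against the original before it is applied.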
3. Make sure that the following keystore/truststore JVM parameters are set in <orchestra-install-dir>\app\wildfly-8.2.0.Final\bin\standalone.conf.bat:
-Djavax.net.ssl.trustStore=%QP_HOME%/conf/security/truststore.jks
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=%QP_HOME%/conf/security/keystore.jks
-Djavax.net.ssl.keyStorePassword=changeit
 
These affect Orchestra Central. Change the passwords in these parameters so they match your own keystore and truststore passwords.
4. Restart Orchestra. Browse to https://localhost:8443.
Enabling the Cookie for single sign on attribute
The purpose of the cookie for single sign on attribute is to prevent security holes and stop Orchestra from being vulnerable to XSS attacks.
You enable it by updating the file conf/shiro.ini and adding ‘cookie.secure = true’, as in the following example:
 
# Cookie for single sign on
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie
cookie.path = /
cookie.secure = true