WildFly 10+ and JBoss EAP 7.1+

Application Server specific information for WildFly 10, 11, and 14, and JBoss EAP 7.1-7.2.

This section provides the following information on configuring your application server:

Configure Web Server Keystores

To configure the Web Server TLS keystore, copy the keystore and truststore files to your application server keystore folder. The following displays the WildFly keystore folder location:

WILDFLY_HOME/standalone/configuration/keystore/keystore.jks
WILDFLY_HOME/standalone/configuration/keystore/truststore.jks

For testing purposes, you can use the provided test keystore (dss10_demo-tls.jks) and truststore (dss10_truststore.jks) provided in the res/test/dss10/ folder in the SignServer release.

Configure TLS and HTTP

The following steps cover how to configure TLS and HTTP with a three-port separation. Port 8080 will be used for regular HTTP traffic, port 8442 for HTTPS with server authentication, and port 8443 for HTTPS with both client and server authentication.

  1. Start JBoss CLI:

    APPSRV_HOME/bin/jboss-cli.sh -c


  2. To remove any existing TLS and HTTP configuration and allow configuring port 8443, run the following:

    /subsystem=undertow/server=default-server/http-listener=default:remove
    /subsystem=undertow/server=default-server/https-listener=https:remove
    /socket-binding-group=standard-sockets/socket-binding=http:remove
    /socket-binding-group=standard-sockets/socket-binding=https:remove
    :reload


  3. Configure interfaces using the appropriate bind address. This example uses 0.0.0.0 to make it available for anyone:

    /interface=http:add(inet-address="0.0.0.0")
    /interface=httpspub:add(inet-address="0.0.0.0")
    /interface=httpspriv:add(inet-address="0.0.0.0")

    Note that WildFly defaults to an HTTP post size limit of 10 MB. To allow signing larger files, increase the limits on the HTTP/HTTPS listeners using the max-post-size attribute in the following code examples.

    For Wildfly 10: If a larger limit than the default 10 MB is specified for HTTPS listeners, check that the max-post-size value is updated in the standalone.xml file after running the CLI command. If the value was not updated in the XML file, stop the application server and manually update the max-post-size value in the standalone.xml file before starting the application server again.

  4. Configure the HTTPS httpspriv listener and set up the private port requiring the client certificate. Use appropriate values for key-alias (hostname), password (keystore password), ca-certificate-password (truststore password), and supported protocols.
    For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.

    /core-service=management/security-realm=SSLRealm:add()
    /core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="keystore/keystore.jks", keystore-relative-to="jboss.server.config.dir", keystore-password="serverpwd", alias="localhost")
    :reload
    /core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="keystore/truststore.jks", keystore-relative-to="jboss.server.config.dir", keystore-password="changeit")
    :reload
    /socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
    /subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", security-realm="SSLRealm", verify-client=REQUIRED, max-post-size="10485760", enable-http2="true") 
  5. Configure the default HTTP listener.
    For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.
    /socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
    /subsystem=undertow/server=default-server/http-listener=default:add(socket-binding=http, max-post-size="10485760", enable-http2="true")
    /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value="httpspriv")
    :reload


  6. Configure the HTTPS httpspub listener and set up the public SSL port not requiring the client certificate.
    For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.
    /socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")
    /subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", security-realm="SSLRealm", max-post-size="10485760", enable-http2="true")


  7. Configure the remoting (HTTP) listener and secure the CLI by removing the http-remoting-connector from using the HTTP port and instead use a separate port 4447.
    For WildFly 14, instead use enable-http2="false" to avoid error messages in the log.
    /subsystem=remoting/http-connector=http-remoting-connector:remove
    /subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
    /socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
    /subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting, max-post-size="10485760", enable-http2="true")

WSDL Location

In order for the web services to work correctly when requiring client certificate, you need to configure the Web Services Description Language (WSDL) web-host rewriting to use the request host.

To configure the WSDL location, run:

/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)

If the server is slow, wait before reloading:

:reload

URI Encoding

To configure the URI encoding, run the following:

/system-property=org.apache.catalina.connector.URI_ENCODING:remove()
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value=UTF-8)
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:remove()
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
:reload

(Failure messages for the two remove commands above are expected if this command is executed for the first time)

JBoss Troubleshooting

Make sure to apply the relevant security patches from Red Hat and pay special attention to the XML Security and Commons Collections libraries.

XML Security Library Issue in JBoss EAP

The Xalan library bundled with SignServer is not properly overriding the JBoss-bundled version. You must therefore copy the JAR files from SignServer into JBoss' modules directory and modify the descriptor to use the new version.

Linux/Unix

To copy the files, run the following:

cp lib/ext/xalan-2.7.2.jar lib/ext/serializer-2.7.2.jar ${APPSRV_HOME}/modules/system/layers/base/org/apache/xalan/main/

To set the correct driver jar versions, edit ${APPSRV_HOME}/modules/system/layers/base/org/apache/xalan/main/module.xml file:

<resource-root path="serializer-2.7.2.jar"/>
<resource-root path="xalan-2.7.2.jar"/>

Windows

To copy the files, run the following:

copy lib\ext\xalan-2.7.2.jar %APPSRV_HOME%\modules\system\layers\base\org\apache\xalan\main\
copy lib\ext\serializer-2.7.2.jar %APPSRV_HOME%\modules\system\layers\base\org\apache\xalan\main\

Database Configuration

Skip this step and instead see SignServer without Database if you want to run SignServer without a database management system.

Configure Database Driver

Add the MariaDB database driver by hot-deploying it into the deployment directory. The driver will be picked up by WildFly and deployed, allowing creating the data source in the next step. You can use a generic name, without version number, to get a generic driver-name for the data source command.

cp mariadb-java-client-2.1.0.jar APPSRV_HOME/standalone/deployments/mariadb-java-client.jar

If you are using a database other than MariaDB, copy the JDBC driver to the deployments directory and make note of the driver class and driver-name shown in the server log for later use when adding the data source in the next step. Example of server log:

... INFO  [org.jboss.as.connector.deployers.jdbc] (...) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.2)
... INFO  [org.jboss.as.connector.deployers.jdbc] (...) WFLYJCA0018: Started Driver service with driver-name = postgresql-jdbc3.jar

Configure Data Source

To add a data source for SignServer to use, run the command below using JBoss CLI (using APPSRV_HOME/bin/jboss-cli.sh).

The MariaDB data source example configuration uses the driver deployed in the previous step Configure Database Driver. The -jindi-name below is the default database.properties value. Also note that the --enabled=true option should be set for JBoss EAP 7.x.

If you are using a database other than MariaDB, update the driver-name, connection-url, driver-class and check-valid-connection-sql values accordingly.

data-source add --name=signserverds --driver-name="mariadb-java-client.jar" --connection-url="jdbc:mysql://127.0.0.1:3306/signserver" --jndi-name="java:/SignServerDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="signserver" --password="signserver" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;" --enabled=true
:reload