We Keep Coding

JBoss 1-way and 2-way SSL symultaneously

I have a JBoss application with multiple endpoints. All these endpoints should be available to any user over one way SSL (HTTPS), except for a specific endpoint (let's call it /app/sensitive) which should only be accessed by a specific machine (ie. 2-way SSL).
Is there a way to configure JBoss for 1/2-way SSL at the same time, differentiated by what endpoint has been requested?

I'm not sure, because did not test it, but it seems like you can have
one-way SSL on one port and two-way SSL on another port.
from standalone.xml (or domain.xml):
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
...
<connector name="one-way-https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="one-way-https" enable-lookups="false" secure="true">
</connector>
<connector name="two-way-https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="two-way-https" enable-lookups="false" secure="true">
<ssl name="two-way-ssl" key-alias="my-identity" password="${VAULT::Jboss_config::store_password::1}" certificate-key-file="../standalone/configuration/cert/JBoss_Identity.jks"/>
</connector>
...
</subsystem>
<socket-binding-group name="standard-sockets" ...>
...
<socket-binding name="one-way-https" port="8443"/>
<socket-binding name="two-way-https" port="8453"/>
...
</socket-binding-group>
If you will test it, please let me know is it solution or not, because in near future I have to do the same, just do not have a time right now to check it... Thanks.
BTW in <ssl> element you can define other than default Trust store and Key Store to use on that port.
I hope it will work.

While accessing http in wildfly9, a blank download file is getting downloaded

I've blocked the http protocol(enabled https only) in wildfly 9.0 by changing below configuration
Changed connector-ref="default" to connector-ref="default-ssl"
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
<endpoint worker="default"/>
<http-connector name="http-remoting-connector" connector-ref="default-ssl" security-realm="ApplicationRealm"/>
</subsystem>
Commented the http-listener
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<!-- <http-listener name="default" socket-binding="http" redirect-socket="https"/> -->
<https-listener name="def.....
it worked..i am able to block the http and enabled https protocol access only. Ideally it should reject the http request. But, now problem is, whenever i am accessing the http://localhost:8080/MyWebApp/ , its rejecting the http request, but at the same time, web page is downloading a blank download file. why ???
Thanks.

You should redirect your http requests to https instead of disabling the http:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443" />
Add a redirect handler in the handlers part, something along the way of:
<host name="other-host" alias="www.mysite.com, ${prop.value:default-alias}" default-web-module="something.war" disable-console-redirect="true">
<location name="/" handler="welcome-content">
<filter-ref name="redirects" predicate="!secure" />
</location>
<filter-ref name="headers"/>
</host>
</server>
...
https://myserver/'" redirect="true" />

How many connection can be created in jboss by default config?

For http this config in standalone.xml
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
Its the default config.
I would like to know how many connections this server can handle both incoming and out going.
Like 3000 users(clients) and this server is communicating with other web services, so overall how many http/https connections can this handle at a time, also is there a way to find out the current number of connections

Enable https in jboss as 7.1.1 and import ssl certificate?

I have a web application in deployed on jboss as 7.1.1 and its working fine. Now i want to enable ssl to my jboss server. i want to access my portal using this
https://myapplication.com
For this i went through https://docs.jboss.org/jbossweb/7.0.x/config/ssl.html documentation.
I did some modification in standalone.xml file also.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<configuration>
<static-resources listings="true"/>
</configuration>
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https">
<ssl name="https" password="pro#123" certificate-key-file="${jboss.server.config.dir}/pro.com.jks"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="false">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
I can access http://myapplication.com but cant access https://myapplication.com
I bought certificate also but dont know where to configure now to access my portal in http secure mode.
when i see console this comes
08:10:46,202 INFO [org.jboss.as.controller] (Controller Boot Thread) JBAS014774: Service status report
JBAS014775: New missing/unsatisfied dependencies:
service jboss.binding.connect (missing) dependents: [service jboss.web.connector.https]
Can anyone help me?

How to configure external vendor SSL certs into JBoss 7.1

I am converting from Websphere 8.x to JBoss 7.1 but I am having trouble getting SSL certificates into JBoss 7.1. We utilize external vendor web services via SSL.
In Websphere I would do this:
Add Vendor to the local WAS trust store:
Use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem.
Complete the following steps:
Log into the administrative console.
Expand Security and click SSL certificate and key management.
Under Configuration settings, click Manage endpoint security configurations.
Select the appropriate outbound configuration to get to the (cell):E4GT82WNode03Cell:(node):E4GT82WNode03 management scope.
Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
Under Additional Properties, click Signer certificates and Retrieve From Port.
In the Host field, enter services.vendor.com in the host name field, enter 443 in the Port field, and services.vendor.com_cert in the Alias field.
Click Retrieve Signer Information.
Verify that the certificate information is for a certificate that you can trust.
Click Apply and Save.
But in JBoss it doesn't look like there is this kind of capability. I have been playing with openssl, keytool for creating, adding certs to a keystore and tried making changes to the standalone.xml file. I've tried so many different things that have been suggested on different search results I've tried and spent countless hours trying to figure this out.
I'm getting this error:
13:08:50,801 ERROR [org.jboss.as.controller.management-operation]
Operation ("add") failed - address: ([
("subsystem" => "web"),
("connector" => "https"),
("ssl" => "configuration") ]) - failure description: "JBAS014803: Duplicate resource [
(\"subsystem\" => \"web\"),
(\"connector\" => \"https\"),
(\"ssl\" => \"configuration\") ]"
Throws error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
<ssl key-alias="vendor1.com_cert" password="secret" certificate-key-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
<ssl key-alias="vendor2.com_cert" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
Doesn't throw error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
My question is this:
How can I configure multiple SSL certs in JBoss like Websphere does?

You will need to add system-properties for this. So basically add the following piece of code to your standalone.xml just after <extensions>....</extensions> tag:
<system-properties>
<property name="javax.net.ssl.trustStore" value="<location of cert>"/>
</system-properties>
<location of cert> is the location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). Note that on Windows, the specified pathname must use forward slashes, /, in place of \.