Wildfly Multiple IP and Multiple SSL Certificate

Wildfly can manage different ip in the same standalone server.
The final target is two manage different ssl certificate for each ip.

Due to ssl handshake limitation each hostname needs to be associate with different ip


For example


https://localhost:8181 send certificate1
https://192.168.1.3:8181 send certificate 2

But first start to setup the new ip interface


<interfaces>
       <interface name="management">
           <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
       </interface>
       <interface name="public">
           <inet-address value="${jboss.bind.address:127.0.0.1}"/>
       </interface>
       <interface name="public_secondary">
           <inet-address value="${jboss.bind.address:192.168.1.3}"/>
       </interface>
       <interface name="unsecure">
           <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
       </interface>
   </interfaces>


Adding the public_secondary


Next add to socket bindings section a new socketbinding using the new interface

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
       <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
       <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
       <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
       <socket-binding name="http" port="${jboss.http.port:8080}"/>
       <socket-binding name="https" port="${jboss.https.port:8181}"/>
       <socket-binding name="http_secondary" interface="public_secondary" port="${jboss.http.port:8080}"/>
       <socket-binding name="https_secondary" interface="public_secondary" port="${jboss.https.port:8181}"/>
       <socket-binding name="jacorb" interface="unsecure" port="3528"/>
       <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
       <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
       <socket-binding name="txn-recovery-environment" port="4712"/>
       <socket-binding name="txn-status-manager" port="4713"/>
       <outbound-socket-binding name="mail-smtp">
           <remote-destination host="localhost" port="25"/>
       </outbound-socket-binding>
   </socket-binding-group>

the new socket bindings will be used in undertow configuration in <server> section


<subsystem xmlns="urn:jboss:domain:undertow:1.1">
           <buffer-cache name="default"/>
           <server name="default-server">
               <http-listener name="default" socket-binding="http"/>
               <https-listener name="https-listener" socket-binding="https" security-realm="MySecurityRealm"/>
               <host name="default-host" alias="localhost">
                   <location name="/" handler="welcome-content"/>
                   <access-log pattern="common" directory="${jboss.server.log.dir}" prefix="access"/>
                   <filter-ref name="server-header"/>
                   <filter-ref name="x-powered-by-header"/>
               </host>
           </server>
           <server name="secondary-server">
               <http-listener name="default_secondary" socket-binding="http_secondary"/>
               <https-listener name="https-listener_secondary" socket-binding="https_secondary" security-realm="MySecurityRealm_secondary"/>
               <host name="default-host_secondary" alias="localhost">
                   <location name="/" handler="welcome-content"/>
                   <access-log pattern="common" directory="${jboss.server.log.dir}" prefix="access"/>
                   <filter-ref name="server-header"/>
                   <filter-ref name="x-powered-by-header"/>
               </host>
           </server>
           <servlet-container name="default" default-encoding="utf-8">
               <jsp-config/>
           </servlet-container>
           <handlers>
               <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
           </handlers>
           <filters>
               <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
               <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
           </filters>
       </subsystem>


We maked the secondary-server that references the new socket binding.


In order to send a different ssl certificate for https-listener_secondary we assign it a new security realm: MySecurityRealm_secondary


We have to setup 2 security realm one for https-listener and other one for https-listener_secondary

Each realm references same keystore but different certificate alias

<security-realm name="MySecurityRealm">
               <server-identities>
                   <ssl protocol="TLSv1">
                       <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="localhost" key-password="secret"/>
                   </ssl>
               </server-identities>
           </security-realm>
            <security-realm name="MySecurityRealm_secondary">
               <server-identities>
                   <ssl protocol="TLSv1">
                       <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="testfoo" key-password="secret"/>
                   </ssl>
               </server-identities>
           </security-realm>
       </security-realms>

1 comment:

Mehmet Özçelik said...

Hi thanks for the information, I have go through the steps and added a new server configured with the second ip address. However I could not deploy the application to the second virtual server. How do you configured that? jboss-web.xml virtual host parameter is not enough as it just looks hosts in the default-server.