Steps
| Table of Contents | ||
|---|---|---|
|
...
In a cluster like this example below:
| FQDN | Internal IP | External IP | |
|---|---|---|---|
| Front-End | account.mydomain.com | 10.0.0.1 | 90.100.110.120 |
| Back-End Node 1 | back-end-1.mydomain.com | 10.1.0.1 | <none> |
| Back-End Node 2 | back-end-2.mydomain.com | 10.1.0.2 | <none> |
In the different configuration modes, SSL Certificates would be configured as shown in the following table
| Front-End Terminated SSL | SSL Pass-Through | Front-End Terminated SSL With Back-End SSL | |
|---|---|---|---|
| Front-End Certificate DN | cn=account.mydomain.com | <no SSL certificate> | cn=account.mydomain.com |
| Back-End Node 1 Certificate DN | <no SSL certificate> | cn=account.mydomain.com | cn=back-end-1.mydomain.com |
| Back-End Node 2 Certificate DN | <no SSL certificate> | cn=account.mydomain.com | cn=back-end-2.mydomain.com |
Unencrypted back-end
A) Terminate SSL to the Reverse Proxy
...
C) Encrypt traffic separately between Front-End and Back-End servers.
These scripts will generate self-signed SSL certificates that uses each host's IP address in the cn-field.
On the Master Node, run config-wildfly-domain-cert-master.sh
...
If you plan to use back channel connections from Ubisecure CustomerID over SSL encrypted connections, you will have to add each server's public key to the Server JRE's cacerts file. You can find the cacerts file under ${JREJAVA_HOME}/lib/security/cacerts. Once you have downloaded the server's public key, you can add it to the key store with the following commands:
| Code Block | ||
|---|---|---|
| ||
cd ${JREJAVA_HOME}/lib/security
${JAVA_HOME}/bin/keytool -importcert -trustcacerts -alias "<descriptive alias here>" -keystore cacerts -storepass changeit -file /path/to/certificate.cer |
...