There are three ways to configure SSL.
- Front-End Terminated SSL
- Drawbacks:
- If an untrusted party penetrates the internal network/DMZ the traffic is susceptible to eavesdropping
- Drawbacks:
- SSL Pass-Through
- Drawbacks:
- Setting the sticky-bit on the reverse proxy may prove impossible and this may preclude additional reverse proxy functionality .
- You will not be able to set headers, such as X-Forwarded-For, so you will lose the clients' IP address information.
- Drawbacks:
- Front-End Terminated SSL With Back-End SSL
- This is the recommended method
In a cluster like this example below:
FQDN | Internal IP | External IP | |
---|---|---|---|
Front-End | account.mydomain.com | 10.0.0.1 | 90.100.110.120 |
Back-End Node 1 | back-end-1.mydomain.com | 10.1.0.1 | <none> |
Back-End Node 2 | back-end-2.mydomain.com | 10.1.0.2 | <none> |
In the different configuration modes, SSL Certificates would be configured as shown in the following table
Front-End Terminated SSL | SSL Pass-Through | Front-End Terminated SSL With Back-End SSL | |
---|---|---|---|
Front-End Certificate DN | cn=account.mydomain.com | <no SSL certificate> | cn=account.mydomain.com |
Back-End Node 1 Certificate DN | <no SSL certificate> | cn=account.mydomain.com | cn=back-end-1.mydomain.com |
Back-End Node 2 Certificate DN | <no SSL certificate> | cn=account.mydomain.com | cn=back-end-2.mydomain.com |
Terminate SSL to the Reverse Proxy
If you decide to leave the Back-End traffic unsecured, there's nothing to do in respect to WildFly configuration, just configure your Reverse Proxy accordingly.
Generally about SSL on Back-End Servers
The process of configuring SSL on the Back-End server nodes is two phased:
- Put a server certificate in a keystore
- Register keystore to WildFly
For the first phase we have provided scripts that will generate self-signed certificates, which can be used for only testing purposes but should be avoided in production.
Pass-Through SSL
Run the config-wildfly-domain-cert-backend.cmd script on the master node, then copy the generated keystore.pfx file over to the slave node to the same path. The keystore.pfx file will be generated in the path ${WILDFLY_HOME}\domain\configuration\keystore.pfx.
cd /usr/local/ubisecure/customerid/tools ./config-wildfly-domain-cert-backend.sh scp /usr/local/wildfly-10.1.0.Final/domain/configuration/keystore.pfx {user}@{host}:/usr/local/wildfly-10.1.0.Final/domain/configuration/keystore.pfx
Encrypt traffic separately between Front-End and Back-End servers.
These scripts will generate self-signed SSL certificates that uses each host's IP address in the cn-field.
On the Master Node, run config-wildfly-domain-cert-master.sh
cd /usr/local/ubisecure/customerid/tools ./config-wildfly-domain-cert-master.sh
On the Slave Node, run config-wldfly-domain-cert-slave.sh
cd /usr/local/ubisecure/customerid/tools ./config-wildfly-domain-cert-slave.sh
In this configuration - and depending on your Front-End Server - you may have to separately configure your Front-End Server(s) to trust the Back-End servers' certificates.
Register keystore file to WildFly
In the second phase, when you have produced the key store file, you can configure the HTTPS sockets on WildFly by using the following script on the master node. The script expects to find a keystore.pfx file in the path "${WILDFLY_HOME}\domain\configuration\keystore.pfx". The script will configure key store access using the password that was defined in win32.config before setup.cmd was run
cd /usr/local/ubisecure/customerid/tools ./config-wildfly-domain-https.sh