Team,
If a client is using external load-balancers (F5) or intermediate web servers, there may be a need to replace the default self-signed server cert for the Wildfly/JBoss services.
The scenario covered is CA Identity Suite (IM, IG, IP), but the steps may serve as a reference for other J2EE instances.
Below are the steps to update the cert, assuming you receive a complete PFX file.
- Note: If possible, request SAN (Subject Alternative Name) entries for all FQDNs and IP addresses to be used for the Identity Suite environment. This lowers TCO and lets the client rotate this one file as often as they like, instead of managing three (3) or more unique certs.
Step01: View the J2EE / Wildfly configuration to find the path of the JKS keystore and its current password.
grep -C 2 keystore /opt/CA/wildfly-idm/standalone/configuration/ca-standalone-full-ha.xml
<server-identities>
    <ssl>
        <keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>
    </ssl>
</server-identities>
Step02: View the current self-signed cert and then delete it from the caim-srv JKS keystore [back up the JKS keystore first]
- Under this path: /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates
keytool -printcert -v -file caim-srv.cer [The current alias may be identified from this file]
keytool -list -v -keystore caim-srv -storepass changeit -alias caim-srv-01
keytool -delete -keystore caim-srv -storepass changeit -alias caim-srv-01
keytool -list -v -keystore caim-srv -storepass changeit -alias caim-srv-01
Step03: Change the PFX password to match the IM default JKS password (this is currently hardcoded in ca-standalone-full-ha.xml as changeit)
- This avoids the error message: JBAS015229: Unable to start service Cannot recover key
keytool -importkeystore -srckeystore idm.test.companyABC.dom.pfx -srcstorepass company123 -srcstoretype pkcs12 -destkeystore caim-srv.pkcs12 -deststoretype pkcs12 -deststorepass changeit -destkeypass changeit
Step04: Import the intermediate PKCS12 file (now with the password changeit) into the Wildfly JKS keystore caim-srv.
keytool -importkeystore -srckeystore caim-srv.pkcs12 -srcstorepass changeit -srcstoretype pkcs12 -destkeystore caim-srv -deststoretype JKS -deststorepass changeit
Step05: Restart IM and monitor wildfly-console.log; ensure that the HTTPS listener on TCP 8443 starts and is listening
grep -C 2 -i https /opt/CA/wildfly-idm/standalone/log/wildfly-console.log
10:28:24,853 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015973: Starting subdeployment (runtime-name: "castylesr5.1.1.war")
10:28:24,880 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
10:28:25,033 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017519: Undertow HTTPS listener https listening on /192.168.242.146:8443
10:28:26,545 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 4.3.2.Final
10:28:29,031 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017534: Registered web context: /castylesr5.1.1
Step06: View the certs served on 8443 (use a browser or openssl)
openssl s_client -connect caim-srv-01:8443 -showcerts
Step07: Add the public root CA cert to the TRUSTED CA section of the JKS to avoid the "self-signed cert" message. [use a browser or openssl to capture this final root cert]
keytool -import -trustcacerts -file idm-test.companyABC.com.publicCA.cer -alias Clients_public_CA_root_cert -keystore caim-srv -storepass changeit
Step08: Retest with openssl to ensure the correct server cert and the CA public root cert are properly deployed. [Should see Verify return code: 0 (ok)]
openssl s_client -connect caim-srv-01:8443 -showcerts -CAfile idm-test.companyABC.com.publicCA.cer
Step09: To test with the FQDN from a client, add the FQDN to the custom vApp hosts file /opt/CA/VirtualAppliance/custom/hosts and execute the alias configureCustomHostRecords
Example:
vi /opt/CA/VirtualAppliance/custom/hosts
192.168.242.146 idm.test.companyABC.dom
configureCustomHostRecords
Step10: Retest with the FQDN and openssl
openssl s_client -connect idm.test.companyABC.dom:8443 -showcerts -CAfile idm-test.companyABC.com.publicCA.cer
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5BEEFA84E70684E48ABF1177DA77AF389A1F783A7499C35CBF5407A4BE0E2B62
Session-ID-ctx:
Master-Key: 10E66BFE580454ADE9E1775C3F77ECDCBDE36C9599CAED3F017284CC4755C06548115E599BBABD42BF73D6B99745CB9C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1542388356
Timeout : 300 (sec)
Verify return code: 0 (ok)
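As an added example (not part of the original steps): a small POSIX shell script that repeats the Step08/Step10 verification for every name clients and the F5 will use, checking both the chain verification result and whether the leaf cert's SAN list covers the name, which is what the SAN note at the top asks for. It assumes openssl 1.1.1 or later (for -ext subjectAltName); the sample SAN line, the CHECK_HOSTS/CAFILE variables and the function names are my own and not from the Identity Suite tooling.

```shell
# Post-deployment check for the Wildfly HTTPS listener on 8443: the served chain must
# verify against the client's public root CA (Step08/Step10) and the leaf cert's SAN list
# must cover every hostname and IP that clients and the F5 will use (see the SAN note above).
# Constructed sample SAN line, in the format printed on the second output line of
#   openssl x509 -noout -ext subjectAltName
SAMPLE_SAN='DNS:idm.test.companyABC.dom, DNS:*.test.companyABC.dom, IP Address:192.168.242.146'
# san_covers NAME SAN_LINE -> exit 0 if a DNS or IP entry in SAN_LINE matches NAME.
# A wildcard entry (*.test.companyABC.dom) matches exactly one leading label.
san_covers() {
  name=$1
  old_ifs=$IFS; IFS=','; set -f; set -- $2; set +f; IFS=$old_ifs   # split on commas only, no globbing
  for entry in "$@"; do
    entry=${entry# }                      # drop the space following each comma
    kind=${entry%%:*}; value=${entry#*:}
    case $kind in
      DNS)
        [ "$value" = "$name" ] && return 0
        case $value in
          \*.*) label=${name%%.*}
                [ -n "$label" ] && [ "${name#"$label"}" = "${value#\*}" ] && return 0 ;;
        esac ;;
      "IP Address")
        [ "$value" = "$name" ] && return 0 ;;
    esac
  done
  return 1
}
# verify_ok S_CLIENT_OUTPUT -> exit 0 only on the "Verify return code: 0 (ok)" seen in Step10.
verify_ok() {
  printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}
# check_endpoint HOST PORT CAFILE -> prints PASS or FAIL:<reasons> (needs openssl and network access).
check_endpoint() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -showcerts </dev/null 2>/dev/null)
  san=$(printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName 2>/dev/null | sed -n '2s/^ *//p')
  fails=
  verify_ok "$out" || fails="chain"
  san_covers "$1" "$san" || fails="$fails san"
  if [ -z "$fails" ]; then echo "$1:$2 PASS"; else echo "$1:$2 FAIL:$fails"; fi
}
# Offline demo on the constructed SAN; live checks run only when CHECK_HOSTS is set, e.g.
#   CHECK_HOSTS='idm.test.companyABC.dom 192.168.242.146' CAFILE=idm-test.companyABC.com.publicCA.cer sh check8443.sh
for n in idm.test.companyABC.dom 192.168.242.146 idm.companyABC.dom; do
  san_covers "$n" "$SAMPLE_SAN" && echo "$n: covered by SAN" || echo "$n: NOT covered by SAN"
done
for h in ${CHECK_HOSTS:-}; do check_endpoint "$h" 8443 "${CAFILE:-idm-test.companyABC.com.publicCA.cer}"; done
```

Run it once against the IP and once against each FQDN added in Step09; a name that is reachable but reported FAIL:san is the case where a browser still warns even though the chain verifies.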