配置 WildFly 以使用 SSL

我正在使用 WildFly25，并让它以默认设置运行。

服务器控制台

WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3938ms - Started 308 of 547 services (338 services are lazy, passive or on-demand)
Http management interface listening on http://127.0.0.1:9990/management
Admin console listening on http://127.0.0.1:9990

我想更新配置，因此它在 https 上使用 SSL/TLS 运行。

因此，我按照 WildFly 文档 使用 WildFly CLI 对其进行配置（建议使用 CLI，而不是手动编辑 XML，因为出错的可能性较小）。

配置

通过 CLI 连接：

/home/jboss/wildfly/wildfly-25.0.0.Final/bin ./jboss-cli.sh
connect

我有一个密钥库（

mykeystore.jks

）。然后我将密钥库添加到 WildFly 配置中：

/subsystem=elytron/key-store=httpsKS:add(path=/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks,credential-reference={clear-text=password},type=JKS)

/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=password})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])

当我检查

security-realm

时：

/subsystem=undertow/server=default-server/https-listener=https:read-attribute(name=security-realm)
{
    "outcome" => "success",
    "result" => undefined
}

这在 standalone.xml 中可见：

        <tls>
            <key-stores>
                <key-store name="applicationKS">
                    <credential-reference clear-text="password"/>
                    <implementation type="JKS"/>
                    <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                </key-store>
                <key-store name="httpsKS">
                    <credential-reference clear-text="password"/>
                    <implementation type="JKS"/>
                    <file path="/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks"/>
                </key-store>
            </key-stores>
            <key-managers>
                <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                    <credential-reference clear-text="password"/>
                </key-manager>
                <key-manager name="httpsKM" key-store="httpsKS">
                    <credential-reference clear-text="password"/>
                </key-manager>
            </key-managers>
            <server-ssl-contexts>
                <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>
            </server-ssl-contexts>
        </tls>

但我在 xml 中没有看到任何

<security-realm>

:

        <security-realms>
            <identity-realm name="local" identity="$local"/>
            <properties-realm name="ApplicationRealm">
                <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
                <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
            </properties-realm>
            <properties-realm name="ManagementRealm">
                <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
                <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
            </properties-realm>
        </security-realms>

由于

security-realm

是

undefined

（任何更改之前和之后），我运行以下命令（来自 WildFly 文档），但没有任何影响。 （这看起来像是将

security-realm

设置为

undefined

，因此它不应该对已经的

undefined

security-realm

有任何影响）。

batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
run-batch

reload

问题

我错过了什么？遵循 WildFly 文档后，我希望得到以下内容（即服务器在

https

和端口

9993

上侦听管理控制台）：

服务器控制台

WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3938ms - Started 308 of 547 services (338 services are lazy, passive or on-demand)
Http management interface listening on https://127.0.0.1:9993/management
Admin console listening on https://127.0.0.1:9993

更多信息

[standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
{
    "outcome" => "failed",
    "failure-description" => "WFLYSRV0259: If attribute secure-socket-binding is defined ssl-context must also be defined",
    "rolled-back" => true
}

/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=httpsSSC)
reload
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
reload

09:25:59,234 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0062: Http management interface listening on http://127.0.0.1:9990/management and https://127.0.0.1:9993/management
09:25:59,234 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0053: Admin console listening on http://127.0.0.1:9990 and https://127.0.0.1:9993