Wildfly/JBoss Application Server
Configure your Wildfly/JBoss Application Server to use a Luna Cloud HSM Service to generate and secure the application SSL encryption keys, providing full key life-cycle management with FIPS-certified hardware and reducing the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM service for this integration.
The Luna Cloud HSM Service integrates with the Wildfly/JBoss AS to provide significant performance improvements by off-loading cryptographic operations from the Wildfly/JBoss AS to the Luna Cloud HSM Service and protecting the server's high value SSL private key and certificate within a hardware security module.
We recommend familiarizing yourself with the JBoss Application Server concepts and configuration. Refer to the JBoss Administrator Getting Started Guide for more information about configuring a JBoss Application Server.
This integration guide uses the following third party applications:
- JBoss
- WildFly
This integration is supported with the following operating systems:
- RHEL
Prerequisites
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Configure the Luna Cloud HSM service for your application integration. See the section Luna Cloud HSM Service for detailed instructions on deploying and initializing a Luna Cloud HSM service partition and Luna Cloud HSM service client for your application integration.
Please take the following limitations into consideration when integrating your application with a Luna Cloud HSM service partition:
Non-FIPS algorithms: Luna Cloud HSM services operate in a FIPS and non-FIPS mode, which affects which algorithms are available on the partition. If your organization requires non-FIPS algorithms for your operations, ensure you enable the Remove FIPS restrictions check box when configuring your Luna Cloud HSM service. The FIPS mode is enabled by default.
Refer to the Supported Mechanisms in the SDK Reference Guide for more information about available FIPS and non-FIPS algorithms.
Verify Luna Cloud HSM <slot> value: LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If you are completing an integration using Luna Cloud HSM services, you need to verify which slot on the Luna Cloud HSM service you send commands to.
If there is more than one slot, then use the slot set command to direct a command to a specified slot. You can use slot list to determine which slot numbers are in use by which Luna Cloud HSM service.
Set up Java Variables
Set the following Java variables:
export JAVA_HOME=<Path to Java installation Directory>
export PATH=$JAVA_HOME/bin:$PATH
Set up WildFly/JBoss
Install WildFly/JBoss on the target machine before continuing with the integration. For more information about installing the WildFly/JBoss server, refer to the WildFly/JBoss documentation.
Set the JBOSS_HOME variable to the path of the WildFly/JBoss installation directory.
export JBOSS_HOME=<Path to JBoss/Wildfly installation directory>
Run the following command to start the JBoss/WildFly Server.
sh $JBOSS_HOME/bin/standalone.sh
When WildFly/JBoss is installed and running, browse to http://localhost:8080/ to verify that the server has started properly.
Integration
Integrate a Luna Cloud HSM Service with the Wildfly/JBoss application server to securely store the Wildfly/JBoss SSL private key using the HSM's PKCS#11 API.
Configuring WildFly/JBoss AS for SSL acceleration
Configuring Wildfly/JBoss Application Server (AS) for SSL acceleration offloads processor-intensive public-key encryption operations to the HSM.
Before you begin, verify that libLunaAPI.so and LunaProvider.jar are available at $JAVA_HOME/jre/lib/ext/. If the files are not available, copy libLunaAPI.so and LunaProvider.jar from <service_client_installation_directory>/jsp/lib to $JAVA_HOME/jre/lib/ext/.
Navigate to the $JBOSS_HOME configuration directory.
cd $JBOSS_HOME/standalone/configuration
Create a keystore file manually and enter the single line tokenlabel:<Partition_Name> in it, where <Partition_Name> is the Luna Cloud HSM Service label.
Generate a new key using the Java keytool utility. Use the Luna provider to generate the key and certificate on the Luna Cloud HSM Service.
keytool -genkey -keystore <keystore_name> -storepass <CO_password> -alias <key_label> -keypass <CO_password> -keyalg <key_algorithm> -keysize <size_of_key> -sigalg <signing_algorithm> -validity <no_of_days> -storetype <type_of_keystore>
Example:
RSA Keys:
keytool -genkey -keystore <keystore_name> -storepass <CO_password> -alias <key_label> -keypass <CO_password> -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 365 -storetype luna
ECDSA Keys:
keytool -genkey -keystore <keystore_name> -storepass <CO_password> -alias <key_label> -keypass <CO_password> -keyalg EC -keysize 256 -sigalg SHA1withECDSA -validity 365 -storetype luna
ECDSA keys require JDK 7.
The system will prompt the user to enter any missing key details. Enter the details to generate the key and certificate on the Luna Cloud HSM Service and in the current working directory keystore.
If operating an HSM in FIPS mode, substitute SHA256withRSA for SHA1withRSA and SHA256withECDSA for SHA1withECDSA.
Create a Certificate Signing Request (CSR) using the generated key.
keytool -certreq -alias <key_label> -file <request_file> -keypass <CO_password> -keystore <keystore_name> -storepass <CO_password> -sigalg <signing_algorithm> -storetype <type_of_keystore>
Example:
RSA Keys:
keytool -certreq -alias <key_label> -file cert.csr -keypass <CO_password> -keystore <keystore_name> -storepass <CO_password> -sigalg SHA1withRSA -storetype luna
ECDSA Keys:
keytool -certreq -alias <key_label> -file cert.csr -keypass <CO_password> -keystore <keystore_name> -storepass <CO_password> -sigalg SHA1withECDSA -storetype luna
ECDSA keys require JDK 7.
If operating an HSM in FIPS mode, substitute SHA256withRSA for SHA1withRSA and SHA256withECDSA for SHA1withECDSA.
Copy the contents of the generated CSR and submit it to the CA to sign the certificate request.
Obtain the signed certificate and root certificate from the Certificate Authority and save them in the current directory. Save the root certificate as RootCA.cer and the signed certificate as jboss.cer.
Import the root CA certificate RootCA.cer into the key store.
keytool -import -trustcacerts -alias rootCA -file RootCA.cer -keystore <keystore_name> -storepass <CO_password> -storetype luna
Import the signed certificate jboss.cer into the key store.
keytool -import -trustcacerts -alias jboss -keypass <CO_password> -file jboss.cer -keystore <keystore_name> -storepass <CO_password> -storetype luna
You must import the Root CA certificate and any intermediary certificates before importing the signed certificate.
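The keystore, key generation, CSR and import steps above can be collected into one script. This is an added example, not part of the Luna Cloud HSM integration guide or the keytool distribution: it assumes operator-supplied variables (JAVA_HOME, JBOSS_HOME, LUNA_CLIENT_DIR for <service_client_installation_directory>, KEYSTORE_FILE for <keystore_name>, PARTITION_LABEL, CO_PASSWORD, KEY_ALG, KEY_SIZE, FIPS_MODE), keeps the alias jboss and file names cert.csr, RootCA.cer and jboss.cer from the guide, and lets keytool prompt for any missing subject details as the guide describes. The signature algorithm is chosen from the key algorithm and FIPS mode so the SHA-256 variants are used on a FIPS-mode partition.

```shell
#!/bin/sh
# Added example (not from the Luna/WildFly integration guide): wraps the manual
# keytool steps. All variable names are assumptions chosen for this script.

# Pick the signature algorithm: the guide uses SHA1withRSA / SHA1withECDSA and
# says to substitute the SHA256 variants when the HSM operates in FIPS mode.
select_sigalg() {
    # $1 = key algorithm (RSA or EC), $2 = FIPS mode (yes or no)
    case "$1:$2" in
        RSA:yes) echo SHA256withRSA ;;
        RSA:*)   echo SHA1withRSA ;;
        EC:yes)  echo SHA256withECDSA ;;
        EC:*)    echo SHA1withECDSA ;;
        *) echo "unsupported key algorithm: $1" >&2; return 1 ;;
    esac
}

# Create the keystore file the Luna provider expects: a text file whose only
# content is "tokenlabel:<Partition_Name>" (the Luna Cloud HSM service label).
write_hsm_keystore_file() {
    # $1 = keystore file path, $2 = partition label
    printf 'tokenlabel:%s\n' "$2" > "$1"
}

# Confirm the Luna JSP files are under $JAVA_HOME/jre/lib/ext, copying them from
# the service client installation directory when they are missing.
ensure_luna_provider_files() {
    # $1 = JAVA_HOME, $2 = service client installation directory
    ext_dir="$1/jre/lib/ext"
    for f in libLunaAPI.so LunaProvider.jar; do
        if [ ! -f "$ext_dir/$f" ]; then
            cp "$2/jsp/lib/$f" "$ext_dir/$f" || return 1
        fi
    done
}

# Generate the key pair and self-signed certificate on the HSM, then the CSR.
# keytool prompts for any subject details not given on the command line.
generate_key_and_csr() {
    # $1 = keystore file, $2 = alias (key label), $3 = key algorithm,
    # $4 = key size, $5 = FIPS mode, $6 = CO password, $7 = CSR output file
    sigalg=$(select_sigalg "$3" "$5") || return 1
    keytool -genkey -keystore "$1" -storepass "$6" -alias "$2" -keypass "$6" \
        -keyalg "$3" -keysize "$4" -sigalg "$sigalg" -validity 365 -storetype luna || return 1
    keytool -certreq -alias "$2" -file "$7" -keypass "$6" -keystore "$1" \
        -storepass "$6" -sigalg "$sigalg" -storetype luna
}

# Import the root CA (and any intermediates) before the signed server
# certificate, in the order the guide requires.
import_signed_chain() {
    # $1 = keystore file, $2 = CO password, $3 = root CA file, $4 = signed cert
    keytool -import -trustcacerts -alias rootCA -file "$3" -keystore "$1" \
        -storepass "$2" -storetype luna || return 1
    keytool -import -trustcacerts -alias jboss -keypass "$2" -file "$4" \
        -keystore "$1" -storepass "$2" -storetype luna
}

# Driver, run only when RUN_INTEGRATION=yes so the functions can also be sourced.
if [ "${RUN_INTEGRATION:-no}" = yes ]; then
    ensure_luna_provider_files "$JAVA_HOME" "$LUNA_CLIENT_DIR" || exit 1
    cd "$JBOSS_HOME/standalone/configuration" || exit 1
    write_hsm_keystore_file "$KEYSTORE_FILE" "$PARTITION_LABEL"
    generate_key_and_csr "$KEYSTORE_FILE" jboss "$KEY_ALG" "$KEY_SIZE" \
        "$FIPS_MODE" "$CO_PASSWORD" cert.csr || exit 1
    echo "Submit cert.csr to the CA, save RootCA.cer and jboss.cer here, then run:"
    echo "  import_signed_chain $KEYSTORE_FILE <CO_password> RootCA.cer jboss.cer"
fi
```

Source the file to use the functions individually, or export the variables and run it with RUN_INTEGRATION=yes to perform the key generation and CSR steps; the certificate import is left as a separate call because it depends on the CA returning the signed certificate.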
Open $JBOSS_HOME/standalone/configuration/standalone.xml in a text editor.
Edit the <ssl> configuration section of the ApplicationRealm, found under <management> > <security-realms>.
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="mykeystore" relative-to="jboss.server.config.dir" provider="luna" keystore-password="<CO_password>" alias="jboss" key-password="<CO_password>"/>
        </ssl>
    </server-identities>
</security-realm>
Start the Wildfly/JBoss Application Server.
sh $JBOSS_HOME/bin/standalone.sh
Open the browser and enter the URL that points to the SSL-enabled server:
https://<hostname or ip address>:8443
Accept the certificate and the web console will open.
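Before starting the server it is worth confirming that the <ssl> edit landed where the guide describes and names the Luna provider; afterwards, the certificate the server presents on 8443 can be inspected without a browser. The following is an added example, not part of the guide or of WildFly: the sample standalone.xml fragment and the function names are constructed for this check, and the password values in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the Luna/WildFly integration guide): verifies the
# <keystore> element under the ApplicationRealm <ssl> section of standalone.xml.

# Print the first <keystore .../> element inside the ApplicationRealm block.
keystore_element() {
    # $1 = path to standalone.xml
    sed -n '/<security-realm name="ApplicationRealm">/,/<\/security-realm>/p' "$1" \
        | grep '<keystore ' | head -n 1
}

# Return 0 when the element uses the luna provider, the expected alias, a path
# relative to the configuration directory and a key-password; otherwise report
# the first problem on stderr and return 1.
check_ssl_keystore() {
    # $1 = path to standalone.xml, $2 = expected alias (jboss in the guide)
    el=$(keystore_element "$1")
    [ -n "$el" ] || { echo "no <keystore> element under ApplicationRealm" >&2; return 1; }
    case "$el" in *'provider="luna"'*) ;; *) echo "provider is not luna" >&2; return 1 ;; esac
    case "$el" in *"alias=\"$2\""*) ;; *) echo "alias is not $2" >&2; return 1 ;; esac
    case "$el" in *'relative-to="jboss.server.config.dir"'*) ;;
        *) echo "keystore path is not relative to jboss.server.config.dir" >&2; return 1 ;; esac
    case "$el" in *'key-password="'*) ;; *) echo "key-password attribute missing" >&2; return 1 ;; esac
}

# Constructed sample of the relevant part of standalone.xml (not a real config).
write_sample_standalone() {
    # $1 = output file
    cat > "$1" <<'EOF'
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication><local default-user="$local"/></authentication>
    </security-realm>
    <security-realm name="ApplicationRealm">
      <server-identities>
        <ssl>
          <keystore path="mykeystore" relative-to="jboss.server.config.dir" provider="luna" keystore-password="CO_PASSWORD_PLACEHOLDER" alias="jboss" key-password="CO_PASSWORD_PLACEHOLDER"/>
        </ssl>
      </server-identities>
    </security-realm>
  </security-realms>
</management>
EOF
}

# Live check after the server is up: print subject and issuer of the certificate
# served on 8443 (requires the openssl command-line tool).
show_server_cert() {
    # $1 = hostname or IP address of the WildFly/JBoss server
    openssl s_client -connect "$1:8443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}
```

Run check_ssl_keystore "$JBOSS_HOME/standalone/configuration/standalone.xml" jboss before starting the server, and show_server_cert <hostname> after it is up; the issuer line should name the CA that signed jboss.cer rather than the self-signed certificate keytool created at generation time.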
This completes the integration with a Luna Cloud HSM Service. The Wildfly/JBoss application server private key and SSL certificates are securely stored on the Luna Cloud HSM Service.
Troubleshooting
Problem
"SSL ERROR" is received when accessing JBoss over HTTPS if the Sun JDK is used with JBoss and the ECDSA keys were generated on the Luna Cloud HSM Service.
Solution
The Sun PKCS11 provider must be present in the java.security file ($JAVA_HOME/jre/lib/security) and the Luna Provider must be listed above the SunEC provider in the security provider list.
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.safenetinc.luna.provider.LunaProvider
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC
Save the java.security file. Ensure that the nss.cfg file is present in the $JAVA_HOME/jre/lib/security directory; if it is not present, create it manually. The nss.cfg file must have the following entries for the hardware token to support SSL/TLS encryption:
name = NSS
nssLibraryDirectory = /usr/lib64
nssDbMode = noDb
attributes = compatibility
Development libraries for PKCS #11 (Cryptoki) using NSS must be installed on the system. Use the following command to install them:
sudo yum install nss-pkcs11-devel
Restart the JBoss Application Server after making all the above changes and then access the page using HTTPS.
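The two conditions in this troubleshooting section (SunPKCS11 present, LunaProvider numbered before SunEC, and nss.cfg carrying the four entries) are easy to get subtly wrong when editing java.security by hand, so a script that checks them before restarting the server saves a round trip. The following is an added example, not part of the guide or of the JDK: the function names and the two constructed java.security samples are assumptions made for this check.

```shell
#!/bin/sh
# Added example (not from the Luna/WildFly integration guide): checks the
# java.security provider order and the nss.cfg entries the guide requires.

# Print the security.provider.N index of the first line whose class matches $2.
provider_index() {
    # $1 = java.security path, $2 = provider class name (regex-escaped dots)
    sed -n "s/^security\\.provider\\.\\([0-9][0-9]*\\)=$2.*/\\1/p" "$1" | head -n 1
}

# Return 0 when SunPKCS11 is listed and LunaProvider precedes SunEC.
check_provider_order() {
    # $1 = path to java.security
    pkcs11=$(provider_index "$1" 'sun\.security\.pkcs11\.SunPKCS11')
    luna=$(provider_index "$1" 'com\.safenetinc\.luna\.provider\.LunaProvider')
    sunec=$(provider_index "$1" 'sun\.security\.ec\.SunEC')
    [ -n "$pkcs11" ] || { echo "SunPKCS11 provider is not listed" >&2; return 1; }
    [ -n "$luna" ] || { echo "LunaProvider is not listed" >&2; return 1; }
    [ -n "$sunec" ] || return 0   # no SunEC entry: nothing for Luna to precede
    [ "$luna" -lt "$sunec" ] || { echo "LunaProvider ($luna) must be above SunEC ($sunec)" >&2; return 1; }
}

# Return 0 when nss.cfg contains every key/value pair from the guide,
# tolerating differences in whitespace around '='.
check_nss_cfg() {
    # $1 = path to nss.cfg
    for kv in 'name=NSS' 'nssLibraryDirectory=/usr/lib64' 'nssDbMode=noDb' 'attributes=compatibility'; do
        key=${kv%%=*}; val=${kv#*=}
        grep -E -q "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$val[[:space:]]*$" "$1" \
            || { echo "nss.cfg is missing: $key = $val" >&2; return 1; }
    done
}

# Constructed java.security samples: "luna-first" is the ordering from the
# guide, "sunec-first" has SunPKCS11 but lists SunEC ahead of LunaProvider.
write_sample_java_security() {
    # $1 = output file, $2 = luna-first or sunec-first
    if [ "$2" = luna-first ]; then
        cat > "$1" <<'EOF'
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.safenetinc.luna.provider.LunaProvider
security.provider.5=sun.security.ec.SunEC
EOF
    else
        cat > "$1" <<'EOF'
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.safenetinc.luna.provider.LunaProvider
EOF
    fi
}
```

Run check_provider_order "$JAVA_HOME/jre/lib/security/java.security" and check_nss_cfg "$JAVA_HOME/jre/lib/security/nss.cfg" after editing; both print the first failing condition, so the provider list can be corrected before the server is restarted.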