WildFly 8

EJBCA 6.x compiles, deploys and runs on WildFly 8, and on WildFly 9 from the EJBCA release following 6.3.1.1.

On WildFly, the ant deploy and install targets do not configure the application server for you. Configure it by hand according to the following instructions:

Add Database Driver

Add the MariaDB JDBC driver by hot-deploying it into the deployments directory. WildFly picks it up and registers it as a JDBC driver, so a datasource can be created straight away. Copy it under a generic name without the version number, so that the driver-name used in the data source command stays the same when you upgrade the driver.

>cp mariadb-java-client-1.2.0.jar wildfly_home/standalone/deployments/mariadb-java-client.jar

Increase allowed Memory Usage

By default only 512 MiB of heap and 256 MiB of PermGen space are allowed. Edit wildfly_home/bin/standalone.conf to increase this to a more suitable value, for example the following. (On Java 8 and later, which replaced PermGen with Metaspace, -XX:MaxPermSize is ignored.)

JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MaxPermSize=384m -Djava.net.preferIPv4Stack=true"

Add Datasource

Add a data source for EJBCA to use. The credentials ejbca/ejbca below are placeholders; use the real database account, and note that the password is stored in clear text in standalone.xml, so keep that file readable only by the user WildFly runs as. Start WildFly and run the following commands in the JBoss CLI (the data source's test-connection-in-pool operation can then be used to verify that the pool reaches the database):

> wildfly_home/bin/jboss-cli.sh -c
> data-source add --name=ejbcads --driver-name="mariadb-java-client.jar" --connection-url="jdbc:mysql://127.0.0.1:3306/ejbca" --jndi-name="java:/EjbcaDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="ejbca" --password="ejbca" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"

Configure JBoss Remoting

The EJBCA CLI talks to the application server over JBoss Remoting, so a remoting connector must be configured. It is given its own port, 4447, authenticated through ApplicationRealm; since it is an entry point into the application, expose it only to the hosts that run the EJBCA CLI. If any old remoting configuration exists, start by removing it:

/socket-binding-group=standard-sockets/socket-binding=remoting:remove
/subsystem=undertow/server=default-server/http-listener=remoting:remove
/subsystem=remoting/http-connector=http-remoting-connector:remove
 
/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
/socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)
:reload

Configure Logging

To be able to change log levels at runtime, configure the EJBCA loggers in WildFly. In the following example DEBUG is enabled for both the org.ejbca and org.cesecore packages; DEBUG is verbose, so lower it to INFO once the installation is working:

/subsystem=logging/logger=org.ejbca:add
/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)
/subsystem=logging/logger=org.cesecore:add
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)

Remove existing TLS and HTTP Configuration

To remove existing TLS and HTTP configuration (just to be safe), run the following commands in JBoss CLI:

/core-service=management/security-realm=SSLRealm/authentication=truststore:remove
/core-service=management/security-realm=SSLRealm/server-identity=ssl:remove
/core-service=management/security-realm=SSLRealm:remove
/socket-binding-group=standard-sockets/socket-binding=httpspub:remove
/subsystem=undertow/server=default-server/https-listener=httpspub:remove
/socket-binding-group=standard-sockets/socket-binding=httpspriv:remove
/subsystem=undertow/server=default-server/https-listener=httpspriv:remove
/socket-binding-group=standard-sockets/socket-binding=http:remove
/subsystem=undertow/server=default-server/http-listener=http:remove
/subsystem=undertow/server=default-server/http-listener=default:remove
/system-property=org.apache.catalina.connector.URI_ENCODING:remove
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:remove
/interface=http:remove
/interface=httpspub:remove
/interface=httpspriv:remove
:reload

Wait for the reload to complete by checking the server log or the result of :read-attribute(name=server-state).

Deploy EJBCA

Build and deploy the EJBCA application (the ear file) to WildFly, without touching any WildFly configuration, by running the following command from the EJBCA home directory:

ant clean deployear

Run Install

Run the installation part of EJBCA. This creates the initial Management CA (which issues the TLS and Super administrator certificates), as well as the TLS server keystore, the truststore and the Superadmin keystore.

If you are moving an existing installation that already has TLS keystores available, this step is not needed.

ant runinstall

Configure TLS

Copy keystores to WildFly:

ant deploy-keystore

Run the following commands in the JBoss CLI to configure TLS (the old TLS and HTTP configuration was removed above). The interfaces are bound to 0.0.0.0 here; if the administrator interface should only be reachable on an internal network, give httpspriv that address instead:

/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
:reload

Wait for the reload to complete by checking the server log or the result of :read-attribute(name=server-state). Then add the SSLRealm and the two HTTPS listeners. The keystore password, alias and truststore password must be the values EJBCA used when it generated the keystores (httpsserver.password, httpsserver.hostname and java.trustpassword in conf/web.properties; serverpwd, localhost and changeit are the defaults). Port 8443 (httpspriv) requires a client certificate (verify-client=REQUIRED) and is where administrators authenticate with the Superadmin certificate; port 8442 (httpspub) only authenticates the server and is meant for public access:

/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="localhost")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
:reload

Wait for the reload to complete by checking the server log or the result of :read-attribute(name=server-state):

/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
:reload

The URI decoding properties above are needed if you serve OCSP GET requests. An OCSP GET request (RFC 6960, Appendix A) carries the base64-encoded request in the URL path; base64 output can contain '/', which clients percent-encode as %2F, so encoded slashes, backslashes and the UTF-8 URI encoding must be allowed for those requests to reach the responder.

At this point WildFly will most likely need a full restart, with :shutdown(restart=true). That works when the server was started through standalone.sh, which restarts the JVM when it exits with the restart code; otherwise stop and start it by hand.
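The TLS steps above are normally pasted into the CLI one by one, with the keystore passwords retyped. The script below is an added example, not part of the EJBCA or WildFly documentation: it generates the same three CLI phases from EJBCA's own conf/web.properties (so the keystore password, alias and truststore password are the values ant runinstall used), wraps each phase in batch/run-batch so a failed line does not leave a half-configured server, runs each phase with jboss-cli.sh --file and polls server-state after every :reload as the page instructs. It addresses the interfaces as /interface=NAME, the root resource type the CLI accepts. Assumed and not taken from this page: the EJBCA_HOME, WILDFLY_HOME and PRIV_ADDR variables, and that httpsserver.hostname, httpsserver.password and java.trustpassword are the property keys of EJBCA 6's conf/web.properties.sample; the fallbacks are the values shown on this page.

```shell
#!/bin/sh
# Added example, not part of the EJBCA or WildFly documentation. Generates the
# jboss-cli scripts of the "Configure TLS" section from EJBCA's conf/web.properties,
# so the keystore passwords and certificate alias match what "ant runinstall" used
# when it built keystore.jks and truststore.jks, then (on request) applies them one
# phase at a time, waiting for each :reload to finish. Assumptions: EJBCA_HOME and
# WILDFLY_HOME point at the installations; the property keys are those of EJBCA 6's
# conf/web.properties.sample; the fallbacks are the values shown on this page.
set -eu
EJBCA_HOME="${EJBCA_HOME:-/opt/ejbca}"
WILDFLY_HOME="${WILDFLY_HOME:-/opt/wildfly}"
PRIV_ADDR="${PRIV_ADDR:-0.0.0.0}"   # address of the client-cert (administrator) listener

# prop FILE KEY DEFAULT: last uncommented "KEY = value" in a Java properties file.
prop() {
    _v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1)
    printf '%s' "${_v:-$3}"
}

# Phase 1: interfaces, the plain HTTP listener and its redirect to httpspriv.
# batch/run-batch make the adds one composite operation: all or nothing.
phase1_cli() {
    cat <<EOF
batch
/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="$PRIV_ADDR")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
run-batch
:reload
EOF
}

# Phase 2: SSLRealm and both HTTPS listeners, with values taken from FILE ($1).
phase2_cli() {
    host=$(prop "$1" httpsserver.hostname localhost)
    kspw=$(prop "$1" httpsserver.password serverpwd)
    tspw=$(prop "$1" java.trustpassword changeit)
    cat <<EOF
batch
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="\${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="$kspw", alias="$host")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="\${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="$tspw")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
run-batch
:reload
EOF
}

# Phase 3: URL decoding properties needed for OCSP GET, and the WSDL address fix.
phase3_cli() {
    cat <<'EOF'
batch
/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
run-batch
:reload
EOF
}

wait_running() {                     # poll server-state until the reload is done (60 s max)
    i=0
    while [ "$i" -lt 60 ]; do
        "$WILDFLY_HOME/bin/jboss-cli.sh" -c --command=':read-attribute(name=server-state)' 2>/dev/null \
            | grep -q '"running"' && return 0
        i=$((i + 1)); sleep 1
    done
    echo "WildFly did not return to running state after reload" >&2; return 1
}

apply() {                            # run all three phases against the live server
    umask 077                        # the generated files contain keystore passwords
    tmp=$(mktemp -d)
    phase1_cli > "$tmp/1.cli"
    phase2_cli "$EJBCA_HOME/conf/web.properties" > "$tmp/2.cli"
    phase3_cli > "$tmp/3.cli"
    for f in "$tmp/1.cli" "$tmp/2.cli" "$tmp/3.cli"; do
        "$WILDFLY_HOME/bin/jboss-cli.sh" -c --file="$f"
        wait_running
    done
    rm -rf "$tmp"
}

case "${1:-}" in                     # only touch a live server when explicitly asked
    show)  phase1_cli; phase2_cli "$EJBCA_HOME/conf/web.properties"; phase3_cli ;;
    apply) apply ;;
esac
```

Run it with "show" first and review the generated commands, then with "apply" against a started WildFly. The generated files are written with umask 077 and deleted afterwards because they contain the keystore passwords; the same values still end up in standalone.xml, which is why that file needs the same protection as the keystores.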

Optional: Enable AJP Connector

Only needed if you run an Apache front-end in front of WildFly. AJP carries no authentication of its own, and scheme=https makes WildFly treat every request arriving on the listener as if it had come over TLS, so bind the ajp socket binding (port 8009 by default) to an interface that only the front-end can reach and never expose it to clients directly.

/subsystem=undertow/server=default-server/ajp-listener=ajp-listener:add(socket-binding=ajp, scheme=https, enabled=true)

Optional: Add Support for PKCS#11 (HSMs)

WildFly by default isolates most sun.* classes from deployments. EJBCA exposes the ones it needs (sun/security/pkcs11/wrapper) through a jboss-deployment-structure.xml bundled with the application, so editing modules/system/layers/base/sun/jdk/main/module.xml is not needed.