Wildfly jboss ssl configuration with windows-my or windows-root - jboss

How do I configure WildFly/JBoss with a DNS-named cert like myapp.mydomain.com installed in the windows-my keystore?
I have added the sunMSCAPI module as well.

I believe that should work like any other keystore type. Make sure the proper security provider is installed in Java, and use the proper keystore type.
I recommend using Elytron for that.
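The piece the answer leaves implicit is that the SunMSCAPI provider exposes the Windows "Personal" store as a Java KeyStore of type Windows-MY with no password, and that WildFly will only serve the certificate whose private key lives there and whose name matches the host. The following Java program is an added example (not code from the post or from WildFly) that opens that store the same way an Elytron key-store of type Windows-MY does and lists the aliases that are usable for the given DNS name; the hostname is the one from the question, and the class and method names are this example's own.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

/*
 * Added example, not from the original post. Opens the current user's Windows
 * "Personal" certificate store through the SunMSCAPI provider (the store an
 * Elytron key-store of type Windows-MY reads) and reports which aliases hold a
 * private key whose certificate is valid for the DNS name the server answers to.
 * "myapp.mydomain.com" is the hostname from the question.
 */
public class WindowsMyKeyStoreCheck {

    /* Windows-MY has no store password: both arguments to load() are null. */
    static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        return ks;
    }

    /* True when dnsName appears as a dNSName (GeneralName tag 2) in the SAN extension. */
    static boolean coversDnsName(X509Certificate cert, String dnsName) throws CertificateException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;          // no SAN at all: browsers reject such a cert for HTTPS anyway
        }
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && dnsName.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    /* Aliases that have a private key and whose certificate covers dnsName and is still valid. */
    static List<String> usableAliases(KeyStore ks, String dnsName) throws Exception {
        List<String> usable = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;          // certificate only, no private key: cannot terminate TLS
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity();  // throws if expired or not yet valid
            } catch (CertificateException notValid) {
                System.err.println("skipping " + alias + ": " + notValid.getMessage());
                continue;
            }
            if (coversDnsName(x, dnsName)) {
                usable.add(alias);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "myapp.mydomain.com";
        KeyStore ks = openWindowsMy();
        List<String> aliases = usableAliases(ks, host);
        if (aliases.isEmpty()) {
            System.out.println("No key entry in Windows-MY is usable for " + host);
        }
        for (String alias : aliases) {
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + x.getSubjectX500Principal() + ", expires " + x.getNotAfter());
        }
    }
}
```

Run it on the Windows host with the JVM WildFly uses; if it prints no alias, the server will not either. The alias it prints (for Windows-MY this is normally the certificate's friendly name) is the value to put in the Elytron key-manager's alias-filter so that WildFly presents that key rather than whichever entry it enumerates first.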

Related

What is the correct way to add JBoss EAP 7.4.3 cipher-suite configuration? Please explain in detail

I want to add these ciphers in JBoss EAP 7.4.3. How could I, with SSL=true for "TLSv1.2"?
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
We tried to add the ciphers in ManagementRealm, but I think the way I put the ciphers is not correct, and the location where I put them is also not correct.

Wildfly and OIDC

We are a Java shop and use maven. Our app is on wildfly 18. Does anyone have any experiences on migrating a wildfly app to OIDC? We were given a security library that we can use to make OIDC calls to, but it requires a config file co-located with this library. Do we need to use a module for this? If so, do we need a particular section filled out in our standalone.xml?
You asked about Wildfly 18. This one for sure needs add-on modules, such as those provided by the keycloak project (https://www.keycloak.org/downloads).
Since Wildfly 25 the OpenID Connect functionality was added to the Wildfly releases, and since then the add-on modules are no longer required. In fact, they should no longer get installed as they seem to break Wildfly.
See also
Secure WebApp in Wildfly 25 using OpenID Connect (OIDC) without installing a Keycloak client adapter
https://docs.wildfly.org/25/WildFly_Elytron_Security.html#validating-jwt-tokens
https://www.youtube.com/watch?v=2gQO4_7Z5CI

MongoDB installer with SSL and without SSL

To install MongoDB I can see two versions of the installer, one with SSL and the other without SSL.
https://www.mongodb.com/download-center?jmp=nav#community
My question is: if I download the with-SSL installer and do not configure SSL, isn't it the same as the without-SSL installer? What is the need for the without-SSL installer in the first place? Is there any specific feature which comes in the without-SSL installer?
I use MongoDB in my application but am not sure which one I should recommend to my customers, as I have a mixed set of customers who want with/without SSL.
Atul
The difference between the SSL-included version running without SSL enabled, and the SSL-excluded version, is that the version without SSL does not have the SSL libraries even present. If you are concerned about security flaws in OpenSSL, for example, then maybe you should use the version compiled without SSL.

Passing truststore to javaws as command line argument

We have a Java Web Start application which is hosted on a web server. The signer of the SSL certificate in the web server is not in the cacerts of the JRE by default. Thus when we run
javaws https://blablah/our.jnlp
we get a Security Warning dialog saying the connection to the website is untrusted. Is it possible to pass a custom truststore that contains the signer certificate to the javaws process, to avoid the warning?
I was hoping the following would work:
javaws -J-Djavax.net.ssl.trustStore=<path_to_custom_truststore> https://blablah/our.jnlp
where custom_truststore contains the signer certificate.
This does not seem to work. The warning still shows.
I know alternatively we can add the signer certificate from the Java Control Panel, but is there any other way?
Have you tried adding the password?
-Djavax.net.ssl.trustStorePassword=storePassword

Deploying with cargo and an invalid SSL certificate

My test Tomcat 6 server has a self-signed certificate. The manager webapp is accessible only via SSL, with this self-signed certificate. When I try to deploy with the cargo-maven2-plugin, I get the error:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I could probably add the certificate to the default Java keystore, but I would like to keep deployment as portable as possible and not require everybody who needs to deploy the app to install the certificate. I would like to deploy the app by just having a checkout of the project, configuring the password to the app server and running Maven.
I could not find in the cargo documentation a way to ignore invalid certificates.
Can you point me in the right direction?
I'm fairly ignorant on cargo specifically, but I've used this code to allow bad certs without errors in Java before, and it should work for you. Note that it's super insecure, but then again if you want to ignore invalid certs then pretty much any implementation is going to be super insecure.
http://ctasada.blogspot.com/2010/11/httpclient-use-self-signed-certificates.html
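Both the javaws question above and this cargo question come down to the same choice: make the JVM trust one specific certificate, or switch certificate checking off entirely as the linked post does. The Java program below is an added example (not code from either post, from cargo, or from the linked blog) that puts the two side by side: an "accept anything" trust manager, shown only so that the missing check is visible, next to a context that trusts exactly one certificate read from a PEM file, and next to loading a keytool-made trust store file, which is what -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword make JSSE do for the whole JVM. File paths, the store type and the URL come from the command line; class and method names are this example's own.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/*
 * Added example, not from the posts above or the linked blog. Contrasts the
 * "accept any certificate" shortcut with trusting exactly one server certificate.
 */
public class TrustOnlyThisServer {

    /* Vulnerable form: checkServerTrusted never inspects the chain, so any host
       presenting any certificate is accepted. Kept only for contrast. */
    static SSLContext acceptAnything() throws Exception {
        TrustManager[] noCheck = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, noCheck, null);
        return ctx;
    }

    /* Hardened form: trust one certificate from a PEM file and nothing else. For a
       self-signed server cert that is the cert itself; for a CA-signed one, the signer. */
    static SSLContext trustOnly(String pemPath) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                          // fresh, empty, no password
        trust.setCertificateEntry("pinned-server", cert);
        return contextFor(trust);
    }

    /* Same result from a trust store file (type as keytool wrote it, e.g. "JKS" or
       "PKCS12"), i.e. what the javax.net.ssl.trustStore properties do JVM-wide. */
    static SSLContext trustStoreFile(String path, String type, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        return contextFor(trust);
    }

    static SSLContext contextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /* Connect with the given context and return the HTTP status. Hostname
       verification stays on, so the cert must also name the host in the URL. */
    static int probe(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // args: <server.pem> <https://host:8443/manager/html>
        System.out.println("pinned trust: HTTP " + probe(trustOnly(args[0]), args[1]));
    }
}
```

The PEM file comes from the server's own keystore with keytool -exportcert -rfc -alias <alias> -keystore <server keystore> -file server.pem, and keytool -importcert -file server.pem -alias <alias> -keystore custom.jks turns it into the trust store the javaws poster wanted to pass. For the cargo case, a trust store checked into the project and handed to Maven through MAVEN_OPTS as the two javax.net.ssl properties keeps the deployment portable without disabling validation, assuming the deployer uses the JVM's default SSL settings. Two caveats on the javaws side: the trust store password property the answer mentions is needed for the store to load, and the Security Warning dialog is raised by the Java Web Start deployment layer, which consults its own trusted-certificate store (the one the Java Control Panel edits) rather than only javax.net.ssl.trustStore, so a JSSE-level trust store alone may not silence it.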