In this tutorial we will demonstrate how to secure access to the Administration console of WildFly / JBoss AS using Secure Sockets Layer (SSL).

By default, the communication between the browser and the Management console happens in clear text. The only security applied is the authentication that is required before accessing the console. If you have strict security requirements, however, you might need to encrypt the communication with the management console. For this purpose we will use a self-signed certificate. If you need to expose the Management console to other entities (for example outside your network), you might consider creating a Certificate Request which has to be signed by a CA.

So start by creating a keystore with the following keytool command:

keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword -dname "cn=Server Administrator,o=Acme,c=GB"

Now copy the server.keystore under your server's configuration folder (e.g. C:\wildfly-8.0.0.Final\standalone\configuration ).

Next, include in your ManagementRealm configuration a server-identities definition which references our keystore as follows:

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl><keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey"/></ssl>
    </server-identities>
    <authentication>
        <local default-user="$local"/>
        <properties path="" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

A last tweak is needed in the management-interfaces section, where you have to replace the http socket binding with an https socket binding:

<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
    <!-- <socket-binding http="management-http"/> -->
    <socket-binding https="management-https"/>
</http-interface>

Please note that management-https in turn references a socket binding which is included in your configuration by default:

<socket-binding name="management-https" interface="management" port="${}"/>

So the management console, when using https, will be bound to port 9993.

Restart your server and check that the management console is available on https://localhost:9993


The browser shows that WildFly is using https as the communication protocol, although it marks the site as insecure because the certificate is not signed by a CA.
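The two configuration edits above can be checked before the server is restarted. The following Python script is an added example, not part of the original tutorial: it parses a configuration and reports whether the management http-interface still has a clear-text http binding or references a realm without an ssl keystore. The function names and the embedded sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def find_all(node, name):
    """Descendants called `name`, ignoring the urn:jboss:domain:x.y namespace."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_management_tls(xml_text):
    """Return findings; an empty list means the console is served over HTTPS only."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in find_all(root, "security-realm")}
    findings = []
    for iface in find_all(root, "http-interface"):
        # XML comments are dropped by the parser, so a commented-out
        # http binding (as in the tutorial) is correctly not counted.
        bindings = find_all(iface, "socket-binding")
        if any(b.get("http") for b in bindings):
            findings.append("http-interface still has a clear-text http binding")
        if not any(b.get("https") for b in bindings):
            findings.append("http-interface has no https binding")
        name = iface.get("security-realm")
        realm = realms.get(name)
        if realm is None:
            findings.append("security realm %r is not defined" % name)
            continue
        keystores = [k for ids in find_all(realm, "server-identities")
                     for ssl in find_all(ids, "ssl")
                     for k in find_all(ssl, "keystore") if k.get("path")]
        if not keystores:
            findings.append("realm %r has no server-identities/ssl keystore" % name)
    return findings

# Constructed sample configuration (not a full standalone.xml).
TEMPLATE = """<server xmlns="urn:jboss:domain:2.0"><management>
  <security-realms><security-realm name="ManagementRealm">%s
    <authentication><local default-user="$local"/></authentication>
  </security-realm></security-realms>
  <management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">%s
    </http-interface>
  </management-interfaces>
</management></server>"""
KEYSTORE = ('<server-identities><ssl><keystore path="server.keystore" '
            'relative-to="jboss.server.config.dir" keystore-password="mypassword" '
            'alias="serverkey"/></ssl></server-identities>')
BEFORE = TEMPLATE % ("", '<socket-binding http="management-http"/>')
AFTER = TEMPLATE % (KEYSTORE, '<!-- <socket-binding http="management-http"/> -->'
                              '<socket-binding https="management-https"/>')

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_management_tls(cfg) or "OK: HTTPS only")
```

To check a real installation, pass the contents of the server's configuration file to `audit_management_tls` instead of the constructed samples.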

