Configuring Two-Way SSL

In two-way SSL, the JBoss EAP server additionally tries to establish trust with the connecting client by requesting a certificate from the client, and either accepting or rejecting it based on its own trust settings.

Follow the applicable instructions in the procedure to enable two-way SSL in your Silver Fabric component.

Procedure

  1. If a VirtualRouter instance is forwarding requests to this enabler, ensure that its configuration has SSL enabled, which is required for VirtualRouter to communicate with the server.
  2. In the Silver Fabric Administration Tool, go to Stacks > Components.
  3. Select Edit Component from the Actions list adjacent to your component.
  4. Select Add/Edit Component Features.
  5. Select the HTTP Support feature and click Edit.
  6. Select the HTTPS Enabled option.
  7. Click OK, then click Menu.
  8. Select Add/override/edit Enabler and Component-Specific Runtime Context Variables.
  9. Select the Environment variable from the Add From Enabler list.
  10. Configure the following Environment variables as necessary:
    Variable                  Description
    TWO_WAY_SSL_ENABLED       Whether verify-client is enabled in the SSL Connector. The variable takes the following values:
                              REQUESTED: The HTTPS Undertow listener requires a certificate chain only if the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
                              REQUIRED: The HTTPS Undertow listener requires a certificate chain from the client side.
    SERVER_KEY_STORE_FILE     Server key store file location for incoming SSL connections
    SSL_PASSWORD              Password for the keystore
    SERVER_TRUST_STORE_FILE   Server trust store file location for outgoing SSL connections
    SERVER_KEY_ALIAS          Private key entry's alias in the server key store. Change this if you changed the location of the server key store file with SERVER_KEY_STORE_FILE.
    TRUST_SSL_PASSWORD        Password for the trust store
  11. Click OK when finished. You must now upload your keystore and trust store for the server.
  12. Select Add/override/customize Enabler and Component-specific Content Files.
  13. Click Upload to upload the keystore and trust store files.
  14. Complete the screen as follows:
    Property        Description
    Name            A name for your file
    Relative Path   The value you used for SERVER_KEY_STORE_FILE
    File            The keystore file containing your server certificate
  15. Click Finish.
  16. To deploy the component, from the Actions list, select Publish Component.
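
A pre-upload check for the files and values used in steps 10 to 13, added here as an example and not part of the product documentation. It assumes a JDK `keytool` on the workstation, stores in a format keytool can read (the page does not state one), and local shell variables named after the page's SSL_PASSWORD and TRUST_SSL_PASSWORD; `check_stores` is a hypothetical helper name.

```shell
#!/bin/sh
# Usage: check_stores <keystore-file> <SERVER_KEY_ALIAS value> <truststore-file>
# Passwords come from the exported variables SSL_PASSWORD and TRUST_SSL_PASSWORD
# via keytool's -storepass:env form, so they never show up in the process list.
# Returns 0 when the stores match the variables, or 1-5 for the first failed check.
check_stores() {
    ks=$1; key_alias=$2; ts=$3
    kt="keytool -J-Duser.language=en"   # fixed language so the entry types match

    # 1: the keystore must open with SSL_PASSWORD and contain the alias
    entry=$($kt -list -keystore "$ks" -storepass:env SSL_PASSWORD \
                -alias "$key_alias" </dev/null 2>/dev/null) || {
        echo "keystore: wrong SSL_PASSWORD or alias '$key_alias' not found" >&2
        return 1; }

    # 2: the alias must hold a private key, not only a certificate
    case $entry in
        *PrivateKeyEntry*) ;;
        *) echo "keystore: '$key_alias' is not a private key entry" >&2
           return 2 ;;
    esac

    # 3: the trust store must open with TRUST_SSL_PASSWORD
    trusted=$($kt -list -keystore "$ts" -storepass:env TRUST_SSL_PASSWORD \
                  </dev/null 2>/dev/null) || {
        echo "trust store: cannot open with TRUST_SSL_PASSWORD" >&2
        return 3; }

    # 4: an empty trust store cannot validate any client certificate
    case $trusted in
        *trustedCertEntry*) ;;
        *) echo "trust store: no trusted certificate entries" >&2
           return 4 ;;
    esac

    # 5: private keys do not belong in a trust store
    case $trusted in
        *PrivateKeyEntry*)
           echo "trust store: contains a private key entry" >&2
           return 5 ;;
    esac
    return 0
}
```

Run it against the same files you upload in step 13 and with the alias you set for SERVER_KEY_ALIAS.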