Wildfly 9

Using WildFly 9 instead of WildFly 8 you only have to replace the sections Remove existing TLS and HTTP configuration and Configure TLS with the below section.

Remove existing TLS and HTTP configuration

To remove existing TLS and HTTP configuration (just to be safe), run the following commands in JBoss CLI:

/core-service=management/security-realm=SSLRealm/authentication=truststore:remove
/core-service=management/security-realm=SSLRealm/server-identity=ssl:remove
/core-service=management/security-realm=SSLRealm:remove
/socket-binding-group=standard-sockets/socket-binding=httpspub:remove
/subsystem=undertow/server=default-server/https-listener=httpspub:remove
/socket-binding-group=standard-sockets/socket-binding=httpspriv:remove
/subsystem=undertow/server=default-server/https-listener=httpspriv:remove
/socket-binding-group=standard-sockets/socket-binding=http:remove
/subsystem=undertow/server=default-server/http-listener=http:remove
/subsystem=undertow/server=default-server/http-listener=default:remove
/system-property=org.apache.catalina.connector.URI_ENCODING:remove
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:remove
/interface=http:remove
/interface=httpspub:remove
/interface=httpspriv:remove
:reload

Configure TLS

Copy keystores to WildFly:

ant deploy-keystore

Run the following commands in JBoss CLI to configure TLS (again removing any old configuration first just to be safe):

/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
:reload

Wait for reload to complete by checking the server log or the result of :read-attribute(name=server-state).

/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="localhost")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/subsystem=undertow/server=default-server/https-listener=httpspriv:write-attribute(name=max-parameters, value="2048")
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
/subsystem=undertow/server=default-server/https-listener=httpspub:write-attribute(name=max-parameters, value="2048")
:reload

Wait for reload to complete by checking the server log or the result of :read-attribute(name=server-state).

/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
:reload

If you are using OCSP GET requests, setting URI encoding and allowing encoding for Query and backslash above is needed.

WildFly will most likely get confused at this step, and will need a restart with :shutdown(restart=true)

Optional: Add support for sending email

If you need support for sending email (smtp) you can configure EjbcaMail with:

/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ejbca-mail-smtp:add(port="993", host="my.mail.server")
/subsystem=mail/mail-session="java:/EjbcaMail":add(jndi-name=java:/EjbcaMail, from=noreply@mymail)
/subsystem=mail/mail-session="java:/EjbcaMail"/server=smtp:add(outbound-socket-binding-ref=ejbca-mail-smtp, tls=true, username=smtpuser, password=smtppassword)