SSL support

inkatze · Feb 8, 2016 · c071902 · c071902
1 parent c03c4d1
commit c071902
Show file tree

Hide file tree

Showing 9 changed files with 161 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -42,3 +42,8 @@ Thumbs.db
 # Tools and Framework files #
 #############################
 .vagrant
+
+# Specific #
+############
+
+files
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+v3.0.0
+
+  - Feature: SSL support.
+  - Feature: Management and Undertow ports are now configurable.
+  - Removed management user override logic.
+
 v2.1.0
 
   - Updated default version to 10.0.0.Final.

diff --git a/README.md b/README.md
@@ -44,12 +44,35 @@ Defaults:
 
     wildfly_bind_address: 0.0.0.0
     wildfly_management_bind_address: 0.0.0.0
-    wildfly_manage_port: 9990
+    wildfly_manage_http_port: 9990
+    wildfly_manage_https_port: 9993
     wildfly_http_port: 8080
-
-    wildfly_management_user: admin
-    wildfly_management_password: admin
-    wildfly_management_user_overwrite: yes
+    wildfly_https_port: 8443
+
+    wildfly_enable_ssl: no
+    wildfly_keystore_name: my.jks
+    wildfly_keystore_path: "{{ wildfly_dir }}/standalone/configuration/\
+                            {{ wildfly_keystore_name }}"
+    wildfly_keystore_alias: my
+    wildfly_keystore_password: "secret"
+    wildfly_key_password: "secret"
+    wildfly_application_ssl_identity: '
+        <server-identities>
+            <ssl>
+                <keystore path="{{ wildfly_keystore_name }}"
+                relative-to="jboss.server.config.dir"
+                alias="{{ wildfly_keystore_alias }}"
+                keystore-password="{{ wildfly_keystore_password }}"
+                key-password="{{ wildfly_key_password }}"/>
+            </ssl>
+        </server-identities>'
+    wildfly_https_listener: '
+        <https-listener name="https-server" socket-binding="https"
+        security-realm="ManagementRealm"/>'
+
+    # Manually defined variables
+    # wildfly_management_user: admin
+    # wildfly_management_password: admin
 
 Example Playbook
 ----------------
@@ -58,6 +81,28 @@ Example Playbook
       roles:
          - { role: inkatze.wildfly }
 
+Admin User
+----------
+
+It's recommended that you create Wildfly's admin user separately as follows:
+
+    $ ansible-playbook main.yml --extra-vars "wildfly_management_user=admin wildfly_management_password=admin"
+
+SSL Support
+-----------
+
+In order to enable SSL for applications and the management interface you have
+to set the `wildfly_enable_ssl` variable to `yes` and put the keystore file
+into this role files folder.
+
+You can create a self signed keystore file with the following command:
+
+    $ keytool -genkey -alias mycert -keyalg RSA -sigalg MD5withRSA -keystore my.jks -storepass secret  -keypass secret -validity 9999
+
+It's recommended that the first and last name is your hostname. After this file
+is created, you have to set the keystore related variable in order to work
+correctly.
+
 Troubleshooting
 ---------------
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -30,9 +30,28 @@ wildfly_init_dir: /etc/init.d
 
 wildfly_bind_address: 0.0.0.0
 wildfly_management_bind_address: 0.0.0.0
-wildfly_manage_port: 9990
+wildfly_manage_http_port: 9990
+wildfly_manage_https_port: 9993
 wildfly_http_port: 8080
-
-wildfly_management_user: admin
-wildfly_management_password: admin
-wildfly_management_user_overwrite: yes
+wildfly_https_port: 8443
+
+wildfly_enable_ssl: no
+wildfly_keystore_name: my.jks
+wildfly_keystore_path: "{{ wildfly_dir }}/standalone/configuration/\
+                        {{ wildfly_keystore_name }}"
+wildfly_keystore_alias: my
+wildfly_keystore_password: "secret"
+wildfly_key_password: "secret"
+wildfly_application_ssl_identity: '
+    <server-identities>
+        <ssl>
+            <keystore path="{{ wildfly_keystore_name }}"
+             relative-to="jboss.server.config.dir"
+             alias="{{ wildfly_keystore_alias }}"
+             keystore-password="{{ wildfly_keystore_password }}"
+             key-password="{{ wildfly_key_password }}"/>
+        </ssl>
+    </server-identities>'
+wildfly_https_listener: '
+    <https-listener name="https-server" socket-binding="https"
+     security-realm="ManagementRealm"/>'
diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -27,12 +27,20 @@
     - restart wildfly
     - change standalone data mode
 
-- name: Open wildfly management tcp port
-  firewalld: port={{ wildfly_manage_port }}/tcp permanent=true immediate=true
+- name: Open wildfly management http tcp port
+  firewalld: port={{ wildfly_manage_http_port }}/tcp permanent=true immediate=true
              state=enabled
 
-- name: Open wildfly management udp port
-  firewalld: port={{ wildfly_manage_port }}/udp permanent=true immediate=true
+- name: Open wildfly management http udp port
+  firewalld: port={{ wildfly_manage_http_port }}/udp permanent=true immediate=true
+             state=enabled
+
+- name: Open wildfly management https tcp port
+  firewalld: port={{ wildfly_manage_https_port }}/tcp permanent=true immediate=true
+             state=enabled
+
+- name: Open wildfly management https udp port
+  firewalld: port={{ wildfly_manage_https_port }}/udp permanent=true immediate=true
              state=enabled
 
 - name: Open wildfly http tcp port
@@ -43,6 +51,14 @@
   firewalld: port={{ wildfly_http_port }}/udp permanent=true immediate=true
              state=enabled
 
+- name: Open wildfly https tcp port
+  firewalld: port={{ wildfly_https_port }}/tcp permanent=true immediate=true
+             state=enabled
+
+- name: Open wildfly https udp port
+  firewalld: port={{ wildfly_https_port }}/udp permanent=true immediate=true
+             state=enabled
+
 - name: Enable and start the service
   service: name=wildfly enabled=yes state=started
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,3 +4,6 @@
 - include: install.yml
 - include: configure.yml
 - include: users.yml
+
+- include: ssl.yml
+  when: wildfly_enable_ssl
diff --git a/tasks/ssl.yml b/tasks/ssl.yml
@@ -0,0 +1,47 @@
+---
+# task file for wildfly
+
+# See the README file on how to generate this file.
+- name: Copy keystore file to the configuration folder
+  copy: src={{ wildfly_keystore_name }}
+        dest={{ wildfly_keystore_path }}
+        owner={{ wildfly_user }} group={{ wildfly_group }} mode=0750
+  notify:
+    - restart wildfly
+    - change standalone data mode
+
+- name: Add SSL identity to the management realm
+  lineinfile:
+    dest: "{{ wildfly_standalone_config_path }}"
+    insertafter: <security-realm name="ManagementRealm">
+    line: "{{ wildfly_application_ssl_identity }}"
+    owner: "{{ wildfly_user }}"
+    group: "{{ wildfly_group }}"
+    mode: 0750
+  notify:
+    - restart wildfly
+    - change standalone data mode
+
+- name: Add https listener for applications
+  lineinfile:
+    dest: "{{ wildfly_standalone_config_path }}"
+    insertafter: <http-listener name=*
+    line: "{{ wildfly_https_listener }}"
+    owner: "{{ wildfly_user }}"
+    group: "{{ wildfly_group }}"
+    mode: 0750
+  notify:
+    - restart wildfly
+    - change standalone data mode
+
+- name: Add https socket binding to management interfaces
+  lineinfile:
+    dest: "{{ wildfly_standalone_config_path }}"
+    insertafter: <http-interface security-realm="ManagementRealm"*
+    line: <socket-binding https="management-https"/>
+    owner: "{{ wildfly_user }}"
+    group: "{{ wildfly_group }}"
+    mode: 0750
+  notify:
+    - restart wildfly
+    - change standalone data mode
diff --git a/tasks/users.yml b/tasks/users.yml
@@ -1,13 +1,11 @@
 ---
 # tasks file for wildfly
 
-# This status will always be "changed" unless skipped because it will update
-# if exists even with the same credentials.
+# The user will always be overwritten every time a user and password is given.
 - name: Create management user
   command: >
     {{ wildfly_dir }}/bin/add-user.sh
     {{ wildfly_management_user }} {{ wildfly_management_password }}
   become_user: "{{ wildfly_user }}"
   when: wildfly_management_user is defined and
-        wildfly_management_password is defined and
-        wildfly_management_user_overwrite
+        wildfly_management_password is defined
diff --git a/templates/wildfly.properties.j2 b/templates/wildfly.properties.j2
@@ -1,4 +1,8 @@
 # System properties for wildfly
 jboss.bind.address={{ wildfly_bind_address }}
+jboss.management.http.port={{ wildfly_manage_http_port }}
+jboss.management.https.port={{ wildfly_manage_https_port }}
+jboss.http.port={{ wildfly_http_port }}
+jboss.https.port={{ wildfly_https_port }}
 jboss.bind.address.management={{ wildfly_management_bind_address }}
 jboss.server.temp.dir=/tmp/wildfly