[[Simple_SSL_Migration]]
= Simple SSL Migration
[[simple-ssl-migration]]
== Simple SSL Migration
This section describes securing HTTP connections to the server with SSL
using Elytron. +
It assumes you have already configured SSL using the legacy
`security-realm`, for example by following
link:Admin_Guide.html#src-557075_AdminGuide-EnableSSL[Admin Guide#Enable
SSL], so that your configuration looks like:
[source, xml]
----
----
To switch to Elytron you need to:
1. Create an Elytron `key-store`, specifying where the keystore file is
stored and the password that protects it. The default type of a keystore
generated with keytool is JKS:
+
[source, ruby]
----
/subsystem=elytron/key-store=LocalhostKeyStore:add(path=server.keystore,relative-to=jboss.server.config.dir,credential-reference={clear-text="keystore_password"},type=JKS)
----
2. Create an Elytron `key-manager`, specifying the key-store, the alias
(via `alias-filter`) and the password of the key:
+
[source, ruby]
----
/subsystem=elytron/key-manager=LocalhostKeyManager:add(key-store=LocalhostKeyStore,alias-filter=server,credential-reference={clear-text="key_password"})
----
3. Create an Elytron `server-ssl-context`, specifying only a reference to
the `key-manager` defined above:
+
[source, ruby]
----
/subsystem=elytron/server-ssl-context=LocalhostSslContext:add(key-manager=LocalhostKeyManager)
----
4. Switch the `https-listener` from the legacy `security-realm` to the
newly created Elytron `ssl-context`:
+
[source, ruby]
----
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=LocalhostSslContext)
----
5. Reload the server:
+
[source, ruby]
----
reload
----
The resulting XML configuration of the Elytron subsystem should look like:
[source, xml]
----
...
----
The resulting `https-listener` in the Undertow subsystem should be:
[source,xml]
----
----
[[client-cert-ssl-authentication-migration]]
== Client-Cert SSL Authentication Migration
This assumes you have already configured Client-Cert SSL authentication
using a `truststore` in the legacy `security-realm`, for example by
following
link:Admin_Guide.html#src-557075_AdminGuide-AddClient-CerttoSSL[Admin
Guide#Add Client-Cert to SSL], so that your configuration looks like:
[source, xml]
----
----
[IMPORTANT]
The following configuration is sufficient to prevent users without a valid
certificate and private key from accessing the server, but it does not
provide the user identity to the application. That requires defining the
`CLIENT_CERT` HTTP mechanism or the `EXTERNAL` SASL mechanism, which is
described later.
First, use the steps above to migrate the basic part of the configuration.
Then continue as follows:
1. Create a `key-store` for the truststore, in the same way as for the keystore above:
+
[source, ruby]
----
/subsystem=elytron/key-store=TrustStore:add(path=server.truststore,relative-to=jboss.server.config.dir,credential-reference={clear-text="truststore_password"},type=JKS)
----
2. Create a `trust-manager`, specifying the truststore `key-store` created
above:
+
[source, ruby]
----
/subsystem=elytron/trust-manager=TrustManager:add(key-store=TrustStore)
----
3. Modify the `server-ssl-context` to use the newly created `trust-manager`:
+
[source, ruby]
----
/subsystem=elytron/server-ssl-context=LocalhostSslContext:write-attribute(name=trust-manager,value=TrustManager)
----
4. Enable client authentication on the `server-ssl-context`:
+
[source, ruby]
----
/subsystem=elytron/server-ssl-context=LocalhostSslContext:write-attribute(name=need-client-auth,value=true)
----
5. Reload the server:
+
[source, ruby]
----
reload
----
The resulting XML configuration of the Elytron subsystem should look like:
[source, xml]
----
...
----
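After both migrations it is worth checking the persisted `standalone.xml` for the two mistakes that silently weaken the result: a listener that still names the legacy `security-realm`, and a `server-ssl-context` whose `need-client-auth` is not `true`. The following script is an added example, not WildFly's own code; `SAMPLE_XML` is constructed here to mirror the resources the CLI steps above create (the page's own XML output is not shown), and the checks walk the listener → `server-ssl-context` → `key-manager`/`trust-manager` → `key-store` chain by name.

```python
# Added example (not WildFly's own code): sanity-check a migrated standalone.xml.
# SAMPLE_XML is constructed to mirror the resources the CLI steps above create.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server>
<subsystem xmlns="urn:wildfly:elytron:4.0"><tls>
 <key-stores>
  <key-store name="LocalhostKeyStore"><credential-reference clear-text="keystore_password"/>
   <implementation type="JKS"/><file path="server.keystore" relative-to="jboss.server.config.dir"/></key-store>
  <key-store name="TrustStore"><credential-reference clear-text="truststore_password"/>
   <implementation type="JKS"/><file path="server.truststore" relative-to="jboss.server.config.dir"/></key-store>
 </key-stores>
 <key-managers><key-manager name="LocalhostKeyManager" key-store="LocalhostKeyStore" alias-filter="server">
   <credential-reference clear-text="key_password"/></key-manager></key-managers>
 <trust-managers><trust-manager name="TrustManager" key-store="TrustStore"/></trust-managers>
 <server-ssl-contexts><server-ssl-context name="LocalhostSslContext" key-manager="LocalhostKeyManager"
   trust-manager="TrustManager" need-client-auth="true"/></server-ssl-contexts>
</tls></subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:7.0"><server name="default-server">
 <https-listener name="https" socket-binding="https" ssl-context="LocalhostSslContext"/>
</server></subsystem></server>"""

def _by_name(root, local, name):
    # Find an element by local tag name (namespace ignored) and its name attribute.
    return next((e for e in root.iter() if name is not None
                 and e.tag.rsplit("}", 1)[-1] == local and e.get("name") == name), None)

def check_migration(xml_text, listener_name="https"):
    """Return findings; an empty list means the listener is fully on Elytron with client auth enforced."""
    root = ET.fromstring(xml_text)
    findings = []
    listener = _by_name(root, "https-listener", listener_name)
    if listener is None:
        return ["https-listener %r not found" % listener_name]
    if listener.get("security-realm"):
        findings.append("listener still references legacy security-realm %r" % listener.get("security-realm"))
    ctx_name = listener.get("ssl-context")
    ctx = _by_name(root, "server-ssl-context", ctx_name)
    if ctx is None:
        return findings + ["listener has no valid ssl-context (got %r)" % ctx_name]
    km = _by_name(root, "key-manager", ctx.get("key-manager"))
    if km is None or _by_name(root, "key-store", km.get("key-store")) is None:
        findings.append("key-manager -> key-store chain of %r is broken" % ctx_name)
    tm = _by_name(root, "trust-manager", ctx.get("trust-manager"))
    if tm is None or _by_name(root, "key-store", tm.get("key-store")) is None:
        findings.append("%r has no trust-manager backed by a key-store" % ctx_name)
    if ctx.get("need-client-auth") != "true":
        findings.append("need-client-auth is not true: clients without a certificate are accepted")
    return findings
```

Run it against the real `standalone.xml` by passing the file contents to `check_migration`; any non-empty result means the migration is incomplete.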