WildFly Elytron

Introduction to a GUI wizard to configure TLS in WildFly

This blog post introduces a stand-alone GUI wizard called "TLS wizard". By using the wizard, you can enable one-way TLS for applications deployed to WildFly as well as the WildFly management interfaces. The wizard guides you through creating a self-signed certificate, which the wizard uses to configure one-way TLS.

Prerequisites

To follow along with this guide, you will need:

  • Roughly 5 minutes.

  • JDK 21 installed.

  • WildFly application server installed.

  • Maven installed.

The TLS wizard

The wizard is available on GitHub at https://github.com/wildfly-security-incubator/tlswizard.

To obtain the wizard, clone the tlswizard repository (the SSH URL below needs a GitHub account with an SSH key registered; use https://github.com/wildfly-security-incubator/tlswizard.git otherwise):

$ git clone git@github.com:wildfly-security-incubator/tlswizard.git

Alternatively, you can download the ZIP archive of the application as follows:

  1. Navigate to https://github.com/wildfly-security-incubator/tlswizard

  2. Click the <> Code button.

  3. Click Download ZIP.

  4. Extract the application from the downloaded archive.

Using the application

You can enable one-way TLS for applications deployed to WildFly or the WildFly management interface by following these steps:

  1. Start the WildFly server.

  2. Navigate to the application directory tlswizard.

  3. Launch the application:

    $ mvn clean javafx:run

  4. Enter the IP address of the server. The default is 127.0.0.1 (localhost), which is correct for a WildFly instance running on the same machine.

  5. Select whether to secure deployed applications or the management interfaces.

  6. Click Next.

  7. Enter a name for the key store to create, with the .pkcs12 extension (for example server.pkcs12).

  8. Enter the details for the certificate to be generated. Any field you leave empty is set to Unknown.

  9. Click Configure TLS.

  10. To verify TLS, do this:

    • If you secured applications: Navigate to https://localhost:8443. Because the certificate is self-signed, your browser will warn that it is not trusted; proceed and inspect the certificate. The Common Name (CN) should match the first and last name you entered.

    • If you secured the management interface: Navigate to http://localhost:9990. You will be redirected to https://localhost:9993. Inspect the certificate in the same way; the Common Name (CN) should match the first and last name you entered.
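If you want to see what the wizard does behind the Configure TLS button, or to script it without the GUI, the same procedure done by hand is shown below: a self-signed certificate in a PKCS#12 key store created with keytool, an Elytron key-store, key-manager and server-ssl-context created with jboss-cli.sh, the chosen listener pointed at that context, and the step 10 check done with openssl instead of a browser. This is an added example, not code from the tlswizard project; the resource names tlsKS, tlsKM and tlsSSC, the key alias, the file names, the password and the DN are assumptions chosen for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the tlswizard project: the steps the wizard
# automates, done by hand. Resource names (tlsKS, tlsKM, tlsSSC), the key
# alias, the file names, the password and the DN are assumptions.
set -eu

KEYSTORE_FILE=${KEYSTORE_FILE:-server.pkcs12}
KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}       # development only
# keytool fills any DN field left blank with "Unknown"; CN is the field the
# wizard calls "first and last name".
CERT_DN=${CERT_DN:-"CN=Jane Doe, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"}

# 1. Self-signed key pair in a PKCS#12 key store. The SAN extension is what
#    browsers match against the host name; a CN alone does not satisfy them.
generate_keystore() {
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$KEYSTORE_FILE" -storetype PKCS12 -storepass "$KEYSTORE_PASS" \
    -dname "$CERT_DN" -ext "SAN=dns:localhost,ip:127.0.0.1"
}

# 2. jboss-cli script: key-store -> key-manager -> server-ssl-context, then
#    attach the context to the Undertow https listener (applications) or to
#    the management http-interface, which also needs its secure socket binding.
#    $1 = output path, $2 = "applications" or "management"
write_cli_script() {
  _out=$1; _target=$2
  {
    echo "/subsystem=elytron/key-store=tlsKS:add(path=$KEYSTORE_FILE,relative-to=jboss.server.config.dir,type=PKCS12,credential-reference={clear-text=$KEYSTORE_PASS})"
    echo "/subsystem=elytron/key-manager=tlsKM:add(key-store=tlsKS,credential-reference={clear-text=$KEYSTORE_PASS})"
    echo "/subsystem=elytron/server-ssl-context=tlsSSC:add(key-manager=tlsKM)"
    if [ "$_target" = applications ]; then
      echo "/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tlsSSC)"
    else
      echo "/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=tlsSSC)"
      echo "/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)"
    fi
    echo "reload"
  } > "$_out"
}

# 3. Verification without a browser: complete a handshake and print the
#    certificate the server presented. For a self-signed certificate the
#    subject and issuer lines are identical. $1 = host, $2 = port (8443 or 9993)
show_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Full run: bash tls-by-hand.sh run applications|management
# Needs JBOSS_HOME and a running standalone server (the CLI connects to 9990).
case "${1:-}" in
  run)
    target=${2:-applications}
    generate_keystore
    cp "$KEYSTORE_FILE" "$JBOSS_HOME/standalone/configuration/"
    write_cli_script configure-tls.cli "$target"
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file=configure-tls.cli
    sleep 5   # give the reload time to finish before connecting
    if [ "$target" = applications ]; then show_served_cert localhost 8443
    else show_served_cert localhost 9993; fi
    ;;
esac
```

Run it as `bash tls-by-hand.sh run applications` (or `run management`) with JBOSS_HOME set and the server started, as in step 1. Two caveats apply to the by-hand version and to the wizard's result alike: the certificate is self-signed, so every client that has not been told to trust it will warn or refuse to connect, and a clear-text credential-reference leaves the key store password readable in standalone.xml, which is acceptable for a local experiment but should be replaced by a credential store before the configuration goes anywhere near production.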