[WFLY-11003] Add documentation describing how to define an SSLContext…

… for SNI in the WildFly Elytron subsystem.
wildfly · Sep 12, 2018 · 2c9c763 · 2c9c763
1 parent 263fdfe
commit 2c9c763
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/docs/src/main/asciidoc/_elytron/Using_the_Elytron_Subsystem.adoc b/docs/src/main/asciidoc/_elytron/Using_the_Elytron_Subsystem.adoc
@@ -1999,6 +1999,41 @@ use custom implementations of the following components:
 When creating custom implementations of Elytron components, they must
 present the appropriate capabilities and requirements.
 
+=== Configuring SNI
+
+Using the WildFly Elytron subsystem it is possible to configure an SSL context which supports SNI.  By supporting SNI if an SNI host name is available whilst the SSLSession is being negotiation a host specific SSLcontext will be selected.  If no host specific SSLContext is identified either because no host name was received or because there is no match a default SSLContext will be used instead.  By identifying a host specific SSLContext it means that a certificate appropriate for that host can be used.
+
+The following command demonstrates how an SNI aware SSLContext can be added: - 
+
+[source, ruby]
+----
+[standalone@localhost:9990 /] ./subsystem=elytron/server-ssl-sni-context=test-sni:add(default-ssl-context=jboss,host-context-map={localhost=localhost, wildfly.org=wildfly})
+{"outcome" => "success"}
+----
+
+This example assumes that three SSLContexts have been previously defined following the steps available previously in this document, those contexts are `jboss`, `localhost`, and `wildfly`.
+
+During negotiation of the SSLSession if the SNI host name received is `localhost` then the `localhost` SSLContext will be used, if the SNI host name is `wildfly.org` then the `wildfly` SSLContext will be used.  If no SNI host name is received or if we receive a name that does not match this will fallback and use the `jboss` SSLContext.
+
+The resulting resource looks like: -
+
+[source, ruby]
+----
+[standalone@localhost:9990 /] ./subsystem=elytron/server-ssl-sni-context=test-sni:read-resource
+{
+    "outcome" => "success",
+    "result" => {
+        "default-ssl-context" => "jboss",
+        "host-context-map" => {
+            "localhost" => "localhost",
+            "wildfly.org" => "wildfly"
+        }
+    }
+}
+----
+
+Within the `host-context-map` it is also possible to define wildcard mappings such as `&#42;` and `&#42;.wildfly.org`.
+
 [[configuring-the-elytron-and-security-subsystems]]
 == Configuring the Elytron and Security Subsystems