set up a security realm and bind the management interface to it
<security-realm name="LdapConnection">
<authentication>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
<ldap connection="remoteLdap" base-dn="ou=People,dc=company,dc=com" recursive="true">
<username-filter attribute="uid"/>
</ldap>
</authentication>
<authorization>
...........
</authorization>
</security-realm>
<outbound-connections>
<ldap name="remoteLdap" url="ldaps://ldapserver.company.com:636"/>
</outbound-connections>
<management-interfaces>
<http-interface security-realm="LdapConnection" http-upgrade-enabled="true">
<socket-binding https="management-https"/>
</http-interface>
</management-interfaces>
Try and access the management console and enter a valid username and password.
If debugging is enabled then you get a certificate validation exception.
12:24:36,119 DEBUG [org.jboss.as.domain.http.api.undertow] (management task-5) Failure handling Callback(s) for BASIC authentication.: java.io.IOException: WFLYDM0009: Unable to perform verification
at org.jboss.as.domain.management.security.UserLdapCallbackHandler$LdapCallbackHandler.handle(UserLdapCallbackHandler.java:253)
at org.jboss.as.domain.management.security.SecurityRealmService$1.handle(SecurityRealmService.java:178)
at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:162)
at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:141)
at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118)
at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name 'ou=People,dc=company,dc=com'
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
at org.jboss.as.domain.management.security.LdapUserSearcherFactory$LdapUserSearcherImpl.search(LdapUserSearcherFactory.java:125)
at org.jboss.as.domain.management.security.LdapUserSearcherFactory$LdapUserSearcherImpl.search(LdapUserSearcherFactory.java:66)
at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225)
at org.jboss.as.domain.management.security.UserLdapCallbackHandler$LdapCallbackHandler.handle(UserLdapCallbackHandler.java:205)
... 18 more
If I then add the certificates to the java default cacerts store or pass in a manual truststore location through -Djavax.net.ssl.trustStore=truststore.jks then the connection works ok.
The wildfly security realm documents specifically state "that is if a trust store is defined - on negotiating an outbound SSL connection the trust store will be used to verify the remote server."