From ff90ab3b969127d37f8fd19eb4e25a38f89b49b7 Mon Sep 17 00:00:00 2001
From: Prarthona Paul <prpaul@redhat.com>
Date: Wed, 3 Jul 2024 11:51:27 -0400
Subject: [PATCH] WFCORE-6802 [Preview] OCSP stapling support

---
 elytron/pom.xml                               |   1 +
 .../elytron/ElytronDescriptionConstants.java  |   9 +
 .../extension/elytron/SSLDefinitions.java     | 193 +++++++--
 .../wildfly/extension/elytron/TlsParser.java  |  60 +++
 .../extension/elytron/TrivialService.java     |   8 +-
 .../_private/ElytronSubsystemMessages.java    |   2 +
 .../elytron/LocalDescriptions.properties      |   9 +
 .../schema/wildfly-elytron_preview_18_0.xsd   |  74 +++-
 .../extension/elytron/TlsTestCase.java        |  55 ++-
 .../elytron-subsystem-preview-18.0.xml        | 404 ++++++++++++++++++
 10 files changed, 781 insertions(+), 34 deletions(-)
 create mode 100644 elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml

diff --git a/elytron/pom.xml b/elytron/pom.xml
index e506f39254d..e1858af4213 100644
--- a/elytron/pom.xml
+++ b/elytron/pom.xml
@@ -414,6 +414,7 @@
                                 <exclude>jacc-with-providers.xml</exclude>
                                 <exclude>legacy*.xml</exclude>
                                 <exclude>elytron-subsystem-community*.xml</exclude>
+                                <exclude>elytron-subsystem-preview*.xml</exclude>
                             </excludes>
                             <systemId>src/main/resources/schema/wildfly-elytron_18_0.xsd</systemId>
                         </validationSet>
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java
index 87fd07f4ae6..d1d8d47f1be 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java
@@ -12,6 +12,7 @@
  */
 interface ElytronDescriptionConstants {
 
+    String ACCEPT_OCSP_STAPLING = "accept-ocsp-stapling";
     String ACCOUNT_KEY = "account-key";
     String ACTION = "action";
     String ACTIVE_SESSION_COUNT = "active-session-count";
@@ -73,6 +74,8 @@ interface ElytronDescriptionConstants {
     String BCRYPT_MAPPER = "bcrypt-mapper";
 
     String CAA_IDENTITIES = "caa-identities";
+    String CACHE_SIZE = "cache-size";
+    String CACHE_LIFETIME = "cache-lifetime";
     String CACHING_REALM = "caching-realm";
     String CASE_PRINCIPAL_TRANSFORMER = "case-principal-transformer";
     String CALLBACK_HANDLER = "callback-handler";
@@ -246,6 +249,7 @@ interface ElytronDescriptionConstants {
     String IDENTITY_MAPPING = "identity-mapping";
     String IDENTITY_REALM = "identity-realm";
     String IGNORE_UNAVAILABLE_REALMS = "ignore-unavailable-realms";
+    String IGNORE_EXTENSIONS = "ignore-extensions";
     String IMPLEMENTATION = "implementation";
     String IMPLEMENTATION_PROPERTIES = "implementation-properties";
     String IMPORT_CERTIFICATE = "import-certificate";
@@ -366,6 +370,8 @@ interface ElytronDescriptionConstants {
     String OBTAIN_CERTIFICATE = "obtain-certificate";
     String OBTAIN_KERBEROS_TICKET = "obtain-kerberos-ticket";
     String OCSP = "ocsp";
+    String OCSP_STAPLING = "ocsp-stapling";
+    String OCSP_STAPLING_SOFT_FAIL = "ocsp-stapling-soft-fail";
     String OID = "oid";
     String ONLY_LEAF_CERT = "only-leaf-cert";
     String OPERATIONS = "operations";
@@ -467,6 +473,9 @@ interface ElytronDescriptionConstants {
     String RESPONDER = "responder";
     String RESPONDER_CERTIFICATE = "responder-certificate";
     String RESPONDER_KEYSTORE = "responder-keystore";
+    String RESPONDER_OVERRIDE = "responder-override";
+    String RESPONDER_URI = "responder-uri";
+    String RESPONSE_TIMEOUT = "response-timeout";
     String REVERSE = "reverse";
     String REVOKE_CERTIFICATE = "revoke-certificate";
     String RIGHT = "right";
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java b/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java
index e46fbfc91da..f9cab71fb10 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java
@@ -232,6 +232,18 @@ class SSLDefinitions {
             //.setDefaultValue(new ModelNode(CipherSuiteSelector.OPENSSL_DEFAULT_CIPHER_SUITE_NAMES))
             .build();
 
+    static final SimpleAttributeDefinition ACCEPT_OCSP_STAPLING = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.ACCEPT_OCSP_STAPLING, ModelType.BOOLEAN, true)
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setDefaultValue(ModelNode.FALSE)
+            .build();
+
+    static final SimpleAttributeDefinition OCSP_STAPLING_SOFT_FAIL = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.OCSP_STAPLING_SOFT_FAIL, ModelType.BOOLEAN, true)
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setDefaultValue(ModelNode.TRUE)
+            .build();
+
     private static final String[] ALLOWED_PROTOCOLS = { "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
 
     static final StringListAttributeDefinition PROTOCOLS = new StringListAttributeDefinition.Builder(ElytronDescriptionConstants.PROTOCOLS)
@@ -398,6 +410,55 @@ class SSLDefinitions {
             .setRestartAllServices()
             .build();
 
+    static final SimpleAttributeDefinition RESPONSE_TIMEOUT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONSE_TIMEOUT, ModelType.INT, true)
+            .setValidator(new IntRangeValidator(1))
+            .setDefaultValue(new ModelNode(5000))
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
+    static final SimpleAttributeDefinition CACHE_SIZE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CACHE_SIZE, ModelType.INT, true)
+            .setDefaultValue(new ModelNode(256))
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
+    static final SimpleAttributeDefinition CACHE_LIFETIME = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CACHE_LIFETIME, ModelType.INT, true)
+            .setDefaultValue(new ModelNode(3600))
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
+    static final SimpleAttributeDefinition RESPONDER_URI = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONDER_URI, ModelType.STRING, true)
+            .setRequires(ElytronDescriptionConstants.RESPONDER_OVERRIDE)
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
+    static final SimpleAttributeDefinition RESPONDER_OVERRIDE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONDER_OVERRIDE, ModelType.BOOLEAN, true)
+            .setDefaultValue(ModelNode.FALSE)
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
+    static final SimpleAttributeDefinition IGNORE_EXTENSIONS = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.IGNORE_EXTENSIONS, ModelType.BOOLEAN, true)
+            .setDefaultValue(ModelNode.FALSE)
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
+    static final ObjectTypeAttributeDefinition OCSP_STAPLING = new ObjectTypeAttributeDefinition.Builder(ElytronDescriptionConstants.OCSP_STAPLING, RESPONSE_TIMEOUT, CACHE_SIZE, CACHE_LIFETIME, RESPONDER_URI, RESPONDER_OVERRIDE, IGNORE_EXTENSIONS)
+            .setRequired(false)
+            .setRestartAllServices()
+            .setStability(Stability.PREVIEW)
+            .build();
+
     /*
      * Runtime Attributes
      */
@@ -941,31 +1002,6 @@ private File resolveFileLocation(String path, String relativeTo, InjectedValue<P
                 }
                 return resolvedPath;
             }
-
-            private TrustManagerFactory createTrustManagerFactory(Provider[] providers, String providerName, String algorithm) throws StartException {
-                TrustManagerFactory trustManagerFactory = null;
-
-                if (providers != null) {
-                    for (Provider current : providers) {
-                        if (providerName == null || providerName.equals(current.getName())) {
-                            try {
-                                // TODO - We could check the Services within each Provider to check there is one of the required type/algorithm
-                                // However the same loop would need to remain as it is still possible a specific provider can't create it.
-                                return TrustManagerFactory.getInstance(algorithm, current);
-                            } catch (NoSuchAlgorithmException ignored) {
-                            }
-                        }
-                    }
-                    if (trustManagerFactory == null)
-                        throw ROOT_LOGGER.unableToCreateManagerFactory(TrustManagerFactory.class.getSimpleName(), algorithm);
-                }
-
-                try {
-                    return TrustManagerFactory.getInstance(algorithm);
-                } catch (NoSuchAlgorithmException e) {
-                    throw new StartException(e);
-                }
-            }
         };
 
         ResourceDescriptionResolver resolver = ElytronExtension.getResourceDescriptionResolver(ElytronDescriptionConstants.TRUST_MANAGER);
@@ -1288,7 +1324,7 @@ static ResourceDefinition getServerSSLContextDefinition(boolean serverOrHostCont
                 SECURITY_DOMAIN, WANT_CLIENT_AUTH, NEED_CLIENT_AUTH, AUTHENTICATION_OPTIONAL,
                 USE_CIPHER_SUITES_ORDER, MAXIMUM_SESSION_CACHE_SIZE, SESSION_TIMEOUT, WRAP, keyManagerDefinition, TRUST_MANAGER,
                 PRE_REALM_PRINCIPAL_TRANSFORMER, POST_REALM_PRINCIPAL_TRANSFORMER, FINAL_PRINCIPAL_TRANSFORMER, REALM_MAPPER,
-                providersDefinition, PROVIDER_NAME};
+                providersDefinition, PROVIDER_NAME, OCSP_STAPLING};
 
         AbstractAddStepHandler add = new TrivialAddHandler<SSLContext>(SSLContext.class, ServiceController.Mode.ACTIVE, ServiceController.Mode.PASSIVE, attributes, SSL_CONTEXT_RUNTIME_CAPABILITY) {
 
@@ -1316,7 +1352,29 @@ protected ValueSupplier<SSLContext> getValueSupplier(ServiceBuilder<SSLContext>
                 final int maximumSessionCacheSize = MAXIMUM_SESSION_CACHE_SIZE.resolveModelAttribute(context, model).asInt();
                 final int sessionTimeout = SESSION_TIMEOUT.resolveModelAttribute(context, model).asInt();
                 final boolean wrap = WRAP.resolveModelAttribute(context, model).asBoolean();
-
+                final String ocspStapling = OCSP_STAPLING.resolveModelAttribute(context, model).asStringOrNull();
+                final int responseTimeout;
+                final int cacheSize;
+                final int cacheLifetime;
+                final String responderURI;
+                final boolean responderOverride;
+                final boolean ignoreExtensions;
+
+                if (ocspStapling != null) {
+                    responseTimeout = RESPONSE_TIMEOUT.resolveModelAttribute(context, model).asInt();
+                    cacheSize = CACHE_SIZE.resolveModelAttribute(context, model).asInt();
+                    cacheLifetime = CACHE_LIFETIME.resolveModelAttribute(context, model).asInt();
+                    responderURI = RESPONDER_URI.resolveModelAttribute(context, model).asString();
+                    responderOverride = RESPONDER_OVERRIDE.resolveModelAttribute(context, model).asBoolean();
+                    ignoreExtensions = IGNORE_EXTENSIONS.resolveModelAttribute(context, model).asBoolean();
+                } else {
+                    responseTimeout = 0;
+                    cacheSize = 0;
+                    cacheLifetime = 0;
+                    responderURI = null;
+                    responderOverride = false;
+                    ignoreExtensions = false;
+                }
                 return () -> {
                     SecurityDomain securityDomain = securityDomainInjector.getOptionalValue();
                     X509ExtendedKeyManager keyManager = getX509KeyManager(keyManagerInjector.getOptionalValue());
@@ -1366,6 +1424,15 @@ protected ValueSupplier<SSLContext> getValueSupplier(ServiceBuilder<SSLContext>
                             .setSessionTimeout(sessionTimeout)
                             .setWrap(wrap);
 
+                    if (ocspStapling != null) {
+                        builder.setResponseTimeout(responseTimeout)
+                                .setCacheSize(cacheSize)
+                                .setCacheLifetime(cacheLifetime)
+                                .setResponderURI(responderURI)
+                                .setResponderOverride(responderOverride)
+                                .setIgnoreExtensions(ignoreExtensions);
+                    }
+
                     if (ROOT_LOGGER.isTraceEnabled()) {
                         ROOT_LOGGER.tracef(
                                 "ServerSSLContext supplying:  securityDomain = %s  keyManager = %s  trustManager = %s  "
@@ -1461,7 +1528,7 @@ static ResourceDefinition getClientSSLContextDefinition(boolean serverOrHostCont
                 .build();
 
         AttributeDefinition[] attributes = new AttributeDefinition[]{CIPHER_SUITE_FILTER, CIPHER_SUITE_NAMES, PROTOCOLS,
-                KEY_MANAGER, TRUST_MANAGER, providersDefinition, PROVIDER_NAME};
+                KEY_MANAGER, TRUST_MANAGER, providersDefinition, PROVIDER_NAME, ACCEPT_OCSP_STAPLING, OCSP_STAPLING_SOFT_FAIL};
 
         AbstractAddStepHandler add = new TrivialAddHandler<SSLContext>(SSLContext.class, attributes, SSL_CONTEXT_RUNTIME_CAPABILITY) {
             @Override
@@ -1475,6 +1542,10 @@ protected ValueSupplier<SSLContext> getValueSupplier(ServiceBuilder<SSLContext>
                 final List<String> protocols = PROTOCOLS.unwrap(context, model);
                 final String cipherSuiteFilter = CIPHER_SUITE_FILTER.resolveModelAttribute(context, model).asString(); // has default value, can't be null
                 final String cipherSuiteNames = CIPHER_SUITE_NAMES.resolveModelAttribute(context, model).asStringOrNull(); // doesn't have a default value yet since we are disabling TLS 1.3 by default
+                final boolean acceptOCSPStapling = ACCEPT_OCSP_STAPLING.resolveModelAttribute(context, model).asBoolean();
+                final boolean softFail = OCSP_STAPLING_SOFT_FAIL.resolveModelAttribute(context, model).asBoolean();
+                final String trustManagerName = TRUST_MANAGER.resolveModelAttribute(context,model).asString();
+
                 return () -> {
                     X509ExtendedKeyManager keyManager = getX509KeyManager(keyManagerInjector.getOptionalValue());
                     X509ExtendedTrustManager trustManager = getX509TrustManager(trustManagerInjector.getOptionalValue());
@@ -1482,8 +1553,20 @@ protected ValueSupplier<SSLContext> getValueSupplier(ServiceBuilder<SSLContext>
 
                     SSLContextBuilder builder = new SSLContextBuilder();
                     if (keyManager != null) builder.setKeyManager(keyManager);
+                    if (acceptOCSPStapling) {
+                        TrustManagerFactory trustManagerFactory = createTrustManagerFactory(providersInjector.getOptionalValue(), providerName, TrustManagerFactory.getDefaultAlgorithm());
+                        X509RevocationTrustManager.Builder revocationBuilder = X509RevocationTrustManager.builder();
+                        revocationBuilder.setTrustManagerFactory(trustManagerFactory);
+                        revocationBuilder.setTrustStore(getModifiableTrustManagerService(context, trustManagerName).getModifiableValue());
+
+                        revocationBuilder.setCheckRevocation(true);
+                        revocationBuilder.setSoftFail(softFail);
+                        trustManager = revocationBuilder.build();
+                    }
+
                     if (trustManager != null) builder.setTrustManager(trustManager);
                     if (providers != null) builder.setProviderSupplier(() -> providers);
+
                     builder.setCipherSuiteSelector(CipherSuiteSelector.aggregate(cipherSuiteNames != null ? CipherSuiteSelector.fromNamesString(cipherSuiteNames) : null, CipherSuiteSelector.fromString(cipherSuiteFilter)));
                     if (!protocols.isEmpty()) {
                         List<Protocol> list = new ArrayList<>();
@@ -1496,7 +1579,8 @@ protected ValueSupplier<SSLContext> getValueSupplier(ServiceBuilder<SSLContext>
                         ));
                     }
                     builder.setClientMode(true)
-                            .setWrap(false);
+                            .setWrap(false)
+                            .setAcceptOCSPStapling(acceptOCSPStapling);
 
                     if (ROOT_LOGGER.isTraceEnabled()) {
                         ROOT_LOGGER.tracef(
@@ -1689,4 +1773,55 @@ public InjectedValue<PathManager> getPathManagerInjector() {
         }
     }
 
+    private static TrustManagerFactory createTrustManagerFactory(Provider[] providers, String providerName, String algorithm) throws StartException {
+        TrustManagerFactory trustManagerFactory = null;
+
+        if (providers != null) {
+            for (Provider current : providers) {
+                if (providerName == null || providerName.equals(current.getName())) {
+                    try {
+                        // TODO - We could check the Services within each Provider to check there is one of the required type/algorithm
+                        // However the same loop would need to remain as it is still possible a specific provider can't create it.
+                        return TrustManagerFactory.getInstance(algorithm, current);
+                    } catch (NoSuchAlgorithmException ignored) {
+                    }
+                }
+            }
+            if (trustManagerFactory == null)
+                throw ROOT_LOGGER.unableToCreateManagerFactory(TrustManagerFactory.class.getSimpleName(), algorithm);
+        }
+
+        try {
+            return TrustManagerFactory.getInstance(algorithm);
+        } catch (NoSuchAlgorithmException e) {
+            throw new StartException(e);
+        }
+    }
+
+    public static ModifiableKeyStoreService getModifiableTrustManagerService(OperationContext context, String trustManagerName) throws OperationFailedException {
+        ServiceRegistry serviceRegistry = context.getServiceRegistry(false);
+        RuntimeCapability<Void> runtimeCapability = TRUST_MANAGER_RUNTIME_CAPABILITY.fromBaseCapability(trustManagerName);
+        ServiceName serviceName = runtimeCapability.getCapabilityServiceName();
+
+        ServiceController<TrustManager> serviceContainer = getRequiredService(serviceRegistry, serviceName, TrustManager.class);
+        ServiceController.State serviceState = serviceContainer.getState();
+        if (serviceState != ServiceController.State.UP) {
+            throw ROOT_LOGGER.requiredServiceNotUp(serviceName, serviceState);
+        }
+
+        String keyStoreName = null;
+        Set<ServiceName> serviceNames = serviceContainer.requires();
+        for(ServiceName name : serviceNames) {
+            if (name.getCanonicalName().contains(KEY_STORE_CAPABILITY)) {
+                keyStoreName = (name).getCanonicalName().substring(KEY_STORE_CAPABILITY.length() + 1);
+            }
+        }
+
+        if (keyStoreName == null) {
+            throw ROOT_LOGGER.unableToLoadKeystoreCapabilityService();
+        } else {
+            return getModifiableKeyStoreService(context, keyStoreName);
+        }
+    }
+
 }
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java b/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java
index cd8592d815e..51f13aef109 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java
@@ -180,6 +180,30 @@ class TlsParser {
             .addAttribute(SSLDefinitions.FINAL_PRINCIPAL_TRANSFORMER)
             .addAttribute(SSLDefinitions.REALM_MAPPER);
 
+    private PersistentResourceXMLBuilder serverSslContextPreviewParser_18_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(SERVER_SSL_CONTEXT))
+            .setXmlWrapperElement(SERVER_SSL_CONTEXTS)
+            .setMarshallDefaultValues(true)
+            .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_FILTER)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_NAMES)
+            .addAttribute(SSLDefinitions.PROTOCOLS)
+            .addAttribute(SSLDefinitions.WANT_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.NEED_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.AUTHENTICATION_OPTIONAL)
+            .addAttribute(SSLDefinitions.USE_CIPHER_SUITES_ORDER)
+            .addAttribute(SSLDefinitions.MAXIMUM_SESSION_CACHE_SIZE)
+            .addAttribute(SSLDefinitions.SESSION_TIMEOUT)
+            .addAttribute(SSLDefinitions.WRAP)
+            .addAttribute(SSLDefinitions.KEY_MANAGER)
+            .addAttribute(SSLDefinitions.TRUST_MANAGER)
+            .addAttribute(SSLDefinitions.PROVIDERS)
+            .addAttribute(SSLDefinitions.PROVIDER_NAME)
+            .addAttribute(SSLDefinitions.PRE_REALM_PRINCIPAL_TRANSFORMER)
+            .addAttribute(SSLDefinitions.POST_REALM_PRINCIPAL_TRANSFORMER)
+            .addAttribute(SSLDefinitions.FINAL_PRINCIPAL_TRANSFORMER)
+            .addAttribute(SSLDefinitions.REALM_MAPPER)
+            .addAttribute(SSLDefinitions.OCSP_STAPLING);    // new OCSP_STAPLING element
+
     private PersistentResourceXMLBuilder clientSslContextParser = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT))
             .setXmlWrapperElement(CLIENT_SSL_CONTEXTS)
             .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
@@ -224,6 +248,26 @@ class TlsParser {
             .addAttribute(SSLDefinitions.PROVIDERS)
             .addAttribute(SSLDefinitions.PROVIDER_NAME);
 
+    private PersistentResourceXMLBuilder clientSslContextParserPreview_18_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT))
+            .setXmlWrapperElement(CLIENT_SSL_CONTEXTS)
+            .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_FILTER)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_NAMES)
+            .addAttribute(SSLDefinitions.PROTOCOLS)
+            .addAttribute(SSLDefinitions.WANT_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.NEED_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.AUTHENTICATION_OPTIONAL)
+            .addAttribute(SSLDefinitions.USE_CIPHER_SUITES_ORDER)
+            .addAttribute(SSLDefinitions.MAXIMUM_SESSION_CACHE_SIZE)
+            .addAttribute(SSLDefinitions.SESSION_TIMEOUT)
+            .addAttribute(SSLDefinitions.WRAP)
+            .addAttribute(SSLDefinitions.KEY_MANAGER)
+            .addAttribute(SSLDefinitions.TRUST_MANAGER)
+            .addAttribute(SSLDefinitions.PROVIDERS)
+            .addAttribute(SSLDefinitions.PROVIDER_NAME)
+            .addAttribute(SSLDefinitions.ACCEPT_OCSP_STAPLING)      //new
+            .addAttribute(SSLDefinitions.OCSP_STAPLING_SOFT_FAIL); //new
+
     private PersistentResourceXMLBuilder certificateAuthorityAccountParser = PersistentResourceXMLDescription.builder(PathElement.pathElement(CERTIFICATE_AUTHORITY_ACCOUNT))
             .setXmlWrapperElement(CERTIFICATE_AUTHORITY_ACCOUNTS)
             .addAttribute(CertificateAuthorityAccountDefinition.CERTIFICATE_AUTHORITY)
@@ -371,4 +415,20 @@ public void marshallSingleElement(AttributeDefinition attribute, ModelNode mappi
             .addChild(serverSslSniContextParser)
             .addChild(dynamicClientSslContextParser) // new
             .build();
+
+    final PersistentResourceXMLDescription tlsParserPreview_18_0 = decorator(TLS)
+            .addChild(decorator(KEY_STORES)
+                    .addChild(keyStoreParser)
+                    .addChild(ldapKeyStoreParser)
+                    .addChild(filteringKeyStoreParser)
+            )
+            .addChild(keyManagerParser_12_0)
+            .addChild(trustManagerParser_14_0)
+            .addChild(serverSslContextPreviewParser_18_0)   // new parser with ocsp_stapling
+            .addChild(clientSslContextParserPreview_18_0) // new parser with ocsp_stapling
+            .addChild(certificateAuthorityParser)
+            .addChild(certificateAuthorityAccountParser)
+            .addChild(serverSslSniContextParser)
+            .addChild(dynamicClientSslContextParser)
+            .build();
 }
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java b/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java
index 63dd86dfe36..e62e44c18f6 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java
@@ -45,7 +45,11 @@ void setValueSupplier(ValueSupplier<T> valueSupplier) {
 
     @Override
     public void start(StartContext context) throws StartException {
-        value = checkNotNullParam("valueSupplier", valueSupplier).get();
+        try {
+            value = checkNotNullParam("valueSupplier", valueSupplier).get();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
         if (valueConsumer != null) {
             valueConsumer.accept(value);
         }
@@ -69,7 +73,7 @@ public T getValue() throws IllegalStateException, IllegalArgumentException {
     @FunctionalInterface
     interface ValueSupplier<T> {
 
-        T get() throws StartException;
+        T get() throws Exception;
 
         default void dispose() {}
 
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
index 5a1390105c3..84b39549042 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
@@ -732,5 +732,7 @@ public interface ElytronSubsystemMessages extends BasicLogger {
      *
      * If no suitable section is available add a new section.
      */
+    @Message(id = 1221, value = "Unable to load keystore capability service from trustManager")
+    OperationFailedException unableToLoadKeystoreCapabilityService();
 
 }
diff --git a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
index 36d6297c7e5..234221ca2a2 100644
--- a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
+++ b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
@@ -1386,6 +1386,8 @@ elytron.client-ssl-context.key-refresh=Refresh KeyManager used by SSLContext.
 elytron.client-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext.
 elytron.client-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext.
 elytron.client-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext.
+elytron.client-ssl-context.accept-ocsp-stapling=Indicates whether the client would accept OCSP stapled responses fom the model or not.
+elytron.client-ssl-context.ocsp-stapling-soft-fail=Determines client behaviour upon receiving an unknown OCSP-stapled response from the server.
 # Runtime Attributes
 elytron.client-ssl-context.active-session-count=The count of current active sessions.
 
@@ -1521,6 +1523,13 @@ elytron.server-ssl-context.ssl-session.peer-certificates.signature-algorithm=The
 elytron.server-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate.
 elytron.server-ssl-context.ssl-session.peer-certificates.version=The certificate version.
 
+elytron.server-ssl-context.ocsp-stapling=Support for OCSP Stapling for server ssl context.
+elytron.server-ssl-context.ocsp-stapling.response-timeout=Enables online certificate status protocol Stapling for the server SSL context.
+elytron.server-ssl-context.ocsp-stapling.cache-size=Controls the maximum cache size in entries.
+elytron.server-ssl-context.ocsp-stapling.cache-lifetime=Controls the maximum life of a cached response in seconds.
+elytron.server-ssl-context.ocsp-stapling.responder-uri=The responder to contact in case the certificate used by the server does not have the Authority Info Access (AIA) extension. This does not override the AIA extension value unless "responder-override" is set to true.
+elytron.server-ssl-context.ocsp-stapling.responder-override=Determines whether the Authority information from the AIA extension value would be overridden by the value of the `responderURI`.
+elytron.server-ssl-context.ocsp-stapling.ignore-extensions=determines whether the forwarding of OCSP extensions specified in the "status_request" or "status_request_v2" TLS extensions is disabled or not.
 # Operations
 elytron.server-ssl-context.ssl-session.invalidate=Invalidate the SSLSession (Note: This does not terminate current connections, only prevents future connections from joining or resuming this session).
 
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
index 10545bd6ff8..85406a0589f 100644
--- a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
+++ b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
@@ -5145,6 +5145,9 @@
                 Definitions of a single server side SSLContext.
             </xs:documentation>
         </xs:annotation>
+        <xs:all>
+            <xs:element name="ocsp-stapling" type="ocspStaplingType" minOccurs="0" maxOccurs="1"/>
+        </xs:all>
         <xs:attribute name="name" type="xs:string" use="required">
             <xs:annotation>
                 <xs:documentation>
@@ -5298,6 +5301,61 @@
         </xs:attribute>
     </xs:complexType>
 
+    <xs:complexType name="ocspStaplingType">
+        <xs:annotation>
+            <xs:documentation>
+                Enables online certificate status protocol Stapling for the server SSL context.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:attribute name="response-timeout" type="xs:int" use="optional" default="5000">
+            <xs:annotation>
+                <xs:documentation>
+                    Controls the maximum amount of time in millisecond the server will use to obtain OCSP responses,
+                    whether from the cache or by contacting an OCSP responder.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="cache-size" type="xs:int" use="optional" default="256">
+            <xs:annotation>
+                <xs:documentation>
+                    Controls the maximum cache size in entries.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="cache-lifetime" type="xs:int" use="optional" default="3600">
+            <xs:annotation>
+                <xs:documentation>
+                    Controls the maximum life of a cached response in seconds.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responder-uri" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The responder to contact in case the certificate used by the server does
+                    not have the Authority Info Access (AIA) extension. This does not override
+                    the AIA extension value unless "responder-override" is set to true.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responder-override" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    Determines whether the Authority information from the AIA extension
+                    value would be overridden by the value of the `responderURI`.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="ignore-extentions" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    determines whether the forwarding of OCSP extensions specified in the
+                    "status_request" or "status_request_v2" TLS extensions is disabled or not.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
     <xs:complexType name="clientSSLContextsType">
         <xs:annotation>
             <xs:documentation>
@@ -5372,6 +5430,20 @@
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="accept-ocsp-stapling" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    Indicates whether the client would accept OCSP stapled responses fom the model or not.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="ocsp-stapling-soft-fail" type="xs:boolean" use="optional" default="true">
+            <xs:annotation>
+                <xs:documentation>
+                    Indicates the behaviour of the client when the stapled status of the server's certificate is unknown.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:complexType name="keyStoresType">
@@ -6438,4 +6510,4 @@
         </xs:attribute>
     </xs:complexType>
 
-</xs:schema>
+</xs:schema>
\ No newline at end of file
diff --git a/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java b/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java
index f84d56bd908..5c4a26b7780 100644
--- a/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java
+++ b/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java
@@ -27,6 +27,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Calendar;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -59,6 +60,7 @@
 import org.jboss.as.controller.security.CredentialReference;
 import org.jboss.as.subsystem.test.AbstractSubsystemTest;
 import org.jboss.as.subsystem.test.KernelServices;
+import org.jboss.as.version.Stability;
 import org.jboss.dmr.ModelNode;
 import org.jboss.msc.service.ServiceController;
 import org.jboss.msc.service.ServiceName;
@@ -109,13 +111,15 @@ public class TlsTestCase extends AbstractSubsystemTest {
     private static final String NEGOTIATED_PROTOCOL = "negotiatedProtocol";
 
     private static final String INIT_TEST_FILE = "/trust-manager-reload-test.truststore";
+    private static final String INIT_TEST_SERVER_SSL_CONTEXT = "serverContext";
+    private static final String INIT_TEST_CLIENT_SSL_CONTEXT = "clientContext";
     private static final String INIT_TEST_TRUSTSTORE = "myTS";
     private static final String INIT_TEST_TRUSTMANAGER = "myTM";
     public static String disabledAlgorithms;
 
 
     public TlsTestCase() {
-        super(ElytronExtension.SUBSYSTEM_NAME, new ElytronExtension());
+        super(ElytronExtension.SUBSYSTEM_NAME, new ElytronExtension(), Stability.PREVIEW);
     }
 
     private KernelServices services = null;
@@ -328,7 +332,7 @@ public void prepare() throws Throwable {
         if (services != null) return;
         String subsystemXml;
         subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
-        services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
+        services = super.createKernelServicesBuilder(new TestEnvironment(Stability.PREVIEW)).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             if (services.getBootError() != null) {
                 Assert.fail(services.getBootError().toString());
@@ -644,6 +648,53 @@ public void testOcspSimple() {
         MatcherAssert.assertThat(trustManager, CoreMatchers.instanceOf(X509RevocationTrustManager.class));
     }
 
+    @Test
+    public void testOcspStaplingServerSimple() {
+        ModelNode operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(ElytronDescriptionConstants.SERVER_SSL_CONTEXT, INIT_TEST_SERVER_SSL_CONTEXT);
+        operation.get(ClientConstants.OP).set(ClientConstants.ADD);
+        operation.get(ElytronDescriptionConstants.KEY_MANAGER).set("ServerKeyManager");
+        operation.get(ElytronDescriptionConstants.PROVIDERS).set("ManagerProviderLoader");
+        Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING);
+        operation.get(ClientConstants.VALUE).set(Collections.emptySet());
+        Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.RESPONSE_TIMEOUT);
+        operation.get(ClientConstants.VALUE).set(2500);
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.CACHE_SIZE);
+        operation.get(ClientConstants.VALUE).set(512);
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.CACHE_LIFETIME);
+        operation.get(ClientConstants.VALUE).set(7200);
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.RESPONDER_URI);
+        operation.get(ClientConstants.VALUE).set("http://localhost:8080/ocsp");
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.RESPONDER_OVERRIDE);
+        operation.get(ClientConstants.VALUE).set(true);
+        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.IGNORE_EXTENSIONS);
+        operation.get(ClientConstants.VALUE).set(true);
+        Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+    }
+
+//    @Test
+    public void testOcspStaplingClientSimple() {
+        ModelNode operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(ElytronDescriptionConstants.CLIENT_SSL_CONTEXT, INIT_TEST_CLIENT_SSL_CONTEXT);
+        operation.get(ClientConstants.OP).set(ClientConstants.ADD);
+        operation.get(ElytronDescriptionConstants.TRUST_MANAGER).set("CaTrustManager");
+        operation.get(ElytronDescriptionConstants.PROVIDERS).set("ManagerProviderLoader");
+        operation.get(ElytronDescriptionConstants.ACCEPT_OCSP_STAPLING).set(true);
+        operation.get(ElytronDescriptionConstants.OCSP_STAPLING_SOFT_FAIL).set(true);
+        Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+    }
+
     private SSLContext getSslContext(String contextName) {
         return getSslContext(contextName, true);
     }
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml
new file mode 100644
index 00000000000..37eab49a1e5
--- /dev/null
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml
@@ -0,0 +1,404 @@
+<!--
+  ~ Copyright The WildFly Authors
+  ~ SPDX-License-Identifier: Apache-2.0
+  -->
+
+<!-- for needs of DomainTestCase -->
+<subsystem xmlns="urn:wildfly:elytron:preview:18.0" register-jaspi-factory="false" default-ssl-context="client">
+    <authentication-client>
+        <authentication-context name="myAC" />
+    </authentication-client>
+    <security-domains>
+        <security-domain name="MyDomain" default-realm="FileRealm" realm-mapper="MyRealmMapper" permission-mapper="MyPermissionMapper"
+                         pre-realm-principal-transformer="NameRewriterXY" post-realm-principal-transformer="NameRewriterYU" trusted-security-domains="AnotherDomain">
+            <realm name="FileRealm" role-decoder="MyRoleDecoder" role-mapper="MyRoleMapper"/>
+            <realm name="PropRealm" principal-transformer="NameRewriterRealmRemover"/>
+        </security-domain>
+        <security-domain name="X500Domain" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoder">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="X500DomainTwo" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoderTwo">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="X500DomainThree" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoderThree">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="X500DomainFour" default-realm="FileRealm" principal-decoder="MyX500PrincipalDecoderThree" evidence-decoder="aggregateEvidenceDecoder">
+            <realm name="FileRealm"/>
+        </security-domain>
+        <security-domain name="AnotherDomain" default-realm="PropRealm" permission-mapper="LoginPermissionMapper" trusted-security-domains="MyDomain">
+            <realm name="PropRealm"/>
+        </security-domain>
+        <security-domain name="AggregateRealm" default-realm="PropRealm" role-decoder="aggregateRoleDecoder">
+            <realm name="PropRealm"/>
+        </security-domain>
+        <security-domain name="TestDomain" default-realm="PropRealm" permission-mapper="LoginPermissionMapper" trusted-virtual-security-domains="VirtualDomain">
+            <realm name="PropRealm"/>
+        </security-domain>
+        <virtual-security-domain name="VirtualDomain" outflow-security-domains="MyDomain" outflow-anonymous="true" />
+        <virtual-security-domain name="AnotherVirtualDomain" outflow-security-domains="MyDomain" outflow-anonymous="true" auth-method="OIDC"/>
+    </security-domains>
+    <security-realms>
+        <aggregate-realm name="AggregateOne" authentication-realm="PropRealm" authorization-realm="FileRealm" />
+        <aggregate-realm name="AggregateTwo" authentication-realm="JdbcRealm" authorization-realms="AggregateOne FileRealm" />
+        <jdbc-realm name="NewJdbcScramSha384">
+            <principal-query sql="SELECT" data-source="ExampleDS">
+                <scram-mapper algorithm="scram-sha-384" password-index="1" salt-index="2" iteration-count-index="10000"/>
+            </principal-query>
+        </jdbc-realm>
+        <jdbc-realm name="NewJdbcScramSha512">
+            <principal-query sql="SELECT" data-source="ExampleDS">
+                <scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
+            </principal-query>
+        </jdbc-realm>
+        <jdbc-realm name="JdbcRealm">
+            <principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
+                <attribute-mapping>
+                    <attribute index="1" to="role"/>
+                </attribute-mapping>
+                <clear-password-mapper password-index="2"/>
+                <bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
+                <salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
+                <simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
+                <scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
+                <modular-crypt-mapper password-index="2"/>
+            </principal-query>
+        </jdbc-realm>
+        <properties-realm name="PropRealm">
+            <users-properties path="users-hashed.properties" relative-to="jboss.server.config.dir"/>
+        </properties-realm>
+        <properties-realm name="NonDomainRealm">
+            <users-properties path="users-hashed.properties" relative-to="jboss.server.config.dir"/>
+        </properties-realm>
+        <filesystem-realm name="FileRealm" levels="2" encoded="false">
+            <file path="filesystem-realm" relative-to="jboss.server.config.dir"/>
+        </filesystem-realm>
+        <distributed-realm name="DistributedRealm" realms="FileRealm PropRealm"/>
+        <failover-realm name="FailoverRealm" delegate-realm="JdbcRealm" failover-realm="PropRealm"/>
+    </security-realms>
+    <credential-security-factories>
+        <custom-credential-security-factory name="CustomFactory" module="a.b.c" class-name="org.wildfly.security.ElytronFactory">
+            <configuration>
+                <property name="a" value="b"/>
+                <property name="c" value="d"/>
+            </configuration>
+        </custom-credential-security-factory>
+
+        <kerberos-security-factory name="KerberosFactory"
+                                   principal="bob@Elytron.org"
+                                   path="bob.keytab"
+                                   relative-to="server.config.dir"
+                                   minimum-remaining-lifetime="10"
+                                   request-lifetime="120"
+                                   server="false"
+                                   obtain-kerberos-ticket="true"
+                                   debug="true"
+                                   wrap-gss-credential="true"
+                                   required="true"
+                                   mechanism-names="KRB5 KRB5LEGACY"
+                                   mechanism-oids="1.2.840.113554.1.2.2 1.3.6.1.5.5.2">
+            <option name="a" value="b"/>
+            <option name="c" value="d"/>
+        </kerberos-security-factory>
+        <kerberos-security-factory name="OptionLessKerberosFactory"
+                                   principal="bob@Elytron.org"
+                                   path="bob.keytab"
+                                   relative-to="server.config.dir"
+                                   minimum-remaining-lifetime="10"
+                                   request-lifetime="120"
+                                   server="false"
+                                   obtain-kerberos-ticket="true"
+                                   debug="true"
+                                   wrap-gss-credential="true"
+                                   mechanism-oids="1.2.840.113554.1.2.2 1.3.6.1.5.5.2"/>
+    </credential-security-factories>
+    <mappers>
+        <custom-permission-mapper class-name="org.wildfly.extension.elytron.DomainTestCase$MyPermissionMapper" name="MyPermissionMapper" module="a.b.c"/>
+        <custom-permission-mapper class-name="org.wildfly.extension.elytron.DomainTestCase$LoginPermissionMapper" name="LoginPermissionMapper" module="a.b.c"/>
+        <simple-permission-mapper name="SimplePermissionMapperLegacy" mapping-mode="and">
+            <permission-mapping>
+                <principal name="John"/>
+                <principal name="Joe"/>
+                <role name="User"/>
+                <role name="Administrator"/>
+                <permission class-name="a.b.MyPermission"/>
+                <permission class-name="a.b.MyOtherPermission" target-name="../c" action="delete"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="John Doe"/>
+                <permission class-name="a.b.JohnPermission"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="User"/>
+                <permission class-name="a.b.UserPermission"/>
+            </permission-mapping>
+            <permission-mapping match-all="true"/>
+        </simple-permission-mapper>
+        <simple-permission-mapper name="SimplePermissionMapper" mapping-mode="and">
+            <permission-mapping>
+                <principal name="John"/>
+                <principal name="Joe"/>
+                <role name="User"/>
+                <role name="Administrator"/>
+                <permission class-name="a.b.MyPermission" />
+                <permission-set name="my-permissions"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="John Doe"/>
+                <permission-set name="john-permissions"/>
+            </permission-mapping>
+            <permission-mapping>
+                <principal name="User"/>
+                <permission-set name="user-permissions"/>
+            </permission-mapping>
+            <permission-mapping match-all="true"/>
+        </simple-permission-mapper>
+        <constant-permission-mapper name="ConstantPermissionMapperLegacy">
+            <permission class-name="a.b.UserPermission"/>
+        </constant-permission-mapper>
+        <constant-permission-mapper name="ConstantPermissionMapper">
+            <permission-set name="user-permissions"/>
+        </constant-permission-mapper>
+        <concatenating-principal-decoder joiner="@" name="MyX500PrincipalDecoderThree">
+            <principal-decoder name="MyCnDecoder"/>
+            <principal-decoder name="MyDcDecoder"/>
+        </concatenating-principal-decoder>
+        <x500-attribute-principal-decoder joiner="," maximum-segments="6" name="MyX500PrincipalDecoder" oid="2.5.4.3"/>
+        <x500-attribute-principal-decoder joiner="," maximum-segments="1" name="MyX500PrincipalDecoderTwo" oid="2.5.4.3" required-oids="2.5.4.3 2.5.4.11"
+                                          required-attributes="cN" reverse="true"
+                                          start-segment="2"/>
+        <x500-attribute-principal-decoder maximum-segments="1" name="MyCnDecoder" attribute-name="Cn" start-segment="1"/>
+        <x500-attribute-principal-decoder name="MyDcDecoder" oid="0.9.2342.19200300.100.1.25"/>
+        <regex-principal-transformer name="NameRewriterXY" pattern="x(.*)" replacement="y$1"/>
+        <regex-principal-transformer name="NameRewriterYU" pattern="y(.*)" replacement="u$1"/>
+        <regex-principal-transformer name="NameRewriterRealmRemover" pattern="(.*)@.*" replacement="$1"/>
+        <simple-regex-realm-mapper name="MyRealmMapper" pattern=".*@(.*)"/>
+        <simple-role-decoder attribute="roles" name="MyRoleDecoder"/>
+        <add-prefix-role-mapper name="RolePrefixer" prefix="prefix"/>
+        <add-suffix-role-mapper name="RoleSuffixer" suffix="suffix"/>
+        <aggregate-role-mapper name="MyRoleMapper">
+            <role-mapper name="RolePrefixer"/>
+            <role-mapper name="RoleSuffixer"/>
+        </aggregate-role-mapper>
+        <mapped-role-mapper name="MappedRoleMapper" keep-mapped="false" keep-non-mapped="true">
+            <role-mapping from="Admin" to="Administrator"/>
+            <role-mapping from="foo" to="bar baz"/>
+        </mapped-role-mapper>
+        <x500-subject-evidence-decoder name="subjectDecoder" />
+        <x509-subject-alt-name-evidence-decoder name="rfc822Decoder" alt-name-type="rfc822Name" segment="1" />
+        <custom-evidence-decoder name="customEvidenceDecoder" class-name="org.wildfly.elytron.CustomEvidenceDecoder" module="l.m" />
+        <aggregate-evidence-decoder name="aggregateEvidenceDecoder">
+            <evidence-decoder name="rfc822Decoder"/>
+            <evidence-decoder name="subjectDecoder"/>
+        </aggregate-evidence-decoder>
+        <source-address-role-decoder name="ipRoleDecoder" source-address="10.12.14.16" roles="admin user"/>
+        <source-address-role-decoder name="regexRoleDecoder" pattern="10\.12\.14\.\d+$" roles="employee"/>
+        <aggregate-role-decoder name="aggregateRoleDecoder">
+            <role-decoder name="ipRoleDecoder"/>
+            <role-decoder name="regexRoleDecoder"/>
+        </aggregate-role-decoder>
+    </mappers>
+    <permission-sets>
+        <permission-set name="my-permissions">
+            <permission class-name="a.b.MyPermission" />
+            <permission class-name="a.b.MyOtherPermission" target-name="../c" action="delete" />
+        </permission-set>
+        <permission-set name="john-permissions">
+            <permission class-name="a.b.JohnPermission" />
+        </permission-set>
+        <permission-set name="user-permissions">
+            <permission class-name="a.b.UserPermission" />
+        </permission-set>
+    </permission-sets>
+    <sasl>
+        <sasl-authentication-factory name="SaslAuthenticationDefinition" security-domain="MyDomain" sasl-server-factory="ConfigurableSaslServerFactory">
+            <mechanism-configuration>
+                <mechanism mechanism-name="PLAIN" pre-realm-principal-transformer="PreRealmNameRewriter" post-realm-principal-transformer="PostRealmNameRewriter"
+                           final-principal-transformer="FinalNameRewriter" realm-mapper="RegexMapper">
+                    <mechanism-realm realm-name="Test Realm" pre-realm-principal-transformer="PreRealmNameRewriter_II"
+                                     post-realm-principal-transformer="PostRealmNameRewriter_II" final-principal-transformer="FinalNameRewriter_II"
+                                     realm-mapper="RegexMapper_II"/>
+                </mechanism>
+            </mechanism-configuration>
+        </sasl-authentication-factory>
+        <sasl-authentication-factory name="KerberosHttpMgmtSaslTestCase" sasl-server-factory="KerberosHttpMgmtSaslTestCase"
+                                     security-domain="KerberosHttpMgmtSaslTestCase">
+            <mechanism-configuration>
+                <mechanism mechanism-name="GSSAPI" credential-security-factory="KerberosHttpMgmtSaslTestCase">
+                    <mechanism-realm realm-name="KerberosHttpMgmtSaslTestCase" />
+                </mechanism>
+                <mechanism mechanism-name="GS2-KRB5" credential-security-factory="KerberosHttpMgmtSaslTestCase">
+                    <mechanism-realm realm-name="KerberosHttpMgmtSaslTestCase" />
+                </mechanism>
+                <mechanism mechanism-name="GS2-KRB5-PLUS" credential-security-factory="KerberosHttpMgmtSaslTestCase">
+                    <mechanism-realm realm-name="KerberosHttpMgmtSaslTestCase" />
+                </mechanism>
+            </mechanism-configuration>
+        </sasl-authentication-factory>
+        <aggregate-sasl-server-factory name="AggregateSaslFactory">
+            <sasl-server-factory name="ProviderSaslFactory"/>
+            <sasl-server-factory name="ServiceSaslFactory"/>
+        </aggregate-sasl-server-factory>
+        <configurable-sasl-server-factory name="ConfigurableSaslServerFactory" server-name="server" protocol="test-protocol" sasl-server-factory="MechFiltering">
+            <properties>
+                <property name="a" value="b"/>
+                <property name="c" value="d"/>
+            </properties>
+            <filters>
+                <filter enabling="false" pattern="x"/>
+                <filter enabling="false" predefined="HASH_MD5"/>
+            </filters>
+        </configurable-sasl-server-factory>
+        <mechanism-provider-filtering-sasl-server-factory name="MechFiltering" sasl-server-factory="AggregateSaslFactory" enabling="false">
+            <filters>
+                <filter mechanism-name="Digest" provider-name="Sun" provider-version="1.5" version-comparison="greater-than"/>
+                <filter mechanism-name="Scram" provider-name="Sun" provider-version="1.5" version-comparison="greater-than"/>
+            </filters>
+        </mechanism-provider-filtering-sasl-server-factory>
+        <provider-sasl-server-factory name="ProviderSaslFactory" providers="TestProviderLoader"/>
+        <service-loader-sasl-server-factory name="ServiceSaslFactory" module="a.b.c"/>
+    </sasl>
+    <tls>
+        <key-stores>
+            <key-store name="PKCS_11">
+                <credential-reference clear-text="password"/>
+                <implementation type="PKCS#11" provider-name="SunPKCS#11"/>
+            </key-store>
+            <key-store name="jks_store" alias-filter="one,two,three">
+                <credential-reference clear-text="password"/>
+                <implementation type="jks"/>
+                <file relative-to="jboss.server.config.dir" path="keystore.jks" required="true"/>
+            </key-store>
+            <key-store name="jceks_store">
+                <credential-reference clear-text="password"/>
+                <implementation type="jceks"/>
+                <file relative-to="jboss.server.config.dir" path="keystore.jceks"/>
+            </key-store>
+            <key-store name="Custom_PKCS_11">
+                <credential-reference clear-text="password"/>
+                <implementation type="PKCS#11" provider-name="SunPKCS#11" providers="custom-loader"/>
+            </key-store>
+            <key-store name="accounts.keystore">
+                <credential-reference clear-text="elytron"/>
+                <implementation type="JKS"/>
+                <file path="accounts.keystore.jks" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <key-store name="test.keystore">
+                <credential-reference clear-text="elytron"/>
+                <implementation type="PKCS12"/>
+                <file path="test.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <filtering-key-store name="FilteringKeyStore" key-store="Custom_PKCS_11" alias-filter="NONE:+firefly"/>
+        </key-stores>
+        <key-managers>
+            <key-manager name="serverKey" algorithm="SunX509" key-store="jks_store">
+                <credential-reference clear-text="password"/>
+            </key-manager>
+            <key-manager name="serverKey2" algorithm="SunX509" key-store="jks_store" providers="custom-loader" provider-name="first">
+                <credential-reference store="credstore1" alias="password-alias" type="PasswordCredential"/>
+            </key-manager>
+            <key-manager name="clientKey" algorithm="SunX509" key-store="jks_store">
+                <credential-reference store="credstore1" alias="password-alias" type="PasswordCredential"/>
+            </key-manager>
+            <key-manager name="LazyKeyManager" key-store="test.keystore" generate-self-signed-certificate-host="localhost">
+                <credential-reference clear-text="elytron"/>
+            </key-manager>
+        </key-managers>
+        <trust-managers>
+            <trust-manager name="serverTrust" algorithm="SunX509" key-store="jks_store"/>
+            <trust-manager name="serverTrust2" algorithm="SunX509" key-store="jks_store" providers="custom-loader" provider-name="first"/>
+            <trust-manager name="trust-with-crl" algorithm="SunX509" key-store="jks_store">
+                <certificate-revocation-list path="crl.pem" relative-to="jboss.server.config.dir" maximum-cert-path="2"/>
+            </trust-manager>
+            <trust-manager name="trust-with-crl-dp" algorithm="SunX509" key-store="jks_store">
+                <certificate-revocation-list/>
+            </trust-manager>
+            <trust-manager name="trust-with-ocsp" algorithm="PKIX" key-store="jks_store">
+                <ocsp responder="http://localhost/ocsp" responder-keystore="jceks_store" responder-certificate="responder-alias"/>
+            </trust-manager>
+        </trust-managers>
+        <server-ssl-contexts>
+            <server-ssl-context name="server" protocols="TLSv1.2" want-client-auth="true" need-client-auth="true" authentication-optional="true"
+                                use-cipher-suites-order="false" maximum-session-cache-size="10"
+                                session-timeout="120" wrap="false" key-manager="serverKey" trust-manager="serverTrust" pre-realm-principal-transformer="a"
+                                post-realm-principal-transformer="b" final-principal-transformer="c" realm-mapper="d" providers="custom-loader" provider-name="first"/>
+            <server-ssl-context name="server2" protocols="TLSv1.2" want-client-auth="true" need-client-auth="true" authentication-optional="true"
+                                use-cipher-suites-order="false" maximum-session-cache-size="10"
+                                session-timeout="120" wrap="false" key-manager="serverKey" trust-manager="serverTrust" pre-realm-principal-transformer="a"
+                                post-realm-principal-transformer="b" final-principal-transformer="c" realm-mapper="d" providers="custom-loader" provider-name="first"/>
+        </server-ssl-contexts>
+        <client-ssl-contexts>
+            <client-ssl-context name="client" protocols="TLSv1.3 TLSv1.2" key-manager="clientKey" trust-manager="serverTrust" providers="custom-loader"
+                                provider-name="first"/>
+            <client-ssl-context name="client-with-ocsp-stapling" protocols="TLSv1.3 TLSv1.2" key-manager="clientKey" trust-manager="serverTrust" providers="custom-loader"
+                                provider-name="first" accept-ocsp-stapling="true" ocsp-stapling-soft-fail="true"/>
+        </client-ssl-contexts>
+        <certificate-authorities>
+            <certificate-authority name="testCA" url="https://www.test.com"/>
+        </certificate-authorities>
+        <certificate-authority-accounts>
+            <certificate-authority-account name="MyCA" certificate-authority="LetsEncrypt">
+                <account-key key-store="accounts.keystore" alias="server">
+                    <credential-reference clear-text="elytron"/>
+                </account-key>
+            </certificate-authority-account>
+            <certificate-authority-account name="MyCA2" certificate-authority="testCA">
+                <account-key key-store="accounts.keystore" alias="server">
+                    <credential-reference clear-text="elytron"/>
+                </account-key>
+            </certificate-authority-account>
+        </certificate-authority-accounts>
+        <server-ssl-sni-contexts>
+            <server-ssl-sni-context name="sni" default-ssl-context="server">
+                <sni-mapping host="server" ssl-context="server" />
+                <sni-mapping host=".*\.server" ssl-context="server2" />
+            </server-ssl-sni-context>
+        </server-ssl-sni-contexts>
+        <dynamic-client-ssl-contexts>
+            <dynamic-client-ssl-context name="dynamicClientSSLContext" authentication-context="myAC"/>
+        </dynamic-client-ssl-contexts>
+    </tls>
+    <credential-stores>
+        <credential-store name="test1" relative-to="jboss.server.data.dir" location="test1.store" create="true">
+            <implementation-properties>
+                <property name="keyStoreType" value="JCEKS"/>
+                <property name="keyAlias" value="adminKey"/>
+            </implementation-properties>
+            <credential-reference clear-text="secret2"/>
+        </credential-store>
+        <credential-store name="test2" relative-to="jboss.server.data.dir" modifiable="true">
+            <credential-reference store="test1" alias="to_open_test2"/>
+        </credential-store>
+        <credential-store name="test4" relative-to="jboss.server.data.dir" path="test1.store" create="true">
+            <credential-reference clear-text="secret2"/>
+        </credential-store>
+        <secret-key-credential-store name="test3" relative-to="jboss.server.data.dir" path="test3.cs" create="false" populate="false" key-size="192" default-alias="test3" />
+    </credential-stores>
+    <expression-resolver default-resolver="A" prefix="G">
+        <resolver name="A" credential-store="test1" secret-key="C"/>
+        <resolver name="D" credential-store="test2" secret-key="F"/>
+    </expression-resolver>
+    <jaspi>
+        <jaspi-configuration name="test" layer="HttpServlet" application-context="default /test" description="Test Definition">
+            <server-auth-modules>
+                <server-auth-module class-name="org.wildfly.Test" module="org.test" flag="REQUISITE">
+                    <options>
+                        <property name="a" value="b"/>
+                        <property name="c" value="d"/>
+                    </options>
+                </server-auth-module>
+                <server-auth-module class-name="org.wildfly.Test2" module="org.test2" flag="SUFFICIENT">
+                    <options>
+                        <property name="e" value="f"/>
+                        <property name="g" value="h"/>
+                    </options>
+                </server-auth-module>
+            </server-auth-modules>
+        </jaspi-configuration>
+        <jaspi-configuration name="minimal">
+            <server-auth-modules>
+                <server-auth-module class-name="org.wildfly.Test3" />
+            </server-auth-modules>
+        </jaspi-configuration>
+    </jaspi>
+</subsystem>
\ No newline at end of file