WildFly on AWS User Guide
Overview
This image runs WildFly 40, the open source Jakarta EE 11 application server and the upstream community project behind JBoss Enterprise Application Platform, on Ubuntu 26.04 LTS. WildFly is installed under /opt/wildfly on a dedicated, independently resizable EBS data volume and is run by an unprivileged wildfly system account under a systemd service that starts the server on boot and restarts it on failure. The server runs the standalone-full profile, so the web, Enterprise Bean, messaging (JMS), persistence (JPA) and web service subsystems are all available.
The application HTTP listener binds to 0.0.0.0:8080, and nginx is installed as a reverse proxy on port 80 that forwards every request to WildFly. Visitors reach the application on the standard HTTP port without specifying a non-standard port number.
The WildFly Management Console binds to the loopback address on port 9990 by design and is not exposed to the internet. You reach it from your workstation over an SSH tunnel, which arrives at the instance as a loopback connection. The application welcome page on port 80 needs no tunnel.
A ManagementRealm administrator named admin and an ApplicationRealm user named appuser are seeded at image build time with placeholder passwords. On the first boot of every deployed instance a one-shot service rotates both passwords to fresh per-instance secrets and writes them to /root/wildfly-credentials.txt (mode 0600, readable only by root). Two instances launched from the same AMI never share a password.
The default security group for this listing opens port 22 (SSH) and port 80 (HTTP) only.
Prerequisites
- An AWS account subscribed to this product in AWS Marketplace.
- An EC2 key pair in your target region for SSH access.
- A security group allowing inbound TCP 22 (SSH) from your IP and TCP 80 (HTTP) from your users. The management console is reached over SSH and does not need an open port.
- Recommended instance type: m5.large or larger (WildFly is a Java application server and benefits from at least 8 GB RAM for production workloads).
Step 1 — Launch from the AWS Marketplace console
- Open the product page in AWS Marketplace and choose Continue to Subscribe, then Continue to Configuration.
- Select the WildFly 40 on Ubuntu 26.04 delivery option and your region, then Continue to Launch.
- Choose your instance type, VPC/subnet, key pair and the security group described above, and launch.
Step 2 — Launch from the AWS CLI
Replace the AMI ID with the one shown on the product's launch page for your region, and use your own key pair and security group.
aws ec2 run-instances \
--image-id ami-xxxxxxxxxxxxxxxxx \
--instance-type m5.large \
--key-name your-key-pair \
--security-group-ids sg-xxxxxxxx \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=wildfly}]'
Step 3 — Connect to your instance
SSH in as the default login user for your AMI variant.
| AMI variant | SSH login user |
|---|---|
| WildFly 40 on Ubuntu 26.04 | ubuntu |
ssh -i /path/to/your-key.pem ubuntu@<instance-public-ip>
Step 4 — Confirm the services are running
WildFly and nginx are managed by systemd. Confirm both are active:
systemctl is-active wildfly nginx
active
active
Confirm the listeners — nginx on port 80, WildFly's application port on 8080, and the management port bound to loopback only:
sudo ss -tlnp | grep -E ':80 |:8080 |:9990 ' | awk '{print $1, $4}'
LISTEN 0.0.0.0:8080
LISTEN 0.0.0.0:80
LISTEN 127.0.0.1:9990
LISTEN [::]:80
The management port is 127.0.0.1:9990 — reachable only from the instance itself.
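An added example, not part of the original guide: a shell check that rates each listener from ss -tln against the layout above, failing if port 9990 is bound beyond loopback and warning on listeners such as 0.0.0.0:8080 that only the security group keeps off the network. The function names, the PUBLIC_PORTS list and the sample ss output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify listeners from `ss -tln` output against the layout
# this guide documents. Function names and sample data are constructed here.

PUBLIC_PORTS="22 80"   # ports the listing's default security group opens
MGMT_PORT=9990         # management interface, expected on loopback only

# Reads `ss -tln` lines on stdin and prints one verdict per listener:
#   FAIL  management port bound beyond loopback
#   WARN  non-loopback listener that only the security group keeps private
#   OK    loopback listener, or a port that is meant to be public
audit_listeners() {
  awk -v public="$PUBLIC_PORTS" -v mgmt="$MGMT_PORT" '
    BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) pub[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4
      port = addr; sub(/.*:/, "", port)       # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
      loop = (host ~ /^127\./ || host == "[::1]")
      if (port == mgmt && !loop) verdict = "FAIL"
      else if (!loop && !(port in pub)) verdict = "WARN"
      else verdict = "OK"
      print verdict, addr
    }'
}

# Exit status 0 when no listener is rated FAIL, 1 otherwise.
mgmt_is_loopback_only() {
  ! audit_listeners | grep -q '^FAIL '
}

# Constructed sample matching the listing shown in Step 4.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      50         127.0.0.1:9990      0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
EOF
}

sample_ss_output | audit_listeners   # on the instance: sudo ss -tln | audit_listeners
```

After enabling HTTPS, add 443 to PUBLIC_PORTS so the TLS listener is rated OK.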
Step 5 — Retrieve your per-instance credentials
The first-boot service writes a fresh administrator and application password to a root-only file:
sudo cat /root/wildfly-credentials.txt
# WildFly 40 — generated on first boot by wildfly-firstboot.service
# These credentials are unique to this VM. Store them somewhere safe.
WILDFLY_URL=http://172.31.83.236/
WILDFLY_CONSOLE_URL=http://127.0.0.1:9990/console
WILDFLY_ADMIN_USER=admin
WILDFLY_ADMIN_PASSWORD=<redacted>
WILDFLY_APP_USER=appuser
WILDFLY_APP_PASSWORD=<redacted>
The admin user signs in to the Management Console (ManagementRealm). The appuser user is an ApplicationRealm identity you can use to secure your own deployed applications.
Step 6 — Open the application
The WildFly welcome page is served by nginx on port 80. From your workstation, browse to:
http://<instance-public-ip>/
You can confirm it returns HTTP 200 from the instance itself:
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://127.0.0.1/
HTTP 200

Step 7 — Reach the Management Console over an SSH tunnel
The Management Console binds to loopback only, so open an SSH tunnel from your workstation that forwards your local port 9990 to the instance's loopback:
ssh -L 9990:127.0.0.1:9990 ubuntu@<instance-public-ip>
Leave that session open and browse to http://127.0.0.1:9990/console on your workstation. Sign in as admin with the password from /root/wildfly-credentials.txt.

The Runtime tab shows the running server, JVM metrics and log files.

You can verify the running version and state through the management API without the console. This reads the per-instance admin password from the credentials file:
PASS=$(sudo grep '^WILDFLY_ADMIN_PASSWORD=' /root/wildfly-credentials.txt | cut -d= -f2-)
curl -s --digest -u "admin:${PASS}" -H 'Content-Type: application/json' \
-d '{"operation":"read-attribute","name":"product-version","address":[]}' \
http://127.0.0.1:9990/management
{"outcome" : "success", "result" : "40.0.0.Final"}
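An added example, not part of the original guide: the same management API request with the password handed to curl through a config read from standard input (-K -), so it never appears in a process argument list, after first checking that the credentials file is still owner-only. The function names are assumptions made for this example; the file format is the one shown in Step 5.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): build a curl config for the
# management API so the admin password is never placed on a command line.
# Function names are hypothetical; the file format is the one shown in Step 5.

# Succeeds only if FILE grants no permissions to group or other (e.g. 0600).
creds_file_is_private() {
  [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the value of KEY from a KEY=VALUE credentials file.
# The file is parsed as text and never sourced, so it cannot run code.
creds_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Emits curl config lines on stdout; refuses a credentials file that is
# accessible to anyone but its owner.
mgmt_curl_config() {
  creds_file_is_private "$1" || { echo "refusing: $1 is not owner-only" >&2; return 1; }
  user=$(creds_value "$1" WILDFLY_ADMIN_USER)
  # Escape backslashes and double quotes for curl's quoted config syntax.
  pass=$(creds_value "$1" WILDFLY_ADMIN_PASSWORD | sed 's/[\\"]/\\&/g')
  [ -n "$user" ] && [ -n "$pass" ] || return 1
  printf 'digest\nuser = "%s:%s"\n' "$user" "$pass"
}

# In a root shell on the instance, the request from Step 7 becomes:
#   mgmt_curl_config /root/wildfly-credentials.txt | curl -s -K - \
#     -H 'Content-Type: application/json' \
#     -d '{"operation":"read-attribute","name":"product-version","address":[]}' \
#     http://127.0.0.1:9990/management
```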
Step 8 — Deploy a Jakarta EE application
There are three ways to deploy a WAR or EAR.
a. Drop it into the deployments directory. Copy your archive to the WildFly deployments folder; the deployment scanner picks it up automatically:
scp -i /path/to/your-key.pem myapp.war ubuntu@<instance-public-ip>:/tmp/
ssh -i /path/to/your-key.pem ubuntu@<instance-public-ip> \
'sudo install -o wildfly -g wildfly /tmp/myapp.war /opt/wildfly/standalone/deployments/'
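b. Use the management CLI. WildFly ships jboss-cli.sh. Connect to the loopback management interface and deploy from it. The command below confirms that the CLI can connect and authenticate by reading the server state: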
PASS=$(sudo grep '^WILDFLY_ADMIN_PASSWORD=' /root/wildfly-credentials.txt | cut -d= -f2-)
sudo -u wildfly /opt/wildfly/bin/jboss-cli.sh --connect \
--controller=127.0.0.1:9990 --user=admin --password="${PASS}" \
--command=":read-attribute(name=server-state)"
{
"outcome" => "success",
"result" => "running"
}
c. Use the Management Console. Open the Deployments tab over the SSH tunnel and use Add → Upload a new deployment.
Step 9 — Confirm the Java runtime
WildFly 40 runs on OpenJDK 21:
java -version
openjdk version "21.0.11" 2026-04-21
OpenJDK Runtime Environment (build 21.0.11+10-1-26.04.2-Ubuntu)
OpenJDK 64-Bit Server VM (build 21.0.11+10-1-26.04.2-Ubuntu, mixed mode, sharing)
Enabling HTTPS
The image fronts WildFly with nginx on port 80, which is the natural place to terminate TLS. Install a certificate with Let's Encrypt and let certbot configure nginx:
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.example.com
certbot adds a TLS server block on port 443 and a redirect from port 80, and renews the certificate automatically. Open port 443 in your security group.
Backup and maintenance
- Deployments and configuration live under /opt/wildfly on a dedicated EBS volume. Take EBS snapshots of that volume to back up your applications and server configuration.
- Restart the server with sudo systemctl restart wildfly. Restart the proxy with sudo systemctl restart nginx.
- Server logs are under /opt/wildfly/standalone/log/ (and in the journal: sudo journalctl -u wildfly).
- OS updates: apply with sudo apt-get update && sudo apt-get upgrade and reboot during a maintenance window.
Support
This image is backed by 24/7 cloudimg support, covering WildFly deployment, Jakarta EE application hosting, datasource and messaging configuration, clustering, TLS and JVM tuning. Contact support through the channel listed on the product's AWS Marketplace page.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.