Configure WildFly to use HTTPS

I am using WildFly25, and have it running with default settings.

Server console

WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3938ms - Started 308 of 547 services (338 services are lazy, passive or on-demand)
Http management interface listening on http://127.0.0.1:9990/management
Admin console listening on http://127.0.0.1:9990

I want to update the config, so it runs using SSL/TLS on https.

So I follow the WildFly documentation to configure it using the WildFly CLI (advise is to use the CLI and not to edit the XML manually because there is less chance for errors).

Configuration

Connect via the CLI:

/home/jboss/wildfly/wildfly-25.0.0.Final/bin ./jboss-cli.sh
connect

I have a keystore (mykeystore.jks). So then I add the keystore to the WildFly config:

/subsystem=elytron/key-store=httpsKS:add(path=/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks,credential-reference={clear-text=password},type=JKS)

/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=password})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])

When I check the security-realm:

/subsystem=undertow/server=default-server/https-listener=https:read-attribute(name=security-realm)
{
    "outcome" => "success",
    "result" => undefined
}

This is visible in standalone.xml:

        <tls>
            <key-stores>
                <key-store name="applicationKS">
                    <credential-reference clear-text="password"/>
                    <implementation type="JKS"/>
                    <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                </key-store>
                <key-store name="httpsKS">
                    <credential-reference clear-text="password"/>
                    <implementation type="JKS"/>
                    <file path="/home/jboss/wildfly/wildfly-25.0.0.Final/standalone/configuration/mykeystore.jks"/>
                </key-store>
            </key-stores>
            <key-managers>
                <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                    <credential-reference clear-text="password"/>
                </key-manager>
                <key-manager name="httpsKM" key-store="httpsKS">
                    <credential-reference clear-text="password"/>
                </key-manager>
            </key-managers>
            <server-ssl-contexts>
                <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>
            </server-ssl-contexts>
        </tls>

But I don't see any <security-realm> in the xml:

        <security-realms>
            <identity-realm name="local" identity="$local"/>
            <properties-realm name="ApplicationRealm">
                <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
                <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
            </properties-realm>
            <properties-realm name="ManagementRealm">
                <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
                <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
            </properties-realm>
        </security-realms>

As the security-realm is undefined (before and after any changes), I run the following (from the WildFly documentation), but it has no affect. (this looks like it sets the security-realm to undefined so it should not have any affect to an already undefined security-realm).

batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
run-batch

reload

Question

What am I missing? After following the WildFly documentation, I would expect to have the following (i.e. the server listening for the management console on https and port 9993):

Server console

WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3938ms - Started 308 of 547 services (338 services are lazy, passive or on-demand)
Http management interface listening on https://127.0.0.1:9993/management
Admin console listening on https://127.0.0.1:9993

More info

[standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
{
    "outcome" => "failed",
    "failure-description" => "WFLYSRV0259: If attribute secure-socket-binding is defined ssl-context must also be defined",
    "rolled-back" => true
}

When I ran this it started to work:

/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=httpsSSC)
reload
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
reload

console output:

09:25:59,234 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0062: Http management interface listening on http://127.0.0.1:9990/management and https://127.0.0.1:9993/management
09:25:59,234 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0053: Admin console listening on http://127.0.0.1:9990 and https://127.0.0.1:9993