Chapter 3. Securing the Jetty HTTP Server

Abstract

You can configure the built-in Jetty HTTP server to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file. In particular, you can add SSL/TLS security to the Fuse Management Console in this way.

Jetty server

The JBoss Fuse container is pre-configured with a Jetty server, which acts as a general-purpose HTTP server and HTTP servlet container. Through a single HTTP port (by default, http://Host:8181), the Jetty container can host multiple services, for example:
  • Fuse Management Console (by default, http://Host:8181/hawtio)
  • Apache CXF Web services endpoints (if the host and port are left unspecified in the endpoint configuration)
  • Some Apache Camel endpoints
If you use the default Jetty server for all of your HTTP endpoints, you can conveniently add SSL/TLS security to these HTTP endpoints by following the steps described here.

Create X.509 certificate and private key

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.

Enabling SSL/TLS

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false; and enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true. The etc/org.ops4j.pax.web.cfg file should now have the following contents:
    # Configures the SMX Web Console to use SSL
    org.ops4j.pax.web.config.file=etc/jetty.xml
    
    org.osgi.service.http.enabled=false
    org.osgi.service.http.port=8181
    
    org.osgi.service.http.secure.enabled=true
  3. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty:
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
    DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
    
    <Configure class="org.eclipse.jetty.server.Server">
    
        <!-- ============================= -->
        <!-- Set connectors                -->
        <!-- ============================= -->
        <!-- One of each type!             -->
        <!-- ============================= -->
        ...
        <Call name="addConnector">
            <Arg>
                <!-- The SslSelectChannelConnector class uses the Java NIO SslEngine -->
                <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                    <Arg>
                        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                            <!-- Protect against the POODLE security vulnerability -->
                            <Set name="ExcludeProtocols">
                                <Array type="java.lang.String">
                                    <Item>SSLv3</Item>
                                </Array>
                            </Set>
                            <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
                            <Set name="keyStorePassword">mykeystorepass</Set>
                            <Set name="keyManagerPassword">mykeypass</Set>
                        </New>
                    </Arg>
                    <Set name="port">8183</Set>
                    <Set name="maxIdleTime">30000</Set>
                </New>
            </Arg>
        </Call>
        <Call name="addConnector">
            ...
        </Call>
    
        <Call name="addBean">
            ...
        </Call>
    </Configure>
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  4. (Optional) If you prefer, you can use a system property to help you specify the location of the Java keystore file. For example, instead of setting the keyStore property explicitly (in the preceding etc/jetty.xml configuration):
    <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
    You could use the karaf.home system property to specify the location of the keystore file relative to the JBoss Fuse install directory:
    <Set name="keyStore">
        <SystemProperty name="karaf.home"/>/etc/jetty.ks
    </Set>
  5. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    port
    The secure HTTPS port number.
    keyStore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    keyStorePassword
    The store password that unlocks the Java keystore file.
    keyManagerPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).
  6. Restart the JBoss Fuse container, in order for the configuration changes to take effect.

Connect to the secure console

After configuring SSL security for the Jetty server in the Pax Web configuration file, you should be able to open the Fuse Management Console by browsing to the following URL:
https://localhost:8183/
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be presented with the login screen for the Fuse Management Console.

Advanced Jetty security configuration

The Jetty server provides flexible and sophisticated options for configuring security. You can exploit these advanced options by editing the etc/jetty.xml file and configuring it as described in the Jetty security documentation: