10.10. Using 2-way SSL for the Management interface and the CLI

In this topic the following conventions are used:

The JBoss server hostname. For example; jboss.redhat.com
A suitable name for the client. For example: myclient. Note this is not necessarily an actual hostname.
The DN (distinguished name) to use for the HOST1 certificate. For example cn=jboss,dc=redhat,dc=com.
The DN (distinguished name) to use for the HOST2 certificate. For example cn=myclient,dc=redhat,dc=com.

Procedure 10.4. 

  1. Generate the stores:
    keytool -genkeypair -alias HOST1_alias -keyalg RSA -keysize 1024 -validity 365 -keystore host1.keystore.jks -dname "CA_HOST1" -keypass secret -storepass secret
    keytool -genkeypair -alias HOST2_alias -keyalg RSA -keysize 1024 -validity 365 -keystore host2.keystore.jks -dname "CA_HOST2" -keypass secret -storepass secret
  2. Export the certificates:
    keytool -exportcert  -keystore HOST1.keystore.jks -alias HOST1_alias -keypass secret -storepass secret -file HOST1.cer
    keytool -exportcert  -keystore HOST2.keystore.jks -alias HOST2_alias -keypass secret -storepass secret -file HOST2.cer
  3. Import the certificates into the opposing trust stores:
    keytool -importcert -keystore HOST1.truststore.jks -storepass secret -alias HOST2_alias -trustcacerts -file HOST2.cer
    keytool -importcert -keystore HOST2.truststore.jks -storepass secret -alias HOST1_alias -trustcacerts -file HOST1.cer
  4. Define a CertificateRealm in the configuration for your installation (host.xml or standalone.xml) and point the interface to it:
    This can be done by manually editing the configuration file (not recommended) or by using the following commands:
    /core-service=management/security-realm=CertificateRealm:add/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks,keystore-password=secret, alias=HOST1_alias)
  5. Edit the JBOSS_HOME/bin/jboss-cli.xml and add the SSL configuration (using the appropriate values for the variables):