5.7. Configure the Management Console for HTTPS
Configuring the JBoss EAP management console for communication only via HTTPS provides increased security. All network traffic between the client (web browser) and management console is encrypted, which reduces the risk of security attacks such as a man-in-the-middle attack. Anyone administering a JBoss EAP instance has greater permissions on that instance than non-privileged users, and using HTTPS helps protect the integrity and availability of that instance.
In this procedure unencrypted communications with the JBoss EAP standalone instance or domain is disabled. Passwords used in these communications are stored encrypted using the JBoss EAP vault feature, and passwords used in configuration files are masked.
This procedure applies to both
standalone and domain mode configurations. For domain mode, prefix the management CLI commands with the name of the host, for example: /host=master.
Procedure 5.2.
Create a keystore to secure the management console.
Note
This keystore must be in JKS format as the management console is not compatible with keystores in JCEKS format.In a terminal emulator, enter the following command. For the parametersalias,keypass,keystore,storepassanddname, replace the example values with values of your choice.The parametervalidityspecifies for how many days the key is valid. A value of 730 equals two years.keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore
EAP_HOME/standalone/configuration/identity.jks-storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -vEnsure the Management Console Binds to HTTPS
Standalone Mode
Ensure the management console binds toHTTPSfor its interface by adding themanagement-httpsconfiguration and removing themanagement-httpconfiguration.Ensure the JBoss EAP instance is running, then enter the following management CLI commands:/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)The expected output from these commands is:{"outcome" => "success"}Note
At this point the JBoss EAP log may display the following error message. This is to be expected because the SSL configuration is not yet completed.JBAS015103: A secure port has been specified for the HTTP interface but no SSL configuration in the realm.
Domain Mode
Change the socket element within the management-interface section by adding secure-port and removing port configuration.Ensure the JBoss EAP instance is running, then enter the following management CLI commands:/host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=9443)/host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)Note
At this point the JBoss EAP log may display the following error message. This is to be expected because the SSL configuration is not yet completed.JBAS015103: A secure port has been specified for the HTTP interface but no SSL configuration in the realm.
Optional: Custom socket-binding group
If you are using a customsocket-bindinggroup, ensure themanagement-httpsbinding is defined (it is present by default, bound to port9443). Edit the master configuration file - for examplestandalone.xml- to match the following.<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>Create a new Security Realm
Enter the following commands to create a new security realm namedManagementRealmHTTPS:/host=master/core-service=management/security-realm=ManagementRealmHTTPS/:add /host=master/core-service=management/security-realm=ManagementRealmHTTPS/authentication=properties/:add(path=ManagementUsers.properties, relative-to=jboss.domain.config.dir)
Configure Management Interface to use the new security realm
Enter the following commands:/host=master/core-service=management/management-interface=http-interface/:write-attribute(name=security-realm,value=ManagementRealmHTTPS)
Configure the management console to use the keystore.
Enter the following management CLI command. For the parametersfile,passwordandaliastheir values must be copied from the step Create a keystore to secure the management console./core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl:add(keystore-path=
identity.jks,keystore-relative-to=jboss.server.config.dir, keystore-password=password1, alias=appserver)The expected output from this command is:{ "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } }Restart the JBoss EAP server.
On restarting the server the log should contain the following, just before the text which states the number of services that are started. The management console is now listening on port 9443, which confirms that the procedure was successful.14:53:14,720 INFO [org.jboss.as] (Controller Boot Thread) JBAS015962: Http management interface listening on https://127.0.0.1:9443/management 14:53:14,721 INFO [org.jboss.as] (Controller Boot Thread) JBAS015952: Admin console listening on https://127.0.0.1:9443
Note
For security reasons it is recommended that you mask the keystore password. For details on how to do this see Section 7.1, “Password Vault System”.
