5.7. Configure the Management Console for HTTPS

Configuring the JBoss EAP management console for communication only via HTTPS provides increased security. All network traffic between the client (web browser) and management console is encrypted, which reduces the risk of security attacks such as a man-in-the-middle attack. Anyone administering a JBoss EAP instance has greater permissions on that instance than non-privileged users, and using HTTPS helps protect the integrity and availability of that instance.
In this procedure unencrypted communications with the JBoss EAP standalone instance or domain is disabled. Passwords used in these communications are stored encrypted using the JBoss EAP vault feature, and passwords used in configuration files are masked.
This procedure applies to both standalone and domain mode configurations. For domain mode, prefix the management CLI commands with the name of the host, for example: /host=master.

Procedure 5.2. 

  1. Create a keystore to secure the management console.

    Note

    This keystore must be in JKS format as the management console is not compatible with keystores in JCEKS format.
    In a terminal emulator, enter the following command. For the parameters alias, keypass, keystore, storepass and dname, replace the example values with values of your choice.
    The parameter validity specifies for how many days the key is valid. A value of 730 equals two years. 
    keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore EAP_HOME/standalone/configuration/identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

  2. Ensure the Management Console Binds to HTTPS

    • Standalone Mode

      Ensure the management console binds to HTTPS for its interface by adding the management-https configuration and removing the management-http configuration.
      Ensure the JBoss EAP instance is running, then enter the following management CLI commands: 
      /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
      /core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)
      The expected output from these commands is: 
      {"outcome" => "success"}

      Note

      At this point the JBoss EAP log may display the following error message. This is to be expected because the SSL configuration is not yet completed. 
      JBAS015103: A secure port has been specified for the HTTP interface but no SSL configuration in the realm.

    • Domain Mode

      Change the socket element within the management-interface section by adding secure-port and removing port configuration.
      Ensure the JBoss EAP instance is running, then enter the following management CLI commands: 
      /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=9443)
/host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)

      Note

      At this point the JBoss EAP log may display the following error message. This is to be expected because the SSL configuration is not yet completed. 
      JBAS015103: A secure port has been specified for the HTTP interface but no SSL configuration in the realm.

  3. Optional: Custom socket-binding group

    If you are using a custom socket-binding group, ensure the management-https binding is defined (it is present by default, bound to port 9443). Edit the master configuration file - for example standalone.xml - to match the following. 
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>

  4. Create a new Security Realm

    Enter the following commands to create a new security realm named ManagementRealmHTTPS: 
    /host=master/core-service=management/security-realm=ManagementRealmHTTPS/:add
/host=master/core-service=management/security-realm=ManagementRealmHTTPS/authentication=properties/:add(path=ManagementUsers.properties, relative-to=jboss.domain.config.dir)

  5. Configure Management Interface to use the new security realm

    Enter the following commands: 
    /host=master/core-service=management/management-interface=http-interface/:write-attribute(name=security-realm,value=ManagementRealmHTTPS)

  6. Configure the management console to use the keystore.

    Enter the following management CLI command. For the parameters file, password and alias their values must be copied from the step Create a keystore to secure the management console. 
    /core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl:add(keystore-path=identity.jks,keystore-relative-to=jboss.server.config.dir, keystore-password=password1, alias=appserver)
    The expected output from this command is: 
    {
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

  7. Restart the JBoss EAP server.

    On restarting the server the log should contain the following, just before the text which states the number of services that are started. The management console is now listening on port 9443, which confirms that the procedure was successful. 
    14:53:14,720 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015962: Http management interface listening on https://127.0.0.1:9443/management
14:53:14,721 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015952: Admin console listening on https://127.0.0.1:9443

Note

For security reasons it is recommended that you mask the keystore password. For details on how to do this see Section 7.1, “Password Vault System”.
Report a bug