Menu Close
Settings Close

Language and Page Formatting Options

Chapter 3. Securing the Fuse Console

To secure the Fuse Console on Apache Karaf:

  • Disable the Fuse Console’s proxy servlet when deploying to AWS

    If you want to deploy a standalone Fuse application to Amazon Web Services (AWS), you should disable the Fuse Console’s proxy servlet by setting the hawtio.disableProxy system property to true.

    Note

    When you disable the Fuse Console proxy servlet, the Fuse Console’s Connect tab is disabled and you cannot connect to other JVMs from the Fuse Console. If you want to deploy more than one Fuse application on AWS, you must deploy the Fuse Console for each application.

  • Set HTTPS as the required protocol

    You can use the hawtio.http.strictTransportSecurity property to require web browsers to use the secure HTTPS protocol to access the Fuse Console. This property specifies that web browsers that try to use HTTP to access the Fuse Console must automatically convert the request to use HTTPS.

  • Use public keys to secure responses

    You can use the hawtio.http.publicKeyPins property to secure the HTTPS protocol by telling the web browser to associate a specific cryptographic public key with the Fuse Console to decrease the risk of “man-in-the-middle” attacks with forged certificates.

  • Enable SSL/TLS security

    SSL/TLS security is not enabled by default for the Fuse Console. It is recommended that you enable SSL/TLS security on the Fuse Console to protect username/password credentials from snooping.

  • Implement Red Hat Single Sign On
  • Control user access

    The operations that an authenticated user is allowed to perform depend on the role (or roles) assigned to that user, as listed in Table 4.1, “Role-based access on Karaf standalone”.

Procedure

  1. To set HTTPS as the required protocol, set the hawtio.http.strictTransportSecurity property in the $KARAF_HOME/etc/system.properties file as shown in the following example:

    hawtio.http.strictTransportSecurity = max-age=31536000; includeSubDomains; preload
  2. To use public keys to secure responses, set the hawtio.http.publicKeyPins property in the $KARAF_HOME/etc/system.properties file as shown in the following example:

    hawtio.http.publicKeyPins = pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs"; max-age=5184000; includeSubDomains
  3. (For deploying on AWS only) To disable the Fuse Console’s proxy servlet, set the hawtio.disableProxy property to true in the $KARAF_HOME/etc/system.properties file as shown in the following example:

    hawtio.disableProxy = true;
  4. For detailed instructions on how to enable SSL/TLS security, see the "Enabling SSL/TLS for Undertow in an Apache Karaf container" section in the Apache Karaf Security Guide.
  5. For information on how to secure the Fuse Console with Red Hat Single Sign-On, see the section on securing the Hawtio administration console in the Red Hat Single Sign-on Securing Applications and Services Guide.
  6. To ensure that a user has the necessary user role authorization to perform the Fuse Console operations that the user needs to perform, follow these steps to set a user role:

    1. Open the Red Hat Fuse etc/users.properties file in an editor.
    2. Add an entry for the user name, password, and role.

      For example, the following entry in the etc/users.properties file defines the admin user and grants the admin role.

      admin = secretpass,admin
    3. Save the file.

Additional resources

  • For a description of the hawtio.http.strictTransportSecurity property’s syntax, see the description page for the HTTP Strict Transport Security (HSTS) response header.
  • For a description of the hawtio.http.publicKeyPins property’s syntax, including instructions on how to extract the Base64 encoded public key, see the description page for the HTTP Public Key Pinning response header.