5.3. Encrypting the Connection to the Management Console Server

Revision History
11/28/12
Updated to use fabric configuration

Abstract

By default the connection to the management console server is unencrypted. To use a secure connection you must configure it to use HTTPS.

Overview

Out of the box the management console is configured to use an unencrypted connection. This makes it easy to demo and use in testing environments. However, it is not suitable for use in production environments.
To enable HTTPS, you need to create and install X.509 certificates and keys for the console. You must also enable the management console to use HTTPS.

Creating certificates

Before you can enable SSL, you must create an X.509 certificate and private key for the console. The certificate and private key must be in Java keystore format.

Installing the certificates

The recommended location to install the certificates for the console is in the management console's etc/certs folder. You can, however, store the certificates in any folder from which the container can access them.
Note
You will need the location to configure the management console.

Enabling HTTPS

The management console's HTTP port is configured using the org.ops4j.pax.web PID. To enable HTTPS, you will need to change the properties in that PID for the container in which the management console is running. You can do this is to update the fmc profile deployed to the container. Alternatively, you could create a separate profile to configure the HTTP port.
To enable HTTPS by modifying the fmc profile:
  1. Open a command console connected to one of the container in the fabric.
  2. Disable the insecure HTTP port setting the org.osgi.service.http.enabled property to false as shown in Example 5.4, “Disabling the HTTP Port”.

    Example 5.4. Disabling the HTTP Port

    fabric:profile-edit -p org.ops4j.pax.web/org.osgi.service.http.enabled=false fmc
  3. Enable the secure HTTPS port by setting the org.osgi.service.http.secure.enabled property to true as shown in Example 5.5, “Property for Enabling the HTTPS Port”.

    Example 5.5. Property for Enabling the HTTPS Port

    fabric:profile-edit -p org.ops4j.pax.web/org.osgi.service.http.secure.enabled=true fmc
  4. Specify the port used for connecting over HTTPS by setting the org.osgi.service.http.port.secure property to an available port as shown in Example 5.6, “Property for Specifying the HTTPS Port”.

    Example 5.6. Property for Specifying the HTTPS Port

    fabric:profile-edit -p org.ops4j.pax.web/org.osgi.service.http.port.secure=8108 fmc
    Note
    You can reuse port 8107.
  5. Configure the keystore used to hold the X.509 certificates.
    1. Specify the location of the keystore by adding the org.ops4j.pax.web.ssl.keystore property.
    2. Specify the type of keystore used by adding the org.ops4j.pax.web.ssl.keystore.type property and setting it to JKS.
    3. Specify the password for unlocking the Java keystore by adding the org.ops4j.pax.web.ssl.password property.
    4. Specify the password for decrypting the private key by adding the org.ops4j.pax.web.ssl.keypassword property.
      Note
      This is typically the same as the password used to unlock the keystore.
    5. Specify if certificate-based client authentication at the server is wanted by adding the org.ops4j.pax.web.ssl.clientauthwanted property.
      When set to true the server will request that the client send an X.509 certificate during the SSL handshake.
    6. Specify if certificate-based client authentication at the server is required by adding the org.ops4j.pax.web.ssl.clientauthneeded property.
      When set to true an exception is thrown if the client does not present a valid X.509 certificate during the SSL handshake.