Chapter 3. Securing the Web Console

Abstract

You can configure the Red Hat JBoss A-MQ Web console to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file.

Prerequisites

The Red Hat JBoss A-MQ Web console is not enabled by default. You can install the web console feature into OSGi by entering the following console command: 
JBossFuse:karaf@root> features:install webconsole

Create X.509 certificate and private key

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.
If you want to run a quick demonstration of SSL/TLS security, you could use a demonstration certificate from one of the examples (see ???).

Enabling SSL/TLS

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false as shown in Example 3.1, “Pax Web Property for Disabling the HTTP Port”.

    Example 3.1. Pax Web Property for Disabling the HTTP Port

    org.osgi.service.http.enabled=false
  3. Enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true as shown in Example 3.2, “Pax Web Property for Enabling the HTTPS Port”.

    Example 3.2. Pax Web Property for Enabling the HTTPS Port

    org.osgi.service.http.secure.enabled=true
  4. If you followed the preceding instructions, the etc/org.ops4j.pax.web.cfg file should now have the following contents: 
    # Configures the SMX Web Console to use SSL
org.osgi.service.http.enabled=false
org.osgi.service.http.port=8181

org.osgi.service.http.secure.enabled=true
  5. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty: 
    <?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">

<Configure class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Set connectors                                              -->
    <!-- =========================================================== -->
    <!-- One of each type!                                           -->
    <!-- =========================================================== -->
    ...
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
               <Arg>
                  <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                      <!-- in Fuse 6.0, please replace above FQN with "org.eclipse.jetty.util.ssl.SslContextFactory" -->
                      <Set name="ExcludeProtocols">
                          <Array type="java.lang.String">
                              <Item>SSLv3</Item>
                          </Array>
                      </Set>
                  </New>
               </Arg>
               <Set name="Port">8183</Set>
               <Set name="keystore">/home/jdoe/Documents/server.keystore</Set>
               <Set name="password">mykeystorepass</Set>
               <Set name="keyPassword">mykeypass</Set>
           </New>
        </Arg>
    </Call>
    <Call name="addConnector">
        ...
    </Call>

    <Call name="addBean">
        ...
    </Call>
</Configure>
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  6. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    Port
    The secure HTTPS port number.
    keystore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    password
    The store password that unlocks the Java keystore file.
    keyPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).

Connect to the secure Web console

After configuring the Web console and installing the webconsole feature, you should be able to open the Web console by browsing to the following URL:
https://localhost:8183/system/console
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be prompted to enter a username and a password. Log in with the username smx and the password smx.