Secure management interface with HTTPS/TLS in JBoss EAP 7.1+ with Elytron

Solution Verified - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.1 or later
    • 7.2
  • Elytron security
  • Hypertext Transfer Protocol Secure (HTTPS)
  • Transport Layer Security (TLS)
  • JBoss Command-Line interface (CLI), http-remoting connector, or management interface connections

Issue

  • Enable one-way SSL/TLS (the server presents a certificate to clients; clients are not authenticated) on the management interface

Resolution

  1. Obtain a keystore holding a CA-issued certificate, or generate a self-signed one for testing:

    keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
    
    Use an RSA key of at least 2048 bits (1024-bit RSA is below current minimums and is rejected by recent JDKs), set the CN to the host name clients will connect to, and replace the `secret` passwords with real ones. A self-signed certificate is fine for a test instance but CLI and browser clients will not be able to validate it without importing it into their truststores.

  2. Copy the keystore.jks file to $EAP_HOME/domain/configuration when using domain mode or $EAP_HOME/standalone/configuration when using standalone mode.

  3. Create a key-store, key-manager, and server-ssl-context (the credential-reference must carry the same password used for the keystore and key above):

    • Standalone mode:

      /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
      
      /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
      
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
      
    • Domain mode:

      /host=master/subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.domain.config.dir,credential-reference={clear-text=secret},type=JKS)
      
      /host=master/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
      
      /host=master/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
      
  4. Configure the management HTTP interface (used by both the web console and the CLI) to use the ssl-context:

    • Standalone mode:

      /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
      
    • Domain mode:

      /host=master/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
      
  5. Configure the management interface to use a secure interface and port. Standalone mode uses the predefined management-https socket binding (port 9993 by default); a domain mode host controller takes the interface and port directly, and 9443 below is only an example value:

    • Standalone mode:

      /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
      
    • Domain mode:

      /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-interface, value=management)
      
      /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value=9443)
      
  6. Reload the JBoss EAP instance (in domain mode, reload the host controller). Note that this adds an HTTPS listener next to the existing plain HTTP one; the plain-text management port stays open until its socket-binding (standalone) or port (domain) is undefined. Verify the result by connecting the CLI to the HTTPS port with the https-remoting protocol and by checking with an external TLS client that the server presents the expected certificate and refuses protocols older than TLSv1.2.
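The following script is an added example and is not part of the Red Hat article. It applies the six steps above in one go for either mode and tightens the defaults a reviewer would flag: a 2048-bit key with a SAN entry, the keystore password kept in an Elytron credential store rather than as clear-text in the configuration, the model changes wrapped in a CLI batch so a failure midway leaves the configuration unchanged, and an external check that the port speaks only TLSv1.2. The host name `master`, the credential store name `mgmtCS`, the alias `httpsKSPass` and the file names are assumptions; `EAP_HOME` must point at an installed EAP 7.1+ instance when running `apply`.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: applies the article's one-way
# TLS setup for the management interface as one CLI script, with stronger
# defaults (RSA 2048, SAN on the certificate, keystore password held in an
# Elytron credential store instead of clear-text in the configuration).
# Assumed names: host "master", credential store "mgmtCS", alias "httpsKSPass".
# EAP_HOME must point at an installed EAP 7.1+ instance when running "apply".
set -eu

MODE="${MODE:-standalone}"            # standalone | domain
HOST="${HOST:-master}"                # host controller name (domain mode only)
SECURE_PORT="${SECURE_PORT:-9443}"    # domain-mode HTTPS management port, as in the article
CN="${CN:-localhost}"                 # must match the name clients connect to
KS_PASS="${KS_PASS:-secret}"          # key/keystore password
CS_PASS="${CS_PASS:-storesecret}"     # credential-store password

# Generate a self-signed server keystore for testing: 2048-bit RSA, plus a
# SAN entry because modern clients ignore CN when matching the host name.
gen_keystore() {
    keytool -genkeypair -alias "$CN" -keyalg RSA -keysize 2048 -validity 365 \
        -keystore keystore.jks -storetype JKS -dname "CN=$CN" \
        -ext "SAN=dns:$CN,ip:127.0.0.1" \
        -keypass "$KS_PASS" -storepass "$KS_PASS"
}

# Print the CLI script for the given mode (standalone | domain). The model
# changes are wrapped in batch/run-batch so a failure midway leaves the
# configuration untouched; the credential store is created before the batch
# because add-alias is a runtime operation on an already started store.
build_cli_script() {
    mode="$1"
    if [ "$mode" = domain ]; then
        prefix="/host=$HOST"
        reldir="jboss.domain.config.dir"
    else
        prefix=""
        reldir="jboss.server.config.dir"
    fi
    cat <<EOF
$prefix/subsystem=elytron/credential-store=mgmtCS:add(location=mgmt-cs.jceks,relative-to=$reldir,credential-reference={clear-text=$CS_PASS},create=true)
$prefix/subsystem=elytron/credential-store=mgmtCS:add-alias(alias=httpsKSPass,secret-value=$KS_PASS)
batch
$prefix/subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=$reldir,type=JKS,credential-reference={store=mgmtCS,alias=httpsKSPass})
$prefix/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm=SunX509,credential-reference={store=mgmtCS,alias=httpsKSPass})
$prefix/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
$prefix/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=httpsSSC)
EOF
    if [ "$mode" = domain ]; then
        cat <<EOF
$prefix/core-service=management/management-interface=http-interface:write-attribute(name=secure-interface,value=management)
$prefix/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=$SECURE_PORT)
run-batch
reload --host=$HOST
EOF
    else
        cat <<EOF
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
run-batch
reload
EOF
    fi
}

# Generate the keystore, copy it where the article says, and run the script.
apply() {
    gen_keystore
    cp keystore.jks "$EAP_HOME/$MODE/configuration/"
    build_cli_script "$MODE" > mgmt-tls.cli
    "$EAP_HOME/bin/jboss-cli.sh" --connect --file=mgmt-tls.cli
}

# Check the result from outside: the server must present our certificate on
# TLS 1.2 and must refuse TLS 1.1, since the context only allows TLSv1.2.
verify() {
    endpoint="$1"    # e.g. localhost:9993 (standalone) or localhost:9443 (domain)
    openssl s_client -connect "$endpoint" -tls1_2 </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
    if openssl s_client -connect "$endpoint" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "FAIL: $endpoint still accepts TLSv1.1" >&2
        return 1
    fi
    echo "OK: $endpoint speaks TLSv1.2 only"
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify "$2" ;;
esac
```

Run `MODE=domain ./mgmt-tls.sh apply` or `./mgmt-tls.sh apply` with `EAP_HOME` set, then `./mgmt-tls.sh verify localhost:9993` (or `:9443` in domain mode). Afterwards the CLI must be pointed at the TLS port, for example `jboss-cli.sh --connect --controller=https-remoting://localhost:9993`; with a self-signed certificate it will prompt to accept the certificate on first use. The credential store removes the keystore password from `:read-resource` output and from the configuration file, but its own password is still clear-text in the configuration unless it is masked with the `elytron-tool` utility.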

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
