Secure management interface with HTTPS/TLS in JBoss EAP 7.1+ with Elytron
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 7.1 or later
  - 7.2
- Elytron security
- Hypertext Transfer Protocol Secure (HTTPS)
- Transport Layer Security (TLS)
- JBoss Command-Line interface (CLI), http-remoting connector, or management interface connections
Issue
- Enable One-way SSL/TLS
Resolution
1. Obtain or generate the keystore:

    keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

2. Copy the keystore.jks file to $EAP_HOME/domain/configuration when using domain mode or $EAP_HOME/standalone/configuration when using standalone mode.
3. Create a key-store, key-manager, and server-ssl-context:

   - Standalone mode:

        /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
        /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])

   - Domain mode:

        /host=master/subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.domain.config.dir,credential-reference={clear-text=secret},type=JKS)
        /host=master/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
        /host=master/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
4. Configure the management console to use the ssl-context:

   - Standalone mode:

        /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)

   - Domain mode:

        /host=master/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
5. Configure the management interface to use a secure interface and port:

   - Standalone mode:

        /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)

   - Domain mode:

        /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-interface, value=management)
        /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value=9443)

6. Reload the JBoss EAP instance.
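
A pre-flight check for the CLI commands above, added here as an example and not part of the original article: it parses the commands, confirms that every key-store, key-manager and ssl-context reference points at a resource the script itself creates, and flags clear-text credential-reference values and protocols older than TLSv1.2. The `audit` helper, its regex-based parser and the weak-protocol list are assumptions of this example; the sample input is the standalone-mode commands from this page.

```python
import re

# Constructed input: the standalone-mode commands from this page, one per line.
SAMPLE = """\
/subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
"""
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: local policy, TLS 1.2+ only

def split_params(text):
    """Split 'a=b,c={x=y},d=[..]' on commas outside {} and [] (one nesting level)."""
    parts = re.split(r",(?![^{\[]*[}\]])", text)
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def parse(script):
    """Return (resource_type, resource_name, operation, params) per command."""
    ops = []
    for line in script.splitlines():
        m = re.match(r"(/[^:]+):([\w-]+)\((.*)\)\s*$", line.strip())
        if m:
            kind, name = m.group(1).rsplit("/", 1)[1].split("=", 1)
            ops.append((kind, name, m.group(2), split_params(m.group(3))))
    return ops

def audit(script):
    """Hypothetical helper: list problems found in an Elytron TLS CLI script."""
    ops = parse(script)
    defined = {(kind, name) for kind, name, op, _ in ops if op == "add"}
    findings = []
    for kind, name, op, p in ops:
        # Collect the resources this command refers to by name.
        refs = {r: p[r] for r in ("key-store", "key-manager") if r in p}
        if op == "write-attribute" and p.get("name") == "ssl-context":
            refs["server-ssl-context"] = p.get("value", "")
        for ref_kind, ref_name in refs.items():
            if (ref_kind, ref_name) not in defined:
                findings.append(f"{kind}={name}: {ref_kind} '{ref_name}' is not defined")
        if "clear-text" in p.get("credential-reference", ""):
            findings.append(f"{kind}={name}: clear-text credential-reference")
        for proto in sorted(WEAK & set(re.findall(r"[\w.]+", p.get("protocols", "")))):
            findings.append(f"{kind}={name}: weak protocol {proto}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the commands as written on this page, the check reports the two clear-text keystore passwords, which end up stored in the server configuration file.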