Reload keystore and truststore at runtime in JBoss EAP 6 and 7


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6
    • 7
  • Legacy or Elytron Security
  • Hypertext Transfer Protocol Secure (HTTPS) / Transport Layer Security (TLS) (SSL)
  • Transport Layer Security (TLS) encrypted LDAP

Issue

  • Reload keystore and trust store certificates at runtime / dynamically
  • In JBoss EAP 5 there was an option to reloadKeyAndTrustStore using twiddle/JMX; is there a similar option in JBoss EAP 6 or 7?

Resolution

  • This is not possible in JBoss EAP 6 or 7.0+ when using legacy (PicketBox) security.
  • To reload a keystore in JBoss EAP 7.1+ with Elytron, use the CLI:

    /subsystem=elytron/key-store=KSNAME:load

    Then reinitialize the trust-manager or key-manager that uses that key-store, otherwise the running TLS context keeps the previously loaded certificates:

    /subsystem=elytron/trust-manager=NAME:init
    /subsystem=elytron/key-manager=NAME:init

    Note: Replace KSNAME and NAME with the names used in the configuration.
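The two-step procedure above, wrapped in a small POSIX shell helper. This is an added example and not part of the Red Hat article: it builds the command list and hands it to jboss-cli.sh in a single --connect invocation so the key-store load and the manager init happen together. The default jboss-cli.sh location under JBOSS_HOME and the resource names passed on the command line (KSNAME, TMNAME, KMNAME) are assumptions; replace them with the names from your own configuration.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): reload an Elytron key-store and
# reinitialize the trust-manager / key-manager that reference it, in one CLI call.
# Assumptions: jboss-cli.sh lives under $JBOSS_HOME/bin (override with JBOSS_CLI);
# the resource names given on the command line are placeholders for your own.

# Build the comma-separated command list that jboss-cli.sh accepts via --commands=.
# $1 = key-store name, $2 = trust-manager name (optional), $3 = key-manager name (optional)
build_reload_commands() {
  cmds="/subsystem=elytron/key-store=$1:load"
  if [ -n "$2" ]; then
    cmds="$cmds,/subsystem=elytron/trust-manager=$2:init"
  fi
  if [ -n "$3" ]; then
    cmds="$cmds,/subsystem=elytron/key-manager=$3:init"
  fi
  printf '%s' "$cmds"
}

# Run the reload against the running server. Returns non-zero if the CLI is
# missing or any management operation fails, so a cron job or deploy hook can
# alert on it instead of silently serving the old certificate.
reload_elytron_keystore() {
  cli="${JBOSS_CLI:-${JBOSS_HOME:-/opt/jboss-eap}/bin/jboss-cli.sh}"
  if [ ! -x "$cli" ]; then
    echo "jboss-cli.sh not found or not executable: $cli" >&2
    return 1
  fi
  "$cli" --connect --commands="$(build_reload_commands "$1" "$2" "$3")"
}

# Usage: ./reload_elytron_keystore.sh KSNAME TMNAME KMNAME
# Pass "" for a manager you do not have, e.g.: ./reload_elytron_keystore.sh httpsKS "" httpsKM
if [ "$#" -ge 1 ]; then
  reload_elytron_keystore "$1" "${2:-}" "${3:-}"
fi
```

Running the load and the init in one --commands list matters in practice: a load alone refreshes the key-store resource, but the SSL context keeps using the manager until it is reinitialized, so a rotated certificate would not be served until the second step runs. Keystores configured through Java system properties rather than an Elytron key-store resource cannot be reloaded this way.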

Root Cause

A Request For Enhancement (RFE) was logged as PRODMGT-549 and fixed in EAP 7.1, so reloading a keystore and truststore at runtime is possible through the Elytron subsystem; see Reload a keystore and Reinitialize a Trust Manager.

There is no mechanism in JBoss EAP to reload a keystore that was initialized through the Java system properties.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
