Enabling SSL/TLS for the Native Management Interface in EAP 7 Domain Mode

From NovaOrdis Knowledge Base

Internal

Overview

Procedure

Add a SSL Keystore as SSL Server Identity under the Management Realm

In host.xml:

<host>
  ...
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <ssl>
            <keystore path="management-realm-keystore.jks" 
                      relative-to="jboss.domain.config.dir"
                      keystore-password="management-realm-keystore123" 
                      alias="domain-controller-key"/>
          </ssl>
        </server-identities>
        ...
      </security-realm>
      ...

Note that if you don't want the keystore password stored in clear text in host.xml, use the password vault instead.

An example of how to create the keystore is available below:

keytool -genkey -v -validity 3560 -alias domain-controller-key -keystore ./management-realm-keystore.jks

Connect CLI to the Native Interface

./jboss-cli.sh --connect --controller=127.0.0.1:9999

Because the interface now has SSL/TLS enabled and the client has not been configured to recognize the server's certificate, the CLI will prompt on stdout to accept the certificate:

NOMBP2:bin ovidiu$ ./jboss-cli.sh --connect --controller=127.0.0.1:9999
Unable to connect due to unrecognised server certificate
Subject    - CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
Issuer     - CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid From - Mon Mar 20 16:33:27 EDT 2017
Valid To   - Fri Dec 18 15:33:27 EST 2026
MD5 : 69:25:1b:97:9d:3f:63:80:bd:5d:47:13:97:34:7a:9f
SHA1 : 6c:ac:67:33:6d:9b:fd:22:00:b3:ec:67:76:e9:a3:e4:0c:45:74:9e

Accept certificate? [N]o, [T]emporarily, [P]ermenantly :
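The fingerprints printed in that prompt are the only thing that distinguishes the real domain controller's certificate from one presented by another host, so compare them with the fingerprint of the certificate in the domain controller's own keystore before answering with [P]ermanently. The following is an added example, not code from the original page or from EAP: a small Python checker that parses the challenge shown above and compares its SHA1 with the fingerprint computed from the certificate exported from the keystore (for instance with the standard `keytool -exportcert -rfc`, which prints the certificate in PEM form). SAMPLE_PROMPT is a constructed copy of the output above.

```python
import base64
import hashlib
import re

# Constructed copy of the CLI challenge shown above (not a live capture).
SAMPLE_PROMPT = """\
Unable to connect due to unrecognised server certificate
Subject    - CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
Issuer     - CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid From - Mon Mar 20 16:33:27 EDT 2017
Valid To   - Fri Dec 18 15:33:27 EST 2026
MD5 : 69:25:1b:97:9d:3f:63:80:bd:5d:47:13:97:34:7a:9f
SHA1 : 6c:ac:67:33:6d:9b:fd:22:00:b3:ec:67:76:e9:a3:e4:0c:45:74:9e
"""

# One "<label> - <value>" or "<label> : <value>" line of the challenge.
FIELD_RE = re.compile(r"^\s*(Subject|Issuer|Valid From|Valid To|MD5|SHA1)\s*[-:]\s*(.+?)\s*$")


def parse_cli_challenge(text):
    """Return the fields of the 'unrecognised server certificate' prompt as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def normalize_fingerprint(fp):
    """Lower-case hex pairs joined by ':', whatever separators or case the input used."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def fingerprint_from_der(der_bytes, algorithm="sha1"):
    """A certificate fingerprint is the hash of its DER encoding, shown as colon-separated hex."""
    return normalize_fingerprint(hashlib.new(algorithm, der_bytes).hexdigest())


def fingerprint_from_pem(pem_text, algorithm="sha1"):
    """Fingerprint of a PEM certificate such as the output of 'keytool -exportcert -rfc'."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return fingerprint_from_der(base64.b64decode(body), algorithm)


def challenge_matches(prompt_text, expected_sha1):
    """True only if the SHA1 shown by the CLI equals the keystore certificate's SHA1."""
    shown = parse_cli_challenge(prompt_text).get("SHA1")
    return shown is not None and normalize_fingerprint(shown) == normalize_fingerprint(expected_sha1)
```

Only answer [P]ermanently when `challenge_matches` is true for the fingerprint taken from the domain controller's keystore; a mismatch means the CLI is talking to something other than the controller you configured.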

The client can be configured to recognize the server's certificate, which avoids the interactive stdout/stdin prompt. The procedure is available here:

Add Domain Controller Public Key to CLI Truststore