Add Domain Controller Public Key to CLI Truststore: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 22:46, 20 March 2017

External

Internal

Relevance

EAP 7

Overview

The management interface may be protected by configuring it to require all management traffic to go over SSL/TLS. This adds an additional layer of security by preventing management traffic from traveling in the clear over the network. SSL/TLS enablement on management interfaces is described here: Enabling SSL/TLS for Management Interfaces.

However, when the management interface is protected by SSL/TLS and no additional configuration has been made on the CLI client side, the CLI does not recognize the server certificate by default and challenges the user to manually accept it:

NOMBP2:bin ovidiu$ ./jboss-cli.sh --connect --controller=127.0.0.1:9999
Unable to connect due to unrecognised server certificate
Subject    - CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
Issuer     - CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid From - Mon Mar 20 16:33:27 EDT 2017
Valid To   - Fri Dec 18 15:33:27 EST 2026
MD5 : 69:25:1b:97:9d:3f:63:80:bd:5d:47:13:97:34:7a:9f
SHA1 : 6c:ac:67:33:6d:9b:fd:22:00:b3:ec:67:76:e9:a3:e4:0c:45:74:9e

Accept certificate? [N]o, [T]emporarily, [P]ermenantly : t
[domain@127.0.0.1:9999 /]

The challenge is issued both in the case of local authentication and username-based authentication.
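Before answering the challenge with anything other than N, the fingerprint in the prompt can be compared against a copy of the domain controller certificate obtained over a trusted channel. The sketch below is an added example, not part of the original page or of WildFly/EAP; the function names and the PEM sample are hypothetical, and the sample certificate is constructed placeholder data, so it is expected not to match the prompt.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint lines copied from the CLI challenge shown on this page.
CLI_PROMPT = """\
MD5 : 69:25:1b:97:9d:3f:63:80:bd:5d:47:13:97:34:7a:9f
SHA1 : 6c:ac:67:33:6d:9b:fd:22:00:b3:ec:67:76:e9:a3:e4:0c:45:74:9e
"""

# Constructed sample: placeholder bytes wrapped as PEM, NOT a real certificate.
CONSTRUCTED_DER = b"constructed placeholder bytes, not a real certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

FP_LINE = re.compile(
    r"^\s*(MD5|SHA1)\s*:\s*((?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2})\s*$", re.M
)
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

def parse_prompt_fingerprints(text):
    """Extract {'MD5': ..., 'SHA1': ...} (lowercase) from the challenge text."""
    return {name: fp.lower() for name, fp in FP_LINE.findall(text)}

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string to DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(der, algo="sha1"):
    """Hash of the DER encoding, colon-separated hex as the CLI prints it."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_prompt(der, prompt_text):
    """True only if the SHA1 shown in the prompt equals the trusted copy's."""
    shown = parse_prompt_fingerprints(prompt_text).get("SHA1")
    # A prompt without a SHA1 line is treated as a mismatch (fail closed).
    return shown is not None and hmac.compare_digest(shown, fingerprint(der))
```

A `False` result from `matches_prompt` means the certificate presented to the CLI is not the one held in the trusted copy, and the challenge should be answered with N.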