Bug 1024789

I like the sound of this, I'm just worried about the repercussions / other details for things like domain / host xmls. 

If you can supply the full details of all the changes necessary, I think it may be possible, and worth it to add the feature. The only issue is that CommandContext may block on user input (it does in my case) after applying SSL to it; thus, reconnecting the installer to the server may be difficult. 

I'm leaning towards a NACK if we can't find solutions to these issues in a timely manner.

Hi Tom,

to solve the problem with blocked CommandContext after applying SSL, I'd suggest to update the http-interface with secured port first and than add SSL to ManagementRealm so the first two commands won't be blocked by SSL (standalone will show ERROR during configuration: "A secure port has been specified for the HTTP interface but no SSL configuration in the realm.", but we can ignore this). 

Commnads for standalone are:
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)
/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=/home/pkremens/ssl.keystore,keystore-password="password")

Commands for domain are:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=9443) 
/host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)
/host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=/home/pkremens/ssl.keystore,keystore-password="password")

However there are few thigs we must be aware of:
 - Web console will now listen on secure port https://localhost:9443 not on default http://localhost:9990
   - We must fixt target for shortcuts. 
   - If user decide to Launch browser during installation on server start panel it must also points to https://localhost:9443.
 - Secure http port could be changed during port-offset settings, we must take this into account.

SSL is quite complicated in domain. ManagementRealm is used for DC-HC authentication, so once we secure ManagementRealm with ssl, other hosts will unable to connect to domain unless they have configured truststore to be able to authenticate request for joining the domain from DC (see [1]). I'd stick to configure only standalone and host.xml for now, and leave other domain features to BZ1025340.

I agree that this is quite comlicated feature and we must be aware that next release is CR, so I would be OK if you decide to NACK this and postpone to 6.3.0+ release.

Petr

[1] - http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Using_2-way_SSL_for_the_Management_interface_and_the_CLI.html

As per the decision in https://bugzilla.redhat.com/show_bug.cgi?id=1025340, these enhancements are postponed to 6.3.0+ releases (barring explicit requests.)

Thanks for the information Petr, this is a worthy feature to add to the installer.

Moving to NEW as a part of CLOSED/DEFERRED bz cleanup.

Tom, 
I noticed that JBoss administration (domain) shortcut doesn't work once SSL is configured. It tries to connect to admin console on default unsecured address.

Hi Petr,

I've made the changes to have the shortcuts point to the correct address if ssl is enabled.

Hi Ahmed,
I run into another case:
on Server Launch screen choose to start standalone server and launch browser after startup, configure SSL and finish the installation.

Browser is opened on http://localhost:9990/console/index.html

Hi Petr,

This issue should be resolved. The installer should have the correct management port depending on whether ssl is enabled or if there is a port offset applied.

Verified on EAP 6.4.0.DR12 installer.