Bug 997686
Summary: | [PRD] EAP62_2030 - TLS configuration for the CLI and HTTP management interfaces. | |
---|---|---|---
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Russell Dickenson <rdickens>
Component: | Documentation | Assignee: | Scott Mumford <smumford>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Russell Dickenson <rdickens>
Severity: | unspecified | Docs Contact: |
Priority: | urgent | |
Version: | 6.2.0 | CC: | asaldhan, darran.lofthouse, fbogyai
Target Milestone: | GA | |
Target Release: | EAP 6.2.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Last Closed: | 2013-12-15 16:20:57 UTC | Type: | Bug
Description
Russell Dickenson
2013-08-16 02:31:32 UTC
Additional information:

- https://access.redhat.com/site/solutions/229963 details the SSL configuration
- https://access.redhat.com/site/solutions/427463 2-way SSL configuration
- https://access.redhat.com/site/solutions/224623 SSL in domain mode

The above information sources have been converted to CCMS topics as follows:

Topic 22638: Configure the Management Console for HTTPS in Standalone mode
Topic 22639: Configure the Management Console for HTTPS in Domain mode
Topic 22641: Using 2-way SSL for the Management interface and the CLI

The next step is to decide on placement within a contentspec (Security Guide?) before they are released for review. Do the topics above fulfill the coverage requirements of this ticket at a conceptual level? (Obviously the content itself will need technical verification.) Are there any other concepts that should be touched on and, if so, is there source material available?

Please provide links for these topics for review.

They should be placed in 3. Management Interface Security as a new topic. I think that combining these 3 topics into one will be sufficient. Now I don't have more information, but somebody from development must have.

The topics have been added to the suggested section of the Security Guide contentspec. Moving this ticket to MODIFIED pending a re-stage of the document. Will move to ON_QA for technical verification once the update is available for review.

The new topics have been made available for review on the Documentation Stage. They are sections 3.8, 3.9, 3.10 (titles listed in comment 2): http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html

Corrections and missing commands:

Section 3.8

1) Ensure the management console binds to HTTPS for its interface by adding the 'management-https' configuration and removing the 'management-http' configuration. This can be done by editing the standalone.xml file (which is not recommended) or by using the following CLI interface commands:

    /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
    /core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

...

4) Add a server-identities element to the security-realm section of the standalone.xml configuration file of your installation. Within this element you define the SSL protocol, the keystore path, the keystore password and alias for SSL certificate. Execute the following CLI command, substituting your own values for the example ones. This example assumes that the keystore is copied to the server configuration directory, which is EAP_HOME/standalone/configuration/ for a standalone server.

    /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=server.keystore, keystore-relative-to=jboss.server.config.dir, keystore-password=SECRET, alias=KEY_ALIAS)

5) Restart your standalone server.

Section 3.9

2) Add a server-identities element to the security-realm section of the host.xml configuration file of your installation. Within this element you define the SSL protocol, the keystore path, the keystore password and alias for SSL certificate. Execute the following CLI command, substituting your own values for the example ones. This example assumes that the keystore is copied to the server configuration directory, which is EAP_HOME/domain/configuration/ for a managed domain.

    /host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(protocol=TLSv1, keystore-path=server.keystore, keystore-relative-to=jboss.domain.config.dir, keystore-password=SECRET, alias=KEY_ALIAS)

The block should appear similar to the following example:

    <security-realm name="ManagementRealm">
      <server-identities>
        <ssl protocol="TLSv1">
          <keystore path="server.keystore" relative-to="jboss.domain.config.dir" keystore-password="SECRET" alias="KEY_ALIAS"/>
        </ssl>
      </server-identities>
      <authentication>
        <local default-user="$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
      </authentication>
    </security-realm>

3) Change the socket element within the management-interface section by adding secure-port and removing port configuration. Use the following commands:

    /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value=9443)
    /host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)

..

Section 3.10

4) This can be done by manually editing the configuration file (not recommended) or by using the following commands:

    /core-service=management/security-realm=CertificateRealm:add()
    /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks, keystore-password=secret, alias=HOST1_alias)
    /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path=/path/to/HOST1.truststore.jks, keystore-password=secret)

Thanks for the intel, Filip. That's awesome stuff. I've updated the content accordingly. I've taken the liberty of removing XML fragments as we're attempting to drive people to using the CLI for config changes. Further to this, there's a step in section 3.10 that only has XML editing as an instruction. I've added a comment there as to whether there's a CLI command that would achieve the same thing. Moving this ticket to MODIFIED until the book is restaged and will move to QA once it's available for review.

The updated text is available for review at the link in comment 5. Note that while the topic titles are the same, the topics are now sections 9.9, 9.10 and 9.11.

I found some minor mistakes:

In section 9.9

1) Change first sentence from: "Ensure the management console binds to HTTPS for its interface by disabling or removing the management-http configuration." To: "Ensure the management console binds to HTTPS for its interface by adding the 'management-https' configuration and removing the 'management-http' configuration."

4) Change sentence: "Within this element you define the SSL protocol, the keystore path, the keystore password and alias for SSL certificate." To: "Within this element you define the protocol, the keystore path, the keystore password and alias for key pair."

In section 9.10

2) Change same sentence from previous point.

In section 9.11

5) Command for editing /bin/jboss-cli.xml doesn't exist, so user must manually change this xml file.

The above changes have been made and the updated content is available for review at: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html

The version number will be 2.0-6 or later. Please note that due to work being done on the structure of the book, the section numbers are in flux. Look for the section headings:

Configure the Management Console for HTTPS in Standalone mode
Configure the Management Console for HTTPS in Domain mode
Using 2-way SSL for the Management interface and the CLI

(also clearing NEEDINFO flag)
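The three procedures discussed in this ticket (HTTPS for the standalone console, HTTPS for a domain host, and 2-way SSL via a CertificateRealm) all end in the same kind of XML, and the mistake QE caught here (leaving management-http in place, or omitting the server-identities/ssl block) is easy to reintroduce by hand. The following checker is an added example written for this page; it is not code from the bug report, the Security Guide, or JBoss EAP. It parses a standalone.xml or host.xml with the Python standard library and reports anything that would leave the console on plaintext HTTP, without a TLS identity, or (for 2-way SSL) without a truststore. The sample configurations are constructed to mirror the CLI commands quoted above; the `urn:jboss:domain:1.5` namespace is an assumption and the checker ignores namespaces anyway. One caveat of mine, not from the thread: the domain command pins `protocol=TLSv1`, which a practitioner today would flag, so the checker reports any protocol below TLSv1.2.

```python
"""Sanity-check EAP 6 management-interface TLS settings.

Added example for this page, not code from the bug report or from EAP.
"""
import xml.etree.ElementTree as ET

# Assumption of this example: anything below TLSv1.2 is reported.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _name(elem):
    """ElementTree stores '{uri}tag'; keep only the local tag name."""
    return elem.tag.rsplit("}", 1)[-1]


def _kids(elem, tag):
    return [c for c in elem if _name(c) == tag]


def check_management_tls(xml_text, require_client_certs=False):
    """Return a list of findings; an empty list means the config passes.

    require_client_certs=True applies the 2-way SSL expectation: the realm
    must also carry an <authentication><truststore/> element.
    """
    root = ET.fromstring(xml_text)
    findings = []
    realms = {r.get("name"): r for r in root.iter() if _name(r) == "security-realm"}
    ifaces = [e for e in root.iter() if _name(e) == "http-interface"]
    if not ifaces:
        return ["no http-interface element found"]
    for iface in ifaces:
        # standalone.xml binds by name: <socket-binding http=".." https="..">
        # host.xml binds by port:       <socket port=".." secure-port="..">
        for sb in _kids(iface, "socket-binding"):
            if sb.get("http"):
                findings.append("plaintext socket-binding %r still set" % sb.get("http"))
            if not sb.get("https"):
                findings.append("no https socket-binding on http-interface")
        for sock in _kids(iface, "socket"):
            if sock.get("port"):
                findings.append("plaintext port %s still set" % sock.get("port"))
            if not sock.get("secure-port"):
                findings.append("no secure-port on http-interface")
        realm_name = iface.get("security-realm")
        realm = realms.get(realm_name)
        if realm is None:
            findings.append("http-interface references unknown realm %r" % realm_name)
            continue
        ssl = [s for si in _kids(realm, "server-identities") for s in _kids(si, "ssl")]
        if not ssl:
            findings.append("realm %r has no server-identities/ssl; HTTPS cannot start" % realm_name)
        else:
            proto = ssl[0].get("protocol")
            if proto in DEPRECATED_PROTOCOLS:
                findings.append("realm %r pins deprecated protocol %s" % (realm_name, proto))
            if not _kids(ssl[0], "keystore"):
                findings.append("realm %r ssl identity has no keystore" % realm_name)
        if require_client_certs:
            trust = [t for a in _kids(realm, "authentication") for t in _kids(a, "truststore")]
            if not trust:
                findings.append("realm %r has no authentication/truststore; clients not verified" % realm_name)
    return findings


# Constructed: stock standalone.xml before the section 3.8 commands.
STANDALONE_BEFORE = """<server xmlns="urn:jboss:domain:1.5"><management>
 <security-realms><security-realm name="ManagementRealm"><authentication>
  <local default-user="$local"/></authentication></security-realm></security-realms>
 <management-interfaces><http-interface security-realm="ManagementRealm">
  <socket-binding http="management-http"/></http-interface></management-interfaces>
</management></server>"""

# Constructed: standalone.xml after the section 3.8 commands.
STANDALONE_AFTER = """<server xmlns="urn:jboss:domain:1.5"><management>
 <security-realms><security-realm name="ManagementRealm"><server-identities><ssl>
  <keystore path="server.keystore" relative-to="jboss.server.config.dir"
            keystore-password="SECRET" alias="KEY_ALIAS"/></ssl></server-identities>
 </security-realm></security-realms>
 <management-interfaces><http-interface security-realm="ManagementRealm">
  <socket-binding https="management-https"/></http-interface></management-interfaces>
</management></server>"""

# Constructed: host.xml after section 3.9, including the TLSv1 pin from the thread.
HOST_AFTER = """<host xmlns="urn:jboss:domain:1.5" name="master"><management>
 <security-realms><security-realm name="ManagementRealm"><server-identities>
  <ssl protocol="TLSv1"><keystore path="server.keystore"
   relative-to="jboss.domain.config.dir" keystore-password="SECRET" alias="KEY_ALIAS"/>
  </ssl></server-identities></security-realm></security-realms>
 <management-interfaces><http-interface security-realm="ManagementRealm">
  <socket interface="management" secure-port="9443"/></http-interface></management-interfaces>
</management></host>"""

# Constructed: the section 3.10 CertificateRealm wired to the http-interface.
TWO_WAY = """<server xmlns="urn:jboss:domain:1.5"><management>
 <security-realms><security-realm name="CertificateRealm"><server-identities><ssl>
  <keystore path="/path/to/HOST1.keystore.jks" keystore-password="secret" alias="HOST1_alias"/>
  </ssl></server-identities><authentication>
  <truststore path="/path/to/HOST1.truststore.jks" keystore-password="secret"/>
  </authentication></security-realm></security-realms>
 <management-interfaces><http-interface security-realm="CertificateRealm">
  <socket-binding https="management-https"/></http-interface></management-interfaces>
</management></server>"""

if __name__ == "__main__":
    for label, cfg, mutual in [("before", STANDALONE_BEFORE, False), ("after", STANDALONE_AFTER, False),
                               ("host", HOST_AFTER, False), ("2-way", TWO_WAY, True)]:
        print(label, check_management_tls(cfg, require_client_certs=mutual) or "OK")
```

Run it against a real `EAP_HOME/standalone/configuration/standalone.xml` or `EAP_HOME/domain/configuration/host.xml` by reading the file into `check_management_tls`; pass `require_client_certs=True` when the interface is meant to use the 2-way setup from section 3.10. The "before" sample yields three findings (plaintext binding still set, no https binding, no ssl identity), the standalone "after" sample passes, and the domain sample passes except for the TLSv1 warning.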