Description of problem:
BZ901180 allows us to add an SSL keystore to ManagementRealm. Doing this, we secure access to the server via the CLI. We should also offer the user the option to secure access to the server via the Management Console.

Version-Release number of selected component (if applicable):
EAP 6.2.0.ER6

Actual results:
The 'Add SSL keystore to management interface' option can currently secure only access via the CLI.

Expected results:
The user has the option (a simple checkbox should work) to also secure access via the Management Console.

Additional info:
All we need to do is update the CLI commands once the user chooses to also secure the management console.

(standalone)
- add https to the management http-interface:
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
- remove http from the management http-interface:
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

The Management Console will now listen on https://localhost:9443

generate keystore:
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Generate_a_SSL_Encryption_Key_and_Certificate.html

configure ssl for https:
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Configure_the_Management_Console_for_HTTPS_in_Standalone_mode.html

The server needs to be restarted to load the SSL keystore, or an error message is thrown for both commands.
I like the sound of this, I'm just worried about the repercussions / other details for things like domain / host xmls. If you can supply the full details of all the changes necessary, I think it may be possible, and worth it to add the feature. The only issue is that CommandContext may block on user input (it does in my case) after applying SSL to it; thus, reconnecting the installer to the server may be difficult. I'm leaning towards a NACK if we can't find solutions to these issues in a timely manner.
Hi Tom, to solve the problem with the blocked CommandContext after applying SSL, I'd suggest updating the http-interface with the secured port first and then adding SSL to ManagementRealm, so the first two commands won't be blocked by SSL (standalone will show an ERROR during configuration: "A secure port has been specified for the HTTP interface but no SSL configuration in the realm.", but we can ignore this).

Commands for standalone are:
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)
/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=/home/pkremens/ssl.keystore,keystore-password="password")

Commands for domain are:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=9443)
/host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)
/host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=/home/pkremens/ssl.keystore,keystore-password="password")

However, there are a few things we must be aware of:
- The web console will now listen on the secure port https://localhost:9443, not on the default http://localhost:9990
- We must fix the target for shortcuts.
- If the user decides to launch the browser during installation on the server start panel, it must also point to https://localhost:9443.
- The secure HTTP port could be changed by the port-offset settings; we must take this into account.

SSL is quite complicated in domain. ManagementRealm is used for DC-HC authentication, so once we secure ManagementRealm with SSL, other hosts will be unable to connect to the domain unless they have a truststore configured to be able to authenticate the request for joining the domain from the DC (see [1]).
I'd stick to configuring only standalone and host.xml for now, and leave other domain features to BZ1025340. I agree that this is quite a complicated feature, and we must be aware that the next release is CR, so I would be OK if you decide to NACK this and postpone it to the 6.3.0+ release.

Petr

[1] - http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Using_2-way_SSL_for_the_Management_interface_and_the_CLI.html
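As an added example (not code from the bug thread or from the EAP installer), the following POSIX sh script puts the procedure from the two comments above into a form an installer could drive: it emits the jboss-cli commands for standalone or domain (host.xml) in the order Petr recommends (switch the interface to the secure binding first, add the ssl server-identity to ManagementRealm last, so the CLI's own connection is not forced onto TLS mid-way), and it computes the console URL the shortcuts and "launch browser" action must use once SSL and a port offset are in play. The keystore path, the password, the `jboss` alias, the `JBOSS_HOME` guard and the use of `keytool` to generate the keystore are assumptions for the example; the server still has to be restarted after the commands run so the keystore is loaded.

```shell
#!/bin/sh
# Added example; not part of the original bug report or the installer.

# Console URL after configuration. Defaults: http on 9990, https on 9443
# (the management-https socket binding). Both move with the port offset,
# which is the case the installer initially got wrong.
mgmt_console_url() {
    ssl="$1"; offset="${2:-0}"
    if [ "$ssl" = "yes" ]; then
        echo "https://localhost:$((9443 + offset))/console/index.html"
    else
        echo "http://localhost:$((9990 + offset))/console/index.html"
    fi
}

# CLI commands that secure the management HTTP interface.
# mode: standalone | domain ; host: host.xml entry for domain (assumed "master").
# The interface is switched first and the realm SSL identity added last, so
# the first two commands still travel over the unsecured CLI connection.
emit_ssl_commands() {
    mode="$1"; keystore="$2"; password="$3"; host="${4:-master}"
    case "$mode" in
        standalone)
            prefix="/core-service=management"
            echo "$prefix/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)"
            echo "$prefix/management-interface=http-interface:undefine-attribute(name=socket-binding)"
            ;;
        domain)
            prefix="/host=$host/core-service=management"
            echo "$prefix/management-interface=http-interface:write-attribute(name=secure-port,value=9443)"
            echo "$prefix/management-interface=http-interface:undefine-attribute(name=port)"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
    echo "$prefix/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=$keystore,keystore-password=\"$password\")"
}

# Self-signed server keystore via keytool (assumed alias/DN); a CA-signed
# certificate would be used in production.
make_keystore() {
    keystore="$1"; password="$2"
    keytool -genkeypair -alias jboss -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$keystore" -storepass "$password" -keypass "$password" \
        -dname "CN=localhost"
}

# Hypothetical driver: only runs against a real installation (JBOSS_HOME set).
if [ -n "${JBOSS_HOME:-}" ] && [ -x "$JBOSS_HOME/bin/jboss-cli.sh" ]; then
    ks="$JBOSS_HOME/standalone/configuration/ssl.keystore"
    make_keystore "$ks" changeit
    emit_ssl_commands standalone "$ks" changeit > /tmp/secure-mgmt.cli
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file=/tmp/secure-mgmt.cli
    echo "restart the server, then open: $(mgmt_console_url yes 0)"
fi
```

With a port offset of 100 the console ends up at https://localhost:9543, which is what the shortcut and the post-install browser launch have to target; for a domain the same three commands are applied under /host=master, and the DC-HC truststore issue from comment [1] still applies.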
As per the decision in https://bugzilla.redhat.com/show_bug.cgi?id=1025340, these enhancements are postponed to 6.3.0+ releases (barring explicit requests.) Thanks for the information Petr, this is a worthy feature to add to the installer.
Moving to NEW as a part of CLOSED/DEFERRED bz cleanup.
Tom, I noticed that the JBoss administration (domain) shortcut doesn't work once SSL is configured. It tries to connect to the admin console on the default unsecured address.
Hi Petr, I've made the changes to have the shortcuts point to the correct address if ssl is enabled.
Hi Ahmed, I ran into another case: on the Server Launch screen, choose to start the standalone server and launch the browser after startup, configure SSL and finish the installation. The browser is opened on http://localhost:9990/console/index.html
Hi Petr, This issue should be resolved. The installer should have the correct management port depending on whether ssl is enabled or if there is a port offset applied.
Verified on EAP 6.4.0.DR12 installer.