Bug 1024789 - Add option to configure the Management Console for HTTPS with SSL
Add option to configure the Management Console for HTTPS with SSL
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Installer (Show other bugs)
6.2.0
Unspecified Unspecified
unspecified Severity medium
: DR12
: EAP 6.4.0
Assigned To: Thomas Hauser
Petr Kremensky
Russell Dickenson
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-30 08:49 EDT by Petr Kremensky
Modified: 2015-10-05 22:43 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-06 10:24:02 EST
Type: Enhancement
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Kremensky 2013-10-30 08:49:15 EDT
Description of problem:
 BZ901180 allow us to add ssl keystore to ManagementRealm. Doing this we secure access to server via CLI. We should also offer user to secure access to server via Management console.

Version-Release number of selected component (if applicable):
 Eap 6.2.0.ER6

Actual results:
 'Add SSL keystore to management interface' option can secure only access via CLI now.

Expected results:
 User has option (just some simple checkbox should work) to secure also access via Management Console.

Additional info:
All we need to do is to update CLI commands once user choose to secure also management console. (standalone)
- add https into management http-interfaces
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
- remove http from management http-interfaces
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

Management console will now listen on https://localhost:9443

generate keystore: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Generate_a_SSL_Encryption_Key_and_Certificate.html

configure ssl for https: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Configure_the_Management_Console_for_HTTPS_in_Standalone_mode.html

Server needs to be restarted to load ssl keystore, or error message is thrown for both of commands.
Comment 1 Thomas Hauser 2013-11-05 10:30:12 EST
I like the sound of this, I'm just worried about the repercussions / other details for things like domain / host xmls. 

If you can supply the full details of all the changes necessary, I think it may be possible, and worth it to add the feature. The only issue is that CommandContext may block on user input (it does in my case) after applying SSL to it; thus, reconnecting the installer to the server may be difficult. 

I'm leaning towards a NACK if we can't find solutions to these issues in a timely manner.
Comment 2 Petr Kremensky 2013-11-06 03:43:27 EST
Hi Tom,

to solve the problem with blocked CommandContext after applying SSL, I'd suggest to update the http-interface with secured port first and than add SSL to ManagementRealm so the first two commands won't be blocked by SSL (standalone will show ERROR during configuration: "A secure port has been specified for the HTTP interface but no SSL configuration in the realm.", but we can ignore this). 

Commnads for standalone are:
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)
/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=/home/pkremens/ssl.keystore,keystore-password="password")

Commands for domain are:
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=9443) 
/host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)
/host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=/home/pkremens/ssl.keystore,keystore-password="password")

However there are few thigs we must be aware of:
 - Web console will now listen on secure port https://localhost:9443 not on default http://localhost:9990
   - We must fixt target for shortcuts. 
   - If user decide to Launch browser during installation on server start panel it must also points to https://localhost:9443.
 - Secure http port could be changed during port-offset settings, we must take this into account.

SSL is quite complicated in domain. ManagementRealm is used for DC-HC authentication, so once we secure ManagementRealm with ssl, other hosts will unable to connect to domain unless they have configured truststore to be able to authenticate request for joining the domain from DC (see [1]). I'd stick to configure only standalone and host.xml for now, and leave other domain features to BZ1025340.

I agree that this is quite comlicated feature and we must be aware that next release is CR, so I would be OK if you decide to NACK this and postpone to 6.3.0+ release.

Petr

[1] - http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/Using_2-way_SSL_for_the_Management_interface_and_the_CLI.html
Comment 3 Thomas Hauser 2013-11-06 10:24:02 EST
As per the decision in https://bugzilla.redhat.com/show_bug.cgi?id=1025340, these enhancements are postponed to 6.3.0+ releases (barring explicit requests.)

Thanks for the information Petr, this is a worthy feature to add to the installer.
Comment 5 Petr Kremensky 2014-05-22 02:10:16 EDT
Moving to NEW as a part of CLOSED/DEFERRED bz cleanup.
Comment 9 Petr Kremensky 2014-10-27 08:35:39 EDT
Tom, 
I noticed that JBoss administration (domain) shortcut doesn't work once SSL is configured. It tries to connect to admin console on default unsecured address.
Comment 10 Ahmed Abu Lawi 2014-11-04 16:11:27 EST
Hi Petr,

I've made the changes to have the shortcuts point to the correct address if ssl is enabled.
Comment 11 Petr Kremensky 2014-11-14 09:57:25 EST
Hi Ahmed,
I run into another case:
on Server Launch screen choose to start standalone server and launch browser after startup, configure SSL and finish the installation.

Browser is opened on http://localhost:9990/console/index.html
Comment 12 Ahmed Abu Lawi 2014-11-20 16:20:01 EST
Hi Petr,

This issue should be resolved. The installer should have the correct management port depending on whether ssl is enabled or if there is a port offset applied.
Comment 13 Petr Kremensky 2014-12-08 08:48:30 EST
Verified on EAP 6.4.0.DR12 installer.

Note You need to log in before you can comment on or make changes to this bug.