Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

10.10. Using 2-way SSL for the Management interface and the CLI

In this topic the following conventions are used:

HOST1
The JBoss server hostname. For example; jboss.redhat.com
HOST2
A suitable name for the client. For example: myclient. Note this is not necessarily an actual hostname.
CA_HOST1
The DN (distinguished name) to use for the HOST1 certificate. For example cn=jboss,dc=redhat,dc=com.
CA_HOST2
The DN (distinguished name) to use for the HOST2 certificate. For example cn=myclient,dc=redhat,dc=com.

Procedure 10.4. 

  1. Generate the stores: 
    keytool -genkeypair -alias HOST1_alias -keyalg RSA -keysize 1024 -validity 365 -keystore host1.keystore.jks -dname "CA_HOST1" -keypass secret -storepass secret
    Copy to Clipboard Toggle word wrap 
    keytool -genkeypair -alias HOST2_alias -keyalg RSA -keysize 1024 -validity 365 -keystore host2.keystore.jks -dname "CA_HOST2" -keypass secret -storepass secret
    Copy to Clipboard Toggle word wrap
  2. Export the certificates: 
    keytool -exportcert  -keystore HOST1.keystore.jks -alias HOST1_alias -keypass secret -storepass secret -file HOST1.cer
    Copy to Clipboard Toggle word wrap 
    keytool -exportcert  -keystore HOST2.keystore.jks -alias HOST2_alias -keypass secret -storepass secret -file HOST2.cer
    Copy to Clipboard Toggle word wrap
  3. Import the certificates into the opposing trust stores: 
    keytool -importcert -keystore HOST1.truststore.jks -storepass secret -alias HOST2_alias -trustcacerts -file HOST2.cer
    Copy to Clipboard Toggle word wrap 
    keytool -importcert -keystore HOST2.truststore.jks -storepass secret -alias HOST1_alias -trustcacerts -file HOST1.cer
    Copy to Clipboard Toggle word wrap
  4. Define a CertificateRealm in the configuration for your installation (host.xml or standalone.xml) and point the interface to it:
    This can be done by manually editing the configuration file (not recommended) or by using the following commands: 
    /core-service=management/security-realm=CertificateRealm:add()
    Copy to Clipboard Toggle word wrap 
    /core-service=management/security-realm=CertificateRealm:add/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks,keystore-password=secret, alias=HOST1_alias)
    Copy to Clipboard Toggle word wrap 
    /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path=/path/to/HOST1.truststore.jks,keystore-password=secret)
    Copy to Clipboard Toggle word wrap
  5. Edit the JBOSS_HOME/bin/jboss-cli.xml and add the SSL configuration (using the appropriate values for the variables): 
    <ssl>
  <alias>$HOST2alias</alias>
  <key-store>/path/to/HOST2.keystore.jks</key-store>
  <key-store-password>secret</key-store-password>
  <trust-store>/path/to/HOST2.truststore.jks</trust-store>
  <trust-store-password>secret</trust-store-password>
  <modify-trust-store>true</modify-trust-store>
</ssl>
    Copy to Clipboard Toggle word wrap
Report a bug
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat