5.3. Encrypting the Connection to the Management Console Server
| Revision History | |
|---|---|
| 11/28/12 | |
| Updated to use fabric configuration | |
Abstract
By default the connection to the management console server is unencrypted. To use a secure connection you must configure it to use HTTPS.
Overview
Out of the box the management console is configured to use an unencrypted connection. This makes it easy to demo and use in testing environments. However, it is not suitable for use in production environments.
To enable HTTPS, you need to create and install X.509 certificates and keys for the console. You must also enable the management console to use HTTPS.
Creating certificates
Before you can enable SSL, you must create an X.509 certificate and private key for the console. The certificate and private key must be in Java keystore format.
Installing the certificates
The recommended location to install the certificates for the console is in the management console's
etc/certs folder. You can, however, store the certificates in any folder from which the container can access them.
Note
You will need the location to configure the management console.
Enabling HTTPS
The management console's HTTP port is configured using the
org.ops4j.pax.web PID. To enable HTTPS, you will need to change the properties in that PID for the container in which the management console is running. You can do this is to update the fmc profile deployed to the container. Alternatively, you could create a separate profile to configure the HTTP port.
To enable HTTPS by modifying the
fmc profile:
- Open a command console connected to one of the container in the fabric.
- Disable the insecure HTTP port setting the org.osgi.service.http.enabled property to
falseas shown in Example 5.4, “Disabling the HTTP Port”.Example 5.4. Disabling the HTTP Port
fabric:profile-edit -p org.ops4j.pax.web/org.osgi.service.http.enabled=false fmc
- Enable the secure HTTPS port by setting the org.osgi.service.http.secure.enabled property to true as shown in Example 5.5, “Property for Enabling the HTTPS Port”.
Example 5.5. Property for Enabling the HTTPS Port
fabric:profile-edit -p org.ops4j.pax.web/org.osgi.service.http.secure.enabled=true fmc
- Specify the port used for connecting over HTTPS by setting the org.osgi.service.http.port.secure property to an available port as shown in Example 5.6, “Property for Specifying the HTTPS Port”.
Example 5.6. Property for Specifying the HTTPS Port
fabric:profile-edit -p org.ops4j.pax.web/org.osgi.service.http.port.secure=8108 fmc
NoteYou can reuse port 8107. - Configure the keystore used to hold the X.509 certificates.
- Specify the location of the keystore by adding the org.ops4j.pax.web.ssl.keystore property.
- Specify the type of keystore used by adding the org.ops4j.pax.web.ssl.keystore.type property and setting it to
JKS. - Specify the password for unlocking the Java keystore by adding the org.ops4j.pax.web.ssl.password property.
- Specify the password for decrypting the private key by adding the org.ops4j.pax.web.ssl.keypassword property.NoteThis is typically the same as the password used to unlock the keystore.
- Specify if certificate-based client authentication at the server is wanted by adding the org.ops4j.pax.web.ssl.clientauthwanted property.When set to
truethe server will request that the client send an X.509 certificate during the SSL handshake. - Specify if certificate-based client authentication at the server is required by adding the org.ops4j.pax.web.ssl.clientauthneeded property.When set to
truean exception is thrown if the client does not present a valid X.509 certificate during the SSL handshake.
