Chapter 4. Securing the Fuse Console
To secure the Fuse Console on EAP:
Disable the Fuse Console’s proxy servlet when deploying to AWS
If you want to deploy a standalone Fuse application to Amazon Web Services (AWS), you should disable the Fuse Console’s proxy servlet by setting the
hawtio.disableProxy
system property totrue
.NoteWhen you disable the Fuse Console proxy servlet, the Fuse Console’s Connect tab is disabled and you cannot connect to other JVMs from the Fuse Console. If you want to deploy more than one Fuse application on AWS, you must deploy the Fuse Console for each application.
Set HTTPS as the required protocol
You can use the
hawtio.http.strictTransportSecurity
property to require web browsers to use the secure HTTPS protocol to access the Fuse Console. This property specifies that web browsers that try to use HTTP to access the Fuse Console must automatically convert the request to use HTTPS.Use public keys to secure responses
You can use the
hawtio.http.publicKeyPins
property to secure the HTTPS protocol by telling the web browser to associate a specific cryptographic public key with the Fuse Console to decrease the risk of “man-in-the-middle” attacks with forged certificates.
Procedure
Set the
hawtio.http.strictTransportSecurity
and thehawtio.http.publicKeyPins
properties in the system-properties section of the$EAP_HOME/standalone/configuration/standalone*.xml
file as shown in the following example:<property name="hawtio.http.strictTransportSecurity" value="max-age=31536000; includeSubDomains; preload"/> <property name="hawtio.http.publicKeyPins" value="pin-sha256=cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs"; max-age=5184000; includeSubDomains"/>
(For deploying on AWS only) To disable the Fuse Console’s proxy servlet, set the
hawtio.disableProxy
property in the system-properties section of the$EAP_HOME/standalone/configuration/standalone*.xml
file as shown in the following example:<property name="hawtio.disableProxy" value="true"/>
Additional resources
-
For a description of the
hawtio.http.strictTransportSecurity
property’s syntax, see the description page for the HTTP Strict Transport Security (HSTS) response header. -
For a description of the
hawtio.http.publicKeyPins
property’s syntax, including instructions on how to extract the Base64 encoded public key, see the description page for the HTTP Public Key Pinning response header.