Chapter 2. Securing the Fuse Console
You can implement any or all of the following security features to secure Fuse containers for standalone deployments:
2.1. Set HTTPS as the required protocol
You can use the hawtio.http.strictTransportSecurity property to require web browsers to use the secure HTTPS protocol to access the Fuse Console. This property specifies that web browsers that try to use HTTP to access the Fuse Console must automatically convert the request to use HTTPS.
For a description of the property’s syntax, see the description page for the HTTP Strict Transport Security (HSTS) response header.
Set the hawtio.http.strictTransportSecurity property as shown in the following examples:
For Karaf standalone:
Set this property in the
$KARAF_HOME/etc/system.propertiesfile as shown in the following example:hawtio.http.strictTransportSecurity = max-age=31536000; includeSubDomains; preload
For JBoss EAP standalone:
Set this property in the system-properties section of the
$EAP_HOME/standalone/configuration/standalone*.xmlfile as shown in the following example:<property name="hawtio.http.strictTransportSecurity" value="max-age=31536000; includeSubDomains; preload"/>
For Spring Boot standalone:
Set this property as shown in the following example:
public static void main(String[] args) { System.setProperty("hawtio.http.strictTransportSecurity", "max-age=31536000; includeSubDomains; preload"); SpringApplication.run(YourSpringBootApplication.class, args); }
2.2. Use public keys to secure responses
You can use the hawtio.http.publicKeyPins property to secure the HTTPS protocol by telling the web browser to associate a specific cryptographic public key with the Fuse Console to decrease the risk of “man-in-the-middle” attacks with forged certificates.
For a description of the property’s syntax, including instructions on how to extract the Base64 encoded public key, see the description page for the HTTP Public Key Pinning response header.
Set the hawtio.http.publicKeyPins property as shown in the following examples:
For Karaf standalone:
Set this property in the
$KARAF_HOME/etc/system.propertiesfile as shown in the following example:hawtio.http.publicKeyPins = pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs"; max-age=5184000; includeSubDomains
For JBoss EAP standalone:
Set this property in the system-properties section of the
$EAP_HOME/standalone/configuration/standalone*.xmlfile as shown in the following example:<property name="hawtio.http.publicKeyPins" value="pin-sha256=cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs"; max-age=5184000; includeSubDomains"/>
For Spring Boot standalone:
Set this property as shown in the following example:
public static void main(String[] args) { System.setProperty("hawtio.http.publicKeyPins", "pin-sha256=cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs"; max-age=5184000; includeSubDomains"); SpringApplication.run(YourSpringBootApplication.class, args); }
2.3. Enable SSL/TLS security (Karaf only)
SSL/TLS security is not enabled by default for the Fuse Console. It is recommended that you enable SSL/TLS security on the Fuse Console to protect username/password credentials from snooping. For detailed instructions on how to enable SSL/TLS security, see the "Enabling SSL/TLS for Undertow in an Apache Karaf container" section in the Apache Karaf Security Guide.
2.4. Red Hat Single Sign On (Karaf)
For information on how to secure the Fuse Console with Red Hat Single Sign-On, see the section on securing the Hawtio administration console in the Red Hat Single Sign-on Securing Applications and Services Guide.
2.5. Control user access (Karaf only)
For this release, role-based access control for the Fuse Console is only enabled for Fuse on Karaf standalone.
The operations that an authenticated user is allowed to perform depend on the role (or roles) assigned to that user, as listed in Table 2.1, “Role-based access on Karaf standalone”.
Ensure that a user has the necessary user role authorization to perform the Fuse Console operations that the user needs to perform.
To set a user role:
-
Open the Red Hat Fuse
etc/users.propertiesfile in an editor. Add an entry for the user name, password, and role.
For example, the following entry in the
etc/users.propertiesfile defines the admin user and grants the admin role.admin = secretpass,admin
- Save the file.
| Operation | admin | manager | viewer |
|---|---|---|---|
| Log in/Log out | Y | Y | Y |
| View Help topics | Y | Y | Y |
| Set user preferences | Y | Y | Y |
| Connect | |||
| Discover and connect to remote integrations | Y | Y | Y |
| Discover and connect to local integrations | Y | Y | Y |
| Camel | |||
| View all running Camel applications | Y | Y | Y |
| Start, suspend, resume, and delete Camel contexts | Y | Y | |
| Send messages | Y | Y | |
| Add endpoints | Y | Y | |
| View routes, route diagrams, and runtime statistics | Y | Y | Y |
| Start and stop routes | Y | Y | |
| Delete routes | Y | Y | |
| JMX | |||
| Change attribute values | Y | Y | |
| Select and view attributes in a time-based chart | Y | Y | Y |
| View operations | Y | Y | Y |
| OSGI | |||
| View bundles, features, packages, services, servers, framework, and configurations | Y | Y | Y |
| Add and delete bundles | Y | Y | |
| Add configurations | Y | Y | |
| Install and uninstall features | Y | ||
| Runtime | |||
| View system properties, metrics, and threads | Y | Y | Y |
| Logs | |||
| View logs | Y | Y | Y |
For more information on role-based access control, see Deploying into Apache Karaf.
