Chapter 3. Securing the Jetty HTTP Server
Abstract
You can configure the built-in Jetty HTTP server to use SSL/TLS security by adding the relevant configuration properties to the
etc/org.ops4j.pax.web.cfg
configuration file. In particular, you can add SSL/TLS security to the Fuse Management Console in this way.
Jetty server
The JBoss Fuse container is pre-configured with a Jetty server, which acts as a general-purpose HTTP server and HTTP servlet container. Through a single HTTP port (by default,
http://Host:8181
), the Jetty container can host multiple services, for example:
- Fuse Management Console (by default,
http://Host:8181/hawtio
) - Apache CXF Web services endpoints (if the host and port are left unspecified in the endpoint configuration)
- Some Apache Camel endpoints
If you use the default Jetty server for all of your HTTP endpoints, you can conveniently add SSL/TLS security to these HTTP endpoints by following the steps described here.
Create X.509 certificate and private key
Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.
Enabling SSL/TLS
To enable SSL/TLS:
- Open
etc/org.ops4j.pax.web.cfg
in a text editor. - Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to
false
; and enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it totrue
. Theetc/org.ops4j.pax.web.cfg
file should now have the following contents:# Configures the SMX Web Console to use SSL org.ops4j.pax.web.config.file=etc/jetty.xml org.osgi.service.http.enabled=false org.osgi.service.http.port=8181 org.osgi.service.http.secure.enabled=true
- Edit the
etc/jetty.xml
file and add the followingCall
element to configure the SSL connector for Jetty:<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting// DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd"> <Configure class="org.eclipse.jetty.server.Server"> <!-- ============================= --> <!-- Set connectors --> <!-- ============================= --> <!-- One of each type! --> <!-- ============================= --> ... <Call name="addConnector"> <Arg> <!-- The SslSelectChannelConnector class uses the Java NIO SslEngine --> <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> <Arg> <New class="org.eclipse.jetty.http.ssl.SslContextFactory"> <!-- Protect against the POODLE security vulnerability --> <Set name="ExcludeProtocols"> <Array type="java.lang.String"> <Item>SSLv3</Item> </Array> </Set> <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set> <Set name="keyStorePassword">mykeystorepass</Set> <Set name="keyManagerPassword">mykeypass</Set> </New> </Arg> <Set name="port">8183</Set> <Set name="maxIdleTime">30000</Set> </New> </Arg> </Call> <Call name="addConnector"> ... </Call> <Call name="addBean"> ... </Call> </Configure>
ImportantThe preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x. - (Optional) If you prefer, you can use a system property to help you specify the location of the Java keystore file. For example, instead of setting the
keyStore
property explicitly (in the precedingetc/jetty.xml
configuration):<Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
You could use thekaraf.home
system property to specify the location of the keystore file relative to the JBoss Fuse install directory:<Set name="keyStore"> <SystemProperty name="karaf.home"/>/etc/jetty.ks </Set>
- Customize the properties of the
SslSocketConnector
instance defined in theetc/jetty.xml
file, as follows:port
- The secure HTTPS port number.
keyStore
- The location of the Java keystore file on the file system. Relative paths are resolved relative to the
KARAF_HOME
environment variable (by default, the install directory). keyStorePassword
- The store password that unlocks the Java keystore file.
keyManagerPassword
- The key password that decrypts the private key stored in the keystore (usually the same as the store password).
- Restart the JBoss Fuse container, in order for the configuration changes to take effect.
Connect to the secure console
After configuring SSL security for the Jetty server in the Pax Web configuration file, you should be able to open the Fuse Management Console by browsing to the following URL:
https://localhost:8183/
Note
Remember to type the
https:
scheme, instead of http:
, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be presented with the login screen for the Fuse Management Console.
Advanced Jetty security configuration
The Jetty server provides flexible and sophisticated options for configuring security. You can exploit these advanced options by editing the
etc/jetty.xml
file and configuring it as described in the Jetty security documentation: