Chapter 4. Configuring SSL Connections for Server-Agent Communication
By default, the JBoss ON server and JBoss ON agents talk to each other in the clear, meaning all communications traffic is unencrypted and no authentication is performed on either end.
Running servers in the clear, particularly since JBoss ON can perform configuration changes on some types of resources, can have security considerations for your network. JBoss ON should only be run without encryption or authentication if JBoss ON is being tested or if all JBoss ON servers and agents are deployed on a fully secured network, with access limited by a firewall or VPN and restricted to trusted personnel.
JBoss ON uses SSL/TLS to secure connections between agents and servers in two separate ways:
- Encryption specially encodes the data sent between agents and servers during a session.
- Authentication uses SSL server and client certificates to verify the identity of an agent before it connects to a server, and vice versa.
Note
There is a basic authentication mechanism employed by the server in which it assigns security tokens to its agents which are used to identify and "authenticate" registered agents. This token mechanism should not, however, be considered a strong authentication scheme for the purposes of protecting your JBoss ON network from infiltration.
Setting up encryption is very simple; it only requires enabling the proper transport mechanism between servers and agents. This prevents an attacker from intercepting communications or data between a legitimate JBoss ON server and a legitimate JBoss ON agent, by sniffing data or setting up a man-in-the-middle attack.
Authentication adds another layer of protection by preventing an attacker from installing a "rogue" JBoss ON agent and letting it register itself on the JBoss ON system, so that the rogue agent has access to the network. Although setting up authentication is more complicated than using encryption alone, it is worth the effort to implement for the additional protection, especially if there are vulnerabilities in the network setup.
4.1. Setting up Encryption
All that need to be done to set up encryption is to enable the SSL transport connectors in the JBoss ON server and agent configuration files. There are two transport options for SSL, sslservlet and sslsocket.
The JBoss ON server has a default certificate that it can use for encryption and the agent can generate a self-signed certificate, so it's not necessary to generate or install additional SSL certificates for encryption alone.
- First, enable SSL encryption on the JBoss ON server.
- Shut down the JBoss ON server.
serverRoot/jon-server-3.3.0.GA/bin/rhqctl.sh stop
- Open the
serverRoot/jon-server-3.3.0.GA/bin/rhq-server.properties
file for the JBoss ON server. - Edit the rhq.communications.connector.* settings to use SSL. To use the sslsocket transport method, which is recommended for authentication, update the rhq.communications.connector.transport method, set the port number to use for the socket, and remove the servlet specified in the transport parameters setting.
rhq.communications.connector.transport=sslsocket
rhq.communications.connector.bind-address=rhq.communications.connector.bind-port=55555
rhq.communications.connector.transport-params=To use the sslservlet transport method, all that's necessary is to change the rhq.communications.connector.transport method.rhq.communications.connector.transport=sslservlet
rhq.communications.connector.bind-address= rhq.communications.connector.bind-port= rhq.communications.connector.transport-params=/jboss-remoting-servlet-invoker/ServerInvokerServlet - For setting encryption alone, make sure that certificate-based authentication is disabled:
rhq.server.tomcat.security.client-auth-mode=false rhq.server.client.security.server-auth-mode-enabled=false
- Optionally, define the secure protocol to use. The default is TLS (which is usually fine), but you can set it to SSL.
rhq.server.tomcat.security.secure-socket-protocol=TLSv1,TLSv1.1,TLSv1.2 rhq.server.client.security.secure-socket-protocol=TLS
- Save the changes, and restart the JBoss ON server.
serverRoot/jon-server-3.3.0.GA/bin/rhqctl start
- Verify that the end point address and port number given in the configuration are actually the settings set for the server in JBoss ON.
- Click the Administration tab in the top menu.
- In the Topology box on the left, select the Servers item.
- Check the port number in the Secure Port column.
- If the value is wrong, click the name of the server to open the edit page.
- Click the Edit under the server information, and reset the end point address or port as necessary.
- Then, enable SSL encryption in the agent.NoteThis shows how to edit the agent configuration by editing the agent configuration file. The agent configuration can also be edited by going through the advanced setup mode in the agent start script:
agentRoot/rhq-agent/bin/rhq-agent.sh --cleanconfig --setup --advanced
- Open the agent configuration file:
vim agentRoot/rhq-agent/conf/agent-configuration.xml
- Change the transport protocol to sslsocket.
<entry key="rhq.communications.connector.transport"
value="sslsocket"
/> - Set the appropriate server connection information so that it matches the configuration for the server. The following configuration would allow the agent to connect to a JBoss ON server on server.example.com port 55555 using sslsocket.
<entry key="rhq.agent.server.transport" value="sslsocket" /> <entry key="rhq.agent.server.bind-port" value="55555" /> <entry key="rhq.agent.server.bind-address" value="server.example.com" /> <entry key="rhq.agent.server.transport-params" value="" />
If using sslservlet, the configuration may look like:<entry key="rhq.agent.server.transport" value="sslservlet" /> <entry key="rhq.agent.server.bind-port" value="7443" /> <entry key="rhq.agent.server.bind-address" value="server.example.com" /> <entry key="rhq.agent.server.transport-params" value="/jboss-remoting-servlet-invoker/ServerInvokerServlet" />
- For setting encryption alone, ensure that certificate-based authentication is disabled. These parameters can be left commented out or can be explicitly set to turn off authentication.
<entry key="rhq.communications.connector.security.client-auth-mode"
value="none"
/> <entry key="rhq.agent.client.security.server-auth-mode-enabled"value="false"
/> - Optionally, define additional protocol settings for the agent. This is necessary if the server is configured to use transport protocols other than TLS.
<entry key="rhq.communications.connector.security.secure-socket-protocol" value="TLS" /> <entry key="rhq.agent.client.security.secure-socket-protocol" value="TLS" />
- Exit the agent and restart it, using the
--cleanconfig
option to load the new configuration.agentRoot/rhq-agent/bin/rhq-agent.sh --cleanconfig