Red Hat SummitFuse 6 is no longer supported
As of February 2025, Red Hat Fuse 6 is no longer supported. If you are using Fuse 6, please upgrade to Red Hat build of Apache Camel.Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 3. Securing the Web Console
Abstract
You can configure the Red Hat JBoss Fuse Web console to use SSL/TLS security by adding the relevant configuration properties to the
etc/org.ops4j.pax.web.cfg configuration file.
Prerequisites
Copier lienLien copié sur presse-papiers!
The Red Hat JBoss Fuse Web console is not enabled by default. You can install the web console feature into OSGi by entering the following console command:
JBossFuse:karaf@root> features:install webconsole
JBossFuse:karaf@root> features:install webconsoleCreate X.509 certificate and private key
Copier lienLien copié sur presse-papiers!
Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.
If you want to run a quick demonstration of SSL/TLS security, you could use a demonstration certificate from one of the examples (see the section called “Install sample keystore files”).
Enabling SSL/TLS
Copier lienLien copié sur presse-papiers!
To enable SSL/TLS:
- Open
etc/org.ops4j.pax.web.cfgin a text editor. - Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false as shown in Example 3.1, “Pax Web Property for Disabling the HTTP Port”.
Example 3.1. Pax Web Property for Disabling the HTTP Port
org.osgi.service.http.enabled=false
org.osgi.service.http.enabled=falseCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to
trueas shown in Example 3.2, “Pax Web Property for Enabling the HTTPS Port”.Example 3.2. Pax Web Property for Enabling the HTTPS Port
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.secure.enabled=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Specify the port used for connecting over HTTPS by adding the org.osgi.service.http.port.secure and setting it to an available port as shown in Example 3.3, “Pax Web Property for Enabling the HTTPS Port”.
Example 3.3. Pax Web Property for Enabling the HTTPS Port
org.osgi.service.http.port.secure=8183
org.osgi.service.http.port.secure=8183Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Configure the keystore used to hold the X.509 certificates.
- Specify the location of the keystore by adding the org.ops4j.pax.web.ssl.keystore.
- Specify the type of keystore used by adding the org.ops4j.pax.web.ssl.keystore.type and setting it to
JKS. - Specify the password for unlocking the Java keystore by adding the org.ops4j.pax.web.ssl.password property.
- Specify the password for decrypting the private key by adding the org.ops4j.pax.web.ssl.keypassword property.NoteThis is typically the same as the password used to unlock the keystore.
- Specify if certificate-based client authentication at the server is wanted by adding the org.ops4j.pax.web.ssl.clientauthwanted property.When set to
truethe server will request that the client send an X.509 certificate during the SSL handshake. - Specify if certificate-based client authentication at the server is required by adding the org.ops4j.pax.web.ssl.clientauthneeded property.When set to
truean exception is thrown if the client does not present a valid X.509 certificate during the SSL handshake.
Example
Copier lienLien copié sur presse-papiers!
Example 3.4, “Configuration for Web Console to use SSL” shows the Pax Web configuration for a server whose X.509 certificate and private key are in the keystore
cherry.jks. The keystore has the store password password and the key password password.
Example 3.4. Configuration for Web Console to use SSL
SSL configuration properties
Copier lienLien copié sur presse-papiers!
The following configuration properties are used to configure SSL/TLS:
org.ops4j.pax.web.ssl.keystore- The location of the Java keystore file on the file system. Relative paths are resolved relative to the
KARAF_HOMEenvironment variable (by default, the install directory). org.ops4j.pax.web.ssl.keystore.type- The implementation of the keystore, which is normally
JKS. (In principle, the JDK allows you to plug in a custom keystore implementation.) org.ops4j.pax.web.ssl.password- The store password that unlocks the Java keystore file.
org.ops4j.pax.web.ssl.keypassword- The key password that decrypts the private key stored in the keystore (usually the same as the store password).
org.ops4j.pax.web.ssl.clientauthwanted- When
true, during the SSL handshake, the secure socket requests the client to send an X.509 certificate. The client is not necessarily obliged to send the certificate, however. org.ops4j.pax.web.ssl.clientauthneeded- When
true, the SSL protocol throws an exception, if the client does not present a valid certificate during the SSL handshake.
Configuration reference
Copier lienLien copié sur presse-papiers!
For the complete list of configuration properties supported by the Web console endpoint, see WebContainerConstants.
Connect to the secure Web console
Copier lienLien copié sur presse-papiers!
After configuring the Web console and installing the
webconsole feature, you should be able to open the Web console by browsing to the following URL:
Note
Remember to type the
https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be prompted to enter a username and a password. Log in with the username
smx and the password smx.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}