Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 3. Securing the Web Console

Abstract

You can configure the Red Hat JBoss A-MQ Web console to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file.

Prerequisites

The Red Hat JBoss A-MQ Web console is not enabled by default. You can install the web console feature into OSGi by entering the following console command: 
JBossFuse:karaf@root> features:install webconsole

Create X.509 certificate and private key

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.
If you want to run a quick demonstration of SSL/TLS security, you could use a demonstration certificate from one of the examples (see ???).

Enabling SSL/TLS

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false as shown in Example 3.1, “Pax Web Property for Disabling the HTTP Port”.

    Example 3.1. Pax Web Property for Disabling the HTTP Port

    org.osgi.service.http.enabled=false
  3. Enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true as shown in Example 3.2, “Pax Web Property for Enabling the HTTPS Port”.

    Example 3.2. Pax Web Property for Enabling the HTTPS Port

    org.osgi.service.http.secure.enabled=true
  4. If you followed the preceding instructions, the etc/org.ops4j.pax.web.cfg file should now have the following contents: 
    # Configures the SMX Web Console to use SSL
org.osgi.service.http.enabled=false
org.osgi.service.http.port=8181

org.osgi.service.http.secure.enabled=true
  5. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty: 
    <?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">

<Configure class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Set connectors                                              -->
    <!-- =========================================================== -->
    <!-- One of each type!                                           -->
    <!-- =========================================================== -->
    ...
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
               <Arg>
                  <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                      <!-- in Fuse 6.0, please replace above FQN with "org.eclipse.jetty.util.ssl.SslContextFactory" -->
                      <Set name="ExcludeProtocols">
                          <Array type="java.lang.String">
                              <Item>SSLv3</Item>
                          </Array>
                      </Set>
                  </New>
               </Arg>
               <Set name="Port">8183</Set>
               <Set name="keystore">/home/jdoe/Documents/server.keystore</Set>
               <Set name="password">mykeystorepass</Set>
               <Set name="keyPassword">mykeypass</Set>
           </New>
        </Arg>
    </Call>
    <Call name="addConnector">
        ...
    </Call>

    <Call name="addBean">
        ...
    </Call>
</Configure>
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  6. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    Port
    The secure HTTPS port number.
    keystore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    password
    The store password that unlocks the Java keystore file.
    keyPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).

Connect to the secure Web console

After configuring the Web console and installing the webconsole feature, you should be able to open the Web console by browsing to the following URL:
https://localhost:8183/system/console
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be prompted to enter a username and a password. Log in with the username smx and the password smx.
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.