Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

このコンテンツは選択した言語では利用できません。

Chapter 3. Securing the Jetty HTTP Server

Abstract

You can configure the built-in Jetty HTTP server to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file. In particular, you can add SSL/TLS security to the Fuse Management Console in this way.

Jetty server
リンクのコピー

The JBoss A-MQ container is pre-configured with a Jetty server, which acts as a general-purpose HTTP server and HTTP servlet container. Through a single HTTP port (by default, http://Host:8181), the Jetty container can host multiple services, for example:
  • Fuse Management Console (by default, http://Host:8181/hawtio)
  • Apache CXF Web services endpoints (if the host and port are left unspecified in the endpoint configuration)
  • Some Apache Camel endpoints
If you use the default Jetty server for all of your HTTP endpoints, you can conveniently add SSL/TLS security to these HTTP endpoints by following the steps described here.

Create X.509 certificate and private key
リンクのコピー

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.

Enabling SSL/TLS
リンクのコピー

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false; and enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true. The etc/org.ops4j.pax.web.cfg file should now have the following contents: 
    # Configures the SMX Web Console to use SSL
org.ops4j.pax.web.config.file=etc/jetty.xml

org.osgi.service.http.enabled=false
org.osgi.service.http.port=8181

org.osgi.service.http.secure.enabled=true
    Copy to Clipboard Toggle word wrap
  3. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty: 
    <?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">

<Configure class="org.eclipse.jetty.server.Server">

    <!-- ============================= -->
    <!-- Set connectors                -->
    <!-- ============================= -->
    <!-- One of each type!             -->
    <!-- ============================= -->
    ...
    <Call name="addConnector">
        <Arg>
            <!-- The SslSelectChannelConnector class uses the Java NIO SslEngine -->
            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <Arg>
                    <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                        <!-- Protect against the POODLE security vulnerability -->
                        <Set name="ExcludeProtocols">
                            <Array type="java.lang.String">
                                <Item>SSLv3</Item>
                            </Array>
                        </Set>
                        <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
                        <Set name="keyStorePassword">mykeystorepass</Set>
                        <Set name="keyManagerPassword">mykeypass</Set>
                    </New>
                </Arg>
                <Set name="port">8183</Set>
                <Set name="maxIdleTime">30000</Set>
            </New>
        </Arg>
    </Call>
    <Call name="addConnector">
        ...
    </Call>

    <Call name="addBean">
        ...
    </Call>
</Configure>
    Copy to Clipboard Toggle word wrap
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  4. (Optional) If you prefer, you can use a system property to help you specify the location of the Java keystore file. For example, instead of setting the keyStore property explicitly (in the preceding etc/jetty.xml configuration): 
    <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
    Copy to Clipboard Toggle word wrap
    You could use the karaf.home system property to specify the location of the keystore file relative to the JBoss A-MQ install directory: 
    <Set name="keyStore">
    <SystemProperty name="karaf.home"/>/etc/jetty.ks
</Set>
    Copy to Clipboard Toggle word wrap
  5. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    port
    The secure HTTPS port number.
    keyStore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    keyStorePassword
    The store password that unlocks the Java keystore file.
    keyManagerPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).
  6. Restart the JBoss A-MQ container, in order for the configuration changes to take effect.

Connect to the secure console
リンクのコピー

After configuring SSL security for the Jetty server in the Pax Web configuration file, you should be able to open the Fuse Management Console by browsing to the following URL: 
https://localhost:8183/
Copy to Clipboard Toggle word wrap
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be presented with the login screen for the Fuse Management Console.

Advanced Jetty security configuration
リンクのコピー

The Jetty server provides flexible and sophisticated options for configuring security. You can exploit these advanced options by editing the etc/jetty.xml file and configuring it as described in the Jetty security documentation:
トップに戻る
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2025 Red Hat