このコンテンツは選択した言語では利用できません。
Chapter 3. Securing the Web Console
Abstract
You can configure the Red Hat JBoss A-MQ Web console to use SSL/TLS security by adding the relevant configuration properties to the
etc/org.ops4j.pax.web.cfg configuration file.
Prerequisites
The Red Hat JBoss A-MQ Web console is not enabled by default. You can install the web console feature into OSGi by entering the following console command:
JBossFuse:karaf@root> features:install webconsole
Create X.509 certificate and private key
Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.
If you want to run a quick demonstration of SSL/TLS security, you could use a demonstration certificate from one of the examples (see ???).
Enabling SSL/TLS
To enable SSL/TLS:
- Open
etc/org.ops4j.pax.web.cfgin a text editor. - Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false as shown in Example 3.1, “Pax Web Property for Disabling the HTTP Port”.
Example 3.1. Pax Web Property for Disabling the HTTP Port
org.osgi.service.http.enabled=false
- Enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to
trueas shown in Example 3.2, “Pax Web Property for Enabling the HTTPS Port”.Example 3.2. Pax Web Property for Enabling the HTTPS Port
org.osgi.service.http.secure.enabled=true
- If you followed the preceding instructions, the
etc/org.ops4j.pax.web.cfgfile should now have the following contents:# Configures the SMX Web Console to use SSL org.osgi.service.http.enabled=false org.osgi.service.http.port=8181 org.osgi.service.http.secure.enabled=true
- Edit the
etc/jetty.xmlfile and add the followingCallelement to configure the SSL connector for Jetty:<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting// DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd"> <Configure class="org.eclipse.jetty.server.Server"> <!-- =========================================================== --> <!-- Set connectors --> <!-- =========================================================== --> <!-- One of each type! --> <!-- =========================================================== --> ... <Call name="addConnector"> <Arg> <New class="org.eclipse.jetty.server.ssl.SslSocketConnector"> <Arg> <New class="org.eclipse.jetty.http.ssl.SslContextFactory"> <!-- in Fuse 6.0, please replace above FQN with "org.eclipse.jetty.util.ssl.SslContextFactory" --> <Set name="ExcludeProtocols"> <Array type="java.lang.String"> <Item>SSLv3</Item> </Array> </Set> </New> </Arg> <Set name="Port">8183</Set> <Set name="keystore">/home/jdoe/Documents/server.keystore</Set> <Set name="password">mykeystorepass</Set> <Set name="keyPassword">mykeypass</Set> </New> </Arg> </Call> <Call name="addConnector"> ... </Call> <Call name="addBean"> ... </Call> </Configure>ImportantThe preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x. - Customize the properties of the
SslSocketConnectorinstance defined in theetc/jetty.xmlfile, as follows:Port- The secure HTTPS port number.
keystore- The location of the Java keystore file on the file system. Relative paths are resolved relative to the
KARAF_HOMEenvironment variable (by default, the install directory). password- The store password that unlocks the Java keystore file.
keyPassword- The key password that decrypts the private key stored in the keystore (usually the same as the store password).
Connect to the secure Web console
After configuring the Web console and installing the
webconsole feature, you should be able to open the Web console by browsing to the following URL:
Note
Remember to type the
https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be prompted to enter a username and a password. Log in with the username
smx and the password smx.
