Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 3. Securing the Jetty HTTP Server

Abstract

You can configure the built-in Jetty HTTP server to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file. In particular, you can add SSL/TLS security to the Fuse Management Console in this way.

Jetty server
링크 복사

The JBoss A-MQ container is pre-configured with a Jetty server, which acts as a general-purpose HTTP server and HTTP servlet container. Through a single HTTP port (by default, http://Host:8181), the Jetty container can host multiple services, for example:
  • Fuse Management Console (by default, http://Host:8181/hawtio)
  • Apache CXF Web services endpoints (if the host and port are left unspecified in the endpoint configuration)
  • Some Apache Camel endpoints
If you use the default Jetty server for all of your HTTP endpoints, you can conveniently add SSL/TLS security to these HTTP endpoints by following the steps described here.

Create X.509 certificate and private key
링크 복사

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.

Enabling SSL/TLS
링크 복사

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false; and enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true. The etc/org.ops4j.pax.web.cfg file should now have the following contents: 
    # Configures the SMX Web Console to use SSL
org.ops4j.pax.web.config.file=etc/jetty.xml

org.osgi.service.http.enabled=false
org.osgi.service.http.port=8181

org.osgi.service.http.secure.enabled=true
    Copy to Clipboard Toggle word wrap
  3. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty: 
    <?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">

<Configure class="org.eclipse.jetty.server.Server">

    <!-- ============================= -->
    <!-- Set connectors                -->
    <!-- ============================= -->
    <!-- One of each type!             -->
    <!-- ============================= -->
    ...
    <Call name="addConnector">
        <Arg>
            <!-- The SslSelectChannelConnector class uses the Java NIO SslEngine -->
            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <Arg>
                    <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                        <!-- Protect against the POODLE security vulnerability -->
                        <Set name="ExcludeProtocols">
                            <Array type="java.lang.String">
                                <Item>SSLv3</Item>
                            </Array>
                        </Set>
                        <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
                        <Set name="keyStorePassword">mykeystorepass</Set>
                        <Set name="keyManagerPassword">mykeypass</Set>
                    </New>
                </Arg>
                <Set name="port">8183</Set>
                <Set name="maxIdleTime">30000</Set>
            </New>
        </Arg>
    </Call>
    <Call name="addConnector">
        ...
    </Call>

    <Call name="addBean">
        ...
    </Call>
</Configure>
    Copy to Clipboard Toggle word wrap
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  4. (Optional) If you prefer, you can use a system property to help you specify the location of the Java keystore file. For example, instead of setting the keyStore property explicitly (in the preceding etc/jetty.xml configuration): 
    <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
    Copy to Clipboard Toggle word wrap
    You could use the karaf.home system property to specify the location of the keystore file relative to the JBoss A-MQ install directory: 
    <Set name="keyStore">
    <SystemProperty name="karaf.home"/>/etc/jetty.ks
</Set>
    Copy to Clipboard Toggle word wrap
  5. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    port
    The secure HTTPS port number.
    keyStore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    keyStorePassword
    The store password that unlocks the Java keystore file.
    keyManagerPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).
  6. Restart the JBoss A-MQ container, in order for the configuration changes to take effect.

Connect to the secure console
링크 복사

After configuring SSL security for the Jetty server in the Pax Web configuration file, you should be able to open the Fuse Management Console by browsing to the following URL: 
https://localhost:8183/
Copy to Clipboard Toggle word wrap
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be presented with the login screen for the Fuse Management Console.

Advanced Jetty security configuration
링크 복사

The Jetty server provides flexible and sophisticated options for configuring security. You can exploit these advanced options by editing the etc/jetty.xml file and configuring it as described in the Jetty security documentation:
맨 위로 이동
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2025 Red Hat