Este conteúdo não está disponível no idioma selecionado.

Chapter 3. Securing the Jetty HTTP Server


Abstract

You can configure the built-in Jetty HTTP server to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file. In particular, you can add SSL/TLS security to the Fuse Management Console in this way.

Jetty server

The JBoss A-MQ container is pre-configured with a Jetty server, which acts as a general-purpose HTTP server and HTTP servlet container. Through a single HTTP port (by default, http://Host:8181), the Jetty container can host multiple services, for example:
  • Fuse Management Console (by default, http://Host:8181/hawtio)
  • Apache CXF Web services endpoints (if the host and port are left unspecified in the endpoint configuration)
  • Some Apache Camel endpoints
If you use the default Jetty server for all of your HTTP endpoints, you can conveniently add SSL/TLS security to these HTTP endpoints by following the steps described here.

Create X.509 certificate and private key

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.

Enabling SSL/TLS

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false; and enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true. The etc/org.ops4j.pax.web.cfg file should now have the following contents:
    # Configures the SMX Web Console to use SSL
    org.ops4j.pax.web.config.file=etc/jetty.xml
    
    org.osgi.service.http.enabled=false
    org.osgi.service.http.port=8181
    
    org.osgi.service.http.secure.enabled=true
  3. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty:
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
    DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
    
    <Configure class="org.eclipse.jetty.server.Server">
    
        <!-- ============================= -->
        <!-- Set connectors                -->
        <!-- ============================= -->
        <!-- One of each type!             -->
        <!-- ============================= -->
        ...
        <Call name="addConnector">
            <Arg>
                <!-- The SslSelectChannelConnector class uses the Java NIO SslEngine -->
                <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                    <Arg>
                        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                            <!-- Protect against the POODLE security vulnerability -->
                            <Set name="ExcludeProtocols">
                                <Array type="java.lang.String">
                                    <Item>SSLv3</Item>
                                </Array>
                            </Set>
                            <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
                            <Set name="keyStorePassword">mykeystorepass</Set>
                            <Set name="keyManagerPassword">mykeypass</Set>
                        </New>
                    </Arg>
                    <Set name="port">8183</Set>
                    <Set name="maxIdleTime">30000</Set>
                </New>
            </Arg>
        </Call>
        <Call name="addConnector">
            ...
        </Call>
    
        <Call name="addBean">
            ...
        </Call>
    </Configure>
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  4. (Optional) If you prefer, you can use a system property to help you specify the location of the Java keystore file. For example, instead of setting the keyStore property explicitly (in the preceding etc/jetty.xml configuration):
    <Set name="keyStore">/home/jdoe/Documents/jetty.ks</Set>
    You could use the karaf.home system property to specify the location of the keystore file relative to the JBoss A-MQ install directory:
    <Set name="keyStore">
        <SystemProperty name="karaf.home"/>/etc/jetty.ks
    </Set>
  5. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    port
    The secure HTTPS port number.
    keyStore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    keyStorePassword
    The store password that unlocks the Java keystore file.
    keyManagerPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).
  6. Restart the JBoss A-MQ container, in order for the configuration changes to take effect.

Connect to the secure console

After configuring SSL security for the Jetty server in the Pax Web configuration file, you should be able to open the Fuse Management Console by browsing to the following URL:
https://localhost:8183/
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be presented with the login screen for the Fuse Management Console.

Advanced Jetty security configuration

The Jetty server provides flexible and sophisticated options for configuring security. You can exploit these advanced options by editing the etc/jetty.xml file and configuring it as described in the Jetty security documentation:
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja oBlog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.