10.10. 对管理接口和 CLI 使用双向 SSL

过程 10.4. 

1. 生成库：

   keytool -genkeypair -alias HOST1_alias -keyalg RSA -keysize 1024 -validity 365 -keystore host1.keystore.jks -dname "CA_HOST1" -keypass secret -storepass secret

   keytool -genkeypair -alias HOST2_alias -keyalg RSA -keysize 1024 -validity 365 -keystore host2.keystore.jks -dname "CA_HOST2" -keypass secret -storepass secret

2. 导出证书：

   keytool -exportcert  -keystore HOST1.keystore.jks -alias HOST1_alias -keypass secret -storepass secret -file HOST1.cer
   

   keytool -exportcert  -keystore HOST2.keystore.jks -alias HOST2_alias -keypass secret -storepass secret -file HOST2.cer
   

3. 将证书导入到对应的信任库：

   keytool -importcert -keystore HOST1.truststore.jks -storepass secret -alias HOST2_alias -trustcacerts -file HOST2.cer
   

   keytool -importcert -keystore HOST2.truststore.jks -storepass secret -alias HOST1_alias -trustcacerts -file HOST1.cer
   

4. 在配置文件（host.xml 或 standalone.xml）里定义一个 CertificateRealm 并让接口指向它：
   这可以通过编辑配置文件文件（我们不推荐这么做）或者使用下列命令来完成：

   /core-service=management/security-realm=CertificateRealm:add()

   /core-service=management/security-realm=CertificateRealm:add/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks,keystore-password=secret, alias=HOST1_alias)

   /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path=/path/to/HOST1.truststore.jks,keystore-password=secret)

5. 编辑 JBOSS_HOME/bin/jboss-cli.xml 并添加 SSL 配置（使用合适的值）：

   <ssl>
     <alias>$HOST2alias</alias>
     <key-store>/path/to/HOST2.keystore.jks</key-store>
     <key-store-password>secret</key-store-password>
     <trust-store>/path/to/HOST2.truststore.jks</trust-store>
     <trust-store-password>secret</trust-store-password>
     <modify-trust-store>true</modify-trust-store>
   </ssl>