此内容没有您所选择的语言版本。

Chapter 3. Securing the Web Console


Abstract

You can configure the Red Hat JBoss A-MQ Web console to use SSL/TLS security by adding the relevant configuration properties to the etc/org.ops4j.pax.web.cfg configuration file.

Prerequisites

The Red Hat JBoss A-MQ Web console is not enabled by default. You can install the web console feature into OSGi by entering the following console command:
JBossFuse:karaf@root> features:install webconsole

Create X.509 certificate and private key

Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Appendix A, Managing Certificates.
If you want to run a quick demonstration of SSL/TLS security, you could use a demonstration certificate from one of the examples (see ???).

Enabling SSL/TLS

To enable SSL/TLS:
  1. Open etc/org.ops4j.pax.web.cfg in a text editor.
  2. Disable the insecure HTTP port by adding the org.osgi.service.http.enabled and setting it to false as shown in Example 3.1, “Pax Web Property for Disabling the HTTP Port”.

    Example 3.1. Pax Web Property for Disabling the HTTP Port

    org.osgi.service.http.enabled=false
  3. Enable the secure HTTPS port by adding the org.osgi.service.http.secure.enabled and setting it to true as shown in Example 3.2, “Pax Web Property for Enabling the HTTPS Port”.

    Example 3.2. Pax Web Property for Enabling the HTTPS Port

    org.osgi.service.http.secure.enabled=true
  4. If you followed the preceding instructions, the etc/org.ops4j.pax.web.cfg file should now have the following contents:
    # Configures the SMX Web Console to use SSL
    org.osgi.service.http.enabled=false
    org.osgi.service.http.port=8181
    
    org.osgi.service.http.secure.enabled=true
  5. Edit the etc/jetty.xml file and add the following Call element to configure the SSL connector for Jetty:
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
    DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
    
    <Configure class="org.eclipse.jetty.server.Server">
    
        <!-- =========================================================== -->
        <!-- Set connectors                                              -->
        <!-- =========================================================== -->
        <!-- One of each type!                                           -->
        <!-- =========================================================== -->
        ...
        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                   <Arg>
                      <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                          <!-- in Fuse 6.0, please replace above FQN with "org.eclipse.jetty.util.ssl.SslContextFactory" -->
                          <Set name="ExcludeProtocols">
                              <Array type="java.lang.String">
                                  <Item>SSLv3</Item>
                              </Array>
                          </Set>
                      </New>
                   </Arg>
                   <Set name="Port">8183</Set>
                   <Set name="keystore">/home/jdoe/Documents/server.keystore</Set>
                   <Set name="password">mykeystorepass</Set>
                   <Set name="keyPassword">mykeypass</Set>
               </New>
            </Arg>
        </Call>
        <Call name="addConnector">
            ...
        </Call>
    
        <Call name="addBean">
            ...
        </Call>
    </Configure>
    Important
    The preceding configuration explicitly disables the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
  6. Customize the properties of the SslSocketConnector instance defined in the etc/jetty.xml file, as follows:
    Port
    The secure HTTPS port number.
    keystore
    The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
    password
    The store password that unlocks the Java keystore file.
    keyPassword
    The key password that decrypts the private key stored in the keystore (usually the same as the store password).

Connect to the secure Web console

After configuring the Web console and installing the webconsole feature, you should be able to open the Web console by browsing to the following URL:
Note
Remember to type the https: scheme, instead of http:, in this URL.
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be prompted to enter a username and a password. Log in with the username smx and the password smx.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.