5.7. Configure the Management Console for HTTPS

Procedure 5.2. 

1. Create a keystore to secure the management console.

   Note

   This keystore must be in JKS format as the management console is not compatible with keystores in JCEKS format.
   In a terminal emulator, enter the following command. For the parameters alias, keypass, keystore, storepass and dname, replace the example values with values of your choice.
   The parameter validity specifies for how many days the key is valid. A value of 730 equals two years.

   keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore EAP_HOME/standalone/configuration/identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

   Copy to Clipboard Toggle word wrap

2. Ensure the Management Console Binds to HTTPS

   • Standalone Mode

     Ensure the management console binds to HTTPS for its interface by adding the management-https configuration and removing the management-http configuration.
     Ensure the JBoss EAP instance is running, then enter the following management CLI commands:

     /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)

     Copy to Clipboard Toggle word wrap

     /core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

     Copy to Clipboard Toggle word wrap
     The expected output from these commands is:

     {"outcome" => "success"}
     

     Copy to Clipboard Toggle word wrap

     Note

     At this point the JBoss EAP log may display the following error message. This is to be expected because the SSL configuration is not yet completed.

     JBAS015103: A secure port has been specified for the HTTP interface but no SSL configuration in the realm.
     

     Copy to Clipboard Toggle word wrap

   • Domain Mode

     Change the socket element within the management-interface section by adding secure-port and removing port configuration.
     Ensure the JBoss EAP instance is running, then enter the following management CLI commands:

     /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port,value=9443)
     /host=master/core-service=management/management-interface=http-interface:undefine-attribute(name=port)

     Copy to Clipboard Toggle word wrap

     Note

     At this point the JBoss EAP log may display the following error message. This is to be expected because the SSL configuration is not yet completed.

     JBAS015103: A secure port has been specified for the HTTP interface but no SSL configuration in the realm.
     

     Copy to Clipboard Toggle word wrap

3. Optional: Custom socket-binding group

   If you are using a custom socket-binding group, ensure the management-https binding is defined (it is present by default, bound to port 9443). Edit the master configuration file - for example standalone.xml - to match the following.

    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
           <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
           <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
           <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
   
   

   Copy to Clipboard Toggle word wrap

4. Create a new Security Realm

   Enter the following commands to create a new security realm named ManagementRealmHTTPS:

   /host=master/core-service=management/security-realm=ManagementRealmHTTPS/:add
   /host=master/core-service=management/security-realm=ManagementRealmHTTPS/authentication=properties/:add(path=ManagementUsers.properties, relative-to=jboss.domain.config.dir)

   Copy to Clipboard Toggle word wrap

5. Configure Management Interface to use the new security realm

   Enter the following commands:

   /host=master/core-service=management/management-interface=http-interface/:write-attribute(name=security-realm,value=ManagementRealmHTTPS)

   Copy to Clipboard Toggle word wrap

6. Configure the management console to use the keystore.

   Enter the following management CLI command. For the parameters file, password and alias their values must be copied from the step Create a keystore to secure the management console.

   /core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl:add(keystore-path=identity.jks,keystore-relative-to=jboss.server.config.dir, keystore-password=password1, alias=appserver)

   Copy to Clipboard Toggle word wrap
   The expected output from this command is:

   {
       "outcome" => "success",
       "response-headers" => {
           "operation-requires-reload" => true,
           "process-state" => "reload-required"
       }
   }

   Copy to Clipboard Toggle word wrap

7. Restart the JBoss EAP server.

   On restarting the server the log should contain the following, just before the text which states the number of services that are started. The management console is now listening on port 9443, which confirms that the procedure was successful.

   14:53:14,720 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015962: Http management interface listening on https://127.0.0.1:9443/management
   14:53:14,721 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015952: Admin console listening on https://127.0.0.1:9443
   

   Copy to Clipboard Toggle word wrap