Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9630

Native management interface ignores SSL/TLS based on Elytron SSL Context when remote protocol is used

XMLWordPrintable

    • Hide

      Using a new native socket-binding-group, you can follow [1] to set management native-interface (instead of http-interface) backed by SSL Context from Elytron.

      • Add socket-binding, ssl-context, native mgmt interface: 
        /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999)

/subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
 
/subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
 
/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
 
/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
 
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)

/core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC)
      • Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c
      Show
      Using a new native socket-binding-group , you can follow [1] to set management native-interface (instead of http-interface ) backed by SSL Context from Elytron. Add socket-binding, ssl-context, native mgmt interface: /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999) /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret}) /subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509") /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true) /core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC) Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c

      Following [1] to set management native-interface backed by SSL Context from Elytron. Using remote protocol, jboss-cli connects to server ignoring a need to have trusted client certificate.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSfortheManagementInterfacesusingtheElytronSubsystem

            kwills@redhat.com Ken Wills
            okotek@redhat.com Ondrej Kotek
            Ondrej Kotek Ondrej Kotek
            Ondrej Kotek Ondrej Kotek
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: