WildFly Core: WFCORE-2548

Native management interface ignores SSL/TLS based on Elytron SSL Context when remote protocol is used



      Using a new native socket-binding, you can follow [1] to set up the management native-interface (instead of the http-interface) backed by an SSL Context from Elytron.

      • Add socket-binding, ssl-context, native mgmt interface:
        /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999)
        
        /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
         
        /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
         
        /subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
         
        /subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
         
        /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)
        
        /core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC)
        
      • Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c

      Following [1] to set up the management native-interface backed by an SSL Context from Elytron, and then connecting with the remote protocol, jboss-cli connects to the server while ignoring the requirement to present a trusted client certificate.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSfortheManagementInterfacesusingtheElytronSubsystem
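The point of the report above is that a successful `jboss-cli --controller=remote://localhost:9999 -c` proves nothing about TLS: the CLI may simply have been given a plaintext connection. The probe below is an added example, not code from the issue or from the WildFly project; it asks the listener itself whether it speaks TLS and whether it completes a handshake without a client certificate. The target `localhost:9999` is the native interface from the reproducer; the fake plaintext listener is constructed here only so the script runs offline; treating any TLS alert as "client certificate rejected" is a heuristic rather than a protocol guarantee. Against a native interface that really is backed by `twoWaySSC` (need-client-auth=true), `probe_tls` with no client certificate should return `rejected`, and `accepted` only when given a certificate chained to `server.truststore.jks`; `no_tls` on that port is the behaviour this issue describes.

```python
"""Probe whether a management listener really enforces TLS and client
certificates on the wire.

Added example, not part of WildFly or of this issue. The default target
(localhost:9999) is the native interface from the reproducer; the fake
plaintext listener below is constructed only so the script can run offline.
Treating any received TLS alert as "client certificate rejected" is a
heuristic, not a protocol guarantee.
"""
import socket
import socketserver
import ssl
import sys
import threading
from typing import Optional, Tuple

TIMEOUT = 3.0  # seconds; a port that never answers the ClientHello is "no_tls"


def tcp_connect(host: str, port: int) -> bool:
    """True if the port accepts a plain TCP connection at all."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False


def probe_tls(host: str, port: int,
              client_cert: Optional[str] = None,
              client_key: Optional[str] = None) -> str:
    """Classify the listener as seen by a TLS client.

    Returns:
      "no_tls"   - the peer does not answer with TLS (plaintext listener or
                   no answer at all): the situation reported in this issue
      "rejected" - TLS is spoken but the server aborted with an alert, as a
                   need-client-auth server does when no client cert is sent
      "accepted" - the handshake completed and the server kept the
                   connection open
    Server certificate verification is disabled on purpose: this probes the
    server's behaviour, it is not a trust decision.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            # wrap_socket() runs the handshake on an already-connected socket.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # With TLS 1.3 a client-certificate rejection only surfaces as
                # an alert on the first read after the handshake, so read once.
                try:
                    tls.recv(1)
                except socket.timeout:
                    pass  # server is idle, waiting for our first message
                return "accepted"
    except ssl.SSLError as err:
        reason = (err.reason or "").upper()
        return "rejected" if "ALERT" in reason else "no_tls"
    except OSError:
        return "no_tls"


class _PlaintextHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a listener whose ssl-context is ignored: it
    accepts the connection, reads whatever arrives (our ClientHello) and
    answers with a non-TLS banner."""

    def handle(self):
        self.request.settimeout(TIMEOUT)
        try:
            self.request.recv(4096)
        except OSError:
            return
        self.request.sendall(b"not a TLS server\r\n")


def start_fake_plaintext_listener() -> Tuple[socketserver.TCPServer, int]:
    """Bind 127.0.0.1 on an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _PlaintextHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def report(host: str, port: int) -> dict:
    """Both probes together, as one would run them against the native port."""
    return {"tcp": tcp_connect(host, port),
            "tls_without_client_cert": probe_tls(host, port)}


if __name__ == "__main__":
    # No arguments: demonstrate against the constructed plaintext listener.
    # With arguments: python probe.py localhost 9999 [client.pem client.key]
    if len(sys.argv) >= 3:
        host, port = sys.argv[1], int(sys.argv[2])
        cert = sys.argv[3] if len(sys.argv) > 3 else None
        key = sys.argv[4] if len(sys.argv) > 4 else None
        print({"tcp": tcp_connect(host, port),
               "tls": probe_tls(host, port, cert, key)})
    else:
        server, port = start_fake_plaintext_listener()
        try:
            print("fake listener:", report("127.0.0.1", port))
        finally:
            server.shutdown()
            server.server_close()
```

Run it twice against the native port: once without a certificate (expect `rejected` when need-client-auth is enforced) and once with the client certificate and key the truststore trusts (expect `accepted`). A `no_tls` result means the listener is answering in plaintext regardless of the configured ssl-context, which is what lets `remote://` in the reproducer connect without a trusted client certificate.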

            People: Ken Wills (kwills@redhat.com), Ondrej Kotek (okotek@redhat.com)