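####################################################################################################
# EAP 7 domain: management-interface SSL between a slave host controller and the
# domain controller, using the Elytron subsystem.
#
# Mixed procedure: host shell commands (keytool, bin/*.sh) followed by jboss-cli
# commands typed into the `bin/jboss-cli.sh -c` session.
# "rjanik.brq.redhat.com" is the slave host's name (presumably as registered in
# host-slave.xml); "master" is the domain controller. Replace both for another box.
# The CLI commands reference the keystores under /tmp, so keytool writes them there
# (the original notes generated them in the working directory, which the CLI would
# not find).
# Credentials (keystore password, mgmtuser password) are stored clear-text in the
# host model via credential-reference={clear-text=...}. They are throwaway lab
# values; for anything that outlives the lab, point credential-reference at a
# credential-store instead.
# RSA key size is 2048: 1024-bit RSA is below current minimums and several JDK
# disabled-algorithm lists refuse or warn on small RSA keys.
####################################################################################################

#################### Two-way SSL configuration (contains proper authentication-context setup):

### create keystores
keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore /tmp/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore /tmp/client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
keytool -exportcert -keystore /tmp/server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
keytool -exportcert -keystore /tmp/client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
# each truststore holds only the peer's self-signed certificate, so each side trusts exactly one peer
keytool -importcert -keystore /tmp/server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer -noprompt
keytool -importcert -keystore /tmp/client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer -noprompt

### add management user (interactive prompts: name: mgmtuser / password: mgmtuser1!)
bin/add-user -dc domain-eap7-632/configuration

### start EAPs (note that the management port for slave needs to be set to something different, if starting on one node)
bin/domain.sh --host-config=host-master.xml -Djboss.domain.base.dir=domain-eap7-632
bin/domain.sh --host-config=host-slave.xml -Djboss.domain.base.dir=domain-eap7-632 -Djboss.domain.master.address=127.0.0.1 -Djboss.management.native.port=19999
bin/jboss-cli.sh -c

### disable autostart servers
/host=rjanik.brq.redhat.com/server-config=server-one:write-attribute(name=auto-start,value=false)
/host=rjanik.brq.redhat.com/server-config=server-two:write-attribute(name=auto-start,value=false)

### add slave authentication context
# The authentication-configuration carries the identity the slave presents to the
# domain controller (mgmtuser in ManagementRealm, DIGEST-MD5 over the management
# connection); the context maps the domain-controller address to that configuration.
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-context=slaveHostSSLContext:add()
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:add()
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=allow-sasl-mechanisms,value=[DIGEST-MD5])
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=authentication-name,value=mgmtuser)
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=realm,value=ManagementRealm)
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=credential-reference,value={clear-text=mgmtuser1!})
# closing ")" was missing in the original notes; the CLI rejects the unbalanced operation
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-context=slaveHostSSLContext:write-attribute(name=match-rules,value=[{match-host=127.0.0.1,authentication-configuration=slaveHostSSLConfiguration}])

### set the domain controller to use the authentication context
/host=rjanik.brq.redhat.com:write-remote-domain-controller(host=127.0.0.1,port=9999,protocol=remote,authentication-context=slaveHostSSLContext)
# the explicit remote domain controller above replaces the static discovery option
/host=rjanik.brq.redhat.com/core-service=discovery-options/static-discovery=primary:remove()

### disable local auth
# server-identity secret is base64("mgmtuser1!") and must match the add-user password
/host=rjanik.brq.redhat.com/core-service=management/security-realm=ManagementRealm/server-identity=secret:write-attribute(name=value,value="bWdtdHVzZXIxIQ==")
# removing the "local" authentication drops the silent same-OS-user login, so every
# management connection to master must present credentials (and, below, a client cert)
/host=master/core-service=management/security-realm=ManagementRealm/authentication=local:remove()
/host=master/core-service=management/security-realm=ApplicationRealm/authentication=local:remove()

### enable ssl on host=master management interface (two-way ssl)
/host=master/subsystem=elytron/key-store=twoWayKS:add(path=/tmp/server.keystore.jks,credential-reference={clear-text=secret},type=JKS)
/host=master/subsystem=elytron/key-store=twoWayTS:add(path=/tmp/server.truststore.jks,credential-reference={clear-text=secret},type=JKS)
/host=master/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
/host=master/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
# need-client-auth=true makes the client certificate mandatory (want-client-auth alone only requests it)
/host=master/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)
/host=master/core-service=management/management-interface=native-interface:write-attribute(name=ssl-context, value=twoWaySSC)

### add keystores to client-side elytron subsystem (two-way ssl)
/host=rjanik.brq.redhat.com/subsystem=elytron/key-store=twoWayKS:add(path=/tmp/client.keystore.jks,credential-reference={clear-text=secret},type=JKS)
/host=rjanik.brq.redhat.com/subsystem=elytron/key-store=twoWayTS:add(path=/tmp/client.truststore.jks,credential-reference={clear-text=secret},type=JKS)
/host=rjanik.brq.redhat.com/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
/host=rjanik.brq.redhat.com/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
/host=rjanik.brq.redhat.com/subsystem=elytron/client-ssl-context=twoWayCSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM)
# rewrite the match rule so the slave also presents its client certificate to 127.0.0.1
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-context=slaveHostSSLContext:write-attribute(name=match-rules,value=[{match-host=127.0.0.1,authentication-configuration=slaveHostSSLConfiguration,ssl-context=twoWayCSC}])

# (the original notes repeated the two "authentication=local:remove()" operations for
#  host=master here under "disable local access"; they were already removed above and
#  the second :remove() fails with a not-found error, so they are not repeated)

### and reload it all
reload --host=rjanik.brq.redhat.com
reload --host=master

####################################################################################################

#################### One-way SSL configuration:

### generate server keystore
keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore /tmp/keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -exportcert -keystore /tmp/keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
keytool -importcert -keystore /tmp/truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer -noprompt

### add management user (interactive prompts: name: mgmtuser / password: mgmtuser1!)
bin/add-user -dc domain-eap7-632/configuration

### start EAPs (note that the management port for slave needs to be set to something different, if starting on one node)
bin/domain.sh --host-config=host-master.xml -Djboss.domain.base.dir=domain-eap7-632
bin/domain.sh --host-config=host-slave.xml -Djboss.domain.base.dir=domain-eap7-632 -Djboss.domain.master.address=127.0.0.1 -Djboss.management.native.port=19999
bin/jboss-cli.sh -c

### disable autostart servers
/host=rjanik.brq.redhat.com/server-config=server-one:write-attribute(name=auto-start,value=false)
/host=rjanik.brq.redhat.com/server-config=server-two:write-attribute(name=auto-start,value=false)

### disable local auth
# server-identity secret is base64("mgmtuser1!") and must match the add-user password
/host=rjanik.brq.redhat.com/core-service=management/security-realm=ManagementRealm/server-identity=secret:write-attribute(name=value,value="bWdtdHVzZXIxIQ==")
/host=master/core-service=management/security-realm=ManagementRealm/authentication=local:remove()
/host=master/core-service=management/security-realm=ApplicationRealm/authentication=local:remove()

### set up elytron references for later
/host=master/subsystem=elytron/key-store=httpsKS:add(path=/tmp/keystore.jks,credential-reference={clear-text=secret},type=JKS)
/host=master/subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
# no trust-managers: the server does not ask the slave for a certificate (one-way)
/host=master/subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=["TLSv1.2"])

### add slave authentication context and truststore to the authentication-context
# Added before write-remote-domain-controller references it (same order as the
# two-way procedure above); the original notes referenced the context first.
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-context=slaveHostSSLContext:add()
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:add()
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=allow-sasl-mechanisms,value=[DIGEST-MD5])
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=authentication-name,value=mgmtuser)
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=realm,value=ManagementRealm)
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-configuration=slaveHostSSLConfiguration:write-attribute(name=credential-reference,value={clear-text=mgmtuser1!})
# the slave only needs to trust the server certificate; it has no key-managers of its own here
/host=rjanik.brq.redhat.com/subsystem=elytron/key-store=oneWayTS:add(path=/tmp/truststore.jks,credential-reference={clear-text=secret},type=JKS)
/host=rjanik.brq.redhat.com/subsystem=elytron/trust-managers=oneWayTM:add(key-store=oneWayTS,algorithm="SunX509")
/host=rjanik.brq.redhat.com/subsystem=elytron/client-ssl-context=oneWayCSC:add(protocols=["TLSv1.2"],trust-managers=oneWayTM)
/host=rjanik.brq.redhat.com/subsystem=elytron/authentication-context=slaveHostSSLContext:write-attribute(name=match-rules,value=[{match-host=127.0.0.1,authentication-configuration=slaveHostSSLConfiguration,ssl-context=oneWayCSC}])

### set the domain controller to use the authentication context
/host=rjanik.brq.redhat.com:write-remote-domain-controller(host=127.0.0.1,port=9999,protocol=remote,authentication-context=slaveHostSSLContext)
/host=rjanik.brq.redhat.com/core-service=discovery-options/static-discovery=primary:remove()

### set up server ssl context for native interface
/host=master/core-service=management/management-interface=native-interface:write-attribute(name=ssl-context,value=httpsSSC)

### and reload it all
reload --host=rjanik.brq.redhat.com
reload --host=master

####################################################################################################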