Hi,

In this demonstration we will see how to configure the Native Management Interface to use SSL. In many production or otherwise secured environments it is desirable to access JBoss through the CLI utility over SSL, so that the communication is encrypted. In this example we will configure JBoss AS 7.1.2 so that we can connect to it through the SSL port 9443 (the management-https socket binding).

Step1). First of all we will create the security certificate with the help of the JDK-provided utility “keytool”, so make sure that the JDK’s bin directory is added to your shell/command prompt’s PATH variable as shown below (we are creating “chap8.keystore” inside the “$JBOSS_HOME/standalone/configuration” directory):

[userone@localhost ~]$ cd /home/userone/jboss-as-7.1.2.Final/standalone/configuration/

[userone@localhost configuration]$ export PATH=/home/userone/MyJdks/jdk1.6.0_21/bin:$PATH

[userone@localhost configuration]$ keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8 -validity 3650 -dname "cn=chapter8 example,ou=admin book,dc=jboss,dc=org"

Step2). Make sure that JBoss AS 7.1.2 is running. In our case we started JBoss AS 7.1.2 with the “standalone-full.xml” profile.

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml

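Step3). Now we will configure the <server-identities> for the ManagementRealm by specifying the SSL information. We will use the following CLI commands to do this. The first command adds the SSL server identity to the ManagementRealm; the second switches the native interface to the management-https socket binding.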

[userone@localhost bin]$ cd /home/userone/jboss-as-7.1.2.Final/bin

[userone@localhost bin]$ ./jboss-cli.sh -c --controller=localhost:9999

[standalone@localhost:9999 /] /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-password="rmi+ssl", keystore-path="chap8.keystore", keystore-relative-to="jboss.server.config.dir", alias="chapter8",protocol="TLSv1")


{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}


[standalone@localhost:9999 /] /core-service=management/management-interface=native-interface/:write-attribute(name=socket-binding,value=management-https)


{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

Once the above CLI commands have executed successfully, you will see the following in your JBoss AS 7.1.2 configuration file “standalone-full.xml”:


    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl protocol="TLSv1">
                        <keystore path="chap8.keystore" relative-to="jboss.server.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-https"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
    </management>

Step4). Now restart JBoss AS 7.1.2 as shown below. The system property -Djavax.net.debug=all gives us more details about the SSL communication; we enable it here only to verify whether the SSL configuration is working properly.

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml  -Djavax.net.debug=all

Step5). Now there is a slight change in the way we connect to JBoss via the CLI: the connection goes through “management-https” (9443). Because the certificate we generated is self-signed, the CLI does not recognise it and asks whether to accept it, as shown below:

[userone@localhost bin]$ ./jboss-cli.sh -c --controller=localhost:9443
Unable to connect due to unrecognised server certificate
Subject    - CN=chapter8 example,OU=admin book,DC=jboss,DC=org
Issuer     - CN=chapter8 example, OU=admin book, DC=jboss, DC=org
Valid From - Sat Sep 15 20:13:01 IST 2012
Valid To   - Tue Sep 13 20:13:01 IST 2022
MD5 : 20:c7:41:56:34:c2:15:49:e3:95:84:ab:19:fc:1f:ca
SHA1 : c9:c0:b4:8b:82:18:6b:3d:35:c3:1e:26:7f:52:e5:8c:ab:93:35:78

Accept certificate? [N]o, [T]emporarily, [P]ermenantly : T
[standalone@localhost:9443 /] 
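
Before answering the prompt above, the SHA1 fingerprint the CLI prints can be compared with the one keytool reports for the keystore entry created in Step1. The following is an added example, not part of the original post: the function names are hypothetical, and the keytool output is a constructed sample that reuses the SHA1 value from the session above.

```shell
#!/bin/sh
# Added example: check the certificate offered to jboss-cli.sh against the
# keystore entry before choosing [T]emporarily or [P]ermenantly.
# On the server, the real keytool input would come from (Step1 values):
#   keytool -list -v -keystore chap8.keystore -storepass rmi+ssl -alias chapter8

# Lower-case a fingerprint and drop colons/whitespace so both formats compare equal.
fp_normalize() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'A-F' 'a-f'
}

# Extract the SHA1 fingerprint from `keytool -list -v` output on stdin.
keytool_sha1() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1
}

# Extract the SHA1 fingerprint from the jboss-cli.sh certificate prompt on stdin.
cli_sha1() {
    sed -n 's/^SHA1[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Succeed only when both fingerprints are non-empty and identical.
fp_match() {
    fp_a=$(fp_normalize "$1")
    fp_b=$(fp_normalize "$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Fingerprint lines as printed by jboss-cli.sh in Step5 of this post.
CLI_PROMPT='MD5 : 20:c7:41:56:34:c2:15:49:e3:95:84:ab:19:fc:1f:ca
SHA1 : c9:c0:b4:8b:82:18:6b:3d:35:c3:1e:26:7f:52:e5:8c:ab:93:35:78'

# Constructed sample of `keytool -list -v` output (upper-case, indented).
KEYTOOL_OUT='Alias name: chapter8
Certificate fingerprints:
     MD5:  20:C7:41:56:34:C2:15:49:E3:95:84:AB:19:FC:1F:CA
     SHA1: C9:C0:B4:8B:82:18:6B:3D:35:C3:1E:26:7F:52:E5:8C:AB:93:35:78
     Signature algorithm name: SHA1withRSA'

if fp_match "$(printf '%s\n' "$CLI_PROMPT" | cli_sha1)" \
            "$(printf '%s\n' "$KEYTOOL_OUT" | keytool_sha1)"; then
    echo "fingerprints match: certificate is the one from chap8.keystore"
else
    echo "fingerprint MISMATCH: answer N at the prompt"
fi
```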

Thanks 🙂
MiddlewareMagic Team
