Hi,

In this demonstration we will see how to access the JBoss Management Console over HTTPS. Many production and other secure environments require this so that communication with the console is SSL-encrypted. In this example we will configure JBoss AS 7.1.2 so that we can connect to the JBoss Management Console via SSL port 9991 (the management-console-https socket binding).

Step1). First of all we will create the security certificate with the JDK-provided utility “keytool”, so make sure that the JDK’s bin directory is added to your shell/command prompt’s PATH variable as follows (we are creating “chap8.keystore” inside the “$JBOSS_HOME/standalone/configuration” directory):

[userone@localhost ~]$ cd /home/userone/jboss-as-7.1.2.Final/standalone/configuration/

[userone@localhost configuration]$ export PATH=/home/userone/MyJdks/jdk1.6.0_21/bin:$PATH

[userone@localhost configuration]$ keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8 -validity 3650 -dname "cn=chapter8 example,ou=admin book,dc=jboss,dc=org"

Step2). Make sure that JBoss AS 7.1.2 is running. In our case we started JBoss AS 7.1.2 with the “standalone-full.xml” profile.

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml

Step3). Now we will configure the <server-identities> for ManagementRealm by specifying the SSL information. We will use the following CLI commands to achieve this:

[userone@localhost bin]$ cd /home/userone/jboss-as-7.1.2.Final/bin

[userone@localhost bin]$ ./jboss-cli.sh -c --controller=localhost:9999
[standalone@localhost:9999 /] /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-password="rmi+ssl", keystore-path="chap8.keystore", keystore-relative-to="jboss.server.config.dir", alias="chapter8",protocol="TLSv1")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}


[standalone@localhost:9999 /] /socket-binding-group=standard-sockets/socket-binding=management-console-https/:add(port=9991,interface=management,fixed-port=false)
{
    "outcome" => "success",
    "response-headers" => {"process-state" => "reload-required"}
}


[standalone@localhost:9999 /] /core-service=management/management-interface=http-interface/:write-attribute(name=secure-socket-binding,value=management-console-https)
{
    "outcome" => "success",
    "response-headers" => {"process-state" => "reload-required"}
}


[standalone@localhost:9999 /] /core-service=management/management-interface=http-interface/:undefine-attribute(name=socket-binding)
{
    "outcome" => "success",
    "response-headers" => {"process-state" => "reload-required"}
}

Once the above CLI commands have executed successfully, you will notice the following in your JBoss AS 7.1.2 configuration file “standalone-full.xml”:


    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl protocol="TLSv1">
                        <keystore path="chap8.keystore" relative-to="jboss.server.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding https="management-console-https"/>
            </http-interface>
        </management-interfaces>
    </management>
    .
    .
    .
    .
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
         .
         .
        <socket-binding name="management-console-https" interface="management" port="9991" fixed-port="false"/>
         .
         .
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>

Step4). Now restart your JBoss AS 7.1.2 as follows:

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml 

Step5). Now try to access the JBoss Management Console with the following URL:

https://localhost:9991/console
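
A check one could run against the saved configuration, as an added example that is not part of the original post or of JBoss itself: it parses the management section and reports whether the HTTP interface still has a plain-HTTP binding, whether its realm has an SSL identity, and whether the SSL settings use a legacy protocol or a literal keystore password. The function names, finding labels, and the abridged sample document (with a constructed namespace) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <management> settings from this post, abridged and
# wrapped in a <server> root with a made-up namespace so it parses on its own.
SAMPLE = """<server xmlns="urn:example:constructed">
  <management>
    <security-realm name="ManagementRealm">
      <server-identities>
        <ssl protocol="TLSv1">
          <keystore path="chap8.keystore" keystore-password="rmi+ssl" alias="chapter8"/>
        </ssl>
      </server-identities>
    </security-realm>
    <http-interface security-realm="ManagementRealm">
      <socket-binding https="management-console-https"/>
    </http-interface>
  </management>
</server>"""

def local(el):
    """Tag name without its XML namespace, so any schema version matches."""
    return el.tag.rsplit("}", 1)[-1]

def audit_management(xml_text):
    """Return a list of finding labels (hypothetical names) for the HTTP management interface."""
    root = ET.fromstring(xml_text)
    by_name = lambda name: [e for e in root.iter() if local(e) == name]
    realms = {r.get("name"): r for r in by_name("security-realm")}
    findings = []
    for iface in by_name("http-interface"):
        bindings = [c for c in iface if local(c) in ("socket-binding", "socket")]
        # standalone files use http=/https=, the domain host.xml uses port=/secure-port=
        if any(b.get("http") or b.get("port") for b in bindings):
            findings.append("plain-http-enabled")
        if not any(b.get("https") or b.get("secure-port") for b in bindings):
            findings.append("no-https-binding")
        realm = realms.get(iface.get("security-realm"))
        ssl = [e for e in realm.iter() if local(e) == "ssl"] if realm is not None else []
        if not ssl:
            findings.append("realm-has-no-ssl-identity")
        for s in ssl:
            if s.get("protocol") in ("SSLv3", "TLSv1", "TLSv1.1"):
                findings.append("legacy-protocol:" + s.get("protocol"))
            for ks in s:
                pw = ks.get("keystore-password", "")
                if pw and not pw.startswith("${"):  # assumption: ${...} means externalised
                    findings.append("plaintext-keystore-password")
    return findings
```

On the configuration shown in this post, the function returns the legacy-protocol and plaintext-keystore-password findings and no binding findings, since the plain `socket-binding` attribute was undefined in Step3.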

Achieving same in Domain Mode

In your “master” host’s “$JBOSS_HOME/domain/configuration/host.xml” you will need to define the tag as follows:

            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl protocol="TLSv1">
                        <keystore path="chap8.keystore" relative-to="jboss.domain.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
            </security-realm>

Alter the “http-interface” as follows in the same “master” host.xml file:

        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket interface="management" secure-port="9991"/>
            </http-interface>
        </management-interfaces>

Or you can use the following command to achieve the same:

/host=master/core-service=management/management-interface=http-interface/:write-attribute(name=secure-port,value=9991)
/host=master/core-service=management/management-interface=http-interface/:undefine-attribute(name=port)

Restart JBoss EAP6 and then check the console output to see whether you find the following:

[Host Controller] 10:00:04,445 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015952: Admin console listening on https://127.0.0.1:9991

Thanks 🙂
MiddlewareMagic Team
