Using 2-way SSL for the Management Interface and JBoss CLI in EAP 6/7
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 6 and 7
Issue
- We want to configure the management interface to use 2-way SSL connections with certificates.
- How do we configure this?
- How can we configure the CLI to connect?
- How to connect to the CLI remotely using SSL?
- Can you please suggest a way to have passwordless/key-based/cert-based authentication with the JBoss CLI, so that we can easily manage deployments through Jenkins and customer health checks, which connect remotely to the JBoss CLI.
Resolution
The setup is straightforward: create a key pair for each side (server and client) and import each side's public certificate into the other side's truststore, so that each side trusts exactly the other's certificate. Start with setting up the required keystores and truststores.
In the commands below, replace:
- $HOST1 : the JBoss EAP server hostname, for example "jboss.redhat.com"
- $HOST2 : a suitable name for the client, for example "client". Note that this is not necessarily an actual hostname.
- $CA_HOST1 : the DN (distinguished name) to use for the $HOST1 certificate, for example "cn=jboss,dc=redhat,dc=com"
- $CA_HOST2 : the DN to use for the $HOST2 certificate, for example "cn=myclient,dc=redhat,dc=com"
"$HOST1alias" and "$HOST2alias" are those values with "alias" appended (for example "jboss.redhat.comalias"); all of these are plain placeholders to substitute by hand, not shell variables.
Step 1: Generate the key stores (use 2048-bit RSA keys; 1024-bit RSA keys are no longer considered adequate):
keytool -genkeypair -alias $HOST1alias -keyalg RSA -keysize 2048 -validity 365 -keystore $HOST1.keystore.jks -dname "$CA_HOST1" -keypass secret -storepass secret
keytool -genkeypair -alias $HOST2alias -keyalg RSA -keysize 2048 -validity 365 -keystore $HOST2.keystore.jks -dname "$CA_HOST2" -keypass secret -storepass secret
Step 2: Export the certificates:
keytool -exportcert -keystore $HOST1.keystore.jks -alias $HOST1alias -storepass secret -file $HOST1.cer
keytool -exportcert -keystore $HOST2.keystore.jks -alias $HOST2alias -storepass secret -file $HOST2.cer
Step 3: Import each certificate into the opposite truststore. The -noprompt option answers keytool's "Trust this certificate?" question, which would otherwise block a scripted run:
keytool -importcert -keystore $HOST1.truststore.jks -storepass secret -alias $HOST2alias -noprompt -file $HOST2.cer
keytool -importcert -keystore $HOST2.truststore.jks -storepass secret -alias $HOST1alias -noprompt -file $HOST1.cer
Only the truststores and the .cer files are exchanged. $HOST1.keystore.jks stays on the server and $HOST2.keystore.jks on the client, because the private key in each is what proves that side's identity; outside of a test setup, replace "secret" with real passwords.
Step 4: Configure JBoss EAP
Using the CLI, run the following commands to add a CertificateRealm and point the native management interface at it. The truststore under authentication is what authenticates the client: a connection is accepted only if the client presents a certificate that is, or is signed by, an entry in that truststore, and the certificate's DN becomes the user name. Make sure to replace "$HOST1" with the value used above.
For domain mode, prefix each command with /host=master (the realm belongs to the host controller, so it ends up in host.xml) and use keystore-relative-to=jboss.domain.config.dir, which is the directory that holds host.xml. The change only takes effect after a reload (":reload", or "/host=master:reload" in domain mode), so run the commands from a CLI session that is already connected before SSL is enforced.
/core-service=management/security-realm=CertificateRealm:add
/core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path="$HOST1.truststore.jks",keystore-password="secret",keystore-relative-to=jboss.server.config.dir)
/core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path="$HOST1.keystore.jks",keystore-password="secret",alias="$HOST1alias",keystore-relative-to=jboss.server.config.dir)
/core-service=management/management-interface=native-interface:write-attribute(name=security-realm,value=CertificateRealm)
Note: the default EAP 7 standalone configuration has no native-interface; the CLI connects through the http-interface (port 9990, or 9993 via the management-https socket binding). On such a server define the realm exactly as above, but set the security-realm attribute and secure-socket-binding=management-https on management-interface=http-interface instead, and connect with --controller=https-remoting://$HOST1:9993.
This will modify "standalone.xml" or "host.xml" (for domain mode) to add the following:
<management>
<security-realms>
...
<security-realm name="CertificateRealm">
<server-identities>
<ssl>
<keystore path="$HOST1.keystore.jks" keystore-password="secret" alias="$HOST1alias" relative-to="jboss.server.config.dir"/>
</ssl>
</server-identities>
<authentication>
<truststore path="$HOST1.truststore.jks" keystore-password="secret" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface security-realm="CertificateRealm">
<socket-binding native="management-native"/>
</native-interface>
...
</management-interfaces>
</management>
In domain mode, the interface section looks like this:
<native-interface security-realm="CertificateRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
</native-interface>
Similarly, edit "$JBOSS_HOME/bin/jboss-cli.xml" on the client and add the SSL configuration inside the top-level <jboss-cli> element. The key-store holds the client's own certificate and private key (this is what replaces the password); the trust-store holds the server certificate imported in Step 3.
Again, replace "$HOST2" with the value used above.
<ssl>
<alias>$HOST2alias</alias>
<key-store>/path/to/$HOST2.keystore.jks</key-store>
<key-store-password>secret</key-store-password>
<trust-store>/path/to/$HOST2.truststore.jks</trust-store>
<trust-store-password>secret</trust-store-password>
<modify-trust-store>true</modify-trust-store>
</ssl>
With modify-trust-store set to true, the CLI prompts to accept and store a server certificate that is not yet in the truststore. For unattended use (Jenkins jobs, health checks) set it to false, so that an unexpected server certificate fails the connection instead of waiting for input. With this in place the CLI authenticates with the client certificate and no password is asked for.
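The whole procedure from Step 1 to Step 4, including the remote connection the questions above ask about, as a POSIX shell script. This is an added example and not part of the original solution; beyond what the article shows it assumes 2048-bit keys, -noprompt for the cross-import, a SAN entry on the server certificate, /host=master and jboss.domain.config.dir for domain mode, the jboss.cli.config system property to select a dedicated jboss-cli.xml for the automation account, and the native interface on its default port 9999. The names jboss.redhat.com, client and the DNs are the article's example values.

```shell
#!/bin/sh
# Added example, not part of the original solution: scripts Steps 1-4 end to end.
# Assumptions beyond the article: 2048-bit keys, -noprompt for the cross-import,
# a SAN on the server cert, /host=master + jboss.domain.config.dir in domain
# mode, the jboss.cli.config system property to pick a dedicated jboss-cli.xml,
# and the native interface on its default port 9999.
set -e

# Steps 1-3: key pair per side, export, cross-import. All files land in $1.
#   $2 = server name ($HOST1)  $3 = client name ($HOST2)
#   $4 = server DN ($CA_HOST1) $5 = client DN ($CA_HOST2)
make_keystores() {
    dir=$1 host1=$2 host2=$3 dn1=$4 dn2=$5
    # -storetype JKS: newer JDKs default to PKCS12, which an older EAP JVM cannot read as JKS.
    # -ext SAN: lets clients that verify host names match the server certificate.
    keytool -genkeypair -alias "${host1}alias" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype JKS -keystore "$dir/$host1.keystore.jks" -dname "$dn1" \
        -ext "SAN=dns:$host1" -keypass secret -storepass secret
    keytool -genkeypair -alias "${host2}alias" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype JKS -keystore "$dir/$host2.keystore.jks" -dname "$dn2" \
        -keypass secret -storepass secret
    keytool -exportcert -keystore "$dir/$host1.keystore.jks" -alias "${host1}alias" \
        -storepass secret -file "$dir/$host1.cer"
    keytool -exportcert -keystore "$dir/$host2.keystore.jks" -alias "${host2}alias" \
        -storepass secret -file "$dir/$host2.cer"
    # -noprompt: importing a self-signed certificate would otherwise stop at
    # "Trust this certificate?". Each truststore gets exactly the other side's cert.
    keytool -importcert -noprompt -storetype JKS -keystore "$dir/$host1.truststore.jks" \
        -storepass secret -alias "${host2}alias" -file "$dir/$host2.cer"
    keytool -importcert -noprompt -storetype JKS -keystore "$dir/$host2.truststore.jks" \
        -storepass secret -alias "${host1}alias" -file "$dir/$host1.cer"
}

# Check that a truststore contains an alias; keytool -list prints "<alias>, <date>, trustedCertEntry,".
# Use it to confirm the server truststore holds the client cert (and nothing else) before going live.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass secret | grep -q "^$2,"
}

# Step 4 as a CLI batch file. $1 = $HOST1, $2 = standalone|domain, $3 = output file.
# Domain mode: the realm belongs to the host controller, so every command is
# prefixed with /host=master and the files are relative to jboss.domain.config.dir.
write_realm_batch() {
    host1=$1 mode=$2 out=$3
    if [ "$mode" = domain ]; then
        prefix=/host=master cfgdir=jboss.domain.config.dir
    else
        prefix= cfgdir=jboss.server.config.dir
    fi
    cat > "$out" <<EOF
batch
$prefix/core-service=management/security-realm=CertificateRealm:add
$prefix/core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path="$host1.truststore.jks",keystore-password="secret",keystore-relative-to=$cfgdir)
$prefix/core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path="$host1.keystore.jks",keystore-password="secret",alias="${host1}alias",keystore-relative-to=$cfgdir)
$prefix/core-service=management/management-interface=native-interface:write-attribute(name=security-realm,value=CertificateRealm)
run-batch
$prefix:reload
EOF
}

# Run CLI commands from a client with its own jboss-cli.xml (the <ssl> block from
# the article) and no password: the client certificate is the credential.
#   $1 = $HOST1, $2 = path to the client's jboss-cli.xml, remaining args go to jboss-cli.sh
cli_connect() {
    host1=$1 cli_xml=$2
    shift 2
    JAVA_OPTS="${JAVA_OPTS:-} -Djboss.cli.config=$cli_xml" \
        "${JBOSS_HOME:?JBOSS_HOME must be set}/bin/jboss-cli.sh" \
        --connect --controller="$host1:9999" "$@"
}

# Example run with the article's values:
#   make_keystores /tmp/ssl jboss.redhat.com client "cn=jboss,dc=redhat,dc=com" "cn=myclient,dc=redhat,dc=com"
#   write_realm_batch jboss.redhat.com standalone /tmp/ssl/realm.cli
#   $JBOSS_HOME/bin/jboss-cli.sh --connect --file=/tmp/ssl/realm.cli   # run before SSL is enforced
#   cli_connect jboss.redhat.com /path/to/jboss-cli.xml --command="deployment-info"
```

For a Jenkins job, give the build account its own jboss-cli.xml (with modify-trust-store set to false) and its own client keystore, and use cli_connect rather than the shared $JBOSS_HOME/bin/jboss-cli.xml; revoking that account is then a matter of removing its certificate from the server truststore.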
Starting with EAP 6.3, the keystore passwords in jboss-cli.xml can be masked by adding a vault section to the SSL settings, for example:
<ssl>
<vault>
<vault-option name="KEYSTORE_URL" value="/path/to/vault.jks"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-2jnUzkgi5BWt0d5OTWFE41"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="saltsalt"/>
<vault-option name="ITERATION_COUNT" value="44"/>
<vault-option name="ENC_FILE_DIR" value="/path/to/vaultdir/"/>
</vault>
<alias>$HOST2alias</alias>
<key-store>/path/to/$HOST2.keystore.jks</key-store>
<key-store-password>${VAULT::admin::keystore::1}</key-store-password>
<trust-store>/path/to/$HOST2.truststore.jks</trust-store>
<trust-store-password>${VAULT::admin::truststore::1}</trust-store-password>
<modify-trust-store>true</modify-trust-store>
</ssl>
More details on using the vault can be found in How to encrypt passwords in my EAP 6 configuration files using vault? Note that the MASK- value is derived from the SALT and ITERATION_COUNT next to it, so anyone who can read jboss-cli.xml and the vault files can recover the passwords; keep those files readable only by the account that runs the CLI.
See also the documentation: Setting up Two-way SSL/TLS for the Management Interfaces.
Note: A related article with further information on "jboss-cli.xml" can be found here
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.