DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Generative AI has transformed nearly every industry. How can you leverage GenAI to improve your productivity and efficiency?

SBOMs are essential to circumventing software supply chain attacks, and they provide visibility into various software components.

Related

  • Evolution of Recommendation Systems: From Legacy Rules Engines to Machine Learning
  • Okta + SAML + JBoss EAP 6.4.x + Picketlink

Trending

  • 10 Predictions Shaping the Future of Web Data Extraction Services
  • Squid Game: The Clean Code Trials — A Java Developer's Survival Story
  • Understanding N-Gram Language Models and Perplexity
  • Evaluating Accuracy in RAG Applications: A Guide to Automated Evaluation
  1. DZone
  2. Coding
  3. Java
  4. Securing JBoss EAP 6 - Implementing SSL

Securing JBoss EAP 6 - Implementing SSL

By 
Arvind Anandam user avatar
Arvind Anandam
·
Aug. 28, 14 · Interview
Likes (0)
Comment
Save
Tweet
Share
11.2K Views

Join the DZone community and get the full member experience.

Join For Free

Security is one of the most important features while running a JBoss server in a production environment. Implementing SSL and securing communications is a must do, to avoid malicious use.

This blogs details the steps you could take to secure JBoss EAP 6 running in Domain mode. These are probably documented by RedHat but the documentation seems a bit scattered. The idea behind this blog is to put together everything in one place.

In Order to enhance security in JBoss EAP 6, SSL/encryption can be implemented for the following

  • Admin console access – enable https access for admin console
  • Domain Controller – Host controller communication – Communication between the main domain controller and all the other host controllers should be secured.
  • Jboss CLI – enable ssl for the command line interface

The below example uses a single keystore being both the key and truststore and also uses CA signed certificates. 

You could use self-signed certificates and/or separated keystores and truststores if required.

  1. Create the keystores (certificates for each of the servers)
      • keytool -genkeypair -alias testServer.prd -keyalg RSA -keysize 2048 -validity 730 -keystore testServer.prd.jks
  2. Generate a certificate signing request (CSR) for the Java keystore
      • keytool -certreq -alias testServer.prd -keystore testServer.prd.jks -file testServer.prd.csr
  3. Get the CSR signed by the Certificate Authorities
  4.  Import a root or intermediate CA certificate to the existing Java keystore
      • keytool -import -trustcacerts -alias root -file rootCA.crt -keystore testServer.prd.jks
  5. Import the signed primary certificate to the existing Java keystore.
      • Keytool -importcert -keystore testServer.prd.jks -trustcacerts -alias testServer.prd -file testServer.prd.crt
  6. Repeat steps 1-6 for each of the servers.

In order to establish trust between the master and slave hosts,

  1. Import the signed certificates of all the (slave) servers that the Domain Controller must trust onto the Domain Controllers Keystore
      • keytool -importcert -keystore testServer.prd.jks  -trustcacerts -alias slaveServer.prd -file slaveServers.prd.crt
      •  repeat step for all slave hosts.
  2. Import the signed certificate of the Domain controller onto the slave hosts
      •  keytool -importcert -keystore slaveServer.prd.jks  -trustcacerts -alias testServer.prd -file testServer.prd.crt
      • repeat steps for all slave hosts

This has be to done because (as per RedHat’s Documentation)

There is a problem with this methodology when trying to configure one way SSL between the servers, because there the HC's and the DC (depending on what action is being performed) switch roles (client, server). Because of this one way SSL configuration will not work and it is recommended that if you need SSL between these two endpoints that you configure two way SSL

Once this is done, we now have signed certificates loaded onto the java keystore.

In Jboss EAP 6 , the http-interface which provides access to the admin console, by default uses the ManagementRealm to provide file based authentication. (mgmt.-users.properties).The next step is to modify the configurations in the host.xml, to make the ManagementRealm use the certificates we created above.

The host.xml should be modified to look like:

view source
print?
01.<management>
02. 
03.        <security-realms>
04. 
05.            <security-realm name="ManagementRealm">
06. 
07.                <server-identities>
08. 
09.                    <ssl protocol="TLSv1">
10. 
11.                         <keystore path="testServer.prd.jks" relative-to="jboss.domain.config.dir" keystore-password="xxxx" alias="testServer.prd"/>
12. 
13.                    </ssl>
14. 
15.                </server-identities>
16. 
17.                <authentication>
18. 
19.                    <truststore path="testServer.prd.jks" relative-to="jboss.domain.config.dir" keystore-password="xxxx"/>
20. 
21.                    <local default-user="$local"/>
22. 
23.                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
24. 
25.                </authentication>
26. 
27.            </security-realm>
28. 
29.<management-interfaces>
30. 
31.            <native-interface security-realm="ManagementRealm">
32. 
33.                <socket interface="management" port="${jboss.management.native.port:9999}"/>
34. 
35.            </native-interface>
36. 
37.            <http-interface security-realm="ManagementRealm">
38. 
39.                <socket interface="management" secure-port="9443"/>
40. 
41.            </http-interface>
42. 
43.        </management-interfaces>

On the Slave hosts, In addition to the above configuration, the following needs to be changed

view source
print?
1.<domain-controller>
2. 
3.   <remote host="testServer" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>"
4. 
5.</domain-controller>

Once you make the above changes and restart the servers, you should be able to access the admin console via https.

https://testServer.prd:9443/console

Finally, in order to secure cli authentication

 Modify /opt/jboss/jboss-eap-6.1/bin/jboss-cli.xml for each server and add

view source
print?
01.<ssl>
02. 
03.       <alias>testServer.prd</alias>
04. 
05.       <key-store>/opt/jboss/jboss-eap-6.1/domain/configuration/testServer.prd.jks</key-store>
06. 
07.       <key-store-password>xxxx </key-store-password>
08. 
09.       <trust-store>/opt/jboss/jboss-eap-6.1/domain/configuration/testServer.prd.jks</trust-store>
10. 
11.       <trust-store-password>xxxx </trust-store-password>
12. 
13.       <modify-trust-store>true</modify-trust-store>
14. 
15.    </ssl>
Enterprise architecture planning JBoss

Published at DZone with permission of Arvind Anandam. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Evolution of Recommendation Systems: From Legacy Rules Engines to Machine Learning
  • Okta + SAML + JBoss EAP 6.4.x + Picketlink

Partner Resources

×

Comments

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • [email protected]

Let's be friends: