5/14/2015 4.2. Setting up Client Authentication Between Servers and Agents
4.2. Setting up Client Authentication Between Servers and Agents

Authentication is the process of verifying something's identity. With certificate-based authentication, an entity has to obtain a certificate file from a trusted source and, when initiating an SSL connection, that certificate is used to identify that entity. This ensures that the only parties involved in an SSL connection are who they claim to be.

To set up certificate-based authentication for JBoss ON, several steps need to be taken. Encryption has to be enabled, certificates have to be issued and stored for the JBoss ON server and agents, and both the server and the agents have to be configured to reject messages from untrusted clients.

SSL authentication for JBoss ON is bi-directional. The agents are configured to authenticate to the server, and then the server is configured to authenticate to the agents.

https://access.redhat.com/documentation/en­US/Red_Hat_JBoss_Operations_Network/3.2/html/Admin_and_Config/JBoss_ON_and_SSL­Authentication.html 1/7

NOTE

It is possible to configure one-way authentication, where only the server or only the agents authenticate. The best security is with bi-directional authentication, which is the configuration described here.

There are two transport methods in JBoss ON that allow SSL connections, sslservlet and sslsocket.

The procedure below uses sslsocket, which allows the default port to be used for GUI connections while a special port is used for server-agent SSL connections.

Using sslservlet leverages the embedded Tomcat server, but this requires GUI users to authenticate to the server with certificates as well as enabling certificate-based authentication for agents. To allow GUI users to keep logging in with their usernames and passwords, set up SSL more or less as outlined below (with some differences in the configuration file settings) and edit the JBoss ON server's Tomcat configuration file (serverRoot/jon-server-3.2.GA/jbossas/server/default/deploy/jboss-web.deployer/se): uncomment the <Connector> section that the file's comments describe as providing a secure but un-authenticated connector for browsers to use, and set the port for them to use.

1.  Enable encryption, as in Section 4.1, “Setting up Encryption”, only make sure that client authentication is not disabled.

2.  SSL socket connections will occur over a user-defined port. If necessary, open the firewall to allow access to that port.

3.  Generate SSL certificates for each JBoss ON server and agent. For example:

keytool -genkey -dname "CN=server1.example.com" -keystore server1-keystore.dat -validity 3650 -alias server1 -keyalg DSA -storetype JKS -keypass secret -storepass secret

This creates a self-signed certificate with the following characteristics:

A common name (CN) value that is the same as the server hostname, server1.example.com. The -dname value must be the same as the hostname because during the initial steps of the SSL connection (the SSL handshake), the client will verify that the identity which was issued the certificate is the same as the one presenting it. Meaning, it will match the hostname in the CN against the hostname of the server or agent presenting the certificate.


A keystore file called server1-keystore.dat

A validity period of 3650 days

An alias of server1

A key algorithm of DSA (for current JVMs, RSA with -keyalg RSA is the better choice, since TLS 1.3 has no DSA cipher suites)

Stored in the JKS format in the keystore

Key and storage passwords of secret

Your organization may have a method already for generating or obtaining certificates. This example uses keytool; other utilities, like certutil, can be used as well. The keytool documentation is available on the Oracle-Sun site at http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html.

4.  Put each self-signed certificate in a single truststore file.

1.  Export the self-signed certificate from each keystore:

keytool -export -keystore server1-keystore.dat -alias server1 -storetype JKS -storepass secret -file server1-cert

2.  Import every certificate into a single truststore file:

keytool -import -keystore truststore.dat -alias server1 -storetype JKS -file server1-cert -noprompt -keypass secret -storepass secret

-alias is the name to give to the imported certificate in the truststore. For convenience, this is the same as the alias of the original keystore file.

IMPORTANT

Import every exported server and agent certificate into the same truststore file.


3.  Verify that all the certificates were successfully imported by using the keytool -list command. The number of entries must equal the number of JBoss ON servers and agents whose certificates were exported.

keytool -list -keystore truststore.dat -storepass secret -storetype JKS

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

server2, Feb 25, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 24:D9:8A:50:BA:1B:26:08:DC:44:A8:2A:
server, Feb 25, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 91:F8:78:15:21:E8:0C:73:EC:B6:3B:1D:

5.  Distribute both the keystore and the truststore files to all the JBoss ON server and agent machines. Make sure to distribute each keystore only to the machine which matches the hostname in its certificate's CN; putting the keystore on the wrong machine will cause SSL connections to fail.

1.  For the server, copy the keystore into the serverRoot/jon-server-3.2.GA/jbossas/server/default/conf/ directory of the JBoss AS instance embedded in the JBoss Operations Network server. Make sure this file is named keystore.dat.

2.  For the server, copy the truststore into the serverRoot/jon-server-3.2.GA/jbossas/server/default/conf/ directory of the server. Make sure this file is named truststore.dat.

3.  For the agent, copy the keystore and the truststore into the agentRoot/rhq-agent/conf directory, as keystore.dat and truststore.dat. Any file in the agentRoot/rhq-agent/conf directory is retained even after an automatic update.

6.  Shut down the JBoss ON server.

serverRoot/jon-server-3.2.GA/bin/rhqctl stop

7.  Open the rhq-server.properties file for the JBoss ON server.

vim serverRoot/jon-server-3.2.GA/bin/rhq-server.properties


8.  Enable client authentication by setting the rhq.communications.connector.security.client-auth-mode parameter to need and the rhq.server.client.security.server-auth-mode-enabled parameter to true.

Set the information about the keystore and truststore files.

All of the configuration for incoming messages (agent-to-server communications) is in the rhq.communications.connector.security.* parameters. The configuration for outgoing messages (server-to-agent communications) is in the rhq.server.client.security.* parameters. The keystore and truststore passwords are stored in clear text in this file, so keep it readable only by the account the server runs as.

# Server-side SSL Security Configuration (for incoming messages from agents)
# These are used when secure transports other than sslservlet are used
rhq.communications.connector.security.secure-socket-protocol=TLS
rhq.communications.connector.security.keystore.file=${jboss.server.home.dir}/conf/keystore.dat
rhq.communications.connector.security.keystore.algorithm=SunX509
rhq.communications.connector.security.keystore.type=JKS
rhq.communications.connector.security.keystore.password=secret
rhq.communications.connector.security.keystore.key-password=secret
rhq.communications.connector.security.keystore.alias=server1
rhq.communications.connector.security.truststore.file=${jboss.server.home.dir}/conf/truststore.dat
rhq.communications.connector.security.truststore.algorithm=SunX509
rhq.communications.connector.security.truststore.type=JKS
rhq.communications.connector.security.truststore.password=secret
rhq.communications.connector.security.client-auth-mode=need

...

# Client-side SSL Security Configuration (for outgoing messages to agents)
rhq.server.client.security.secure-socket-protocol=TLS
rhq.server.client.security.keystore.file=${jboss.server.home.dir}/conf/keystore.dat
rhq.server.client.security.keystore.algorithm=SunX509
rhq.server.client.security.keystore.type=JKS
rhq.server.client.security.keystore.password=secret
rhq.server.client.security.keystore.key-password=secret
# must be the alias the server keystore was generated with (server1 above)
rhq.server.client.security.keystore.alias=server1
rhq.server.client.security.truststore.file=${jboss.server.home.dir}/conf/truststore.dat
rhq.server.client.security.truststore.algorithm=SunX509
rhq.server.client.security.truststore.type=JKS
rhq.server.client.security.truststore.password=secret
rhq.server.client.security.server-auth-mode-enabled=true

9.  Save the file and restart the server.


serverRoot/jon-server-3.2.GA/bin/rhqctl start

10.  In the agent configuration file, uncomment the lines related to secure connections. These are the entries whose keys begin with rhq.communications.connector.security.* (incoming messages, that is server-to-agent connections) and rhq.agent.client.security.* (outgoing messages, that is agent-to-server communications).

Fill in the appropriate values: set client-auth-mode to need and server-auth-mode-enabled to true, give the keystore alias and passwords that were used when this agent's keystore was generated in step 3 (agent1 and secret in this example), and give the password the shared truststore was created with. Leaving client-auth-mode at none or server-auth-mode-enabled at false makes the authentication one-way again.

<entry key="rhq.communications.connector.security.secure-socket-protocol"   value="TLS" />
<entry key="rhq.communications.connector.security.keystore.file"            value="conf/keystore.dat" />
<entry key="rhq.communications.connector.security.keystore.algorithm"       value="SunX509" />
<entry key="rhq.communications.connector.security.keystore.type"            value="JKS" />
<entry key="rhq.communications.connector.security.keystore.password"        value="secret" />
<entry key="rhq.communications.connector.security.keystore.key-password"    value="secret" />
<entry key="rhq.communications.connector.security.keystore.alias"           value="agent1" />
<entry key="rhq.communications.connector.security.truststore.file"          value="conf/truststore.dat" />
<entry key="rhq.communications.connector.security.truststore.algorithm"     value="SunX509" />
<entry key="rhq.communications.connector.security.truststore.type"          value="JKS" />
<entry key="rhq.communications.connector.security.truststore.password"      value="secret" />
<entry key="rhq.communications.connector.security.client-auth-mode"         value="need" />

<entry key="rhq.agent.client.security.secure-socket-protocol"   value="TLS" />
<entry key="rhq.agent.client.security.keystore.file"            value="conf/keystore.dat" />
<entry key="rhq.agent.client.security.keystore.algorithm"       value="SunX509" />
<entry key="rhq.agent.client.security.keystore.type"            value="JKS" />
<entry key="rhq.agent.client.security.keystore.password"        value="secret" />
<entry key="rhq.agent.client.security.keystore.key-password"    value="secret" />
<entry key="rhq.agent.client.security.keystore.alias"           value="agent1" />
<entry key="rhq.agent.client.security.truststore.file"          value="conf/truststore.dat" />
<entry key="rhq.agent.client.security.truststore.algorithm"     value="SunX509" />
<entry key="rhq.agent.client.security.truststore.type"          value="JKS" />
<entry key="rhq.agent.client.security.truststore.password"      value="secret" />
<entry key="rhq.agent.client.security.server-auth-mode-enabled" value="true" />


NOTE

This shows how to edit the agent configuration by editing the agent configuration file directly. The configuration can also be edited by going through the advanced setup mode in the agent start script:

agentRoot/rhq-agent/bin/rhq-agent.sh --cleanconfig --setup --advanced
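The keystore and truststore work of steps 3 to 5 (one keystore per host, one shared truststore, the entry count check, and the rule that a keystore belongs only on the host named in its CN), written as a script. This is an added example, not part of the Red Hat documentation or of JBoss ON. It assumes bash and a JDK keytool on the PATH; the host names, the ./jon-ssl output directory, the JON_STORE_PASS variable and the placeholder password secret are assumptions. It departs from the page's command in two ways, and says so: keytool's current -genkeypair, -exportcert and -importcert spellings are used (the old -genkey, -export and -import names are still accepted as aliases), and the key algorithm is RSA rather than DSA, because TLS 1.3 has no DSA cipher suites.

```shell
#!/usr/bin/env bash
# jon-ssl-stores.sh: one JKS keystore per JBoss ON host plus a single shared
# truststore, then a verification pass (steps 3-5 above). Added example.
# Assumptions: bash, keytool on PATH, RSA keys, placeholder password "secret".
set -eu

JON_SSL_DIR="${JON_SSL_DIR:-./jon-ssl}"
JON_STORE_PASS="${JON_STORE_PASS:-secret}"   # placeholder, as on the page
VALIDITY_DAYS=3650
TRUSTSTORE="${JON_SSL_DIR}/truststore.dat"

# Print the CN of an X.500 distinguished name such as "CN=host,O=Example".
# Assumes no escaped commas inside attribute values. Returns 1 if there is no CN.
dname_cn() {
  local rest="$1," field
  while [ -n "$rest" ]; do
    field="${rest%%,*}"; rest="${rest#*,}"
    field="${field#"${field%%[![:space:]]*}"}"   # strip leading whitespace
    case "$field" in
      CN=*) printf '%s\n' "${field#CN=}"; return 0 ;;
    esac
  done
  return 1
}

# Step 5 preflight: a keystore may only be installed on the host whose name is
# the certificate CN; anywhere else the hostname check in the SSL handshake
# fails. Exit 0 on a match, 1 otherwise.
keystore_matches_host() {
  local cn="$1" target_host="$2"
  [ "$cn" = "$target_host" ]
}

# Short alias for a host: "agent1.example.com" -> "agent1".
alias_for() { printf '%s\n' "${1%%.*}"; }

# Step 3: key pair and self-signed certificate for one host, CN = FQDN.
gen_keystore() {
  local fqdn="$1" alias; alias="$(alias_for "$fqdn")"
  keytool -genkeypair -dname "CN=${fqdn}" \
    -keystore "${JON_SSL_DIR}/${alias}-keystore.dat" -storetype JKS \
    -alias "$alias" -keyalg RSA -keysize 2048 -validity "$VALIDITY_DAYS" \
    -keypass "$JON_STORE_PASS" -storepass "$JON_STORE_PASS"
}

# Step 4: export the self-signed certificate and import it into the one shared
# truststore under the same alias it has in its keystore.
add_to_truststore() {
  local alias; alias="$(alias_for "$1")"
  keytool -exportcert -keystore "${JON_SSL_DIR}/${alias}-keystore.dat" \
    -alias "$alias" -storetype JKS -storepass "$JON_STORE_PASS" \
    -file "${JON_SSL_DIR}/${alias}-cert"
  keytool -importcert -keystore "$TRUSTSTORE" -alias "$alias" -storetype JKS \
    -file "${JON_SSL_DIR}/${alias}-cert" -noprompt -storepass "$JON_STORE_PASS"
}

# Step 4.3: number of trustedCertEntry lines keytool -list reports.
count_trusted_entries() {
  keytool -list -keystore "$TRUSTSTORE" -storetype JKS \
    -storepass "$JON_STORE_PASS" | grep -c 'trustedCertEntry' || true
}

# Build everything for the given hosts (server first, then the agents) and
# refuse to finish unless the truststore holds exactly one entry per host.
build_all() {
  local host n
  mkdir -p "$JON_SSL_DIR"
  for host in "$@"; do gen_keystore "$host"; done
  for host in "$@"; do add_to_truststore "$host"; done
  n="$(count_trusted_entries)"
  if [ "$n" -ne "$#" ]; then
    echo "truststore has $n entries, expected $#" >&2; return 1
  fi
  echo "ok: $n certificates in $TRUSTSTORE"
}

# Usage: ./jon-ssl-stores.sh server1.example.com agent1.example.com ...
[ "$#" -eq 0 ] || build_all "$@"
```

Before copying a keystore to a machine, run keystore_matches_host "$(dname_cn "$dname")" "$(hostname -f)" on that machine; a mismatch is the misplacement step 5 warns about, and the SSL connection would fail later with no hint of why.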
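A check for the settings in steps 8 and 10 that decide whether authentication is really bi-directional, as an added example rather than anything shipped with JBoss ON. It reads rhq-server.properties and the agent's agent-configuration.xml with sed and reports a client-auth-mode other than need, a server-auth-mode-enabled other than true, an empty truststore password, and two sections that point at the same keystore file under different aliases. The sample files written by write_samples are constructed for the example (the "weak" agent file carries the one-way values none, false and an empty truststore password); the file names are assumptions.

```shell
#!/usr/bin/env bash
# jon-ssl-audit.sh: report JBoss ON SSL settings that leave authentication
# one-way. Added example, not part of JBoss ON; the sample files written by
# write_samples are constructed for illustration.
set -eu

# Value of KEY in a Java properties file (key=value lines).
prop() {   # prop FILE KEY
  local re; re="$(printf '%s' "$2" | sed 's/\./\\./g')"
  sed -n "s/^[[:space:]]*${re}=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Value of KEY in the agent's XML preferences file; assumes one <entry> per line.
xml_entry() {   # xml_entry FILE KEY
  local re; re="$(printf '%s' "$2" | sed 's/\./\\./g')"
  sed -n "s/.*<entry key=\"${re}\"[[:space:]]*value=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Audit one side of the link. GET is prop or xml_entry; IN is the prefix for
# incoming connections (rhq.communications.connector.security), OUT the prefix
# for outgoing ones (rhq.server.client.security or rhq.agent.client.security).
# Prints one finding per line and returns 1 if there were any, 0 otherwise.
audit_side() {   # audit_side LABEL GET FILE IN OUT
  local label="$1" get="$2" file="$3" in="$4" out="$5" v a1 a2 p rc=0
  v="$("$get" "$file" "${in}.client-auth-mode")"
  if [ "$v" != need ]; then
    echo "$label: ${in}.client-auth-mode='$v' (want need): incoming peers need not present a certificate"; rc=1
  fi
  v="$("$get" "$file" "${out}.server-auth-mode-enabled")"
  if [ "$v" != true ]; then
    echo "$label: ${out}.server-auth-mode-enabled='$v' (want true): the remote certificate is not checked against the truststore"; rc=1
  fi
  for p in "$in" "$out"; do
    v="$("$get" "$file" "${p}.truststore.password")"
    if [ -z "$v" ]; then
      echo "$label: ${p}.truststore.password is empty: it cannot match the password the truststore was created with"; rc=1
    fi
  done
  # Both sections normally point at the same keystore file; then the alias must match too.
  a1="$("$get" "$file" "${in}.keystore.alias")"; a2="$("$get" "$file" "${out}.keystore.alias")"
  if [ "$("$get" "$file" "${in}.keystore.file")" = "$("$get" "$file" "${out}.keystore.file")" ] \
     && [ "$a1" != "$a2" ]; then
    echo "$label: keystore.alias differs between sections ('$a1' vs '$a2') for the same keystore file"; rc=1
  fi
  return "$rc"
}

audit_server() { audit_side server prop "$1" rhq.communications.connector.security rhq.server.client.security; }
audit_agent()  { audit_side agent xml_entry "$1" rhq.communications.connector.security rhq.agent.client.security; }

# Constructed sample files: a one-way agent configuration, the corrected one,
# and a server file whose two sections name different aliases for one keystore.
write_samples() {   # write_samples DIR
  mkdir -p "$1"
  cat > "$1/agent-weak.xml" <<'EOF'
<entry key="rhq.communications.connector.security.keystore.alias"       value="rhq" />
<entry key="rhq.communications.connector.security.truststore.password"  value="" />
<entry key="rhq.communications.connector.security.client-auth-mode"     value="none" />
<entry key="rhq.agent.client.security.keystore.alias"                   value="rhq" />
<entry key="rhq.agent.client.security.truststore.password"              value="" />
<entry key="rhq.agent.client.security.server-auth-mode-enabled"         value="false" />
EOF
  cat > "$1/agent-fixed.xml" <<'EOF'
<entry key="rhq.communications.connector.security.keystore.alias"       value="agent1" />
<entry key="rhq.communications.connector.security.truststore.password"  value="secret" />
<entry key="rhq.communications.connector.security.client-auth-mode"     value="need" />
<entry key="rhq.agent.client.security.keystore.alias"                   value="agent1" />
<entry key="rhq.agent.client.security.truststore.password"              value="secret" />
<entry key="rhq.agent.client.security.server-auth-mode-enabled"         value="true" />
EOF
  cat > "$1/server-mismatch.properties" <<'EOF'
# same keystore file, two different aliases
rhq.communications.connector.security.keystore.file=${jboss.server.home.dir}/conf/keystore.dat
rhq.communications.connector.security.keystore.alias=server1
rhq.communications.connector.security.truststore.password=secret
rhq.communications.connector.security.client-auth-mode=need
rhq.server.client.security.keystore.file=${jboss.server.home.dir}/conf/keystore.dat
rhq.server.client.security.keystore.alias=myhost
rhq.server.client.security.truststore.password=secret
rhq.server.client.security.server-auth-mode-enabled=true
EOF
}

# Usage: ./jon-ssl-audit.sh server rhq-server.properties
#        ./jon-ssl-audit.sh agent  agent-configuration.xml
if [ "$#" -eq 2 ]; then "audit_$1" "$2"; fi
```

Run it against every server and agent after step 10 and again after any agent update, since a replaced agent-configuration.xml that was not re-edited silently drops back to one-way authentication.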

Copyright © 2015 Red Hat, Inc.