Configuring Two-way SSL on EAP 7
- Configuring Two-way SSL Authentication on EAP 7
- Creating certificates
- Configure Two Way SSL for the management Interface in EAP 7
- Configure https listener for the undertow subsystem on EAP 7 for SSL and enforce client certificate verification
- Configuring the jboss-cli.sh for two-way SSL
- Enforcing HTTPS
Configuring Two-way SSL Authentication on EAP 7
In this example, a single jks file is used as both the keystore and the truststore for both the client and server. It is useful to call attention to this detail, as it would be common to use separate jks files or, in some cases, to simply append the trusted certificates or certificate authority certs into the JRE's truststore.
It is possible to create certificates using other methods (e.g. openssl); however, the java keytool utility is used in this example. Throughout the example, keep in mind that you should replace the parameter values being passed with values that make sense for your environment.
Creating the server certificate
Creating the client certificate
Exporting the client certificate
Exporting the server certificate
Importing the server certificate to the client
Importing the client certificate to the server
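The six keytool steps above as one script. This is an added example, not the article's own commands; the store password, file names, aliases and DNs are placeholders, and each side ends up with a single JKS holding its own key pair plus the peer's certificate as a trusted entry, which is the single-file keystore/truststore layout the article describes.

```shell
#!/bin/sh
# Added example (not from the original article): keytool sequence for two-way SSL.
# Each side keeps ONE JKS that is both keystore (own key pair) and truststore
# (peer certificate). Password, paths, aliases and DNs are placeholders.
set -eu

STOREPASS="${STOREPASS:-changeit}"        # placeholder; use a real secret
SERVER_KS="${SERVER_KS:-server.keystore}"
CLIENT_KS="${CLIENT_KS:-client.keystore}"
SERVER_DN="CN=eap.example.test,OU=Ops,O=Example,C=US"   # placeholder DN
CLIENT_DN="CN=cli-admin,OU=Ops,O=Example,C=US"          # placeholder DN

# Steps 1 and 2: create a self-signed key pair for each side.
gen_keypair() {   # $1=keystore $2=alias $3=dname
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$3" -keystore "$1" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Steps 3 and 4: export a side's own certificate (public part only).
export_cert() {   # $1=keystore $2=alias $3=output .cer
    keytool -exportcert -alias "$2" -keystore "$1" -storepass "$STOREPASS" -file "$3"
}

# Steps 5 and 6: import the peer certificate as a trusted entry into the same JKS.
import_cert() {   # $1=keystore $2=alias $3=input .cer
    keytool -importcert -noprompt -alias "$2" -keystore "$1" \
        -storepass "$STOREPASS" -file "$3"
}

# Returns 0 when the keystore holds its own PrivateKeyEntry and the peer's
# trustedCertEntry, i.e. it can serve as keystore and truststore at once.
has_entries() {   # $1=keystore $2=own alias $3=peer alias
    list=$(keytool -list -keystore "$1" -storepass "$STOREPASS")
    echo "$list" | grep -q "^$2,.*PrivateKeyEntry" &&
        echo "$list" | grep -q "^$3,.*trustedCertEntry"
}

two_way_ssl_setup() {
    gen_keypair "$SERVER_KS" server "$SERVER_DN"
    gen_keypair "$CLIENT_KS" client "$CLIENT_DN"
    export_cert "$SERVER_KS" server server.cer
    export_cert "$CLIENT_KS" client client.cer
    import_cert "$CLIENT_KS" server server.cer   # client now trusts the server
    import_cert "$SERVER_KS" client client.cer   # server now trusts the client
    has_entries "$SERVER_KS" server client && has_entries "$CLIENT_KS" client server
}

if [ "${1:-}" = "run" ]; then two_way_ssl_setup; fi   # sh two-way-ssl.sh run
```

Run it in an empty directory; the two resulting keystores are the files the later management-interface and undertow steps reference.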
Configure Two Way SSL for the management Interface in EAP 7
This step assumes the server keystore generated above has been moved to the following location:
Using the CLI to configure the management interface
Updating the ManagementRealm for SSL
Configure https listener for the undertow subsystem on EAP 7 for SSL and enforce client certificate verification
For simplicity, we will use the ManagementRealm in this step. In practice, you may want to set up a new realm for applications or configure the ApplicationRealm.
Configuring the jboss-cli.sh for two-way SSL
Running the CLI after adding ssl configuration:
Update jboss-cli.xml defaults (Optional)
After changing the defaults, it is possible to run the CLI without additional parameters.
Enforcing HTTPS
Configuring HTTPS does not enforce the use of https. To prevent the possibility of insecure connections, you can do a number of things.
Completely remove the http listener (preferred approach)
To completely remove http as an option, you can remove the undertow http listener and update the references to it. When an appropriate edge proxy (e.g. apache/nginx) is sitting in front of EAP, this configuration typically makes the most sense. If no proxy redirects http to https, this setup may not be ideal, since it would prevent http-to-https redirects.
Add Strict-Transport-Security header
Use servlet api transport guarantee
At the application level, you can also add a CONFIDENTIAL transport guarantee to web.xml.