StackLeader Blog

Post Image
Apr 10, 2017

Configuring Two-way SSL on EAP 7


Configuring Two-way SSL Authentication on EAP 7

two-way_ssl_eap_7

Creating certificates

It is possible to create certificates using other methods (e.g. openssl); however, the java keytool utility is used in this example. Throughout the example, it is important to keep in mind that you should replace the parameter values being passed to be values that makes sense for your environment.

Creating the server certificate

keytool -genkeypair -alias server -keyalg RSA -keystore keystore.jks -keysize 2048 -dname "CN=sslExample,OU=redhat-consulting,O=redhat,L=US,ST=NJ,C=US" -keypass asd56jko -storepass asd56jko

Creating the client certificate

keytool -genkeypair -alias client -keyalg RSA -keystore client_keystore.jks -keysize 2048 -dname "CN=sslExample,OU=redhat-consulting,O=redhat,L=US,ST=NJ,C=US" -keypass asd56jko -storepass asd56jko

Exporting the client certificate

keytool -exportcert -rfc -alias client -file client.cer -keypass asd56jko -keystore client_keystore.jks -storepass asd56jko

Exporting the server certificate

keytool -exportcert -rfc -alias server -file server.cer -keypass asd56jko -keystore keystore.jks -storepass asd56jko

Importing the server certificate to the client

keytool -importcert -alias server -file server.cer -keystore client_keystore.keystore -storepass asd56jko -noprompt

Importing the client certificate to the server

keytool -importcert -alias client -file client.cer -keystore keystore.keystore -storepass asd56jko -noprompt

Asciinema Demo

Configure Two Way SSL for the management Interface in EAP 7

This step assumes the server keystore generated above has been moved to the following location:

$EAP_HOME/ssl/keystore.jks

Using the CLI to configure the management interface

Updating the ManagementRealm for SSL
/core-service=management/security-realm=ManagementRealm/server-identity= \
ssl:add(keystore-path=${jboss.home.dir}/ssl/keystore.jks, keystore-password=asd56jko, \
alias=server)
/core-service=management/security-realm=ManagementRealm/server-identity= \
ssl:add(keystore-path=${jboss.home.dir}/ssl/keystore.jks, keystore-password=asd56jko, \
alias=server)
/core-service=management/management-interface=http-interface:write-attribute( \
name=secure-socket-binding, value=management-https)
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

Resulting XML

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="${jboss.home.dir}/ssl/keystore.jks" keystore-password="asd56jko" alias="server"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

Configure https listener for the undertow subsystem on EAP 7 for SSL

For simplicity, we will use the ManagementRealm in this step. In practice, you may want to setup a new realm for applications or configure the ApplicationRealm.

/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=ManagementRealm, verify-client=REQUIRED)

Configuring the jboss-cli.sh for two-way SSL

Update jboss-cli.xml.

<ssl>
    <alias>client</alias>
    <key-store>../ssl/client_keystore.jks</key-store>
    <key-store-password>asd56jko</key-store-password>
    <key-password>asd56jko</key-password>
    <trust-store>../ssl/client_keystore.jks</trust-store>
    <trust-store-password>asd56jko</trust-store-password>
    <modify-trust-store>false</modify-trust-store>
</ssl>

Running the CLI after adding ssl configuration:

sh jboss-cli.sh -c --controller=https-remoting://localhost:9993

Update jboss-cli.xml defaults (Optional)

<default-controller>
    <protocol>https-remoting</protocol>
    <host>localhost</host>
    <port>9993</port>
</default-controller>

After changing the defaults, it is possible to run the cli without additional parameters. </web-app>

Enforcing HTTPS

Configuring HTTPS does not enforce the use of https. To prevent the possibility of unsecure connections, you can do a number of things.

Completely remove https listener (preferred approach)

To completely remove http as an option, you can remove the undertow http listener and update the references to it. When an edge approapriate proxy is sitting in front of EAP (e.g. apache/nginx), this configuration typically makes the most sense. If there was no proxy redirecting http to https, this setup would not be ideal since it would prevent http redirects to https.

Cli commands

/subsystem=undertow/server=default-server/http-listener=default:remove
/subsystem=undertow/server=default-server/https-listener=default:add(socket-binding="https", security-realm="ManagementRealm", verify-client=REQUIRED)

Enforcing HTTPS without removing http listener

Add Strict-Transport-Security header

/subsystem=undertow/configuration=filter/response-header=hsts-header:add(header-name="Strict-Transport-Security", header-value="max-age=31536000;")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=hsts-header:add()

Use servlet api transport guarantee

Add transport guarantee to web.xml

 <?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
version="3.0"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  ...
  <security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure URLs</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  ...
  </web-app>