Protect the WildFly management interface

Want to protect your WildFly administrative console with HTTPS-only access? See this tech tip. It covers both the web console and jboss-cli.

The first step is to create a self-signed certificate with keytool. Open a terminal, go to the configuration directory (standalone or domain), create a certs directory and cd into it. Modify the parameters below to fit your needs.

keytool -genkey -alias wildfly_mgmt -keyalg RSA -keystore wildfly.jks -storepass admin123 -keypass admin123 -dname "CN=mgmt-connector,OU=jboss,O=jboss,L=Brasilia,S=DF,C=BR"

Now, let's configure WildFly.

Standalone mode

Edit standalone.xml as in the sample below: a server-identities section is added to the ManagementRealm and the http-interface is switched to the HTTPS socket binding.

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="${jboss.server.config.dir}/certs/wildfly.jks" keystore-password="admin123" />
        </ssl>
    </server-identities>
    <!-- keep the realm's existing <authentication> and <authorization> elements here, after server-identities -->
</security-realm>

<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>

Start WildFly in standalone mode and point the browser to https://localhost:9993. It will ask you to trust the self-signed certificate.

jboss-cli.sh must also use the HTTPS protocol; modify jboss-cli.xml as shown below.

<default-protocol use-legacy-override="true">https-remoting</default-protocol>

<!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
<default-controller>
    <protocol>https-remoting</protocol>
    <host>localhost</host>
    <port>9993</port>
</default-controller>

That way, jboss-cli.sh connects to WildFly with no additional parameters on the command line, just ./jboss-cli.sh -c


Domain mode

Domain mode has a slightly different configuration; edit host.xml as below.

<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="${jboss.domain.config.dir}/certs/wildfly.jks" keystore-password="admin123" />
        </ssl>
    </server-identities>
    <!-- keep the realm's existing <authentication> and <authorization> elements here, after server-identities -->
</security-realm>

<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
    </native-interface>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket interface="management" secure-port="${jboss.management.http.port:9993}"/>
    </http-interface>
</management-interfaces>

jboss-cli.xml must be modified as shown above.
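As an added example (not part of the original tip), here is a small Python check that audits a standalone.xml or host.xml for the two changes made in both sections above: the realm used by the http-interface must carry a keystore under server-identities, and the interface must expose only an https/secure-port binding, never a plain http one. The two XML documents embedded below are constructed samples, not taken from a real installation.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a plain-HTTP management interface and the hardened form from this tip.
# Real files carry a versioned urn:jboss:domain namespace, so the checker ignores namespaces.
DEFAULT_XML = """<server xmlns="urn:jboss:domain:2.0"><management>
  <security-realms><security-realm name="ManagementRealm">
    <authentication><local default-user="$local"/></authentication>
  </security-realm></security-realms>
  <management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
</management></server>"""

HARDENED_XML = """<server xmlns="urn:jboss:domain:2.0"><management>
  <security-realms><security-realm name="ManagementRealm">
    <server-identities><ssl><keystore path="certs/wildfly.jks" keystore-password="admin123"/></ssl></server-identities>
    <authentication><local default-user="$local"/></authentication>
  </security-realm></security-realms>
  <management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
      <socket-binding https="management-https"/>
    </http-interface>
  </management-interfaces>
</management></server>"""

def _find_all(root, name):
    """All descendants (root included) whose local tag name is `name`, namespace ignored."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_management_https(xml_text):
    """Return findings for every http-interface; an empty list means HTTPS-only with a keystore."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in _find_all(root, "security-realm")}
    findings = []
    for iface in _find_all(root, "http-interface"):
        realm_name = iface.get("security-realm")
        realm = realms.get(realm_name)
        if realm is None:
            findings.append(f"http-interface references unknown realm {realm_name!r}")
        elif not [k for si in _find_all(realm, "server-identities") for k in _find_all(si, "keystore")]:
            findings.append(f"realm {realm_name!r} has no <server-identities><ssl><keystore> entry")
        # standalone.xml uses <socket-binding http=/https=>, host.xml uses <socket port=/secure-port=>
        sockets = _find_all(iface, "socket-binding") + _find_all(iface, "socket")
        if any(s.get("http") or s.get("port") for s in sockets):
            findings.append("http-interface still exposes a plaintext http binding")
        if not any(s.get("https") or s.get("secure-port") for s in sockets):
            findings.append("http-interface has no https/secure-port binding")
    return findings
```

Run it against a live configuration file with `audit_management_https(open("standalone.xml").read())`; anything it returns is a reason the management console is still reachable over plain HTTP.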

Comment below if this was of some help for you.

One comment

  1. Great tutorial, very straightforward.
    additional hint: If you are using one of the scripts in [WILDFLY_HOME]/bin/init.d/ as startup / shutdown script and for some reason shutdown hangs forever, then it might be necessary to invoke jboss-cli.sh manually once because the jboss-cli.sh script may be waiting for a user to manually accept the certificate permanently – which, of course, the startup / shutdown script does not do.
