Chapter 1 JBoss SSL Configuration
1.1 Enabling JBoss SSL
1.1.1 Generating the keystore
On Unix, use the keytool command to generate the keystore file:
-bash-3.00$ keytool -genkey -alias jbosskey -keyalg RSA
Re-enter new password:
What is your first and last name?
[Unknown]: test
What is the name of your organizational unit?
[Unknown]: ailk
What is the name of your organization?
[Unknown]: ailk
What is the name of your City or Locality?
[Unknown]: gz
What is the name of your State or Province?
[Unknown]: gd
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=test, OU=ailk, O=ailk, L=gz, ST=gd, C=CN correct?
[no]: y
Enter key password for <jbosskey>
(RETURN if same as keystore password):
aidm@suse9t90:~>
In the command above, "jbosskey" is a user-chosen alias. Remember the password you enter: it is needed again in the later configuration (in this guide it is dm_jboss). When the command finishes, the generated .keystore file is in the $HOME directory:
aidm@suse9t90:~> cd $HOME
aidm@suse9t90:~> ls -a .key*
.keystore
Move the file into the ${JBOSS}/server/default/conf/ directory:
mv .keystore guanql/jboss/jboss-5.1.0.GA/server/default/conf/jboss90.keystore
The file name jboss90.keystore can be chosen freely; it is referenced again in section 2.1.2.
1.1.2 Enabling the SSL port
Go to the ${JBOSS}/server/default/deploy/jbossweb.sar/ directory, open server.xml and locate the following commented-out SSL configuration block:
  <!-- SSL/TLS Connector configuration using the admin devl guide keystore
  <Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="8443" address="${jboss.bind.address}"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmi+ssl" sslProtocol = "TLS" />
  -->
Remove the comment markers around the Connector, change keystoreFile to the name of the keystore you created, and change keystorePass to the password chosen when the key was generated (dm_jboss). The result looks like this:
  <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
  <Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="8443" address="${jboss.bind.address}"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore" keystorePass="dm_jboss" sslProtocol = "TLS" />
At this point the JBoss SSL port 8443 is enabled. After starting JBoss, enter https://127.0.0.1:8443/ in IE to see the page served over SSL.
Note: if a port offset was already configured for JBoss, the SSL port 8443 is shifted by the same offset value.
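A small audit of the Connector edit above, added here as an example (not part of the original guide): it parses a server.xml fragment, applies the port offset the note mentions, and flags a connector that still carries the sample keystore name or password from the shipped comment. The fragments BEFORE and AFTER are constructed from the snippets above, not taken from a live server.

```python
"""Audit the HTTPS Connector of a JBoss 5 server.xml (added example, not from the guide)."""
import xml.etree.ElementTree as ET

# Placeholder values from the shipped server.xml comment; they must not survive into production
SAMPLE_KEYSTORE = "chap8.keystore"
SAMPLE_KEYSTORE_PASS = "rmi+ssl"


def audit_ssl_connectors(server_xml, port_offset=0):
    """Return one (effective_port, findings) pair per Connector with SSLEnabled="true".

    port_offset is the JBoss port offset mentioned in the note above: the configured
    8443 is actually bound at 8443 + offset, which is what a firewall rule must allow.
    """
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector (8080): out of scope here
        findings = []
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append("scheme/secure not set for https")
        if conn.get("keystoreFile", "").endswith(SAMPLE_KEYSTORE):
            findings.append("keystoreFile still points at the sample " + SAMPLE_KEYSTORE)
        if conn.get("keystorePass") == SAMPLE_KEYSTORE_PASS:
            findings.append("keystorePass is the sample value from the shipped comment")
        if conn.get("sslProtocol", "").strip().upper() != "TLS":
            findings.append("sslProtocol should be TLS")
        results.append((int(conn.get("port", "0")) + port_offset, findings))
    return results


# Constructed fragments modelled on the before/after snippets above (assumed, not a live file)
BEFORE = """<Server><Service name="jboss.web">
<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"/>
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}"
  scheme="https" secure="true" clientAuth="false"
  keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmi+ssl" sslProtocol = "TLS" />
</Service></Server>"""

AFTER = BEFORE.replace("chap8.keystore", "jboss.keystore").replace("rmi+ssl", "dm_jboss")

if __name__ == "__main__":
    print(audit_ssl_connectors(BEFORE))                  # [(8443, [<two findings>])]
    print(audit_ssl_connectors(AFTER, port_offset=100))  # [(8543, [])]
```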
1.2 SSL configuration for the consoles
1.2.1 Hiding the ROOT page
The ROOT page is the basic JBoss page shown when only the base address is entered. It is used for display and redirection only, and can be hidden by removing the ${JBOSS}/server/default/deploy/ROOT.war application package. After it is hidden, the other JBoss consoles can still be reached by entering their full path, e.g. http://127.0.0.1:8080/admin-console opens the admin-console page. The following sections configure SSL login control for these consoles.
1.2.2 Configuring SSL login for admin-console
Go to the ${JBOSS}/server/default/deploy/admin-console.war/WEB-INF directory, edit web.xml and locate the following configuration block:
  <!--<security-constraint>-->
  <!--<web-resource-collection>-->
  <!--<web-resource-name>HtmlAdaptor</web-resource-name>-->
  <!--<description> An example security config that only allows users with-->
  <!--the role JBossAdmin to access the embedded console web-->
  <!--application </description>-->
  <!--<url-pattern>/*</url-pattern>-->
  <!--<http-method>GET</http-method>-->
  <!--<http-method>POST</http-method>-->
  <!--</web-resource-collection>-->
  <!--<auth-constraint>-->
  <!--<role-name>JBossAdmin</role-name>-->
  <!--</auth-constraint>-->
  <!--</security-constraint>-->
Uncomment the whole block and change it to the following. Note which part stays commented out (the auth-constraint) and which part is added (the user-data-constraint):
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!--
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
    -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
With this in place, entering http://127.0.0.1:8080/admin-console automatically redirects to the HTTPS address and prompts for a login username and password.
1.2.3 Configuring SSL login for jmx-console
Go to the ${JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/ directory and edit two files, web.xml and jboss-web.xml.
1.2.3.1 Editing web.xml
Open the file and locate the following configuration block:
  <!-- A security constraint that restricts access to the HTML JMX console
  to users with the role JBossAdmin. Edit the roles to what you want and
  uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
  secured access to the HTML JMX console.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  -->
Uncomment it and add the parts that were marked in red in the original document (the ssiadmin role and the user-data-constraint element):
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
      <role-name>ssiadmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
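A check for the two web.xml edits in this chapter (admin-console in 1.2.2 and jmx-console in 1.2.3.1), added here as an example and not part of the original guide: it parses a web.xml and reports, per security-constraint, whether HTTPS is forced (transport-guarantee CONFIDENTIAL) and whether a role is required. The parser discards XML comments, so the auth-constraint that stays commented out in the admin-console version is reported as absent, which is the actual runtime effect. Both sample documents are constructed from the snippets above.

```python
"""Audit the security-constraint blocks of a JBoss console web.xml (added example, not from the guide)."""
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop the namespace prefix so the check works with or without the J2EE xmlns
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    # Text of every descendant element whose local name is `name`
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def audit_constraints(web_xml):
    """One dict per security-constraint: url patterns, roles, HTTPS forced, auth required."""
    # ET.fromstring drops comments, so a commented-out auth-constraint yields no roles,
    # exactly as the container would see it.
    report = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = _texts(sc, "role-name")
        report.append({
            "patterns": _texts(sc, "url-pattern"),
            "roles": roles,
            "https_only": _texts(sc, "transport-guarantee") == ["CONFIDENTIAL"],
            "auth_required": bool(roles),
        })
    return report


# Constructed samples modelled on the two edits in this chapter (not copied from a live server)
JMX_CONSOLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><security-constraint>
<web-resource-collection><web-resource-name>HtmlAdaptor</web-resource-name>
<url-pattern>/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>JBossAdmin</role-name><role-name>ssiadmin</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

ADMIN_CONSOLE_WEB_XML = """<web-app><security-constraint>
<web-resource-collection><web-resource-name>HtmlAdaptor</web-resource-name>
<url-pattern>/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<!-- <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint> -->
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

if __name__ == "__main__":
    for name, xml in (("jmx-console", JMX_CONSOLE_WEB_XML), ("admin-console", ADMIN_CONSOLE_WEB_XML)):
        print(name, audit_constraints(xml))
```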
1.2.3.2 Editing jboss-web.xml
Open the file; it looks like this:
  <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will need to
    edit the htmladaptor login configuration to setup the login modules used
    to authentication users.
    <security-domain>java:/jaas/jmx-console</security-domain>
    -->
  </jboss-web>
Move <security-domain> out of the comment so that it takes effect:
  <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will need to
    edit the htmladaptor login configuration to setup the login modules used
    to authentication users.
    -->
    <security-domain>java:/jaas/jmx-console</security-domain>
  </jboss-web>
This completes the SSL configuration for jmx-console; the login procedure is the same as above.
1.2.4 Configuring SSL login for web-console
Go to the ${JBOSS}/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/ directory and edit two files, web.xml and jboss-web.xml.
1.2.4.1 Editing web.xml
The change is the same as for jmx-console; refer to the section above.
1.2.4.2 Editing jboss-web.xml
The change is the same as for jmx-console, except that java:/jaas/web-console in this file is changed to java:/jaas/jmx-console:
  <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will need to
    edit the htmladaptor login configuration to setup the login modules used
    to authentication users. -->
    <security-domain>java:/jaas/jmx-console</security-domain>
    <!-- The war depends on the -->
    <depends>jboss.admin:service=PluginManager</depends>
  </jboss-web>
This completes the SSL login configuration for web-console; the login procedure is the same as above.
1.3 Changing the JBoss console login password
In the SSL logins above, the username and password are both admin/admin, the system default. To change them, go to the ${JBOSS}/server/default/conf/props/ directory and open the jmx-console-users.properties file:
  # A sample users.properties file for use with the UsersRolesLoginModule
  admin=admin
Each entry has the format "username=password"; both the username and the password can be changed to values of your own.