Version 2

    Certificate keystore, Vault keystore, Trust keystore

    If you're setting up SSL on EAP 6 using the vault together with public/private key certificates, you have to set up a separate keystore for each purpose. In the example below I use a basic WAR file that lets us test whether an SSL connection is actually being made. I will post in another document how to export/import CA certificates; for now let's just use self-signed certificates.

    We will be creating three keystores: two holding RSA key pairs (the certificate keystore and the trust keystore) and one holding an AES secret key for the vault. The AES secret key in a JCEKS keystore is what the vault requires; it addresses the vault security issue described at https://access.redhat.com/site/solutions/70057. We then use the vault to encrypt the certificate keystore's password so that the configuration can reference it securely instead of carrying it in clear text.

    Warning

    The EAP documentation is easy to misread here. Create the keystores exactly as shown below: the vault gets its own JCEKS keystore holding an AES secret key, while the certificate and trust keystores hold RSA key pairs. Keeping them separate prevents the vault mechanism from corrupting the certificate keys, and RSA is the key algorithm the certificates will work with.

    Configure certificate keystore

    >$ keytool -genkeypair -v -alias hostAlias -keyalg RSA -keysize 2048 -dname "CN=80488782,OU=ITI,O=COTS,L=Kearneysville,S=WV,C=US" -keypass hostKeyPass  -keystore hostServer.keystore -storepass hostKeyPass

    Keep -keypass and -storepass identical: the web connector's ssl configuration below has a single password attribute, which is used to open both the keystore and the key. Put hostServer.keystore in standalone/configuration, which is where ${jboss.server.config.dir} points in the connector configuration.

    Configure vault keystore

    >$ keytool -genseckey -v -alias vaultAlias -keyalg AES -keysize 128 -storetype jceks -keypass vaultKeyPass  -keystore vault.jks -storepass vaultKeyPass

    This entry is a secret key, not a key pair, so there is no distinguished name to give, and the store type must be jceks because a plain JKS keystore cannot hold secret keys. Create vault.jks in standalone/configuration; that is the KEYSTORE_URL used when the vault is added to EAP below.

    Configure trust keystore

    >$ keytool -genkeypair -v -alias trustAlias -keyalg RSA -keysize 2048 -dname "CN=80488782,OU=ITI,O=COTS,L=Kearneysville,S=WV,C=US" -keypass trustKeyPass  -keystore trust.keystore -storepass trustKeyPass

    A trust keystore normally holds only the CA certificates you trust, imported with keytool -importcert. This command just creates the store with a placeholder RSA key pair; it is not referenced by the connector configuration below, and importing CA certificates is covered in the separate document mentioned above.

    Create vault

    >$ sh /opt/app/jboss/jboss-eap-6.1/bin/vault.sh --keystore /opt/app/jboss/jboss-eap-6.1/standalone/configuration/vault.jks --keystore-password vaultKeyPass --alias vaultAlias --enc-dir /opt/app/jboss/jboss-eap-6.1/vault/ --salt 12457898 --iteration 15 -c

    -c is vault.sh's --check-sec-attr option; running it against the fresh keystore is enough to initialize the vault and its encrypted-files directory. Pass --enc-dir explicitly so the files land where the ENC_FILE_DIR configured below expects them (without it the directory is relative to wherever you happen to run the script). The salt must be exactly 8 characters, and the same salt and iteration count must be used in every vault.sh call and in the EAP configuration.

    Add cert password to vault

    >$ sh /opt/app/jboss/jboss-eap-6.1/bin/vault.sh --keystore /opt/app/jboss/jboss-eap-6.1/standalone/configuration/vault.jks --keystore-password vaultKeyPass --alias vaultAlias --enc-dir /opt/app/jboss/jboss-eap-6.1/vault/ --salt 12457898 --iteration 15 --vault-block vb --attribute certKeystorePass --sec-attr hostKeyPass

    --vault-block vb names the block the attribute is stored under; the connector configuration refers to it as ${VAULT::vb::certKeystorePass::1}. vault.sh prints that reference string together with the masked keystore password (the MASK-... value) and the vault-options needed in the next step; note them down.

    Add vault to EAP

    1. Log into the CLI (jboss-cli.sh --connect) and execute the following command, substituting the MASK-... value that vault.sh printed:
     /core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/opt/app/jboss/jboss-eap-6.1/standalone/configuration/vault.jks"), ("KEYSTORE_PASSWORD" => "MASK-BMaMuwDrHt6Mrmx8f/e.T"),("KEYSTORE_ALIAS" => "vaultAlias"), ("SALT" => "12457898"),("ITERATION_COUNT" =>"15"), ("ENC_FILE_DIR" => "/opt/app/jboss/jboss-eap-6.1/vault/")])

    Configure web connector

    1. Log into the CLI and execute the following commands. The password is the vault reference, so the clear-text keystore password never appears in standalone.xml. These commands turn the existing http connector into an HTTPS connector on the https socket binding. cipher-suite=ALL enables every suite the JVM supports, including weak ones; that is acceptable for this test, but restrict it to a vetted list in production.
     /subsystem=web/connector=http/ssl=configuration:add(key-alias=hostAlias, password="${VAULT::vb::certKeystorePass::1}", certificate-key-file="${jboss.server.config.dir}/hostServer.keystore",  cipher-suite=ALL, protocol=TLS)

     /subsystem=web/connector=http:write-attribute(name=scheme,value=https)

     /subsystem=web/connector=http:write-attribute(name=secure,value=true)

     /subsystem=web/connector=http:write-attribute(name=socket-binding,value=https)

     reload

    Deploy test app

    1. Log into the CLI and execute the following command:
     deploy /dir/to/testApp

    Reload EAP

    1. Log into the CLI and execute the following command:
     reload

    Test in Firefox

    Browse to https://<host>:8443/ followed by the test application's context path (8443 is the default https socket binding). Because the certificate is self-signed, Firefox warns that the certificate is untrusted; accept it for this test. The page being served over https confirms the SSL connection works.
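The whole procedure above as one script, added here as an example and not code from the original post. It assumes keytool on PATH and an EAP 6.1 install at EAP_HOME (defaulting to /opt/app/jboss/jboss-eap-6.1, the path used above), uses the page's sample passwords, salt and iteration count, and adds the checks vault.sh and the web connector are picky about (8-character salt, integer iteration count, matching keystore and key passwords) plus a keytool -list check that each store holds the right kind of entry. The function names, the keystores/configure subcommands and the MASK argument are this script's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: scripts the keystore, vault and CLI
# steps above and checks the inputs vault.sh and the web connector are picky about.
# Assumes keytool on PATH and an EAP 6.1 install at EAP_HOME; the passwords, salt
# and iteration count are the page's sample values (replace them). Function names
# and the keystores/configure subcommands are this script's own.
set -u

EAP_HOME="${EAP_HOME:-/opt/app/jboss/jboss-eap-6.1}"
CONF_DIR="$EAP_HOME/standalone/configuration"   # jboss.server.config.dir
ENC_DIR="$EAP_HOME/vault"                         # ENC_FILE_DIR of the vault
DNAME="CN=80488782,OU=ITI,O=COTS,L=Kearneysville,S=WV,C=US"
CERT_STORE_PASS="hostKeyPass"; CERT_KEY_PASS="hostKeyPass"
VAULT_PASS="vaultKeyPass"; TRUST_PASS="trustKeyPass"
SALT="12457898"; ITER="15"

# vault.sh wants an 8-character salt and a positive integer iteration count.
check_vault_params() {
    [ "${#1}" -eq 8 ] || { echo "salt must be exactly 8 characters" >&2; return 1; }
    case "$2" in ''|*[!0-9]*) echo "iteration count must be an integer" >&2; return 1 ;; esac
    [ "$2" -gt 0 ] || { echo "iteration count must be positive" >&2; return 1; }
}

# The connector's ssl resource has one password attribute that opens both the
# keystore and the private key, so the two passwords must be identical.
check_cert_passwords() {
    [ "$1" = "$2" ] || { echo "keystore and key passwords must match" >&2; return 1; }
}

# Reference string the CLI uses instead of the clear-text password.
vault_ref() { printf '${VAULT::%s::%s::1}' "$1" "$2"; }

# Certificate keystore: JKS with the RSA key pair the connector will serve.
make_cert_keystore() {
    keytool -genkeypair -v -alias hostAlias -keyalg RSA -keysize 2048 -dname "$DNAME" \
        -keypass "$CERT_KEY_PASS" -storepass "$CERT_STORE_PASS" -keystore "$CONF_DIR/hostServer.keystore"
}

# Vault keystore: JCEKS with an AES secret key (JKS cannot hold secret keys,
# and the certificate key pair must not live in this store).
make_vault_keystore() {
    keytool -genseckey -v -alias vaultAlias -keyalg AES -keysize 128 -storetype jceks \
        -keypass "$VAULT_PASS" -storepass "$VAULT_PASS" -keystore "$CONF_DIR/vault.jks"
}

# Trust keystore: placeholder key pair as on the page; CA certificates would be
# added later with keytool -importcert.
make_trust_keystore() {
    keytool -genkeypair -v -alias trustAlias -keyalg RSA -keysize 2048 -dname "$DNAME" \
        -keypass "$TRUST_PASS" -storepass "$TRUST_PASS" -keystore "$CONF_DIR/trust.keystore"
}

# Confirms each store holds the right kind of entry.
verify_keystores() {
    keytool -list -keystore "$CONF_DIR/hostServer.keystore" -storepass "$CERT_STORE_PASS" | grep -q PrivateKeyEntry &&
    keytool -list -keystore "$CONF_DIR/vault.jks" -storetype jceks -storepass "$VAULT_PASS" | grep -q SecretKeyEntry
}

# Stores block::attribute=value in the vault; the first call initializes the vault
# files under ENC_DIR. vault.sh prints the MASK-... keystore password and the
# VAULT:: reference string needed for the EAP configuration.
vault_store() {
    sh "$EAP_HOME/bin/vault.sh" --keystore "$CONF_DIR/vault.jks" --keystore-password "$VAULT_PASS" \
        --alias vaultAlias --enc-dir "$ENC_DIR/" --salt "$SALT" --iteration "$ITER" \
        --vault-block "$1" --attribute "$2" --sec-attr "$3"
}

# Registers the vault and turns the http connector into HTTPS with the keystore
# password read from the vault. $1 is the MASK-... string printed by vault.sh.
# cipher-suite=ALL is kept from the page for the test; restrict it in production.
configure_connector() {
    cli="$(mktemp)"
    cat >"$cli" <<EOF
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "$CONF_DIR/vault.jks"), ("KEYSTORE_PASSWORD" => "$1"), ("KEYSTORE_ALIAS" => "vaultAlias"), ("SALT" => "$SALT"), ("ITERATION_COUNT" => "$ITER"), ("ENC_FILE_DIR" => "$ENC_DIR/")])
/subsystem=web/connector=http/ssl=configuration:add(key-alias=hostAlias, password="$(vault_ref vb certKeystorePass)", certificate-key-file="\${jboss.server.config.dir}/hostServer.keystore", cipher-suite=ALL, protocol=TLS)
/subsystem=web/connector=http:write-attribute(name=scheme,value=https)
/subsystem=web/connector=http:write-attribute(name=secure,value=true)
/subsystem=web/connector=http:write-attribute(name=socket-binding,value=https)
reload
EOF
    sh "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$cli"; rc=$?
    rm -f "$cli"
    return $rc
}

case "${1:-}" in
    keystores)   # sh setup.sh keystores
        check_vault_params "$SALT" "$ITER" && check_cert_passwords "$CERT_STORE_PASS" "$CERT_KEY_PASS" &&
        make_cert_keystore && make_vault_keystore && make_trust_keystore && verify_keystores &&
        vault_store vb certKeystorePass "$CERT_STORE_PASS" ;;
    configure)   # sh setup.sh configure MASK-...   (the value printed by vault.sh)
        configure_connector "${2:?MASK-... keystore password required}" ;;
esac
```

Run `sh setup.sh keystores` first, copy the MASK-... value vault.sh prints, then run `sh setup.sh configure MASK-...` against a running server; the CLI batch ends with reload, so the https connector is live afterwards and the test application can be deployed as above.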