Certificate keystore, Vault keystore, Trust keystore
If you’re setting up SSL communication on EAP 6 using the vault together with public/private certificates, you have to set up a separate keystore for each purpose. In my example below I used a basic WAR file that lets us test whether we have created an SSL connection. I will post in another document how to export/import CA certs, but for now let's just use self-signed certificates.
We will be creating 3 keystores: two holding RSA key pairs and one holding an AES key. AES is specific to the vault, so that the issue described in https://access.redhat.com/site/solutions/70057 is addressed. We then use the vault keystore to encrypt the certificate keystore’s password so we can securely reference it in our configuration.
Warning
Don’t be confused by the EAP documentation: create your keystores exactly as shown below, so that the certificate keys are not corrupted by the vault mechanism and the key algorithms are ones the certificates will work with.
Configure cert keystore
>$ keytool -genkeypair -v -alias hostAlias -keyalg RSA -keysize 2048 -dname "CN=80488782,OU=ITI,O=COTS,L=Kearneysville,S=WV,C=US" -keypass hostKeyPass -keystore hostServer.keystore -storepass hostKeyPass
Configure vault keystore
>$ keytool -genseckey -v -alias vaultAlias -keyalg AES -keysize 128 -storetype jceks -dname "CN=80488782,OU=ITI,O=COTS,L=Kearneysville,S=WV,C=US" -keypass vaultKeyPass -keystore vault.jks -storepass vaultKeyPass
Configure trust keystore
>$ keytool -genkeypair -v -alias trustAlias -keyalg RSA -keysize 2048 -dname "CN=80488782,OU=ITI,O=COTS,L=Kearneysville,S=WV,C=US" -keypass trustKeyPass -keystore trust.keystore -storepass trustKeyPass
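As an added pre-flight check (not part of the original post), the script below lists each of the three keystores with keytool and confirms it has the store type and entry type the commands above should have produced, and that only the file owner can read it, since the store passwords appear on the command lines above and the files themselves are the real secret. It assumes the file names, aliases and passwords used above and that keytool is on the PATH.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post: verify store type,
# entry type and owner-only permissions for the three keystores created above.
# File names, aliases and passwords are the ones used in the post.

# Print the "Keystore type:" value from a `keytool -list` listing read on stdin.
listing_store_type() {
    sed -n 's/^Keystore type: *//p' | head -n 1
}

# Print the entry type (PrivateKeyEntry, SecretKeyEntry, trustedCertEntry)
# recorded for alias $1 in a listing read on stdin. keytool lower-cases
# aliases and the date field is locale dependent, so match on the field that
# ends in "Entry" rather than on a fixed column.
listing_entry_type() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -F', *' -v a="$a" 'tolower($1) == a {
        for (i = 2; i <= NF; i++) if ($i ~ /Entry$/) { print $i; exit } }'
}

# Succeed only if file $1 has no group/other permission bits (e.g. mode 0600).
owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_keystore FILE STORETYPE ALIAS WANT_ENTRY STOREPASS -> 0 if all checks pass.
check_keystore() {
    listing=$(keytool -list -keystore "$1" -storetype "$2" -storepass "$5" 2>&1) ||
        { echo "FAIL $1: $listing"; return 1; }
    rc=0
    got=$(printf '%s\n' "$listing" | listing_store_type)
    [ "$got" = "$2" ] || { echo "FAIL $1: store type $got, want $2"; rc=1; }
    got=$(printf '%s\n' "$listing" | listing_entry_type "$3")
    [ "$got" = "$4" ] || { echo "FAIL $1: alias $3 is '$got', want $4"; rc=1; }
    owner_only "$1" || { echo "FAIL $1: readable by group/others"; rc=1; }
    [ $rc -eq 0 ] && echo "OK   $1 ($2, $3 = $4)"
    return $rc
}

# Usage: sh check_keystores.sh /path/to/standalone/configuration
if [ $# -eq 1 ]; then
    cd "$1" || exit 1
    status=0
    check_keystore hostServer.keystore JKS   hostAlias  PrivateKeyEntry hostKeyPass  || status=1
    check_keystore vault.jks           JCEKS vaultAlias SecretKeyEntry  vaultKeyPass || status=1
    check_keystore trust.keystore      JKS   trustAlias PrivateKeyEntry trustKeyPass || status=1
    exit $status
fi
```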
Create vault
>$ sh ./bin/vault.sh --keystore vault.jks --keystore-password vaultKeyPass --alias vaultAlias --salt 12457898 --iteration 15 -c
Add cert password to vault
>$ sh ./jboss-eap-6.1/bin/vault.sh --keystore vault.jks --keystore-password vaultKeyPass --alias vaultAlias --salt 12457898 --iteration 15 --attribute certKeystorePass --sec-attr hostKeyPass
Add Vault to EAP
- Log into the CLI and execute the following command
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/opt/app/jboss/jboss-eap-6.1/standalone/configuration/vault.jks"), ("KEYSTORE_PASSWORD" => "MASK-BMaMuwDrHt6Mrmx8f/e.T"),("KEYSTORE_ALIAS" => "vaultAlias"), ("SALT" => "12457898"),("ITERATION_COUNT" =>"15"), ("ENC_FILE_DIR" => "/opt/app/jboss/jboss-eap-6.1/vault/")])
Configure webconnector
- Log into the CLI and execute the following commands
/subsystem=web/connector=http/ssl=configuration:add(key-alias=hostAlias, password="${VAULT::vb::certKeystorePass::1}", certificate-key-file="${jboss.server.config.dir}/hostServer.keystore", cipher-suite=ALL, protocol=TLS)
/subsystem=web/connector=http:write-attribute(name=scheme,value=https)
/subsystem=web/connector=http:write-attribute(name=secure,value=true)
/subsystem=web/connector=http:write-attribute(name=socket-binding,value=https)
reload
Deploy test app
- Log into the CLI and execute the following command
deploy /dir/to/testApp
Reload EAP
- Log into the CLI and execute the following command
reload
Test in Firefox
- https://hostname:8443/testApp
- Success!!!