-
1. Re: jboss-cli and certificate confirmation
dlofthouse Aug 9, 2013 10:25 AM (in response to zulk666)
When you run the CLI, what option are you selecting for that question?
-
2. Re: jboss-cli and certificate confirmation
zulk666 Aug 9, 2013 4:35 PM (in response to dlofthouse)
I run jboss-cli.sh -c "command" --controller=ip:9999
Then it asks me about confirmation of the SSL cert, as in my first post.
Obviously the server is properly configured to do SSL connections; then I confirm and everything works fine.
Also, I have set silent mode to true in the CLI configuration XML.
JBoss EAP 6.1.
-
3. Re: jboss-cli and certificate confirmation
dlofthouse Aug 12, 2013 5:57 AM (in response to zulk666)
You are given three options when the CLI connects to a server which is configured to use SSL:
Accept certificate? [N]o, [T]emporarily, [P]ermenantly :
Of the three options which one do you pick?
- No
- Temporarily
- Permenantly
The option you should be picking is P for Permenantly, and this should result in the server's certificate being cached in a local trust store.
-
4. Re: jboss-cli and certificate confirmation
zulk666 Aug 12, 2013 8:57 AM (in response to dlofthouse)
Yes, I know that, but my problem is that I can't do it without manual intervention.
The first time, I always have to run jboss-cli and pick [P]ermenantly by hand.
My question is: is there some way to do this without manual intervention, because of process automation?
I want to run the CLI with some option so that I would not have to pick [P] manually.
But I don't see any option for that; even when I set silent mode in jboss-cli.xml, this doesn't work as I expected.
Sorry for my English.
-
5. Re: jboss-cli and certificate confirmation
dlofthouse Aug 12, 2013 9:04 AM (in response to zulk666)
Have a look at the jboss-cli.xml configuration file and the associated schema. It is possible to configure the CLI to use a trust store that already contains the server's certificate; that way you would not need to provide a response to this prompt.
"I always have to first time run jboss-cli and pick [P]ermenantly by hand."
That is the correct way to do it - accepting a certificate automatically would seriously reduce the benefits you gain from enabling TLS.
-
6. Re: jboss-cli and certificate confirmation
zulk666 Aug 13, 2013 5:44 AM (in response to dlofthouse)
Yes, that is true, but I have to run this fully automatically.
I found a workaround and it works well for me.
openssl s_client -connect $HOST:$HTTPSPORT 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |keytool -import -keystore ~/.jboss-cli.truststore -storepass cli_truststore -noprompt
Thanks for your effort.
-
7. Re: jboss-cli and certificate confirmation
aleques Mar 18, 2016 4:35 PM (in response to zulk666)
jboss-cli.xml
<ssl>
    <alias>keystoreAlias</alias>
    <trust-store>keystore.jks</trust-store>
    <trust-store-password>keystorePass</trust-store-password>
</ssl>
This worked for me
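
An added example, not part of the original thread: a variant of the workaround in reply 6 that keeps the check described in reply 5, importing the fetched certificate only when its SHA-256 fingerprint equals a value obtained out of band (for example, read from the server's keystore by its administrator). The function names, the alias and the expected-fingerprint argument are assumptions; the trust store path and password in the usage comment are the ones from reply 6.

```shell
#!/bin/sh
# Added example (not from the thread): pin the server certificate by
# fingerprint before it goes into the CLI trust store.
# Usage sketch (hypothetical values in angle brackets):
#   fetch_cert "$HOST:$HTTPSPORT" /tmp/server.pem
#   import_if_pinned /tmp/server.pem "<fingerprint obtained out of band>" \
#       ~/.jboss-cli.truststore cli_truststore <alias>

# Reduce a fingerprint to bare upper-case hex: drops an optional
# "sha256 Fingerprint=" prefix, colons, spaces and newlines.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the certificate in PEM file $1 (empty on error).
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# Save the leaf certificate presented by host:port ($1) to PEM file $2.
# This is an unauthenticated fetch; the fingerprint check below is what
# establishes that the certificate is the expected one.
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# import_if_pinned PEM EXPECTED_FP KEYSTORE STOREPASS ALIAS
# Returns 1 without touching the keystore when the fingerprint differs
# or the certificate cannot be parsed.
import_if_pinned() {
    actual=$(cert_fp "$1")
    expected=$(normalize_fp "$2")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing import: fingerprint '$actual' is not the pinned value" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$5" -file "$1" \
        -keystore "$3" -storepass "$4"
}
```

With the certificate already in the trust store that jboss-cli.xml points to, the CLI does not show the accept prompt, and a certificate that differs from the pinned one is never imported.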