7 Replies Latest reply on Mar 18, 2016 4:35 PM by aleques

    jboss-cli and certificate confirmation

    zulk666

      Hi

       

      I have a problem with running batch scripts when my connection has ssl enabled.

      When I connect for the first time, jboss-cli asks me to confirm the server certificate.

       

      Unable to connect due to unrecognised server certificate

      Subject    - CN=xxx,OU=a,O=b,C=c

      Issuer     - CN=yyy, OU=xxx, O=aa, C=oo

      Valid From - Fri Aug 09 15:45:05 CEST 2013

      Valid To   - Thu Nov 07 14:45:05 CET 2013

      SHA1 : f4:5b:79:bd:4f:f7:54:20:19:ac:96:8e:de:95:9e:a4:28:a3:b6:13

      MD5 : c7:a9:65:1d:4c:39:47:b9:b5:bd:32:42:8e:d5:c7:72

       

      Accept certificate? [N]o, [T]emporarily, [P]ermenantly :

       

      When I set silent mode in jboss-cli.xml, it only shows

      Accept certificate? [N]o, [T]emporarily, [P]ermenantly :

       

      but I always have to confirm it manually.

      I can use expect command to confirm it but my question is:

       

      Is there some way to set jboss-cli to always accept the certificate without asking?

       

      Thanks for answers.

        • 1. Re: jboss-cli and certificate confirmation
          dlofthouse

          When you run the CLI what option are you selecting for that question?

          • 2. Re: jboss-cli and certificate confirmation
            zulk666

            I run jboss-cli.sh -c "command" --controller=ip:9999

             

            Then it asks me to confirm the SSL cert, as in my first post.

            Obviously the server is properly configured to do SSL connections; then I confirm and everything works fine.

            Also I have set silent mode true in cli configuration xml.

            JBoss EAP 6.1.

            • 3. Re: jboss-cli and certificate confirmation
              dlofthouse

              You are given three options when the CLI connects to a server which is configured to use SSL:

               

              Accept certificate? [N]o, [T]emporarily, [P]ermenantly :

               

              Of the three options which one do you pick?

               

              1. No
              2. Temporarily
              3. Permenantly

               

              The option you should be picking is P for Permenantly and this should result in the server's certificate being cached in a local trust store.

              • 4. Re: jboss-cli and certificate confirmation
                zulk666

                Yes I know that, but my problem is that I can't do it without manual intervention.

                I always have to run jboss-cli the first time and pick [P]ermenantly by hand.

                 

                My question is: is there some way to do this without manual intervention, because of process automation?

                I want to run cli with some option and then I would not have to pick [P] manually.

                But I don't see any option for that; even when I set silent mode in jboss-cli.xml, this doesn't work as I expected.

                 

                Sorry for my English.

                • 5. Re: jboss-cli and certificate confirmation
                  dlofthouse

                  Have a look at the jboss-cli.xml configuration file and the associated schema. It is possible to configure the CLI to use a trust store that already contains the server's certificate; that way you would not need to provide a response to this prompt.

                   

                  I always have to run jboss-cli the first time and pick [P]ermenantly by hand.

                   

                  That is the correct way to do it - accepting a certificate automatically would seriously reduce the benefits you gain from enabling TLS.

                  • 6. Re: jboss-cli and certificate confirmation
                    zulk666

                    Yes, it is true, but I have to run this fully automatically.

                    I found a workaround and it works well for me.

                     

                    openssl s_client -connect $HOST:$HTTPSPORT 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |keytool -import -keystore ~/.jboss-cli.truststore -storepass cli_truststore -noprompt

                     

                    Thanks for your effort.
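
Added example, not part of the original thread: the one-liner in reply 6 imports whatever certificate the server presents, which is the automatic acceptance reply 5 warns about. The variant below imports the certificate only when its SHA-256 fingerprint matches a value obtained out of band; the function names, the alias argument and the choice of SHA-256 are assumptions of this example.

```shell
#!/bin/sh
# Pin-then-import for the jboss-cli trust store (added example, hypothetical
# helper names). The pinned fingerprint must come from a trusted channel,
# e.g. read from the server's keystore by its administrator.

# Normalise a fingerprint: keep the text after '=', drop colons and
# whitespace, lowercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n\r' | tr 'A-F' 'a-f'
}

# Succeed only when the pinned value is 64 hex digits and equals the seen one.
fp_matches() {
    want=$(normalize_fp "$1")
    got=$(normalize_fp "$2")
    case "$want" in *[!0-9a-f]*|'') return 1 ;; esac
    [ "${#want}" -eq 64 ] && [ "$want" = "$got" ]
}

# fetch_cert HOST PORT OUTFILE: write the server's leaf certificate as PEM.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# pin_and_import HOST PORT PINNED_SHA256 TRUSTSTORE STOREPASS ALIAS
# Returns 1 if the certificate cannot be fetched, 2 on fingerprint mismatch.
pin_and_import() {
    pem=$(mktemp) || return 1
    if ! fetch_cert "$1" "$2" "$pem"; then
        rm -f "$pem"
        echo "could not fetch a certificate from $1:$2" >&2
        return 1
    fi
    seen=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if ! fp_matches "$3" "$seen"; then
        rm -f "$pem"
        echo "fingerprint mismatch, not importing: $seen" >&2
        return 2
    fi
    keytool -importcert -noprompt -alias "$6" -file "$pem" \
        -keystore "$4" -storepass "$5"
    rc=$?
    rm -f "$pem"
    return "$rc"
}
```

Call it as `pin_and_import "$HOST" "$HTTPSPORT" "$PINNED_SHA256" ~/.jboss-cli.truststore cli_truststore server`; a non-zero return means nothing was added to the trust store and the batch run should stop.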

                    • 7. Re: jboss-cli and certificate confirmation
                      aleques

                      jboss-cli.xml

                       

                      <ssl>
                        <alias>keystoreAlias</alias>
                        <trust-store>keystore.jks</trust-store>
                        <trust-store-password>keystorePass</trust-store-password>
                      </ssl>

                       

                      This worked for me