8 Replies Latest reply on Mar 14, 2016 4:30 AM by udit-mishra-5113a21a

    How to configure infinispan web administration to run on https?

    udit-mishra-5113a21a

      How to configure infinispan web administration to run on https? Does it expose an AJP port? What do I need to do exactly?

      Please provide clear-cut steps

        • 1. Re: How to configure infinispan web administration to run on https?
          nadirx

          I will amend the online documentation for this. In the meantime, this is what you need to do:


          Securing the management interface


          Standalone mode

          Create the keystore and put it in the standalone configuration directory:

          $ keytool -genkeypair -alias InfinispanServer -storetype jks -keyalg RSA -keysize 2048 -keypass mysecurepassword -keystore standalone/configuration/infinispan.jks -storepass mysecurepassword -dname "CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM" -validity 3650 -v 
          Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days for: CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM
          [Storing standalone/configuration/infinispan.jks]


          Next, add the keystore to the ManagementRealm’s server identity:


          $ bin/ispn-cli.sh 
          [disconnected /] connect 
          [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(alias=InfinispanServer, keystore-path=infinispan.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=mysecurepassword) 
          { "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } }


          Next, enable the secure port for the management interface and reload the server.


          [standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https) 
          { "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } } 
          [standalone@localhost:9990 /] reload


          The above will probably disconnect the CLI automatically. If it doesn't, disconnect manually. Next, reconnect and verify that the certificate is being used:


          $ ./bin/ispn-cli.sh 
          [disconnected /] connect 
          Unable to connect due to unrecognised server certificate 
          Subject    - CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM 
          Issuer     - CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM 
          Valid From - Wed Mar 09 14:20:10 CET 2016 
          Valid To   - Sat Mar 07 14:20:10 CET 2026 
          MD5 : 54:80:57:61:d3:7a:21:43:ac:93:39:79:8f:cd:3c:56 
          SHA1 : b1:04:05:ae:62:ea:68:24:18:af:3f:79:d3:0f:82:88:ae:1a:b2:66  
          Accept certificate? [N]o, [T]emporarily, [P]ermenantly : p 
          [standalone@localhost:9993 /]


          Domain mode

          Create the keystore and put it in the domain configuration directory:

          $ keytool -genkeypair -alias InfinispanServer -storetype jks -keyalg RSA -keysize 2048 -keypass mysecurepassword -keystore domain/configuration/infinispan.jks -storepass mysecurepassword -dname "CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM" -validity 3650 -v 
          Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days for: CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM
          [Storing domain/configuration/infinispan.jks]


          Next, add the keystore to the ManagementRealm’s server identity:


          $ bin/ispn-cli.sh 
          [disconnected /] connect
          [domain@localhost:9990 /] /host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(alias=InfinispanServer, keystore-path=infinispan.jks, keystore-relative-to=jboss.domain.config.dir, keystore-password=mysecurepassword) 
          { "outcome" => "success", "result" => undefined, "server-groups" => undefined, "response-headers" => {"process-state" => "reload-required"} }


          Next, enable the secure port for the management interface and reload the server.


          [domain@localhost:9990 /] /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value="${jboss.management.https.port:9993}") 
          [domain@localhost:9990 /] reload --host=master


          The above will probably disconnect the CLI automatically. If it doesn't, disconnect manually. Next, reconnect and verify that the certificate is being used:


          $ ./bin/ispn-cli.sh 
          [disconnected /] connect 
          Unable to connect due to unrecognised server certificate 
          Subject    - CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM 
          Issuer     - CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM 
          Valid From - Wed Mar 09 13:36:17 CET 2016 
          Valid To   - Sat Mar 07 13:36:17 CET 2026 
          MD5 : 97:72:9c:00:44:2b:b8:93:d4:48:84:09:92:0b:6a:1d 
          SHA1 : 3b:d8:fd:68:1e:40:f7:1a:df:57:fa:2e:9b:c2:df:b5:7a:54:87:cd  
          Accept certificate? [N]o, [T]emporarily, [P]ermenantly : p 
          [domain@localhost:9993 /]


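          The following script is an added example for this reply (it is not from the thread and not part of the Infinispan distribution). It runs the same keytool and CLI operations as above for either mode, and then does the check the post only does by eye in the CLI's certificate prompt: it compares the SHA-256 fingerprint of the certificate in infinispan.jks with the one the HTTPS management port actually presents. `ISPN_HOME`, `MODE`, `MGMT_HOST`, `KEYSTORE_PASS`, `HTTPS_PORT` and the `SAN` extension are assumptions/placeholders; `keytool`, `openssl` and `bin/ispn-cli.sh --file` are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread or the Infinispan project: scripts the steps
# above (standalone or domain mode) and then checks that the HTTPS management port
# really serves the certificate from infinispan.jks.
# Assumptions/placeholders: run from the server root; keytool and openssl on PATH;
# ISPN_HOME, MODE, MGMT_HOST, KEYSTORE_PASS, HTTPS_PORT set via the environment.
ISPN_HOME="${ISPN_HOME:-.}"
MODE="${MODE:-standalone}"              # standalone | domain
ALIAS="InfinispanServer"
HOST="${MGMT_HOST:-localhost}"
PASS="${KEYSTORE_PASS:-mysecurepassword}"
HTTPS_PORT="${HTTPS_PORT:-9993}"
STORE="$ISPN_HOME/$MODE/configuration/infinispan.jks"

# Same keytool invocation as the post, plus a SubjectAlternativeName so clients that
# ignore the CN can still validate it (assumption: the management host name is $HOST).
gen_keystore() {
  keytool -genkeypair -alias "$ALIAS" -storetype jks -keyalg RSA -keysize 2048 \
    -keypass "$PASS" -storepass "$PASS" -keystore "$STORE" \
    -dname "CN=$HOST,OU=JBoss,DC=RedHat,DC=COM" -ext "SAN=dns:$HOST" -validity 3650
}

# Emit the CLI operations from the post for the given mode as a batch file body.
cli_batch() {
  case "$1" in
    standalone)
      printf '%s\n' \
        "/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(alias=$ALIAS, keystore-path=infinispan.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=$PASS)" \
        "/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)" \
        "reload" ;;
    domain)
      printf '%s\n' \
        "/host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(alias=$ALIAS, keystore-path=infinispan.jks, keystore-relative-to=jboss.domain.config.dir, keystore-password=$PASS)" \
        "/host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value=\"\${jboss.management.https.port:$HTTPS_PORT}\")" \
        "reload --host=master" ;;
    *) echo "cli_batch: mode must be standalone or domain" >&2; return 2 ;;
  esac
}

# Feed the batch to the CLI; the 'connect' still goes to the plaintext port 9990.
apply_cli() {
  { echo connect; cli_batch "$MODE"; } > /tmp/secure-mgmt.cli
  "$ISPN_HOME/bin/ispn-cli.sh" --file=/tmp/secure-mgmt.cli
}

# SHA-256 fingerprint of the certificate stored under $ALIAS in the keystore ...
fingerprint_in_keystore() {
  keytool -exportcert -rfc -alias "$ALIAS" -keystore "$STORE" -storepass "$PASS" \
    | openssl x509 -noout -fingerprint -sha256
}

# ... and of the certificate the server actually presents on the HTTPS port.
fingerprint_served() {
  openssl s_client -connect "$HOST:$HTTPS_PORT" -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Fails when nothing answers on the port or when it serves a different certificate
# (for example because the reload did not happen).
verify_served_cert() {
  served=$(fingerprint_served)
  [ -n "$served" ] && [ "$served" = "$(fingerprint_in_keystore)" ]
}

case "${1:-}" in
  setup)  gen_keystore && apply_cli ;;
  verify) verify_served_cert && echo "OK: $HOST:$HTTPS_PORT serves $STORE ($ALIAS)" ;;
esac
```

          Run `MODE=domain sh secure-mgmt.sh setup` followed by `sh secure-mgmt.sh verify` once the reload has finished. Note that these operations only add an HTTPS port; the plaintext management port 9990 stays open, so if you want HTTPS-only access in standalone mode, also undefine the `socket-binding` attribute of the `http-interface` (`/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)`) and reload. The self-signed certificate produced here still has to be trusted explicitly by each client; for a real deployment, import it (or a CA-issued one) into the clients' truststores rather than answering the CLI prompt with "P" on every machine.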
          • 2. Re: How to configure infinispan web administration to run on https?
            udit-mishra-5113a21a

            Thank you so much nadirx, it worked like a charm

            • 3. Re: How to configure infinispan web administration to run on https?
              udit-mishra-5113a21a

              Just a small query, I secured hotrod client to server communication.


              I also enabled https by using the above reference, which means the management users will be logged in to server management console securely.


              But what about the inter-cluster communication, like cluster rebalancing (which uses JGroups), data transfer to owners, etc.? Can I assume that is secured too, or do I need to work on that as well?

              • 4. Re: How to configure infinispan web administration to run on https?
                nadirx

                Yes, you need to enable jgroups' encrypt protocol: http://jgroups.org/manual/index.html#Security

                • 5. Re: How to configure infinispan web administration to run on https?
                  udit-mishra-5113a21a

                  I studied the reference you provided. But it does not mention any file, it just mentions the tag. In which file do I have to write the <ENCRYPT> tag? I searched everywhere. I can see only infinispan-server-jgroups-8.2.0.Final.jar deep down inside my installation directory D:\Infinispan\infinispan-server-8.2.0.Final-bin\infinispan-server-8.2.0.Final\modules\system\layers\base\org\jgroups\extension\main

                  • 6. Re: How to configure infinispan web administration to run on https?
                    nadirx

                    You need to add it to the protocol stack in the jgroups subsystem in domain.xml:


                    <protocol type="ENCRYPT">
                      <property name="key_store_name">${jboss.server.config.dir}/cluster.keystore</property>
                      <property name="store_password">mysecretpassword</property>
                      <property name="alias">InfinispanCluster</property>
                    </protocol>
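                    The reply above shows the ENCRYPT element but not the keystore it points to, and that keystore is not the same kind as the one used for the management interface. As an added example (not from the thread and not part of the JGroups or Infinispan projects), the script below creates `cluster.keystore` and checks that it contains what the JGroups 3.x ENCRYPT protocol shipped with Infinispan 8.2 expects: a symmetric (secret) key in a JCEKS keystore, not an RSA key pair in a JKS like infinispan.jks. The AES-128 key, `CLUSTER_KEYSTORE` and `CLUSTER_STORE_PASS` are assumptions/placeholders; the JGroups manual's own example uses a Blowfish key.

```shell
#!/bin/sh
# Added example, not from the thread or the projects: creates the keystore that the
# ENCRYPT element above refers to, and checks it holds the right kind of entry.
# ENCRYPT (JGroups 3.x, as shipped with Infinispan 8.2) loads a secret key from a
# JCEKS keystore; a JKS holding an RSA key pair (like infinispan.jks) will not do.
# Assumptions/placeholders: keytool on PATH; CLUSTER_KEYSTORE and CLUSTER_STORE_PASS.
STORE="${CLUSTER_KEYSTORE:-cluster.keystore}"
ALIAS="InfinispanCluster"
PASS="${CLUSTER_STORE_PASS:-mysecretpassword}"

# Generate an AES-128 secret key (assumption: AES chosen here; the JGroups manual's
# example uses Blowfish). Key password == store password because the ENCRYPT element
# above sets only store_password.
gen_cluster_keystore() {
  keytool -genseckey -alias "$ALIAS" -keyalg AES -keysize 128 \
    -keystore "$STORE" -storetype JCEKS -storepass "$PASS" -keypass "$PASS"
}

# Read `keytool -list` output on stdin and print the entry type stored under alias $1
# (SecretKeyEntry, PrivateKeyEntry or trustedCertEntry); prints nothing if absent.
keystore_entry_type() {
  sed -n -E "/^$1, /s/.*(SecretKeyEntry|PrivateKeyEntry|trustedCertEntry).*/\1/p"
}

# Succeeds only if $STORE holds a secret key under $ALIAS, i.e. is usable by ENCRYPT.
check_cluster_keystore() {
  t=$(keytool -list -keystore "$STORE" -storetype JCEKS -storepass "$PASS" 2>/dev/null \
        | keystore_entry_type "$ALIAS")
  [ "$t" = "SecretKeyEntry" ]
}

case "${1:-}" in
  gen)   gen_cluster_keystore ;;
  check) check_cluster_keystore && echo "OK: $STORE holds a SecretKeyEntry '$ALIAS'" ;;
esac
```

                    Generate the keystore once, copy the same file to every node (in domain mode the domain controller and each host controller) at the path `key_store_name` resolves to on that node, and run the `check` on each of them; a node whose keystore has the wrong entry type or a wrong password will fail to bring the stack up rather than fall back to plaintext. ENCRYPT protects message payloads; keeping unauthorized nodes out of the view is a separate matter, covered by the AUTH protocol in the same Security section of the JGroups manual linked above.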
                    
                    • 7. Re: How to configure infinispan web administration to run on https?
                      udit-mishra-5113a21a

                      Thank you. I added this tag in the udp and tcp stacks and copied the keystore file to the HC as well. But when I start the HC, it gives something like this:


                      Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.156.111:9999 -- java.lang.IllegalStateException: WFLYHC0110: Unable to connect due to SSL failure.

                      • 8. Re: How to configure infinispan web administration to run on https?
                        udit-mishra-5113a21a

                        It worked. The file needs to be present in the jboss.domain.config.dir on both the DC and the HC. Thanks nadirx