-
1. Re: How to configure infinispan web administration to run on https?
nadirx Mar 9, 2016 8:48 AM (in response to udit-mishra-5113a21a)
I will amend the online documentation for this. In the meantime, this is what you need to do:
Securing the management interface
Standalone mode
Create the keystore and put it in the standalone configuration directory:
    $ keytool -genkeypair -alias InfinispanServer -storetype jks -keyalg RSA -keysize 2048 -keypass mysecurepassword -keystore standalone/configuration/infinispan.jks -storepass mysecurepassword -dname "CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM" -validity 3650 -v
    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
        for: CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM
    [Storing domain/configuration/infinispan.jks]
Next, add the keystore to the ManagementRealm’s server identity:
    $ bin/ispn-cli.sh
    [disconnected /] connect
    [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(alias=InfinispanServer, keystore-path=infinispan.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=mysecurepassword)
    {
        "outcome" => "success",
        "response-headers" => {
            "operation-requires-reload" => true,
            "process-state" => "reload-required"
        }
    }
Next, enable the secure port for the management interface and reload the server.
    [standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
    {
        "outcome" => "success",
        "response-headers" => {
            "operation-requires-reload" => true,
            "process-state" => "reload-required"
        }
    }
    [standalone@localhost:9990 /] reload
The above will probably automatically disconnect the CLI. If it doesn't, disconnect manually. Next, reconnect and verify that the certificate is being used:
    $ ./bin/ispn-cli.sh
    [disconnected /] connect
    Unable to connect due to unrecognised server certificate
    Subject    - CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM
    Issuer     - CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM
    Valid From - Wed Mar 09 14:20:10 CET 2016
    Valid To   - Sat Mar 07 14:20:10 CET 2026
    MD5  : 54:80:57:61:d3:7a:21:43:ac:93:39:79:8f:cd:3c:56
    SHA1 : b1:04:05:ae:62:ea:68:24:18:af:3f:79:d3:0f:82:88:ae:1a:b2:66
    Accept certificate? [N]o, [T]emporarily, [P]ermenantly : p
    [standalone@localhost:9993 /]
Domain mode
Create the keystore and put it in the domain configuration directory:
    $ keytool -genkeypair -alias InfinispanServer -storetype jks -keyalg RSA -keysize 2048 -keypass mysecurepassword -keystore domain/configuration/infinispan.jks -storepass mysecurepassword -dname "CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM" -validity 3650 -v
    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
        for: CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM
    [Storing domain/configuration/infinispan.jks]
Next, add the keystore to the ManagementRealm’s server identity:
    $ bin/ispn-cli.sh
    [disconnected /] connect
    [domain@localhost:9990 /] /host=master/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(alias=InfinispanServer, keystore-path=infinispan.jks, keystore-relative-to=jboss.domain.config.dir, keystore-password=mysecurepassword)
    {
        "outcome" => "success",
        "result" => undefined,
        "server-groups" => undefined,
        "response-headers" => {"process-state" => "reload-required"}
    }
Next, enable the secure port for the management interface and reload the server.
    [domain@localhost:9990 /] /host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value="${jboss.management.https.port:9993}")
    [domain@localhost:9990 /] reload --host=master
The above will probably automatically disconnect the CLI. If it doesn't, disconnect manually. Next, reconnect and verify that the certificate is being used:
    $ ./bin/ispn-cli.sh
    [disconnected /] connect
    Unable to connect due to unrecognised server certificate
    Subject    - CN=InfinispanServer,OU=JBoss,DC=RedHat,DC=COM
    Issuer     - CN=InfinispanServer, OU=JBoss, DC=RedHat, DC=COM
    Valid From - Wed Mar 09 13:36:17 CET 2016
    Valid To   - Sat Mar 07 13:36:17 CET 2026
    MD5  : 97:72:9c:00:44:2b:b8:93:d4:48:84:09:92:0b:6a:1d
    SHA1 : 3b:d8:fd:68:1e:40:f7:1a:df:57:fa:2e:9b:c2:df:b5:7a:54:87:cd
    Accept certificate? [N]o, [T]emporarily, [P]ermenantly : p
    [domain@localhost:9993 /]
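The CLI operations in the post above are persisted into the server's configuration file, and seeing the result as XML makes it easier to audit what was actually changed. The fragment below is an added example, not taken from the post or from the Infinispan project: it is the <management> section of standalone/configuration/standalone.xml as it looks after the standalone steps have been applied and the server reloaded, using the keystore name, alias and password the post used. The <engine enabled-protocols="..."/> element and its attribute names are my recollection of the WildFly 10 management schema and should be checked against the xsd shipped under docs/schema before use; everything else is the shipped default.

```xml
<!-- Added example (not from the post): standalone.xml <management> section after
     server-identity=ssl:add(...) and write-attribute(name=secure-socket-binding,...)
     have been applied. Keystore name, alias and password are the post's values. -->
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <!-- written by /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(...) -->
                <ssl>
                    <!-- ASSUMED element and attribute names (WildFly 10 schema, from memory):
                         pin the protocol versions the management interface will negotiate.
                         Verify against docs/schema/jboss-as-config_*.xsd before relying on it. -->
                    <engine enabled-protocols="TLSv1.2"/>
                    <keystore path="infinispan.jks"
                              relative-to="jboss.server.config.dir"
                              keystore-password="mysecurepassword"
                              alias="InfinispanServer"/>
                </ssl>
            </server-identities>
            <!-- shipped defaults: local (silent) auth for same-host CLI, mgmt-users.properties otherwise -->
            <authentication>
                <local default-user="$local" skip-group-loading="true"/>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization map-groups-to-roles="false">
                <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <!-- write-attribute(name=secure-socket-binding,value=management-https) adds the
             https attribute. The plain http binding remains, which is why the CLI in the
             post was able to "connect" to the default port 9990 and end up on 9993.
             "management-https" must exist in the <socket-binding-group>; the shipped
             standalone.xml defines it on port ${jboss.management.https.port:9993}. -->
        <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
            <socket-binding http="management-http" https="management-https"/>
        </http-interface>
    </management-interfaces>
</management>
```

Two things worth doing that the post does not spell out. First, before answering [P]ermanently at the "Accept certificate?" prompt, compare the SHA1 the CLI prints with the fingerprint reported by `keytool -list -v -keystore standalone/configuration/infinispan.jks -storepass mysecurepassword`; that prompt is the only check against a spoofed management endpoint, and a self-signed certificate gives the CLI nothing else to validate. Second, the keystore password now sits in cleartext in standalone.xml, so the file needs the same filesystem permissions as the keystore itself (the WildFly vault can hold the password instead). In domain mode the same elements land in host.xml for the host in question: the <ssl> server identity under that host's ManagementRealm, and a secure-port attribute on the <socket> element of <http-interface>, which is what the post's write-attribute(name=secure-port, ...) sets.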
-
2. Re: How to configure infinispan web administration to run on https?
udit-mishra-5113a21a Mar 10, 2016 3:30 AM (in response to nadirx)
Thank you so much nadirx, it worked like a charm.
-
3. Re: How to configure infinispan web administration to run on https?
udit-mishra-5113a21a Mar 10, 2016 4:48 AM (in response to udit-mishra-5113a21a)
Just a small query. I secured Hot Rod client-to-server communication.
I also enabled https by using the above reference, which means the management users will be logged in to server management console securely.
But what about the inter-cluster communication, like cluster rebalancing (which uses JGroups), data transfer to owners etc.? Can I assume that is secured too, or do I need to work on that as well?
-
4. Re: How to configure infinispan web administration to run on https?
nadirx Mar 10, 2016 5:01 AM (in response to udit-mishra-5113a21a)
Yes, you need to enable JGroups' ENCRYPT protocol: http://jgroups.org/manual/index.html#Security
-
5. Re: How to configure infinispan web administration to run on https?
udit-mishra-5113a21a Mar 10, 2016 6:10 AM (in response to nadirx)
I studied the reference you provided. But it does not mention any file, it just mentions the tag. In which file do I have to write the <ENCRYPT> tag? I searched everywhere. I can see only infinispan-server-jgroups-8.2.0.Final.jar deep down inside my installation directory D:\Infinispan\infinispan-server-8.2.0.Final-bin\infinispan-server-8.2.0.Final\modules\system\layers\base\org\jgroups\extension\main
-
6. Re: How to configure infinispan web administration to run on https?
nadirx Mar 10, 2016 7:34 AM (in response to udit-mishra-5113a21a)
You need to add it to the protocol stack in the jgroups subsystem in domain.xml:

    <protocol type="ENCRYPT">
        <property name="key_store_name">${jboss.server.config.dir}/cluster.keystore</property>
        <property name="store_password">mysecretpassword</property>
        <property name="alias">InfinispanCluster</property>
    </protocol>
-
7. Re: How to configure infinispan web administration to run on https?
udit-mishra-5113a21a Mar 10, 2016 7:58 AM (in response to nadirx)
Thank you. I added this tag to the udp and tcp stacks and copied the keystore file to the HC as well. But when I start the HC, it gives something like this:
Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.156.111:9999 -- java.lang.IllegalStateException: WFLYHC0110: Unable to connect due to SSL failure.
-
8. Re: How to configure infinispan web administration to run on https?
udit-mishra-5113a21a Mar 14, 2016 4:30 AM (in response to udit-mishra-5113a21a)
It worked. The file needs to be present in jboss.domain.config.dir on both the DC and the HC. Thanks nadirx.
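Posts 6 and 8 between them give the ENCRYPT element, the stacks it goes into and where the keystore has to live, but not the key material or where in the stack the element sits. The block below is an added example, not taken from the thread or the Infinispan project: a complete udp stack for the jgroups subsystem in domain.xml with ENCRYPT added, and, in a comment, the keytool invocation for creating the symmetric key the protocol loads, in the form the JGroups manual linked in post 4 uses. The protocol list is the udp stack as shipped with Infinispan Server 8.x; the position of ENCRYPT, the JCEKS store type, the 128-bit AES key and the sym_algorithm / encrypt_entire_message property names are assumptions based on the JGroups 3.6 ENCRYPT protocol and should be checked against the JGroups version bundled with your server. The keystore path follows post 6; post 8's finding that the file must exist in the domain configuration directory on the DC and every HC is recorded in the comment.

```xml
<!-- Added example (not from the thread): udp stack of the jgroups subsystem in
     domain.xml with ENCRYPT inserted. The enclosing <subsystem> and <stacks>
     elements are the ones shipped with the server and are omitted here.

     Create the symmetric key that ENCRYPT reads. A JKS store cannot hold secret
     keys, so the store type has to be JCEKS (command form as in the JGroups manual;
     AES/128 is an assumption, match it to sym_algorithm below):

         keytool -genseckey -alias InfinispanCluster -keyalg AES -keysize 128 \
                 -storetype JCEKS -keystore cluster.keystore \
                 -storepass mysecretpassword -keypass mysecretpassword

     Per post 8, cluster.keystore has to be present in the domain configuration
     directory (domain/configuration) on the domain controller AND on every host
     controller, otherwise the HC fails at boot as shown in post 7. -->
<stack name="udp">
    <transport type="UDP" socket-binding="jgroups-udp"/>
    <protocol type="PING"/>
    <protocol type="MERGE3"/>
    <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
    <protocol type="FD_ALL"/>
    <protocol type="VERIFY_SUSPECT"/>
    <!-- ASSUMED position, taken from the JGroups 3.x manual example: below the
         failure detectors and above NAKACK2/UNICAST3, so that retransmissions and
         state transfer (the rebalancing traffic asked about in post 3) are
         encrypted as well. Add the identical element to the tcp stack. -->
    <protocol type="ENCRYPT">
        <property name="key_store_name">${jboss.server.config.dir}/cluster.keystore</property>
        <property name="store_password">mysecretpassword</property>
        <property name="alias">InfinispanCluster</property>
        <!-- ASSUMED property names (JGroups 3.6 ENCRYPT): the cipher must match the
             key type in the store; encrypting the entire message covers JGroups
             headers as well as the payload. -->
        <property name="sym_algorithm">AES</property>
        <property name="encrypt_entire_message">true</property>
    </protocol>
    <protocol type="pbcast.NAKACK2"/>
    <protocol type="UNICAST3"/>
    <protocol type="pbcast.STABLE"/>
    <protocol type="pbcast.GMS"/>
    <protocol type="UFC"/>
    <protocol type="MFC"/>
    <protocol type="FRAG2"/>
</stack>
```

Two caveats a practitioner should keep in mind with this shape of ENCRYPT. The password is in cleartext in domain.xml and the key is in a file every host controller carries, so anyone who can read either on any cluster host can decrypt all cluster traffic and join the cluster; file permissions on both matter as much as the protocol. And a shared symmetric key gives confidentiality of the traffic, not authentication of members: a node that has the key is trusted. If membership has to be controlled, JGroups' separate AUTH protocol, described in the same Security section of the manual linked in post 4, is the mechanism for that.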