Configuration for securing jboss-cli.xml in Elytron ssl-context/credential-store case?
pgnd42 Sep 7, 2019 12:38 PM
In the docs re: securing the JBoss CLI, "Chapter 1. Securing the Server and Its Interfaces", the instructions are:
Define a CertificateRealm.
Define a CertificateRealm in the configuration for the server (host.xml or standalone.xml) and point the interface to it. This can be done using the following commands:
/core-service=management/security-realm=CertificateRealm:add()
/core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks, keystore-password=secret,alias=HOST1_alias)
/core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path=/path/to/HOST1.truststore.jks,keystore-password=secret)
Change the security-realm of the http-interface to the new CertificateRealm.
/core-service=management/management-interface=http-interface:write-attribute(name=security-realm,value=CertificateRealm)
and they provide:
Example: jboss-cli.xml Storing Keystore and Truststore Passwords in a Password Vault
<ssl>
  <vault>
    <vault-option name="KEYSTORE_URL" value="path-to/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="EAP_HOME/vault/"/>
  </vault>
  <alias>HOST2_alias</alias>
  <key-store>/path/to/HOST2.keystore.jks</key-store>
  <key-store-password>VAULT::VB::cli_pass::1</key-store-password>
  <key-password>VAULT::VB::cli_pass::1</key-password>
  <trust-store>/path/to/HOST2.truststore.jks</trust-store>
  <trust-store-password>VAULT::VB::cli_pass::1</trust-store-password>
  <modify-trust-store>true</modify-trust-store>
</ssl>
Instead of the legacy security-realm + Vault usage, I've enabled Elytron, removed the security-realm and replaced it with an ssl-context:
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
and replaced Vault usage with an Elytron credential-store, protected with a masked password:
/subsystem=elytron/credential-store=master-cs:add(create=true,modifiable=true,relative-to=elytron.project,location="credstore.pkcs12",implementation-properties={"keyStoreType"=>"pkcs12"},credential-reference={clear-text="MASK-...MYg;12345678;230"})
and added the "key-password" to it:
/subsystem=elytron/credential-store=master-cs:add-alias(alias=keypass-alias, secret-value="keypass")
/subsystem=elytron/credential-store=master-cs:read-aliases
With the more-current Elytron context setup, what's the correct usage to:
(1) inform the elytron ssl-context about the trust/key-store path & pass?
(2) *add* password authentication as a stacked auth method to the in-place client cert authentication?
(3) specify the credential-store/masked-pass in 'jboss-cli.xml'?
In effect, looking for a complete example, but for the Elytron ssl-context + credential-store case.
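For question (1) above, the piece the post's ssl-context is missing is the chain of Elytron resources between the credential store and the ssl-context: a `key-store` and a `key-manager` for the server identity and a second `key-store` plus a `trust-manager` for the client CA, each unlocking its secret with a `credential-reference` into `master-cs` instead of a clear-text or Vault password. The script below is an added example, not code from the original post, the JBoss EAP docs or the WildFly project. It assumes the credential store `master-cs`, the ssl-context name `twoWaySSC`, the manager names `twoWayKM`/`twoWayTM` and the alias `keypass-alias` from the post; the aliases `keystore-pass` and `truststore-pass` are assumed to have been added to `master-cs` with the same `add-alias` operation the post shows; the key-store resource names `twoWayKS`/`twoWayTS`, the file names `HOST1.keystore.jks`/`HOST1.truststore.jks` and the `jboss.server.config.dir` location are made up for the example. It also assumes none of these resources exist yet (`:add` fails on an existing resource, so `twoWaySSC` would first have to be removed). Questions (2) and (3) are not covered: the client-side jboss-cli.xml wiring is not something this page gives material for.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the Elytron CLI batch that wires
# key-store/trust-store passwords from the credential store into the ssl-context.
# All resource names, aliases and paths are assumptions, see the lead-in.
set -e

# Emit the CLI commands on stdout. Every password is a credential-reference into
# master-cs, so no clear-text secret ends up in standalone.xml.
gen_elytron_tls_cli() {
    ks_file=${1:-HOST1.keystore.jks}      # assumed server keystore file name
    ts_file=${2:-HOST1.truststore.jks}    # assumed client-CA truststore file name
    cat <<EOF
# Server keystore; its password comes from the credential store, not clear-text
/subsystem=elytron/key-store=twoWayKS:add(path=${ks_file},relative-to=jboss.server.config.dir,type=JKS,credential-reference={store=master-cs,alias=keystore-pass})
# Key-manager: a second credential-reference supplies the private-key password (the alias added in the post)
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs,alias=keypass-alias})
# Truststore of client CA certificates, unlocked the same way
/subsystem=elytron/key-store=twoWayTS:add(path=${ts_file},relative-to=jboss.server.config.dir,type=JKS,credential-reference={store=master-cs,alias=truststore-pass})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
# Mutual-TLS context: need-client-auth=true rejects handshakes without a trusted client certificate
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,trust-manager=twoWayTM,protocols=["TLSv1.2"],need-client-auth=true)
# Move the HTTP management interface off the legacy realm and onto the Elytron context
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=twoWaySSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
reload
EOF
}

# Returns 0 when the generated batch carries no clear-text credential, 1 otherwise.
# This is the check worth running before anything is applied to a server.
cli_is_free_of_cleartext() {
    if gen_elytron_tls_cli "$@" | grep -q 'clear-text='; then
        return 1
    fi
    return 0
}

# Write the batch to a file and run it through jboss-cli.sh if JBOSS_HOME is set;
# otherwise just leave the file for inspection.
apply_elytron_tls_cli() {
    script_file=${TMPDIR:-/tmp}/elytron-tls.cli
    if ! cli_is_free_of_cleartext "$@"; then
        echo "refusing to apply: clear-text credential in generated script" >&2
        return 1
    fi
    gen_elytron_tls_cli "$@" > "$script_file"
    if [ -x "${JBOSS_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
        "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file="$script_file"
    else
        echo "generated $script_file (set JBOSS_HOME to apply it)" >&2
    fi
}

# Default action: print the batch; pass --apply to run it against a server.
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_elytron_tls_cli "$@"
else
    gen_elytron_tls_cli "$@"
fi
```

Once applied, `/subsystem=elytron/key-store=twoWayKS:read-resource` shows `credential-reference => {store => "master-cs", alias => "keystore-pass"}` rather than a password, and the only secret left in the configuration is the masked protection parameter on `master-cs` itself. The `reload` at the end is needed because the management interface only picks up the new ssl-context on reload.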