0 Replies Latest reply on Sep 7, 2019 12:38 PM by pgnd42

    Configuration for securing jboss-cli.xml in Elytron ssl-context/credential-store case?

    pgnd42

      In the docs on securing the JBoss CLI,

          Chapter 1. Securing the Server and Its Interfaces
              https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html/how_to_configure_server_security/securing_the_server_and_its_interfaces#update_the_jboss_cli_xml

      the docs instruct:

       

          Define a CertificateRealm.

       

              Define a CertificateRealm in the configuration for the server (host.xml or standalone.xml) and point the interface to it. This can be done using the following commands:

       

                  /core-service=management/security-realm=CertificateRealm:add()

                  /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks, keystore-password=secret,alias=HOST1_alias)

                  /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path=/path/to/HOST1.truststore.jks,keystore-password=secret)

       

              Change the security-realm of the http-interface to the new CertificateRealm.

       

                  /core-service=management/management-interface=http-interface:write-attribute(name=security-realm,value=CertificateRealm)


      and provide:


          Example: jboss-cli.xml Storing Keystore and Truststore Passwords in a Password Vault

       

              <ssl>

                <vault>

                  <vault-option name="KEYSTORE_URL" value="path-to/vault/vault.keystore"/>

                  <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>

                  <vault-option name="KEYSTORE_ALIAS" value="vault"/>

                  <vault-option name="SALT" value="12345678"/>

                  <vault-option name="ITERATION_COUNT" value="50"/>

                  <vault-option name="ENC_FILE_DIR" value="EAP_HOME/vault/"/>

                </vault>

                <alias>HOST2_alias</alias>

                <key-store>/path/to/HOST2.keystore.jks</key-store>

                <key-store-password>VAULT::VB::cli_pass::1</key-store-password>

                <key-password>VAULT::VB::cli_pass::1</key-password>

                <trust-store>/path/to/HOST2.truststore.jks</trust-store>

                <trust-store-password>VAULT::VB::cli_pass::1</trust-store-password>

                <modify-trust-store>true</modify-trust-store>

              </ssl>

       

      Instead of the legacy security-realm + Vault usage, I've enabled Elytron, removed the security-realm, and replaced it with an ssl-context,

       

          /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)

       

          /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)

          /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC)

          /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)

       

      and replaced Vault usage with an Elytron credential-store, protected with a masked password,

       

          /subsystem=elytron/credential-store=master-cs:add(create=true,modifiable=true,relative-to=elytron.project,location="credstore.pkcs12",implementation-properties={"keyStoreType"=>"pkcs12"},credential-reference={clear-text="MASK-...MYg;12345678;230"})

       

      and added the "key-password" to it,

       

          /subsystem=elytron/credential-store=master-cs:add-alias(alias=keypass-alias, secret-value="keypass")

          /subsystem=elytron/credential-store=master-cs:read-aliases

       

      With the more-current Elytron context setup, what's the correct usage to:

      (1)    inform the Elytron ssl-context of the trust-store/key-store path and password?
      (2)    *add* password authentication as a stacked auth method alongside the in-place client-cert authentication?
      (3)    specify the credential-store/masked password in jboss-cli.xml?

      In effect, I'm looking for a complete example, but for the Elytron ssl-context + credential-store case.
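An added example of the client side of this setup; it is not from the original post or from the Red Hat page it quotes, and it has not been tested against the poster's environment. It assumes the server-side key stores are registered in Elytron with credential-reference={store=master-cs, alias=keypass-alias}, the form the Elytron key-store and key-manager resources accept instead of a clear-text password, and it addresses (3) with the Elytron client configuration file rather than the legacy <ssl> element of jboss-cli.xml: jboss-cli.sh reads that file when started with -Dwildfly.config.url=. The store name cli-cs, the alias trustpass-alias, the key-store and ssl-context names, and the file paths are placeholders. The client-side credential store is a separate file the CLI user can read, protected here with a clear password because that is the form the schema is known to accept. Whether <credential-store-reference> is permitted inside <key-store> and <key-store-ssl-certificate>, and whether the urn:elytron:client:1.2 namespace matches the elytron-client XSD shipped with the install, should be checked against the schema in the distribution before relying on it.

```xml
<!-- custom-config.xml: Elytron client configuration for the management CLI.
     Added example, not from the original post. Names and paths are placeholders.
     Usage (assumed from the Red Hat docs for -Dwildfly.config.url):
       EAP_HOME/bin/jboss-cli.sh -c --controller=remote+https://HOST1:9993 \
           -Dwildfly.config.url=/path/to/custom-config.xml
-->
<configuration>
  <authentication-client xmlns="urn:elytron:client:1.2">

    <!-- Credential store holding the key-store/key passwords so that none of them
         appear in clear text below. The CLI reads this file directly, so it must be
         a copy the CLI user can read; its own password is given in clear here. -->
    <credential-stores>
      <credential-store name="cli-cs" type="KeyStoreCredentialStore">
        <attributes>
          <attribute name="location" value="/path/to/cli-credstore.pkcs12"/>
          <attribute name="keyStoreType" value="pkcs12"/>
        </attributes>
        <protection-parameter-credentials>
          <clear-password password="credstore-password"/>
        </protection-parameter-credentials>
      </credential-store>
    </credential-stores>

    <key-stores>
      <!-- client certificate + private key presented to the server
           (the server-ssl-context has need-client-auth=true) -->
      <key-store name="cliKeyStore" type="JKS">
        <file name="/path/to/HOST2.keystore.jks"/>
        <!-- assumption: credential-store-reference accepted here; verify against the XSD -->
        <credential-store-reference store="cli-cs" alias="keypass-alias"/>
      </key-store>
      <!-- CA / server certificate the client trusts -->
      <key-store name="cliTrustStore" type="JKS">
        <file name="/path/to/HOST2.truststore.jks"/>
        <credential-store-reference store="cli-cs" alias="trustpass-alias"/>
      </key-store>
    </key-stores>

    <!-- Client-side counterpart of the server's twoWaySSC: trust store for the
         server certificate, key store + alias for the client certificate. -->
    <ssl-contexts>
      <ssl-context name="client-cli-context">
        <trust-store key-store-name="cliTrustStore"/>
        <key-store-ssl-certificate key-store-name="cliKeyStore" alias="HOST2_alias">
          <credential-store-reference store="cli-cs" alias="keypass-alias"/>
        </key-store-ssl-certificate>
      </ssl-context>
    </ssl-contexts>

    <!-- Apply the context to every outbound connection the CLI makes. -->
    <ssl-context-rules>
      <rule use-ssl-context="client-cli-context"/>
    </ssl-context-rules>

  </authentication-client>
</configuration>
```

On the server side the same idea applies to (1): the key-store, key-manager and trust-manager resources that twoWaySSC references take a credential-reference pointing at master-cs and an alias (for example credential-reference={store=master-cs, alias=keypass-alias}), so the key-store password and key password never appear in standalone.xml. Keep file permissions on both credential stores restricted to the service account and the CLI user respectively, since anyone who can read the store file and its clear protection password can recover the private-key password.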