0 Replies Latest reply on Sep 7, 2019 12:38 PM by pgnd _

    Configuration for securing jboss-cli.xml in Elytron ssl-context/credential-store case?

    pgnd _ Newbie

      In the docs re: securing jboss cli,

       

          Chapter 1. Securing the Server and Its Interfaces

              https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html/how_to_configure_server_security/securing_the_server_and_its_interfaces#update_the_jboss_cli_xml

       

      instruct

       

          Define a CertificateRealm.

       

              Define a CertificateRealm in the configuration for the server (host.xml or standalone.xml) and point the interface to it. This can be done using the following commands:

       

                  /core-service=management/security-realm=CertificateRealm:add()

                  /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path=/path/to/HOST1.keystore.jks, keystore-password=secret,alias=HOST1_alias)

                  /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-path=/path/to/HOST1.truststore.jks,keystore-password=secret)

       

              Change the security-realm of the http-interface to the new CertificateRealm.

       

                  /core-service=management/management-interface=http-interface:write-attribute(name=security-realm,value=CertificateRealm)

       

      and provide,

       

          Example: jboss-cli.xml Storing Keystore and Truststore Passwords in a Password Vault

       

              <ssl>

                <vault>

                  <vault-option name="KEYSTORE_URL" value="path-to/vault/vault.keystore"/>

                  <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>

                  <vault-option name="KEYSTORE_ALIAS" value="vault"/>

                  <vault-option name="SALT" value="12345678"/>

                  <vault-option name="ITERATION_COUNT" value="50"/>

                  <vault-option name="ENC_FILE_DIR" value="EAP_HOME/vault/"/>

                </vault>

                <alias>HOST2_alias</alias>

                <key-store>/path/to/HOST2.keystore.jks</key-store>

                <key-store-password>VAULT::VB::cli_pass::1</key-store-password>

                <key-password>VAULT::VB::cli_pass::1</key-password>

                <trust-store>/path/to/HOST2.truststore.jks</trust-store>

                <trust-store-password>VAULT::VB::cli_pass::1</trust-store-password>

                <modify-trust-store>true</modify-trust-store>

              </ssl>

       

      Instead of legacy security-realm + Vault usage, I've enabled Elytron, removing the security-realm, replacing with an ssl-context

       

          /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)

       

          /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)

          /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC)

          /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)

       

      and replacing VAULT usage with an Elytron credential-store, protected with a  masked pass,

       

          /subsystem=elytron/credential-store=master-cs:add(create=true,modifiable=true,relative-to=elytron.project,location="credstore.pkcs12",implementation-properties={"keyStoreType"=>"pkcs12"},credential-reference={clear-text="MASK-...MYg;12345678;230"})

       

      and added the "key-password" to it,

       

          /subsystem=elytron/credential-store=master-cs:add-alias(alias=keypass-alias, secret-value="keypass")

          /subsystem=elytron/credential-store=master-cs:read-aliases

       

      With the more-current Elytron context setup, what's the correct usage to:

       

      (1)    inform the elytron ssl-context about the trust/key-store path & pass?

      (2)    *add* password authentication as a stacked auth method to the in-place client cert authentication?

      (3)    specify the credential-store/masked-pass in 'jboss-cli.xml'?

       

      In effect, looking for a complete example, but for the Elytron ssl-context + credential-store case.