The Fuse ESB Web console is not enabled by default. You can install the web console feature into OSGi by entering the following console command:
karaf@root> features:install webconsole
Before you can enable SSL, you must create an X.509 certificate and private key for the Web console. The certificate and private key must be in Java keystore format. For details of how to create a signed certificate and private key, see Creating Your Own Certificates in Web Services Security Guide and Special Requirements on HTTPS Certificates in Web Services Security Guide.
If you want to run a quick demonstration of SSL/TLS security, you could use a demonstration certificate from one of the examples (see Install sample keystore files).
Assuming you have created an X.509 certificate and private key in the keystore, cherry.jks, having store password, password, and key password, password, you can configure SSL/TLS security by adding the following configuration properties to the org.ops4j.pax.web.cfg file:
# Configures the SMX Web Console to use SSL
org.osgi.service.http.enabled=false
org.osgi.service.http.port=8181
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8183
org.ops4j.pax.web.ssl.keystore=etc/certs/cherry.jks
org.ops4j.pax.web.ssl.keystore.type=JKS
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=false
The following configuration properties are used to configure SSL/TLS:
org.ops4j.pax.web.ssl.keystore
The location of the Java keystore file on the file system. Relative paths are resolved relative to the KARAF_HOME environment variable (by default, the install directory).
org.ops4j.pax.web.ssl.keystore.type
The implementation of the keystore, which is normally JKS. (In principle, the JDK allows you to plug in a custom keystore implementation.)
org.ops4j.pax.web.ssl.password
The store password that unlocks the Java keystore file.
org.ops4j.pax.web.ssl.keypassword
The key password that decrypts the private key stored in the keystore (usually the same as the store password).
org.ops4j.pax.web.ssl.clientauthwanted
When true, during the SSL handshake, the secure socket requests the client to send an X.509 certificate. The client is not necessarily obliged to send the certificate, however.
org.ops4j.pax.web.ssl.clientauthneeded
When true, the SSL protocol throws an exception if the client does not present a valid certificate during the SSL handshake.
For the complete list of configuration properties supported by the Web console endpoint, see WebContainerConstants.
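The properties described above can be checked before the container is started. The following is an added example, not code from the Fuse ESB documentation: it parses an org.ops4j.pax.web.cfg file and reports weak listener and keystore settings. The function names, severity labels, the DEMO_PASSWORDS set and the default assumed for a missing org.osgi.service.http.enabled are assumptions of this example.

```python
# Constructed sample: the configuration shown on this page.
PAGE_CFG = """\
# Configures the SMX Web Console to use SSL
org.osgi.service.http.enabled=false
org.osgi.service.http.port=8181
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8183
org.ops4j.pax.web.ssl.keystore=etc/certs/cherry.jks
org.ops4j.pax.web.ssl.keystore.type=JKS
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=false
"""
# Assumption: values treated as demonstration-grade secrets.
DEMO_PASSWORDS = {"password", "changeit", ""}

def parse_cfg(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (severity, message) findings for the listener and keystore settings."""
    def on(name, default):
        return props.get(name, default).lower() == "true"
    pfx, out = "org.ops4j.pax.web.ssl.", []
    # Assumption: a missing http.enabled is treated as true (plain HTTP on).
    if on("org.osgi.service.http.enabled", "true"):
        out.append(("high", "plain HTTP listener is enabled"))
    if not on("org.osgi.service.http.secure.enabled", "false"):
        out.append(("high", "HTTPS listener is not enabled"))
    if not props.get(pfx + "keystore"):
        out.append(("high", "no keystore configured"))
    for key in (pfx + "password", pfx + "keypassword"):
        if props.get(key) in DEMO_PASSWORDS:
            out.append(("medium", key + " is a demonstration or empty value"))
    if not on(pfx + "clientauthneeded", "false"):
        out.append(("info", "client certificates are not required"))
    return out

if __name__ == "__main__":
    for severity, message in audit(parse_cfg(PAGE_CFG)):
        print(severity.upper() + ": " + message)
```

Run against the configuration on this page, it reports the two demonstration passwords and notes that client certificates are not required, so the console relies on the username and password login alone.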
After configuring the Web console and installing the webconsole feature, you should be able to open the Web console by browsing to the following URL:
https://localhost:8183/system/console
Tip: Remember to type the
Initially, the browser will warn you that you are using an untrusted certificate. Skip this warning and you will be prompted to enter a username and a password. Log in with the username smx and the password smx.