Introduction
JBoss Data Virtualization (henceforth DV) is a great tool for exposing multiple data sources through one platform as REST services, JDBC, OData, etc. Out of the box, the install is not configured with security in mind: the default interfaces don’t use any encryption between server and client.
This small blogpost will guide you through implementing such features. The goal is to implement HTTPS on the web interface and on any REST service you might want to expose, and SSL encryption on the JDBC connections to the server.
This tutorial assumes that you have a certificate (JKS format) at hand and that your server has its own DNS name; it also assumes you have full access to the server on which you want to install this certificate. This tutorial is meant for a server running in standalone mode. However, with some minor adjustments it might be applicable to a server running in domain mode.
If your certificate is in another format, a future blogpost will describe how to convert it to JKS (in case it is in the PFX format).
Warning: before starting this tutorial it is highly recommended that you make a backup of your server configuration file (standalone.xml).
Installing a certificate for REST and odata services
To install a given certificate we use the jboss-cli. Another way is to simply edit your configuration file (e.g. standalone.xml), but that is more prone to errors.
- First we need to put the JKS certificate in a folder your server has access to, preferably the server's configuration directory. By default this is $JBOSS_HOME/standalone/configuration/
- Start the jboss-cli, which is found at $JBOSS_HOME/bin/ and connect to the server using the following command. If your server is configured properly you need to input the credentials of an admin user.
connect servername
- Create a new HTTPS connector on the https socket binding using the following command. Tip: for most commands it is possible to view your current configuration by typing ls in front of them.
/subsystem=web/connector=HTTPS/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)
- Now add the certificate to your newly created HTTPS connector.
/subsystem=web/connector=HTTPS/ssl=configuration:add(name=https,certificate-key-file="${jboss.server.config.dir}/nameofyourcertificate.jks",password=KEYSTOREPASSWORD, key-alias=1)
- Change the SSL protocol of the connector to TLSv1
/subsystem=web/connector=HTTPS/ssl=configuration/:write-attribute(name=protocol,value=TLSv1)
- If you wish to proceed with the rest of this guide, skip this step. If you're using a new version of DV it is possible to reload your configuration; in older versions (6.2) it is more prudent to restart your service.
- Your REST services should now be using HTTPS when accessed using port 8443.
Installing a certificate for the management console (webinterface)
For security reasons it is a good idea to encrypt your connection to the management console (web interface). By default this is not encrypted. In this guide we add a certificate to the management HTTPS interface and remove the old unencrypted management HTTP interface.
- In case you didn’t do this before: first we need to put the certificate in a folder your server has access to, preferably the server's configuration directory. By default this is $JBOSS_HOME/standalone/configuration/
- Start the jboss-cli, which is found at $JBOSS_HOME/bin/ and connect to the server using the following command. If your server is configured properly you need to input the credentials of an admin user.
connect servername
- Create a new HTTPS management interface.
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
- Add the JKS certificate to the ManagementRealm.
/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=nameofyourcertificate.jks,keystore-relative-to=jboss.server.config.dir, keystore-password=PASSWORD, alias=1)
- Disable the old HTTP management interface.
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)
- If you wish to proceed with the rest of this guide, skip this step. If you're using a new version of DV it is possible to reload your configuration; in older versions (6.2) it is more prudent to restart your service.
- You should now be able to reach your management web interface using HTTPS. It might be a nice idea to change the HTTPS port used for this interface to that of the old HTTP interface so as not to confuse users.
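One way to check the result of the two HTTPS sections above is to audit standalone.xml once the changes are in place. This is an added example, not part of the original post: the XML excerpt is constructed, its element and attribute names assume the EAP 6 standalone.xml layout, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed standalone.xml excerpt (EAP 6 element names assumed). The old
# management HTTP binding is deliberately left in place to produce a finding.
SAMPLE = """<server xmlns="urn:jboss:domain:1.7"><management>
 <security-realms><security-realm name="ManagementRealm">
  <server-identities><ssl><keystore path="nameofyourcertificate.jks"
   relative-to="jboss.server.config.dir" keystore-password="PASSWORD" alias="1"/>
  </ssl></server-identities></security-realm></security-realms>
 <management-interfaces><http-interface security-realm="ManagementRealm">
  <socket-binding http="management-http" https="management-https"/>
 </http-interface></management-interfaces></management>
 <profile><subsystem xmlns="urn:jboss:domain:web:2.2">
  <connector name="HTTPS" protocol="HTTP/1.1" scheme="https"
   socket-binding="https" secure="true"><ssl name="https" key-alias="1"
   certificate-key-file="${jboss.server.config.dir}/nameofyourcertificate.jks"
   password="KEYSTOREPASSWORD" protocol="TLSv1"/></connector>
 </subsystem></profile></server>"""

def local(el):
    """Tag name without its namespace, so any schema version matches."""
    return el.tag.rsplit("}", 1)[-1]

def named(parent, name):
    return [el for el in parent.iter() if local(el) == name]

def audit(xml_text):
    """Return findings for the web connector and the management interface."""
    root, findings = ET.fromstring(xml_text), []
    if not any(c.get("scheme") == "https" and c.get("secure") == "true"
               and any(s.get("certificate-key-file") for s in named(c, "ssl"))
               for c in named(root, "connector")):
        findings.append("web: no secure HTTPS connector with a keystore")
    for iface in named(root, "http-interface"):
        attrs = {k: v for b in named(iface, "socket-binding")
                 for k, v in b.attrib.items()}
        if not attrs.get("https"):
            findings.append("management: no HTTPS socket binding")
        if attrs.get("http"):
            findings.append("management: plain HTTP binding still defined")
        realms = [r for r in named(root, "security-realm")
                  if r.get("name") == iface.get("security-realm")]
        if not any(named(i, "keystore") for r in realms
                   for i in named(r, "server-identities")):
            findings.append("management: realm has no SSL keystore")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real server, pass the contents of its standalone.xml to audit(); an empty list means both checks passed.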
Turning on encryption for JDBC
Normally the JDBC data stream when connecting to the DV server's Teiid instance is not encrypted; only the username and password are encrypted. For internal use, at least anonymous end-to-end encryption is recommended. This guide shows you how to do that.
- Start the jboss-cli, which is found at $JBOSS_HOME/bin/ and connect to the server using the following command. If your server is configured properly you need to input the credentials of an admin user.
connect servername
- Set the SSL authentication mode to anonymous.
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-authentication-mode,value=anonymous)
- Change the SSL mode to enabled.
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-mode,value=enabled)
- If you're using a new version of DV it is possible to reload your configuration; in older versions (6.2) it is more prudent to restart your service.
- If you want to test your encrypted JDBC connection, try to connect to a deployed VDB using SSL encryption, e.g. jdbc:teiid:yourvbname@mms://yourservername:31000
- For further information on how to use a certificate for better encryption, see the following URL: https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.3/html-single/security_guide/index
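As an added check that is not part of the original post, the script below scans client configuration text for Teiid JDBC URLs that still use the plain mm:// transport instead of mms:// as in the test URL above. The sample lines, file names, VDB names, hosts and function names are constructed for illustration.

```python
import re

# Teiid client URL shape:
#   jdbc:teiid:<vdb>[.<version>]@mm[s]://host:port[,host:port...][;prop=value...]
# "mms" is the SSL transport; "mm" is the plain one.
TEIID_URL = re.compile(
    r"jdbc:teiid:(?P<vdb>[^@;\s\"'<>]+)@(?P<scheme>mms?)://(?P<hosts>[^;\s\"'<>]+)")

# Constructed sample of client settings; file names, VDBs and hosts are made up.
SAMPLE_CONFIG = """\
reports.properties: url=jdbc:teiid:sales@mm://dv01.example.internal:31000;fetchSize=500
etl-ds.xml: <connection-url>jdbc:teiid:hr.2@mms://dv01.example.internal:31000</connection-url>
batch.sh: URL="jdbc:teiid:sales@mm://dv01.example.internal:31000,dv02.example.internal:31000"
"""

def scan(text):
    """Yield one record per Teiid URL found, noting whether it uses mms://."""
    for number, line in enumerate(text.splitlines(), start=1):
        for m in TEIID_URL.finditer(line):
            yield {"line": number,
                   "vdb": m["vdb"],
                   "hosts": m["hosts"].split(","),   # failover lists are comma-separated
                   "encrypted": m["scheme"] == "mms"}

def plaintext_urls(text):
    """Records for URLs that still name the unencrypted mm:// transport."""
    return [r for r in scan(text) if not r["encrypted"]]

if __name__ == "__main__":
    for r in plaintext_urls(SAMPLE_CONFIG):
        print(f"line {r['line']}: VDB {r['vdb']} on {', '.join(r['hosts'])} uses mm://")
```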
Conclusion
This concludes this guide. You should now have a server that can be connected to using HTTPS or JDBC with SSL.