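Unable to run the JBoss management console with SSL

Time: 2012-09-12 14:19:47

Tags: ssl https console jboss7.x

I am running JBoss AS 7 in domain mode. When I apply the changes to host.xml, I get the following error.

[Host Controller] Message: JBAS014789: Unexpected element '{urn:jboss:domain:1.2}socket-binding' encountered

I followed this reference guide.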

https://community.jboss.org/wiki/SecuringAdministrationConsoleWithHttps

host.xml

<management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
                <server-identities>
                    <ssl>
                        <keystore path=".keystore" relative-to="jboss.home.dir" password="changeit"/>
                    </ssl>
                </server-identities>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
                </authentication>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.http.port:9990}"/>
                <socket-binding https="management-https"/>
            </http-interface>
        </management-interfaces>
    </management>

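Thanks!

2 answers:

Answer 0: (score: 0)

Make the correct change in the configuration file at the specific row and column, as shown by the stack trace ParseError at [row,col]:[x,y]

Answer 1: (score: 0)

I have been working through the same problem, and it is tricky for a number of reasons. I have included my changes to standalone.xml for my target. It goes without saying that you will need to build a keystore to reference.

The trickiest part of this configuration is that the <ssl> element in management.security-realms.security-realm uses a different syntax from the <ssl> element you configure in <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">. I have listed both elements here to show the contrast. You do not actually need to configure SSL for the web service in order to secure your console. I added the extra detail to show how they differ.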


<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl protocol="TLS">
                  <keystore path="/my/path/to/certs/my_cert.jks" keystore-password="mypass"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-console-https"/>
        </http-interface>
    </management-interfaces>
</management>
.
.
.
<profile>
.
.
.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
        <ssl password="mypass" certificate-key-file="/my/path/to/certs/my_cert.jks" protocol="TLSv1" verify-client="false" certificate-file="/my/path/to/certs/my_cert.jks"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
.
.
.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
.
.
.
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-console-https" interface="management" port="${jboss.management.console.https.port:9991}"/>


Also, since you will not be using it, remove the old socket binding:


<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>



I hope this helps.
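
An added example, not part of the original thread or of the JBoss project's code: a small Python check over a management block that reports the conditions this thread turns on (a `<socket>` and a `<socket-binding>` child together in `<http-interface>`, a binding without the `https` attribute the question uses, a realm without an `<ssl>` keystore identity). The sample XML is constructed from the question's host.xml, the name `audit_http_interface` is hypothetical, and the check assumes `https=` is the attribute that names the TLS listener.

```python
import xml.etree.ElementTree as ET

# Constructed sample, condensed from the host.xml posted in the question.
QUESTION_CONFIG = """<management xmlns="urn:jboss:domain:1.2">
  <security-realms><security-realm name="ManagementRealm">
    <server-identities><ssl>
      <keystore path=".keystore" relative-to="jboss.home.dir" password="changeit"/>
    </ssl></server-identities>
  </security-realm></security-realms>
  <management-interfaces><http-interface security-realm="ManagementRealm">
    <socket interface="management" port="9990"/>
    <socket-binding https="management-https"/>
  </http-interface></management-interfaces>
</management>"""

# Constructed variant in the socket-binding style the answer uses for standalone.xml.
STANDALONE_STYLE = QUESTION_CONFIG.replace(
    '<socket interface="management" port="9990"/>', "")


def audit_http_interface(xml_text):
    """Return a list of findings for every <http-interface> in the block."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Drop the urn:jboss:domain:* namespace so element paths stay short.
        el.tag = el.tag.split("}", 1)[-1]
    realms = {r.get("name"): r for r in root.iter("security-realm")}
    findings = []
    for iface in root.iter("http-interface"):
        name = iface.get("security-realm")
        realm = realms.get(name)
        if realm is None:
            findings.append(f"realm {name!r} is not defined")
        elif realm.find("server-identities/ssl/keystore") is None:
            findings.append(f"realm {name!r} has no ssl keystore identity")
        sock, bind = iface.find("socket"), iface.find("socket-binding")
        if sock is not None and bind is not None:
            # The child element that the JBAS014789 message names.
            findings.append("both <socket> and <socket-binding> are present")
        # Assumption: https= names the TLS listener, http= the plaintext one.
        if bind is not None and bind.get("https") is None:
            findings.append("<socket-binding> has no https= attribute")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("standalone", STANDALONE_STYLE)):
        print(label, audit_http_interface(cfg))
```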