[Hawkular-dev] how to configure Hawkular Kettle for SSL/HTTPS

John Mazzitelli mazz at redhat.com
Mon Oct 12 17:28:19 EDT 2015


Here are some basic instructions on how to get SSL configured and working in Hawkular Kettle. I still have to verify that everything works wrt inventory, but this should be what needs to get done to get SSL/https working. Note that the securityRealm agent attribute is a new attribute that will be added to the agent shortly - it is not available in the latest agent release.

You should run these commands from within kettle's standalone/configuration directory.

1) If you do not have a keystore with your own private key/certificate, you can generate a self-signed cert. We will assume this is for testing purposes only so this will be a valid certificate for your localhost only (see "CN=localhost" and the Subject Alternative Name of 127.0.0.1):

keytool -genkey -keystore hawkular.keystore -alias hawkular -dname "CN=localhost" -keyalg RSA -storepass hawkular -keypass hawkular -validity 36500 -ext san=ip:127.0.0.1

Again, make sure your new "hawkular.keystore" is in kettle's standalone/configuration directory.

2) If you did create your own self-signed certificate, you will need to tell your Java VM that it can trust it. You do this by adding your self-signed cert to the cacerts file.

2.a) First, export your certificate from your keystore file (hawkular.keystore if you followed instructions in step 1) into a file called hawkular.cert:

keytool -export -alias hawkular -file hawkular.cert -storepass hawkular -keystore hawkular.keystore

2.b) Now import your self-signed certificate into your Java's CA certificates file - this makes your certificate trusted by your Java apps:

keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias hawkular -storepass changeit -file hawkular.cert 

You can examine your certificate and answer the prompt to indicate you do trust that certificate. If you want to automate this, you can pass in the -noprompt command line argument and it will automatically add the certificate without asking you for confirmation.

3) Now that your keystore is generated and trusted, you have to tell Hawkular Kettle to use your keystore when using SSL. Add a security-realm first:

    <management>
        <security-realms>
            <security-realm name="UndertowRealm">
                <server-identities>
                    <ssl>
                        <keystore path="hawkular.keystore" relative-to="jboss.server.config.dir" keystore-password="hawkular" key-password="hawkular" alias="hawkular" />
                    </ssl>
                </server-identities>
            </security-realm>

4) Now add an HTTPS listener, using your new security-realm that is configured with your new keystore:

   <server name="default-server">
       <https-listener name="https" security-realm="UndertowRealm" socket-binding="https"/>

5) Turn on SSL in the agent by adding these two attributes to the <storage-adapter> element:

  * useSSL="true"
  * securityRealm="UndertowRealm"
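
A consistency check for steps 3 to 5, added here as an example and not part of the original message or the Hawkular code base: it parses a standalone.xml and reports any https-listener or storage-adapter that names a security realm with no SSL keystore. The function names, the namespace and the `<profile>`/`<subsystem>` wrappers in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed standalone.xml holding only the elements from steps 3-5.
# The namespace and the <profile>/<subsystem> wrappers are placeholders, not real values.
SAMPLE = """<server xmlns="urn:example:constructed">
  <management><security-realms>
    <security-realm name="UndertowRealm">
      <server-identities><ssl>
        <keystore path="hawkular.keystore" relative-to="jboss.server.config.dir"
                  keystore-password="hawkular" key-password="hawkular" alias="hawkular"/>
      </ssl></server-identities>
    </security-realm>
  </security-realms></management>
  <profile>
    <subsystem><server name="default-server">
      <https-listener name="https" security-realm="UndertowRealm" socket-binding="https"/>
    </server></subsystem>
    <subsystem><storage-adapter useSSL="true" securityRealm="UndertowRealm"/></subsystem>
  </profile>
</server>"""

def local(tag):
    """Element name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]

def check_ssl_wiring(xml_text):
    """Return a list of problems; an empty list means steps 3-5 agree with each other."""
    elems = list(ET.fromstring(xml_text).iter())
    # Step 3: realms that have a <keystore path="..."> somewhere beneath them.
    ssl_realms = {r.get("name") for r in elems if local(r.tag) == "security-realm"
                  and any(local(k.tag) == "keystore" and k.get("path") for k in r.iter())}
    problems = []
    listeners = [e for e in elems if local(e.tag) == "https-listener"]
    if not listeners:
        problems.append("no https-listener defined")
    for lst in listeners:  # step 4: the listener must point at an SSL-capable realm
        if lst.get("security-realm") not in ssl_realms:
            problems.append(f"https-listener realm {lst.get('security-realm')!r} has no ssl keystore")
    for a in (e for e in elems if local(e.tag) == "storage-adapter"):  # step 5
        if a.get("useSSL") != "true":
            problems.append("storage-adapter useSSL is not 'true'")
        elif a.get("securityRealm") not in ssl_realms:
            problems.append(f"storage-adapter realm {a.get('securityRealm')!r} has no ssl keystore")
    return problems
```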

