[Hawkular-dev] SSL by default

John Mazzitelli mazz at redhat.com
Wed May 25 09:16:55 EDT 2016


> My next step is to change the agent to accept certs on our keystore.

If everything works as I am expecting it to work, you should just need to configure the agent's storage adapter to use the WildFly security realm where the keystore is defined, and it should "just work." But then again, it's been a while since I tested the agent using secure comm to the server, but that is how I got it to work last time.

See http://www.hawkular.org/docs/user/secure-comm.html

> A few comments:
> - The HTTP port is not redirecting to HTTPS yet. This might require
> changes to the individual component's web.xml , which I'll be adding soon.
> - The certificate inside the keystore is a self-signed one. Should we
> ship it on the main distribution, with instructions telling users to
> replace our certificate with a real one? Or should we *not* ship it?

RHQ ships with such a keystore, too. I can't remember if we explicitly told people in the docs to change it. But that is how we ship it. We should tell people about it.

> Related question: are we even allowed to ship such keystores?

It is how RHQ does it :-)


> - As mentioned in the previous point, the cert is self-signed. So, you
> might need to add "-k" to curl to bypass the cert verification.
> - Authentication with client cert is not yet available.


I do not know how to tell WildFly in its security-realm to do this same kind of bypass... did you look into that? Because the agent will need to be told about doing this bypass, too. The way I worked around it was I actually put my self-signed cert into my JVM's truststore (which isn't something I think we want to ask people to do).
