[Hawkular-dev] SSL by default

Juraci Paixão Kröhling jpkroehling at redhat.com
Wed May 25 09:46:40 EDT 2016 

On 25.05.2016 15:16, John Mazzitelli wrote:
>> My next step is to change the agent to accept certs on our keystore.
>
> If everything works as I am expecting it to work, you should just need to configure the agent's storage adapter to use the WildFly security realm where the keystore is defined, and it should "just work." But then again, its been a while since I tested the agent using secure comm to the server, but that is how I got it to work last time.
>
> See http://www.hawkular.org/docs/user/secure-comm.html

Cool ! That would work for the local agent, which is the scenario I was 
planning on working on. For remote agents, we should *not* do this, as 
the keystore includes the private key for the cert, which should be 
known only to the server. But for the remote agent, I expect the server 
to use a proper certificate chain.

>> Related question: are we even allowed to ship such keystores?
>
> It is how RHQ does it :-)

That's good to know, thanks!

>> - As mentioned in the previous point, the cert is self-signed. So, you
>> might need to add "-k" to curl to bypass the cert verification.
>> - Authentication with client cert is not yet available.
>
>
> I do not know how to tell WildFly in its security-realm to do this same kind of bypass... did you look into that? Because the agent will need to be told about doing this bypass, too. The way I worked around it was I actually put my self-signed cert into my JVM's truststore (which isn't something I think we want to ask people to do).

It depends on the HTTP client you are using. In the "production" 
scenarios, no change is needed, as the cert would probably have a valid 
chain.

For dev scenarios, or scenarios where the cert is issued by an unknown 
root CA (like internal certificates), the common practice is to add the 
root CA to the JVM's keystore, similar to what you did. The reason is 
that this cert is not trusted by any known Certificate Authority, so, an 
admin would have to explicitly tell that this cert is known and is to be 
trusted. The cert we will be shipping on the keystore is *not* trusted 
and is intended to be used only on dev scenarios.

Another practice is to do a certificate pinning, ie, tell your HTTP 
client that you know about this specific cert. The disadvantage of this 
is that we'd have to keep the server and client in sync. Looking at your 
instructions on secure-comm.html , this is probably what you are doing 
on the agent side.

Unfortunately, there's no secure solution that I know of that would 
allow us to ship something usable for our production distribution.

There was a thread some time ago on wildfly-dev about auto generating 
certificates on the first boot. I believe this was part of Elytron and 
we might be able to benefit from this in the future.

- Juca.

More information about the hawkular-dev mailing list