Here are some basic instructions on how to get SSL configured and working in Hawkular
Kettle. I still have to verify that everything works wrt inventory, but this should be
what needs to get done to get SSL/https working. Note that the securityRealm agent
attribute is a new attribute that will be added to the agent shortly - it is not available
in the latest agent release.
You should run these commands from within kettle's standalone/configuration
directory.
1) If you do not have a keystore with your own private key/certificate, you can generate a
self-signed cert. We will assume this is for testing purposes only so this will be a valid
certificate for your localhost only (see "CN=localhost" and the Subject
Alternative Name of 127.0.0.1):
keytool -genkey -keystore hawkular.keystore -alias hawkular \
    -dname "CN=localhost" -keyalg RSA -storepass hawkular -keypass hawkular \
    -validity 36500 -ext san=ip:127.0.0.1
Again, make sure your new "hawkular.keystore" is in kettle's
standalone/configuration directory.
2) If you did create your own self-signed certificate, you will need to tell your Java VM
that it can trust it. You do this by adding your self-signed cert to the cacerts file.
2.a) First, export your certificate from your keystore file (hawkular.keystore if you
followed instructions in step 1) into a file called hawkular.cert:
keytool -export -alias hawkular -file hawkular.cert -storepass hawkular \
    -keystore hawkular.keystore
2.b) Now import your self-signed certificate into your Java installation's CA
certificates file. This makes the certificate trusted by every Java application that
uses this JRE:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias hawkular \
    -storepass changeit -file hawkular.cert
You can examine your certificate and answer the prompt to indicate you do trust that
certificate. If you want to automate this, you can pass in the -noprompt command line
argument and it will automatically add the certificate without asking you for
confirmation.
3) Now that your keystore is generated and trusted, you have to tell Hawkular Kettle to
use your keystore when using SSL. Add a security-realm first:
<management>
    <security-realms>
        <!-- existing security realms stay as they are -->
        <security-realm name="UndertowRealm">
            <server-identities>
                <ssl>
                    <keystore path="hawkular.keystore"
                              relative-to="jboss.server.config.dir"
                              keystore-password="hawkular"
                              key-password="hawkular"
                              alias="hawkular" />
                </ssl>
            </server-identities>
        </security-realm>
    </security-realms>
    <!-- rest of <management> unchanged -->
</management>
4) Now add an HTTPS listener, using your new security-realm that is configured with your
new keystore:
<server name="default-server">
    <!-- existing listeners stay as they are -->
    <https-listener name="https" security-realm="UndertowRealm"
                    socket-binding="https"/>
    <!-- rest of <server> unchanged -->
</server>
5) Turn on SSL in the agent by adding these two attributes to the <storage-adapter>
element:
* useSSL="true"
* securityRealm="UndertowRealm"
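A consistency check for steps 3 to 5, added here as an example (it is not part of the original instructions or of Hawkular): it reports when the https-listener or the agent's storage-adapter names a realm that has no SSL keystore, when useSSL is not "true", or when the keystore still carries the test password from step 1. The sample document, its namespace and all function names are constructed for illustration, and the check assumes the agent's securityRealm must name a realm defined as in step 3.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not a real Kettle configuration file.
SAMPLE = """<server xmlns="urn:example:constructed">
 <management><security-realms><security-realm name="UndertowRealm">
  <server-identities><ssl>
   <keystore path="hawkular.keystore" keystore-password="{pw}" key-password="{pw}"/>
  </ssl></server-identities>
 </security-realm></security-realms></management>
 <server name="default-server"><https-listener name="https" security-realm="{realm}"/></server>
 <storage-adapter useSSL="{use_ssl}" securityRealm="UndertowRealm"/>
</server>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without its namespace

def by_name(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def ssl_realms(root):
    """Map realm name -> <keystore> found at server-identities/ssl/keystore."""
    found = {}
    for realm in by_name(root, "security-realm"):
        nodes = [realm]
        for step in ("server-identities", "ssl", "keystore"):
            nodes = [c for n in nodes for c in n if local(c.tag) == step]
        if nodes:
            found[realm.get("name")] = nodes[0]
    return found

def check_ssl_wiring(xml_text, test_password="hawkular"):
    """Return a list of problems; an empty list means steps 3-5 agree."""
    root = ET.fromstring(xml_text)
    realms, problems = ssl_realms(root), []
    for tag, attr in (("https-listener", "security-realm"), ("storage-adapter", "securityRealm")):
        elems = by_name(root, tag)
        if not elems:
            problems.append(f"no <{tag}> element found")
        for e in elems:
            if e.get(attr) not in realms:
                problems.append(f"{tag}: realm {e.get(attr)!r} has no ssl keystore")
            if tag == "storage-adapter" and e.get("useSSL") != "true":
                problems.append('storage-adapter: useSSL is not "true"')
    for name, ks in realms.items():
        if test_password in (ks.get("keystore-password"), ks.get("key-password")):
            problems.append(f"realm {name!r}: keystore still uses the test password")
    return problems

if __name__ == "__main__":
    print(check_ssl_wiring(SAMPLE.format(pw="hawkular", realm="ApplicationRealm", use_ssl="false")))
```

To check a real file, pass its contents to check_ssl_wiring(); elements are matched by local name, so the namespaces in the file do not matter.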