My next step is to change the agent to accept certs on our keystore.
If everything works as I am expecting it to work, you should just need to configure the
agent's storage adapter to use the WildFly security realm where the keystore is
defined, and it should "just work." But then again, it's been a while since I
tested the agent using secure comm to the server, but that is how I got it to work last
time.
See
http://www.hawkular.org/docs/user/secure-comm.html
A few comments:
- The HTTP port is not redirecting to HTTPS yet. This might require
changes to the individual component's web.xml, which I'll be adding soon.
- The certificate inside the keystore is a self-signed one. Should we
ship it on the main distribution, with instructions telling users to
replace our certificate with a real one? Or should we *not* ship it?
RHQ ships with such a keystore, too. I can't remember if we explicitly told people in
the docs to change it. But that is how we ship it. We should tell people about it.
Related question: are we even allowed to ship such keystores?
It is how RHQ does it :-)
- As mentioned in the previous point, the cert is self-signed. So, you
might need to add "-k" to curl to bypass the cert verification.
- Authentication with client cert is not yet available.
I do not know how to tell WildFly in its security-realm to do this same kind of bypass...
did you look into that? Because the agent will need to be told about doing this bypass,
too. The way I worked around it was I actually put my self-signed cert into my JVM's
truststore (which isn't something I think we want to ask people to do).
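As an added example (not code from this thread or from Hawkular) of the alternative to the "-k" bypass discussed above: export the server's own certificate from the keystore and pin it as the client's trust anchor, which is what the agent or curl needs instead of disabling verification. It assumes the openssl CLI is installed; the PKCS#12 keystore standing in for the WildFly realm keystore, the hostname hawkular.example and the password are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the Hawkular thread). Assumes the openssl CLI.
# Shows why a self-signed cert fails ordinary verification (the reason people
# reach for "curl -k") and how to trust it explicitly instead.
set -eu
WORK="$(mktemp -d)"
PASS="changeit"   # constructed placeholder keystore password

# 1. Create a self-signed cert and wrap it in a PKCS#12 keystore, standing in
#    for the keystore a WildFly security realm would point at (assumption).
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=hawkular.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -out "$WORK/keystore.p12" -passout "pass:$PASS"
}

# 2. Export only the certificate (never the private key) so a client such as
#    the agent or curl can pin it as its trust anchor.
export_trust_anchor() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys -clcerts \
    | openssl x509 -out "$WORK/trusted.pem"
}

# 3a. Against the system roots the self-signed cert is rejected; this is the
#     failure that "-k" papers over by skipping verification entirely.
verify_with_system_roots() {
  openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# 3b. With the exported cert pinned, verification succeeds with no bypass.
#     The curl equivalent is --cacert "$WORK/trusted.pem" in place of -k.
verify_with_pinned_cert() {
  openssl verify -CAfile "$WORK/trusted.pem" "$WORK/server.crt" >/dev/null 2>&1
}

make_keystore
export_trust_anchor
if verify_with_system_roots; then echo "unexpected: system roots trusted it"; fi
verify_with_pinned_cert && echo "pinned cert verified OK"
```

Importing trusted.pem into the agent's own truststore (rather than the JVM-wide one mentioned above) keeps the trust decision scoped to the agent.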