I am new to jmx and ssl. Now I am trying to implement jmx with ssl.
I have created keystore and truststore as specified in the link http://www.techbrainwave.com/?p=953.
And implemented a simple java application in eclipse as in https://blogs.oracle.com/jmxetc/entry/jmx_connecting_through_firewalls_using. I configured keystore and truststore files like this,
System.setProperty("javax.net.ssl.keyStore", "C:\\Users\\Administrator\\Desktop\\Certificates\\keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
Now I have to run the application with jboss. So I edited properties - services.xml. set the same properties with tag like this,
<attribute name="Properties">
javax.net.ssl.trustStore = C:\\Users\\Administrator\\Desktop\\certificates\\truststore.jks
</attribute>
It is working now. My doubt is: is this the correct way of implementing jmx and SSL with jboss? Or do I have any other way to implement it? Please tell me if I am wrong.
Thanks in advance,
It's a right way; you can check this link for more details. If you need to run your application in jboss, you can specify the properties in wrapper conf.
Related
I have to get all these Headers (mentioned below) green when checked the URL "https://.com" on securityheaders.com.
Headers: "Strict-Transport-Security" "Content-Security-Policy" "X-Frame-Options" "X-Content-Type-Options"
The Web Server running here is IBM WebSphere 9.0.5.13.
I know it needs to be added in some Web.xml file with a context param, but there are so many web.xml files, not sure which one, OR
we also tried from the Server Web Container Settings by adding this, which didn't work:
com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP....value=max-age=31536000;includeSubDomains;preload
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader....value=max-age=31536000;includeSubDomains;preload
But neither worked. I need to do this for all the Headers mentioned above.
We know how to do this for Tomcat, but having difficulty with WebSphere guys.
If anybody knows how to do this please help me. Thanking you guys in advance
Regards,
Mainak
You need to use the Servlet APIs to set custom response headers, either in your application or in a filter. If you can't do that, you can often do similar if you have a proxy server in front of your application.
WebSphere Liberty has basic support for adding custom response headers via server.xml, but it's not available in the traditional websphere application server.
HSTS is unique as there is support for it at various levels in configuration.
I was following a tutorial for setting up a WebSphere Liberty Server Here and didn't really know what a part of the tutorial did. I completed the tutorial and it works fine.
On step 3 it has me modify the server.xml with these two lines and I don't really know what they do.
<applicationMonitor updateTrigger="mbean" />
<feature>localConnector-1.0</feature>
I found the documentation for localConnector-1.0 but it's a little over my head
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.nd.doc/ae/rwlp_feature_localConnector-1.0.html
I think localConnector allows IntelliJ to run the server somehow but I don't know what updateTrigger="mbean" does.
If anyone has an explanation that would be great. Thanks!
The localConnector-1.0 feature enables the local JMX connector on Liberty so that the JMX Client (IntelliJ) can connect to and administer Liberty.
You can find more documentation on the feature here: https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_admin_localconnector.html
updateTrigger="mbean" is setting the application updates to only occur when triggered by an mbean call (whereas the default is to poll for changes).
You can find more documentation here:
https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_setup_dyn_upd.html
I've generated my application with JHipster. I've changed the authentication way in my project to use LDAPS.
I added configuration in application.yml
Server SSL:
key-store: classpath:keystore.jks
key-store-password: secret
key-password: secret
I didn't add any other code (i.e. java) for this certificate.
When I try to launch my application in a browser, it doesn't work; however if I delete this configuration, it works. Does my application really need a certificate for the connection to LDAPS?
What is wrong with this code, should I add java code somewhere to complete my configuration?
Thanks for your answers
Not enough information to help you. Which version of JHipster, which authentication did you choose when generating your app?
To make it work with LDAP you must change the SecurityConfiguration class.
I have successfully created MBeans and deployed it. I can also see that my Custom MBean is deployed in MBeans section in JConsole.
How can I deploy it to Tomcat 7?
I found many tutorials online, which are too old. I have not found any tutorial for Tomcat 7 so far. Please help me in finding a tutorial which suits Tomcat Version 7.
I used a tutorial which was based on Tomcat 6. But I could not succeed because, one of the listeners used in the Server.xml file "ServerLifecycleListener" is not used anymore in Tomcat 7.
You need to add mbeans-descriptors.xml as following and it needs to be placed in same package as the class file it describes.
Adding MBean descriptions
<mbean name="LDAPRealm"
className="org.apache.catalina.mbeans.ClassNameMBean"
description="Custom LDAPRealm"
domain="Catalina"
group="Realm"
type="com.myfirm.mypackage.LDAPRealm">
<attribute name="className"
description="Fully qualified class name of the managed object"
type="java.lang.String"
writeable="false"/>
<attribute name="debug"
description="The debugging detail level for this component"
type="int"/>
.
.
You could refer this as well:
Container level Custom JXM MBean in Tomcat 7
I've got jetty 7.x embedded. Basically just creating a SelectChannelConnector to listen on port 80 and WebAppContext to deploy a single WAR directory.
I need to add SSL now (all the keystore stuff is done), and I would have guessed to just add an SslSelectChannelConnector, but all the methods are deprecated without any javadocs to explain why, and what to do instead. And the Jetty/SSL docs only show some XML without describing what to do with it.
Can anyone get me the entry point here to setting up SSL on an embedded instance of Jetty? I don't think this will be complicated, I just don't know what class to start with in the current release.
A response from the Jetty Users Email Group:
David,
You need to create an instance of SslContextFactory and configure it with your keystore parameters. After that you'll need to pass that instance to the SslSelectChannelConnector's constructor. Recently modified configuration file jetty-ssl.xml shows how it is done in XmlConfiguration, and could be easily translated into code. This will be documented in Jetty Wiki as soon as we get a chance.
-Michael
I've been using this and it works just fine for me thus far:
//Set up SSL keystore
SslContextFactory sslContextFactory = new SslContextFactory("/etc/mykeystore");
sslContextFactory.setKeyStorePassword("yourpassword");
SslSelectChannelConnector selectChannelConnector = new SslSelectChannelConnector(sslContextFactory);
selectChannelConnector.setPort(4567); //your port