NO-JIRA clarify console access using certs

Co-authored-by: Paul Wright <5154224+pwright@users.noreply.github.com>
Domenico Francesco Bruscino 2021-09-24 14:29:39 +02:00 committed by Bruscino Domenico Francesco
parent 6ed3b1d78c
commit 371a7099a6
1 changed files with 44 additions and 0 deletions

@ -1403,6 +1403,50 @@ extra properties described as below.
- `trustStorePassword` - The trust store's password.
### Config access using client certificates
The web console supports authentication with client certificates, see the following steps:
- Add the [certificate login module](#certificateloginmodule) to the `login.config` file, i.e.
```
activemq-cert {
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};
```
- Change the hawtio realm to match the realm defined in the `login.config` file
for the [certificate login module](#certificateloginmodule). This is configured in the `artemis.profile` via the system property `-Dhawtio.role=activemq-cert`.
- Create a key pair for the client and import the public key in a truststore file.
```
keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass securepass -keypass securepass -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -ext bc=ca:false -ext eku=cA
keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass securepass -alias client -exportcert -rfc > client.crt
keytool -storetype pkcs12 -keystore client-truststore.p12 -storepass securepass -keypass securepass -importcert -alias client-ca -file client.crt -noprompt
```
- Enable secure access using HTTPS protocol with client authentication,
use the truststore file created in the previous step to set the trustStorePath and trustStorePassword:
```xml
<web bind="https://localhost:8443"
path="web"
keyStorePath="${artemis.instance}/etc/server-keystore.p12"
keyStorePassword="password"
clientAuth="true"
trustStorePath="${artemis.instance}/etc/client-truststore.p12"
trustStorePassword="password">
<app url="jolokia" war="jolokia-war-1.3.5.war"/>
</web>
```
- Use the private key created in the previous step to set up your client,
i.e. if the client app is a browser install the private key in the browser.
## Controlling JMS ObjectMessage deserialization
Artemis provides a simple class filtering mechanism with which a user can
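Review bot: The realm step tells the reader to change the hawtio realm but gives the system property as `-Dhawtio.role=activemq-cert`. `activemq-cert` is the JAAS realm name from the `login.config` block above, not a role, so this looks like it should be the realm property; please confirm against `artemis.profile` and fix the name. Separately, the keytool commands create `client-truststore.p12` with `-storepass securepass`, while the `<web>` element sets `trustStorePassword="password"`. A reader who copies both will have a truststore that fails to open, so use the same value in both places. In the first keytool command, `-ext eku=cA` sits right next to `bc=ca:false` and reads like a CA flag. If the abbreviation is meant as clientAuth, spell it out as `-ext eku=clientAuth`. The heading says "Config access" where the commit subject and the body talk about console access. The wording "import the public key" and "install the private key in the browser" would be more accurate as importing the client certificate into the truststore and importing the `client-keystore.p12` file into the browser.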