Posted to gitbox@activemq.apache.org by GitBox <gi...@apache.org> on 2021/09/24 13:07:27 UTC

[GitHub] [activemq-artemis] brusdev commented on a change in pull request #3772: NO-JIRA clarify console access using certs

brusdev commented on a change in pull request #3772:
URL: https://github.com/apache/activemq-artemis/pull/3772#discussion_r715596912



##########
File path: docs/user-manual/en/security.md
##########
@@ -1323,6 +1323,32 @@ extra properties described as below.
 
 - `trustStorePassword` - The trust store's password.
 
+### Config access using client certificates
+The web console supports the authentication with client certificates, see the following steps:  
+- Add the [certificate login module](#certificateloginmodule) to the `login.config` file, i.e.
+```
+activemq-cert {
+   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+       debug=true
+       org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
+       org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
+};
+```
+- Change the hawtio realm to match the realm defined in the `login.config` file
+for the [certificate login module](#certificateloginmodule). This is configured in the `artemis.profile` via the system property `-Dhawtio.role=activemq-cert`.
+- Enable secure access using HTTPS protocol with the client authentication:
+```xml
+<web bind="https://localhost:8443"
+    path="web"
+    keyStorePath="${artemis.instance}/etc/keystore.jks"
+    keyStorePassword="password"
+    clientAuth="true"
+    trustStorePath="${artemis.instance}/etc/truststore.jks"
+    trustStorePassword="password">
+    <app url="jolokia" war="jolokia-war-1.3.5.war"/>
+</web>
+```
+
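Review bot: In the second step the sentence says to change the hawtio realm, but the property it quotes is `-Dhawtio.role=activemq-cert`. `hawtio.role` names the role a user must hold, while the JAAS realm is selected by `hawtio.realm`, so this should read `-Dhawtio.realm=activemq-cert` to match the `activemq-cert` entry added to `login.config`. Two smaller points in the same hunk: the heading reads "Config access" where the PR title says console access, and the steps never state what has to be in `trustStorePath` or what the client presents, which is the information a reader needs for `clientAuth="true"` to work. Consider also dropping `debug=true` from the sample, or noting that it is for troubleshooting only.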

Review comment:
       The client cert with the public key should be included in the `${artemis.instance}/etc/truststore.jks` (trustStorePath), while the client cert with the private key should be used by the client to set up the secure channel, i.e. if the client app is a browser, the user should install the client cert with the private key in the browser. Let me clarify it.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
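
The split described in the review comment above, as an added example that is not part of the original message or of the Artemis documentation: the private key stays in a client-side PKCS12 file, and only the exported certificate goes into the trust store. The alias, subject DN, password and output directory are constructed placeholders, and the JDK's `keytool` is assumed to be on the PATH.

```shell
#!/usr/bin/env bash
# Added example: alias, DN and password are constructed, not from the Artemis docs.

# Create a client key pair, export only its certificate, and import that
# certificate into a trust store like the one the <web> element points at.
make_console_client_cert() {
    local dir="$1" pass="${2:-changeit}"     # demo password (assumption)
    local dn="CN=console-admin, O=Example"   # constructed subject DN

    # 1. Client side: private key + self-signed cert in PKCS12, the format
    #    browsers import. This file is never copied to the broker.
    keytool -genkeypair -alias console-client -keyalg RSA -keysize 2048 \
        -validity 365 -dname "$dn" \
        -keystore "$dir/client-keystore.p12" -storetype PKCS12 \
        -storepass "$pass" -keypass "$pass" >/dev/null 2>&1 || return 1

    # 2. Export the certificate only (public key, no private key).
    keytool -exportcert -alias console-client -rfc \
        -keystore "$dir/client-keystore.p12" -storetype PKCS12 \
        -storepass "$pass" -file "$dir/client-cert.pem" >/dev/null 2>&1 || return 1

    # 3. Broker side: trust that certificate. The resulting file is what
    #    would be placed at ${artemis.instance}/etc/truststore.jks.
    keytool -importcert -noprompt -alias console-client \
        -file "$dir/client-cert.pem" \
        -keystore "$dir/truststore.jks" -storetype JKS \
        -storepass "$pass" >/dev/null 2>&1 || return 1
}

# Print the entry type keytool reports for the alias in a store:
# PrivateKeyEntry (holds the private key) or trustedCertEntry (cert only).
entry_type() {
    keytool -list -alias console-client -keystore "$1" \
        -storepass "${2:-changeit}" 2>/dev/null |
        grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}
```

Running `entry_type` against both files is a quick check that the trust store holds a certificate-only entry and that the private key exists only in the file handed to the client.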
