Connecting to FAS via the CLI
- Navigate to the FAS's bin directory e.g. cd <FAS_INSTALL_DIR>/bin
- Start the JBoss CLI e.g. ./jboss-cli.sh
- Using the 'connect' command, connect to the master host of the required FAS cluster, specifying its address and the management port e.g. connect <ADDRESS>:9999
- When prompted for credentials, enter the appropriate username and password
- To terminate a CLI session type: quit
NOTE: Once connected use 'ctrl + backspace' to delete a command
Generate CSR (This is example is based on securing https, change to sips for SIP signalling)
Following command can be used to generate CSR for https in main-loadbalancer-group
/profile=management/subsystem=trustmgmt/identity-certificate-group=main-loadbalancer-group/identity-certificate=https/:generate-csr(password=changeit,subject-dn=CN=ngupta-la.cli.test,challenge-password=mypassword)
You can use exact same command to generate CSR for sips just replace https with sips
Import Signed Certficate
Once you receive signed certificate from your CA, you can import it using following command:
/profile=management/subsystem=trustmgmt/identity-certificate-group=main-loadbalancer-group/:import-certificate(name=https,password=changeit,cert-encoded=-----BEGIN CERTIFICATE----- encoded cert -----END CERTIFICATE-----)
NOTE the certificate has to be all on one line, no carriage returns e.g.
/profile=management/subsystem=trustmgmt/identity-certificate-group=main-loadbalancer-group/:import-certificate(name=https,password=changeit,cert-encoded=-----BEGIN CERTIFICATE-----MIIDojCCAoqgAwIBAgIBFDANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMCVUsxDjAMBgNVBAgMBVdhbGVzMRAwDgYDVQQHDAdDYXJkaWZmMQ4wDAYDVQQKDAVDYWZlWDEQMA4GA1UECwwHc3VwcG9ydDEVMBMGA1UEAwwMU3RldmVzU2VydmVyMSEwHwYJKoZIhvcNAQkBFhJzcGFyZml0dEBjYWZleC5jb20wHhcNMTUwMjA2MTEyMjAzWhcNMTYwMjA2MTEyMjAzWjAgMR4wHAYDVQQDExVjcy1yZGF2aWVzMi5jYWZleC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCu4XX9eKOPwrnn2U1wrybKSiCP9eTmh96sVJXVpjwDRhQYZ3tqYFMccyGp/k53zKUX1SKrhWAlqMlokpS9z3uZoiA9Gu9upuIpP9eqn+bkonui/526/EL/uWisY98Ik1ybhSr4jFZE2tv+U4ls0WZRH1KoCfGcxiI+n5Pz3eWG3iN6K9VZqJXDQIZrslV2CNvmPW6XnnADlJ44VLaSsjbOlXZLBuxl3sAWMSasfeSr0MY2t9obgr97eKtshmjTuWRuxTEPBV3Sslqy/SGDeJgqp52VQ+4rWng9uHTlXlky+/x3Xl4XyuaNDaeLEIgmEXaPidx7HctR/cfzTAKZ7vpRAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQSaQJQBxJairgZXEVFaVEXWCLv/TAfBgNVHSMEGDAWgBR2lRqn04KWX34/ERbooOC6gZxS+DANBgkqhkiG9w0BAQsFAAOCAQEArtv9qYA0vENQ0t1VOf7Rcr3w+Ox6Ofk51we6nHEojRcmE4Zk5ZVgcZKVha+e7rXghFyqj8gYNlD6TP/VtZzJkKI/xyiShH1IOaDQ94zmgQWnRvEOVfqU3rmgju5Xu4hqCzbdPcthS8b1zoWWNQfNLF6wYO/v8buUr0XLN9XOrRJLN1OJMbm1cn6Ow3hozKV4I3z8DtXx3ZhqIHSzhsgZD90LpLexpZMcGY/dvDy0WlRZCAfDrrZWixNbFo9S6wk5G2bMTKuloeI9AoON7/Fx1WCpq0QvPSUUfX7yPiShRWrX9K46UnX7KUm9QDCrwrt3Ad3Ip38LQJBPQUHJQq+uAg==-----END CERTIFICATE-----)
You can use exact same command to import certificate for sips just replace https with sips
Generate Key Pair
If you need to generate new key pair, you may do so using following command, change input values in bold:
/profile=management/subsystem=trustmgmt/identity-certificate-group=main-loadbalancer-group/:generate-keypair(expiry-date=2024-10-10,subject-dn=cn=192.168.8.99)
Delete an existing Key Pair
/profile=management/subsystem=trustmgmt/identity-certificate-group=main-loadbalancer-group/identity-certificate=https/:remove(password=changeit)
{
"outcome" => "success",
"result" => undefined,
"server-groups" => {"mgmt-server-group" => {"host" => {"master-cs-fcsdk" => {"management" => {"response" => {"outcome" => "success"}}}}}}
View an installed certificate
If you need to view an imported cert, you can do so with the following command (this is based on https cert swap to sips for signalling cert)
/profile=management/subsystem=trustmgmt/identity-certificate-group=main-loadbalancer-group/identity-certificate=https/:get-certificate-details(password=changeit)
Comments
0 comments
Please sign in to leave a comment.