Enabling SSL/TLS in a Fabric is slightly more complex than securing a jetty in a standalone Karaf container. In the following article, we are providing feedback on the overall process. For clarity and simplification, the article will be divided into two parts.


Part1: The Management Console

Part2: Securing Web Service:including gateway-http


For the purpose of this PoC, the following environment will be used.


  • Host  (,  localhost MacOS
  • Host  (, RHEL 7.2 Virtual Box VM
  • Host  (, RHEL 7.2 Virtual Box VM


With the following components

  • jboss-fuse-6.3.0.redhat-187
  • jdk1.8.0_102


Part1: Put the Management Console in HTTPS in a Fuse Fabric 6.3 Cluster.


STEP1: Prepare/Generate a valid certificate/Keystore

If you setup a fabric with three ensemble servers, each ensemble server should trust the two others; the most practical approach to do this is to create a certificate authority to sign all the individual certificates. For the purpose of this demo we are creating a self signed certificate with  all the  in the Subject Alternative section.


keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore san.demo.jks -storepass Cluster01# -keypass Cluster01# -dname -alias demo



This certificate should be populated on the three hosts in the same folder location, for this demo the file is stored in  /shared/fuse/certs/


STEP2: Edit the EXTRA_JAVA_OPTS on all hosts.

p class="p1">vi $FUSE_HOME/bin/setenv

export EXTRA_JAVA_OPTS=" "

This will make your certs trusted by client code in fuse also. for debugging purpose you can add the options to have all the exception trace if any during the SSL handshake process.

  -Djava.rmi.server.logCalls=true , to get all RMI Exceptions

STEP 3: Start Fuse and create the Fabric


JBossFuse:karaf@fabric1> fabric:create --clean --resolver manualip --global-resolver manualip --manual-ip --force

Waiting for container: fabric1

It may take a couple of seconds for the container to provision...

You can use the --wait-for-provisioning option, if you want this command to block until the container is provisioned.

JBossFuse:karaf@fabric1> fabric:wait-for-provisioning



JBossFuse:karaf@fabric1> fabric:info

Fabric Release:            1.2.0.redhat-630187
Web Console:     
Rest API:
Git URL:         
Jolokia URL:     
ZooKeeper URI:   
Maven Download URI:
Maven Upload URI:

From and, run the fabric join command

JBossFuse:karaf@fabric2>fabric:join --resolver manualip --manual-ip --force
JBossFuse:karaf@fabric3>fabric:join --resolver manualip --manual-ip --force


The --resolver --global-resolver and --manual-ip are very important, if they do not match , certificate validation will failed


JBossFuse:karaf@fabric1> container-resolver-list

[id]     [resolver]  [local hostname]        [local ip]      [public hostname]  [public ip]  [manual ip]
fabric1  manualip                          
fabric2  manualip                        
fabric3  manualip                        


STEP 4: Create the secure SSL profile

Create a secure profile ssl

JBossFuse:karaf@root> profile-create --parent default ssl
profile-edit --pid org.ops4j.pax.web/org.osgi.service.http.enabled=false ssl
profile-edit --pid org.ops4j.pax.web/ ssl
profile-edit --pid org.ops4j.pax.web/'${port:8443,8543}' ssl
profile-edit --pid org.ops4j.pax.web/org.ops4j.pax.web.ssl.keystore='/shared/fuse/certs/san.demo.jks' ssl
profile-edit --pid org.ops4j.pax.web/org.ops4j.pax.web.ssl.password=Cluster01# ssl
profile-edit --pid org.ops4j.pax.web/org.ops4j.pax.web.ssl.keypassword=Cluster01# ssl

Check the created profile
JBossFuse:karaf@fabric1> profile-display ssl

Profile id: ssl

Version   : 1.0


  parents: default


Container settings


Configuration details


PID: org.ops4j.pax.web   org.ops4j.pax.web.ssl.password Cluster01#   org.osgi.service.http.enabled false   org.ops4j.pax.web.ssl.keypassword Cluster01# true ${port:8443,8543}   org.ops4j.pax.web.ssl.keystore /shared/fuse/certs/san.demo.jks

Other resources


STEP 5: Put the fabric in HTTPS

By adding the ssl profile to the fabric1, for example, the fabric turns in https. You can repeat the operation for fabric2 and fabric3.


JBossFuse:karaf@fabric1> container-add-profile fabric1 ssl

JBossFuse:karaf@fabric1> container-add-profile fabric2 ssl

JBossFuse:karaf@fabric1> container-add-profile fabric3 ssl


JBossFuse:karaf@fabric1> log:tail | grep "Pax Web available"

2016-11-15 11:29:59,802 | INFO  | onfig-1-thread-3 | JettyServerImpl                  | 117 - org.ops4j.pax.web.pax-web-jetty - 4.3.0 | Pax Web available at []:[8443]


JBossFuse:karaf@fabric1> fabric:info
Fabric Release:                1.2.0.redhat-630187
Web Console:         
Rest API:
Git URL:             
Jolokia URL:         
ZooKeeper URI:       
Maven Download URI:  
Maven Upload URI:    



STEP 6: Creating Child containers

Connections from child containers also need to be trusted (e.g. Maven proxy, communication with fabric ensemble.) To create a child container with the ssl profile follow the following steps:

  • create the child container with ssl profile  container-create-child --profile ssl fabric1 node1
  • edit the child container JVM Options : pass the trustStore file and password
container-edit-jvm-options node1 ''
  • restart the container 
      container-stop node1

       container-start node1


More Information


Last updated: February 26, 2024