Karaf HTTPS/TLS - Vulnerability

Hi!

Our scan picked up a Vulnerability that there should be https for karaf-shell port 8181 on our minion
Because of “man-in-the-middle”

Is this possible to do?

OpenNMS 26.1.0

Just disable it; add org.osgi.service.http.enabled = false to $MINION_HOME/etc/org.ops4j.pax.web.cfg

You can run it with TLS, if you configure a trust store and key store for the minion’s osgi http(s) interface in $MINION_HOME/etc/org.ops4j.pax.web.cfg


# HTTP port
org.osgi.service.http.port = 8181

# Disable HTTP connections
org.osgi.service.http.enabled = false

# Enable SSL
org.osgi.service.http.secure.enabled = true
org.ops4j.pax.web.ssl.keystore = /tmp/keystore/keystore.jks
org.ops4j.pax.web.ssl.password = store-pwd
org.ops4j.pax.web.ssl.keypassword = key-pwd

# HTTPS port (default to 8443)
org.osgi.service.http.port.secure = 8443

Not providing details on generating the various Java stores, it’s a pain, i try not to do it.

Thanks!

I guess that i just disable it. I don’t think we need it because we connect with 8201.

ssh -p 8201 admin@localhost

Thanks again @dino2gnt :slight_smile:

Right.

8181 on a Minion is a osgi web interface that exposes the Hawtio webapp and allows you to view some JVM statistics and information. It’s handy for troubleshooting, but it probably shouldn’t be exposed on all interfaces.

I thought that was only ever bound to the loopback interface, but checking a minion in my lab, it binds to all. I wonder if that changed at some point.

Thanks!

Is it suppose to be http://localhost:8181/system/console ??

The only thing it provides as far as I know is http://minion:8181/hawtio (but would be better as http://localhost:8181/hawtio)