Secure JBoss for Core-Service and solution

Admin,MPDL

=Secure JBoss 4.x JMX and Web Consoles=

JBoss 4.x ships with security disabled on both the JMX Console and the Web Console. The steps below describe how to enable authentication and HTTPS for each of them, and how to close the remote invoker and auto-deploy paths afterwards.

==Secure JMX Console==

Edit $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml
 * Uncomment the security-constraint block:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>

Edit $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
 * Uncomment the security-domain block;
 * Make sure the JNDI name maps to the realm name (i.e. jmx-console)

<security-domain>java:/jaas/jmx-console</security-domain>


 * The jmx-console realm is defined in the $JBOSS_HOME/server/default/conf/login-config.xml file:

<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

Edit $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
 * Change the password for admin

admin=secret

==Enable JMX Console HTTPS==

 * Add to $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml as the last element of the security-constraint:

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


 * Generate a self-signed Java keystore in the $JBOSS_HOME/server/default/conf directory (changeit is only the example password; the value you choose here must match keystorePass in server.xml):

keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname "cn=localhost" -keystore tomcat.keystore


 * Modify the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file as shown below:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/tomcat.keystore"
           keystorePass="changeit" />


 * Use https://localhost:8443/jmx-console/

Restart JBoss

==Secure Web Console==

Securing the JBoss Web Console is similar to securing the JMX Console. You need to edit the web.xml and jboss-web.xml files in the $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF directory.

Edit $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
 * Uncomment the security-constraint block:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss WEB Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>

Edit $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
 * Uncomment the security-domain block;
 * Make sure the JNDI name maps to the realm name (i.e. web-console):

<security-domain>java:/jaas/web-console</security-domain>


 * Use the jmx-console realm instead if you want the web console and the JMX console to share the same security realm:

<security-domain>java:/jaas/jmx-console</security-domain>


 * The web-console realm is defined in the $JBOSS_HOME/server/default/conf/login-config.xml file. Edit login-config.xml and adjust the paths for usersProperties and rolesProperties by prefixing the values with props/:

<application-policy name="web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/web-console-users.properties</module-option>
      <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

If using the web-console realm:
 * Create the $JBOSS_HOME/server/default/conf/props/web-console-users.properties file:

admin=secret


 * Create the $JBOSS_HOME/server/default/conf/props/web-console-roles.properties file:

admin=JBossAdmin,HttpInvoker

==Enable Web Console HTTPS==

 * Add to $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml as the last element of the security-constraint:

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


 * If not already done, generate a self-signed Java keystore in the $JBOSS_HOME/server/default/conf directory:

keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname "cn=localhost" -keystore tomcat.keystore


 * If not already done, modify the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file as shown below:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/tomcat.keystore"
           keystorePass="changeit" />


 * Use https://localhost:8443/web-console/
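
The script below is an added example (not part of this page and not JBoss code) that checks the four console settings configured above: the security-constraint covering /* with a role and CONFIDENTIAL transport, the login-config auth-method, the security-domain in jboss-web.xml resolving to an application-policy in login-config.xml, and the users file no longer carrying a default or placeholder password. All XML and properties contents in it are constructed samples modelled on the snippets above, so it runs offline; to audit a real server, read the same four files from $JBOSS_HOME and pass their text to audit_console.

```python
"""Audit a JBoss 4.x console WAR against the hardening steps above.

Added example (not JBoss code): every XML/properties string below is a
constructed sample modelled on this page's snippets.
"""
import xml.etree.ElementTree as ET

# Stock JBoss/Tomcat defaults plus the placeholders used in this page's snippets.
PLACEHOLDER_PASSWORDS = {"", "admin", "secret", "changeit", "password"}


def audit_console(web_xml, jboss_web_xml, login_config_xml, users_properties):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    web = ET.fromstring(web_xml)

    # 1. A security-constraint must cover /* and demand a role over TLS only.
    protected = [sc for sc in web.findall("security-constraint")
                 if "/*" in [(u.text or "").strip()
                             for u in sc.findall("web-resource-collection/url-pattern")]]
    if not protected:
        findings.append("web.xml: no security-constraint with url-pattern /*")
    for sc in protected:
        if sc.find("auth-constraint/role-name") is None:
            findings.append("web.xml: constraint for /* names no role in auth-constraint")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append("web.xml: transport-guarantee is not CONFIDENTIAL")
        # Servlet spec: listing http-method elements narrows the constraint to
        # exactly those methods, so a constraint meant to cover everything lists none.
        if sc.findall("web-resource-collection/http-method"):
            findings.append("web.xml: constraint lists http-method elements")

    # 2. Authentication is only enforced when login-config names a method.
    if web.findtext("login-config/auth-method") is None:
        findings.append("web.xml: login-config with auth-method is missing")

    # 3. jboss-web.xml must bind the WAR to a realm that login-config.xml defines.
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    policies = {p.get("name")
                for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if not domain:
        findings.append("jboss-web.xml: security-domain is missing or commented out")
    elif domain.rsplit("/", 1)[-1] not in policies:
        findings.append(f"login-config.xml: no application-policy for {domain}")

    # 4. The users file must no longer carry a default or placeholder password.
    for line in users_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition("=")
        if password.strip() in PLACEHOLDER_PASSWORDS:
            findings.append(f"users.properties: {user.strip()} has a placeholder password")
    return findings


# --- constructed samples; the hardened ones follow the snippets on this page ---
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>"""
HARDENED_JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
# As shipped: the security blocks are present but commented out, and the user is admin/admin.
STOCK_WEB_XML = "<web-app><!-- security-constraint and login-config commented out --></web-app>"
STOCK_JBOSS_WEB_XML = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"

if __name__ == "__main__":
    cases = (("hardened", (HARDENED_WEB_XML, HARDENED_JBOSS_WEB_XML, LOGIN_CONFIG_XML, "admin=Str0ng-Passphrase\n")),
             ("stock", (STOCK_WEB_XML, STOCK_JBOSS_WEB_XML, LOGIN_CONFIG_XML, "admin=admin\n")))
    for label, args in cases:
        print(label, audit_console(*args) or ["OK"])
```

The stock sample reproduces the shipped state (security blocks commented out, admin=admin) and yields four findings; the hardened sample yields none. A third case worth keeping in mind is a security-domain that names a realm login-config.xml does not define, which the script reports as a missing application-policy.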

==Deactivate Auto-Deploy on JBoss==

 * Disable the scan for auto-deploy in $JBOSS_HOME/server/default/conf/jboss-service.xml:

<attribute name="ScanEnabled">false</attribute>

Restart JBoss

=Deactivate the Invoker=

Delete the http-invoker.sar.

rm -rf $JBOSS_HOME/server/default/deploy/http-invoker.sar

Edit the $JBOSS_HOME/server/default/deploy/jmx-invoker-service.xml


 * Add this mbean at the end of the file, inside the closing </server> element:

<mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
       name="jboss:service=invoker,type=pooled,host=localhost">
  <attribute name="NumAcceptThreads">1</attribute>
  <attribute name="MaxPoolSize">300</attribute>
  <attribute name="ClientMaxPoolSize">300</attribute>
  <attribute name="SocketTimeout">60000</attribute>
  <attribute name="ServerBindAddress">localhost</attribute>
  <attribute name="ServerBindPort">4443</attribute>
  <attribute name="ClientConnectAddress">localhost</attribute>
  <attribute name="ClientConnectPort">0</attribute>
  <attribute name="ClientRetryCount">1</attribute>
  <attribute name="EnableTcpNoDelay">false</attribute>
  <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
</mbean>


 * Change the InvokerName depends of the mbean with code "org.jboss.invocation.jrmp.server.JRMPProxyFactory" so that it points at the pooled invoker added above:

<depends optional-attribute-name="InvokerName">jboss:service=invoker,type=pooled,host=localhost</depends>

Open the $JBOSS_HOME/server/default/conf/jboss-service.xml and search the


 * Change the server address to localhost:

<attribute name="ServerAddress">localhost</attribute>

==Disable DeploymentFileRepository==

Shut down JBoss.


 * Comment out the following part in $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/META-INF/jboss-service.xml:

<!--
<mbean code="org.jboss.console.manager.DeploymentFileRepository"
       name="jboss.admin:service=DeploymentFileRepository">
  <attribute name="BaseDir">./deploy/management</attribute>
</mbean>
-->

Start JBoss.
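
The script below is an added example (not part of this page and not JBoss code) that checks the invoker and auto-deploy steps in the sections above: http-invoker.sar removed from the deploy directory, ScanEnabled set to false, the JRMPProxyFactory's InvokerName resolving to an invoker bound to localhost, and the DeploymentFileRepository mbean commented out. The XML strings are constructed samples modelled on this page's snippets; the mbean names used for the deployment scanner and the proxy factory are illustrative and the listing of the deploy directory is passed in as a plain list, so the check runs offline (on a real server, replace it with os.listdir of $JBOSS_HOME/server/default/deploy).

```python
"""Audit the invoker and auto-deploy hardening steps above.

Added example (not JBoss code): the XML strings are constructed samples
modelled on this page's snippets; mbean names not on the page are illustrative.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1"}
PROXY_FACTORY = "org.jboss.invocation.jrmp.server.JRMPProxyFactory"
FILE_REPO = "org.jboss.console.manager.DeploymentFileRepository"


def find_mbean(roots, name=None, code=None):
    """First <mbean> across the parsed files matching name and/or code (comments never match)."""
    for root in roots:
        for mb in root.iter("mbean"):
            if (name is None or mb.get("name") == name) and (code is None or mb.get("code") == code):
                return mb
    return None


def attr_text(mbean, attr_name):
    node = mbean.find(f"attribute[@name='{attr_name}']")
    return (node.text or "").strip() if node is not None else None


def audit_invokers(jboss_service_xml, jmx_invoker_xml, console_mgr_xml, deploy_entries):
    """Return a list of findings; empty when all four steps have been applied."""
    findings = []
    roots = [ET.fromstring(jboss_service_xml), ET.fromstring(jmx_invoker_xml)]

    # 1. http-invoker.sar must be gone from the deploy directory listing.
    if "http-invoker.sar" in deploy_entries:
        findings.append("deploy/: http-invoker.sar is still deployed")

    # 2. Hot deployment: ScanEnabled must be explicitly false (absent means scanning stays on).
    scanner = next((mb for mb in roots[0].iter("mbean") if attr_text(mb, "ScanEnabled") is not None), None)
    if scanner is None or attr_text(scanner, "ScanEnabled").lower() != "false":
        findings.append("jboss-service.xml: ScanEnabled is not false")

    # 3. The JMX invoker proxy must depend on an invoker that is bound to loopback only.
    proxy = find_mbean(roots, code=PROXY_FACTORY)
    dep = proxy.find("depends[@optional-attribute-name='InvokerName']") if proxy is not None else None
    invoker_name = (dep.text or "").strip() if dep is not None else ""
    invoker = find_mbean(roots, name=invoker_name) if invoker_name else None
    if invoker is None:
        findings.append(f"jmx-invoker-service.xml: InvokerName {invoker_name!r} resolves to no mbean")
    else:
        # PooledInvoker uses ServerBindAddress; the stock JRMPInvoker uses ServerAddress.
        bind = attr_text(invoker, "ServerBindAddress") or attr_text(invoker, "ServerAddress") or ""
        if bind not in LOOPBACK:
            findings.append(f"invoker {invoker_name}: bound to {bind!r}, not localhost")

    # 4. DeploymentFileRepository must be commented out (a comment parses as no mbean at all).
    if find_mbean([ET.fromstring(console_mgr_xml)], code=FILE_REPO) is not None:
        findings.append("console-mgr.sar: DeploymentFileRepository is still active")
    return findings


# --- constructed samples ---
HARDENED_JBOSS_SERVICE = """<server>
  <mbean code="org.jboss.deployment.scanner.URLDeploymentScanner" name="jboss.deployment:type=DeploymentScanner,flavor=URL">
    <attribute name="ScanEnabled">false</attribute>
  </mbean>
</server>"""
HARDENED_JMX_INVOKER = """<server>
  <mbean code="org.jboss.invocation.pooled.server.PooledInvoker" name="jboss:service=invoker,type=pooled,host=localhost">
    <attribute name="ServerBindAddress">localhost</attribute>
    <attribute name="ServerBindPort">4443</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="jboss.jmx:type=adaptor,name=Invoker,protocol=jrmp,service=proxyFactory">
    <depends optional-attribute-name="InvokerName">jboss:service=invoker,type=pooled,host=localhost</depends>
  </mbean>
</server>"""
HARDENED_CONSOLE_MGR = """<server>
  <!-- <mbean code="org.jboss.console.manager.DeploymentFileRepository" name="jboss.admin:service=DeploymentFileRepository">
    <attribute name="BaseDir">./deploy/management</attribute>
  </mbean> -->
</server>"""
HARDENED_DEPLOY = ["jmx-console.war", "jmx-invoker-service.xml", "management"]

# Stock layout: scanner without ScanEnabled, JRMP invoker on the bind address, repository active.
STOCK_JBOSS_SERVICE = """<server>
  <mbean code="org.jboss.deployment.scanner.URLDeploymentScanner" name="jboss.deployment:type=DeploymentScanner,flavor=URL"/>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker" name="jboss:service=invoker,type=jrmp">
    <attribute name="ServerAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>"""
STOCK_JMX_INVOKER = """<server>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="jboss.jmx:type=adaptor,name=Invoker,protocol=jrmp,service=proxyFactory">
    <depends optional-attribute-name="InvokerName">jboss:service=invoker,type=jrmp</depends>
  </mbean>
</server>"""
STOCK_CONSOLE_MGR = HARDENED_CONSOLE_MGR.replace("<!-- ", "").replace(" -->", "")
STOCK_DEPLOY = HARDENED_DEPLOY + ["http-invoker.sar"]

if __name__ == "__main__":
    print("hardened", audit_invokers(HARDENED_JBOSS_SERVICE, HARDENED_JMX_INVOKER, HARDENED_CONSOLE_MGR, HARDENED_DEPLOY) or ["OK"])
    print("stock", audit_invokers(STOCK_JBOSS_SERVICE, STOCK_JMX_INVOKER, STOCK_CONSOLE_MGR, STOCK_DEPLOY) or ["OK"])
```

The stock sample yields one finding per step (four in total), the hardened sample none. Resolving InvokerName across both files matters because the page's procedure moves the proxy from the JRMP invoker defined in jboss-service.xml to the pooled invoker defined in jmx-invoker-service.xml, and a name that resolves nowhere is reported rather than silently passed.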