Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 13. Managing User Accounts

13.1. Adding a New User for the Management Interfaces
Link kopieren

Overview

The management interfaces in JBoss Fuse Service Works are secured by default as there are no user accounts initially available, unless you have installed the platform using the graphical installer. This is a security precaution to prevent security breaches from remote systems due to simple configuration errors. Local non-HTTP access is protected by a SASL mechanism, with a negotiation happening between the client and server each time the client connects for the first time from the localhost.

This task describes how to create the initial administrative user, which can use the web-based Management Console and remote instances of the Management Command Line Interface.

Note

HTTP communication with JBoss EAP 6 is considered to be remote access, even if the traffic originates on the localhost. Therefore, you must create at least one user in order to be able to use the management console. If you attempt to access the management console before adding a user, you will receive an error because it does not even deploy until the user is added.

Procedure 13.1. Create the Initial Administrative User for the Remote Management Interfaces

  1. Invoke the add-user.sh or add-user.bat script.

    Change to the EAP_HOME/bin/ directory. Invoke the appropriate script for your operating system.
    Red Hat Enterprise Linux
    [user@host bin]$ ./add-user.sh

  2. Choose to add a Management user.

    Hit ENTER to select the default option a to add a Management user. This user is added to the ManagementRealm and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. The other choice, b, adds a user to the ApplicationRealm, and provides no particular permissions. That realm is provided for use with applications.

  3. Enter the desired username and password.

    When prompted, enter the username and password. You will be prompted to confirm the password.

  4. Review the information and confirm.

    You are prompted to confirm the information. If you are satisfied, type yes.

  5. Choose whether the user represents a remote JBoss EAP 6 server instance.

    Besides administrators, the other type of user which occasionally needs to be added to JBoss EAP 6 in the ManagementRealm is a user representing another instance of JBoss EAP 6, which must be able to authenticate to join a cluster as a member. The next prompt allows you to designate your added user for this purpose. If you select yes, you will be given a hashed secret value, representing the user's password, which would need to be added to a different configuration file. For the purposes of this task, answer no to this question.

  6. Enter additional users.

    You can enter additional users if desired by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations.

  7. Create users non-interactively.

    You can create users non-interactively, by passing in each parameter at the command line. This approach is not recommended on shared systems, because the passwords will be visible in log and history files. The syntax for the command, using the management realm, is: 
    [user@host bin]$ ./add-user.sh username password
    To use the application realm, use the -a parameter. 
    [user@host bin]$ ./add-user.sh -a username password
  8. You can suppress the normal output of the add-user script by passing the --silent parameter. This applies only if the minimum parameters username and password have been specified. Error messages will still be shown.
Result

Any users you add are activated within the security realms you have specified. Users active within the ManagementRealm realm are able to manage JBoss EAP 6 from remote systems.

Report a bug

13.2. Add-user Command Arguments
Link kopieren

The following table describes the arguments available for the add-user.sh or add-user.bat command.
Expand
Table 13.1. Add-user Command Arguments
Command Line Argument Argument Value Description
-a
N/A
This argument specifies to create a user in the application realm. If omitted, the default is to create a user in the management realm.
-dc
DOMAIN_CONFIGURATION_DIRECTORY
This argument specifies the domain configuration directory that will contain the properties files. If it is omitted, the default directory is EAP_HOME/domain/configuration/.
-sc
SERVER_CONFIGURATION_DIRECTORY
This argument specifies an alternate standalone server configuration directory that will contain the properties files. If it is omitted, the default directory is EAP_HOME/standalone/configuration/.
-up
--user-properties
USER_PROPERTIES_FILE
This argument specifies the name of the alternate user properties file. It can an absolute path or it can be a file name used in conjunction with the -sc or -dc argument that specifies the alternate configuration directory.
-g
--group
GROUP_LIST
A comma-separated list of groups to assign to this user.
-gp
--group-properties
GROUP_PROPERTIES_FILE
This argument specifies the name of the alternate group properties file. It can an absolute path or it can be a file name used in conjunction with the -sc or -dc argument that specifies the alternate configuration directory.
-p
--password
PASSWORD
The password of the user. The password must satisfy the following requirements:
  • It can not be the same as the user name.
  • It must contain at least 8 characters.
  • It must contain at least one alphanumeric character.
  • It must contain at least one digit.
  • It must contain at least one non-alphanumeric symbol
-u
--user
USER_NAME
The name of the user.
-r
--realm
REALM_NAME
The name of the realm used to secure the management interfaces. If omitted, the default is "ManagementRealm".
-s
--silent
N/A
Run the add-user script with no output to the console.
-h
--help
N/A
Display usage information for the add-user script.
Report a bug

13.3. Alternative Properties Files for User Management Information
Link kopieren

Overview

By default, user and role information created using the add-user.sh script is stored in properties files located in the server configuration directory. The server configuration information is stored in the EAP_HOME/standalone/configuration/ directory and the domain configuration information is stored in the EAP_HOME/domain/configuration/ directory. This topic describes how to override the default file names and locations.

Procedure 13.2. Alternative Properties Files

    • To specify an alternative directory for the server configuration, use the -sc argument. This argument specifies an alternative directory that will contain the server configuration properties files.
    • To specify an alternative directory for the domain configuration, use the -dc argument. This argument specifies an alternative directory that will contain the domain configuration properties files.
    • To specify an alternative user configuration properties file, use the -up or --user-properties argument. It can an absolute path or it can be a file name used in conjunction with the -sc or -dc argument that specifies the alternative configuration directory.
    • To specify an alternative group configuration properties file, use the -gp or --group-properties argument. It can an absolute path or it can be a file name used in conjunction with the -sc or -dc argument that specifies the alternative configuration directory.

Note

The add-user command is intended to operate on existing properties files. Any alternative properties files specified in command line arguments must exist or you will see the following error: 
JBAS015234: No appusers.properties files found
Report a bug

13.4. Governance
Link kopieren

13.4.1. S-RAMP User Management
Link kopieren

By default S-RAMP uses the standard EAP Application Realm configuration as its authentication source. This means that adding users is a simple matter of using the existing EAP add-user script. If you are running on Windows you can use the add-user.bat script. Otherwise run the add-user.sh script. Both of these scripts can be found in EAP's bin directory.
Here is an example of how to add an S-RAMP user using the add-user.sh script: 
[user@host jboss-eap-6.1]$ pwd
/home/user/FSW6/jboss-eap-6.1
[user@host jboss-eap-6.1]$ ./bin/add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) : ApplicationRealm
Username : fitzuser
Password : P4SSW0RD!
Re-enter Password : P4SSW0RD!
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: overlorduser,admin.sramp
About to add user 'fitzuser' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'fitzuser' to file '/home/user/FSW6/jboss-eap-6.1/standalone/configuration/application-users.properties'
Added user 'fitzuser' to file '/home/user/FSW6/jboss-eap-6.1/domain/configuration/application-users.properties'
Added user 'fitzuser' with roles overlorduser,admin.sramp to file '/home/user/FSW6/jboss-eap-6.1/standalone/configuration/application-roles.properties'
Added user 'fitzuser' with roles overlorduser,admin.sramp to file '/home/user/FSW6/jboss-eap-6.1/domain/configuration/application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
Required Roles

There are several roles that the user must have in order to interact with the S-RAMP repository. These roles are as follows:

  • overlorduser : users must have this role in order to access the S-RAMP user interface (browser)
  • admin.sramp : users must have this role in order to access the S-RAMP repository (both read and write)

Note

If you change the S-RAMP repository name in the standalone.xml file and set the new repository name in standalone/configuration/sramp.properties (under sramp.config.jcr.repository.jndi-path), make sure you modify the user's roles. If the role that grants users access to the ModeShape repository is admin.sramp, where the ModeShape role is admin on repository named sramp, ensure you change this value to admin.<new repository name> in the application-roles.properties file.
Report a bug

13.4.2. Design-Time Governance User Management
Link kopieren

By default Design-Time Governance uses the standard EAP Application Realm configuration as its authentication source. This means that adding users is a simple matter of using the existing EAP add-user script. If you are running on Windows you can use the add-user.bat script. Otherwise run the add-user.sh script. Both of these scripts can be found in EAP's bin directory.
This example creates a user who can view and complete Development and Test environment human tasks. Any other human tasks is not visible.
Required Roles

There are several roles that the user must have in order to interact with Design-Time Governance. These roles are as follows:

  • overlorduser : users must have this role in order to access the DTGov user interface
  • admin.sramp : users must have this role in order to access the S-RAMP repository (both read and write)
  • dev : users with this role will be able to view and complete Dev environment and developer human tasks
  • test : users with this role will be able to view and complete Test environment human tasks
  • stage : users with this role will be able to view and complete Staging environment human tasks
  • prod : users with this role will be able to view and complete Production environment human tasks
  • ba : users with this role will be able to view and complete business analyst human tasks
  • arch : users with this role will be able to view and complete architect human tasks
Report a bug
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben