Chapter 10. Post Installation Configuration
10.1. Post Installation Security Configuration
When installed from the zip archive, authentication is required to access the majority of JBoss services, including administrative services. Consoles are secured by the JAAS security domain "jmx-console". At installation this security domain has no user accounts. This is to eliminate the possibility of default username/password based attacks. Refer to Procedure 10.1, “Create jmx-console, admin-console, and http invoker user account” to create a user account to access the consoles.
To disable authentication (useful for development, but not recommended for production), refer to Appendix A, Disabling Authentication.
When installed via the graphical installer, a JAAS security domain and a user account is created as part of the install process. Even if you change the name of the JAAS security domain during installation, the users are stored in the same place. Follow the instructions in Procedure 10.1, “Create jmx-console, admin-console, and http invoker user account” to edit your user account, or create a new one.
10.1.1. Security Configuration: JMX Console, Admin Console, HttpInvoker
Procedure 10.1. Create jmx-console, admin-console, and http invoker user account
This procedure creates user with access permissions to the admin and jmx consoles, and the http invoker
Create a user in the default JAAS security domain
- Edit the file
$JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties. - Create a username = password pair.
Important
The commentedadmin=adminusername and password pair is an example of the username/password definition syntax. Do not use this for your user account.
Grant permissions to user
- Edit the file
$JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties. - Create an entry for the user of the form:
username=JBossAdmin,HttpInvoker
- JBossAdmin
- Grant the user permission to access the JMX Console and Admin Console.
- HttpInvoker
- Grant the user permission to access the httpinvoker
10.1.2. Security Configuration: Web Console
Procedure 10.2. Create web console user account
This procedure creates a user with access permissions to the web console
Create a user in the web-console JAAS security domain
- Edit the file
web-console-users.propertiesinjboss-as/server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/. - Create a username = password pair.
Important
The commentedadmin=adminusername and password is an example of the username/password definition syntax. Do not use this for your user account.
Grant permissions to user
- Edit the file
web-console-roles.propertiesinjboss-as/server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/. - Create an entry for the user of the form:
username=JBossAdmin,HttpInvoker
- JBossAdmin
- Grant the user permission to access the Web-Console
- HttpInvoker
- Grant the user permission to access the HTTP Invoker
10.1.3. Security Configuration: JBoss Messaging
JBoss Messaging makes internal connections between nodes in order to redistribute messages between clustered destinations. These connections are made with the user name of a special reserved user whose password is specified in the property
suckerPassword in the configuration file:
Procedure 10.3. Set suckerPassword for JBoss Messaging:
This procedure sets the password used by JBoss Messaging in a clustered environment
- Edit the file
jboss-as/server/$PROFILE/deploy/messaging/messaging-jboss-beans.xml. - Change the
suckerPasswordvalue.
