Fuse 6 is no longer supported
As of February 2025, Red Hat Fuse 6 is no longer supported. If you are using Fuse 6, please upgrade to Red Hat build of Apache Camel.
Chapter 3. Basic Security
Abstract
This chapter describes the basic steps to configure security before you start Red Hat JBoss Fuse for the first time. By default, JBoss Fuse is secure, but none of its services are remotely accessible. This chapter explains how to enable secure access to the ports exposed by JBoss Fuse.
3.1. Configuring Basic Security
Overview
The Red Hat JBoss Fuse runtime is secured against network attack by default, because all of its exposed ports require user authentication and no users are defined initially. In other words, the Red Hat JBoss Fuse runtime is remotely inaccessible by default.
If you want to access the runtime remotely, you must first customize the security configuration, as described here.
Before you start the container
If you want to enable remote access to the JBoss Fuse container, perform the following configuration steps before starting the container:
Create a secure JAAS user
By default, no JAAS users are defined for the container, which effectively disables remote access (it is impossible to log on).
To create a secure JAAS user, edit the InstallDir/etc/users.properties file and add a new user field, as follows:
Username=Password,admin
Where Username and Password are the new user credentials. The admin role gives this user the privileges to access all administration and management functions of the container. For more details about JAAS, see Chapter 15, Configuring JAAS Security.
Warning
It is strongly recommended that you define custom user credentials with a strong password.
Configure the Apache ActiveMQ Web console (optional)
If you want to access the Apache ActiveMQ Web console (for remote administration of JMS messaging), you must provide the Web console servlet with the credentials it needs to log in to the JMS broker.
Edit the InstallDir/etc/system.properties file. Search for the activemq.jmx.user and activemq.jmx.password settings (which are commented out by default), and modify them as follows:
#
# Authentication - must match an entry in user.properties with the admin privilege
#
activemq.jmx.user=Username
activemq.jmx.password=Password
Where the Username and Password are the credentials of a JAAS user with admin privileges.
Note
Indirectly, these properties are used to set the webconsole.jmx.* and webconsole.jms.* properties (in the InstallDir/etc/system.properties file).
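The two edits above (the users.properties entry and the activemq.jmx.* settings) are easy to get wrong before first start. The following Python script, added here as an illustration and not part of the Red Hat documentation, parses both files and reports weak passwords, an activemq.jmx.user with no users.properties entry or without the admin role, and mismatched credentials. The file contents and the fuseadmin/monitor users are constructed samples; the 12-character, three-character-class strength rule is an assumption of this example, not a JBoss Fuse requirement.

```python
# Added example (not from the Red Hat documentation): pre-start audit of the two files edited above.
# Constructed InstallDir/etc/users.properties (format: Username=Password,role[,role...])
SAMPLE_USERS = """\
#admin=admin,admin
fuseadmin=Fu5e!Adm1n-2025,admin
monitor=monitor,viewer
"""
# Constructed activemq.jmx.* settings from InstallDir/etc/system.properties
SAMPLE_SYSTEM = """\
activemq.jmx.user=fuseadmin
activemq.jmx.password=Fu5e!Adm1n-2025
"""

def parse_properties(text):
    """Parse key=value lines; '#' or '!' comment lines and blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)  # split once so '=' inside a password survives
            props[key.strip()] = value.strip()
    return props

def weak_password(user, password):
    # Assumed policy: at least 12 characters, 3 of 4 character classes, not the username
    kinds = (any(c.islower() for c in password), any(c.isupper() for c in password),
             any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) < 12 or password.lower() == user.lower() or sum(kinds) < 3

def audit(users_text, system_text):
    """Return a list of findings; an empty list means both files pass the checks."""
    findings = []
    users = {}  # users.properties value is the password followed by comma-separated roles
    for name, value in parse_properties(users_text).items():
        password, *roles = [p.strip() for p in value.split(",")]
        users[name] = (password, roles)
    if not users:
        findings.append("no JAAS users defined: remote access stays disabled")
    for name, (password, _) in users.items():
        if weak_password(name, password):
            findings.append(f"user '{name}' has a weak password")
    jmx = parse_properties(system_text)  # Web console credentials must match an admin JAAS user
    user = jmx.get("activemq.jmx.user")
    if user is not None:
        entry = users.get(user)
        if entry is None:
            findings.append(f"activemq.jmx.user '{user}' has no users.properties entry")
        elif "admin" not in entry[1]:
            findings.append(f"activemq.jmx.user '{user}' lacks the admin role")
        elif entry[0] != jmx.get("activemq.jmx.password"):
            findings.append("activemq.jmx.password does not match the JAAS password")
    return findings
```

Run audit() on the real files (read from InstallDir/etc) before the first start and treat any finding as a blocker.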
Ports exposed by the Red Hat JBoss Fuse container
Figure 3.1, “Ports Exposed by the Red Hat JBoss Fuse Container” shows the ports exposed by the JBoss Fuse container by default.
Figure 3.1. Ports Exposed by the Red Hat JBoss Fuse Container
The following ports are exposed by the container:
- Console port—enables remote control of a container instance, through Apache Karaf shell commands. This port is enabled by default and is secured both by JAAS authentication and by SSL.
- JMX port—enables management of the container through the JMX protocol. This port is enabled by default and is secured by JAAS authentication.
- Web console port—provides access to an embedded Jetty container that can host Web console servlets. By default, the Web consoles are not installed in the container.
Enabling the remote console port
You can access the remote console port whenever both of the following conditions are true:
- JAAS is configured with at least one set of login credentials.
- The JBoss Fuse runtime has not been started in client mode (client mode disables the remote console port completely).
For example, to log on to the remote console port from the same machine where the container is running, enter the following command:
./client -u Username -p Password
Where the Username and Password are the credentials of a JAAS user with admin privileges. For more details, see Chapter 9, Using Remote Connections to Manage a Container.
Strengthening security on the remote console port
You can employ the following measures to strengthen security on the remote console port:
- Make sure that the JAAS user credentials have strong passwords.
- Customize the X.509 certificate (replace the Java keystore file, InstallDir/etc/host.key, with a custom key pair).
Enabling the JMX port
The JMX port is enabled by default and secured by JAAS authentication. In order to access the JMX port, you must have configured JAAS with at least one set of login credentials. To connect to the JMX port, open a JMX client (for example, jconsole) and connect to the following JMX URI:
service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root
You must also provide valid JAAS credentials to the JMX client in order to connect.
Note
In general, the tail of the JMX URI has the format /karaf-ContainerName. If you change the container name from root to some other name, you must modify the JMX URI accordingly.
Enabling the Web console port
All of the Web consoles are installed as servlets in the container's embedded Jetty container. The Web consoles share the same HTTP server port, which is powered by Jetty. You can optionally enable the following Web consoles in JBoss Fuse:
- Karaf Web console—is not installed by default. To enable the Karaf Web console, perform the following steps:
  - In a running JBoss Fuse instance (see Section 4.1, “Starting Red Hat JBoss Fuse”), enter the following console command:
    JBossFuse:karaf@root> features:install webconsole
  - In a Web browser, navigate to the following URL:
    http://localhost:8181/system/console
  - The browser will prompt you to log on. Enter valid JAAS user credentials to access the console.
- Apache ActiveMQ Web console—is not installed by default. To enable the Apache ActiveMQ Web console, perform the following steps:
  - Make sure that you have already configured the container's Java system properties, as described in the section called “Configure the Apache ActiveMQ Web console (optional)”.
    Note
    The Apache ActiveMQ Web console has a three-tier architecture, as shown in Figure 3.1, “Ports Exposed by the Red Hat JBoss Fuse Container”. The credentials provided in this step enable the middle tier (the Web console servlet) to log on to the back-end tier (the Apache ActiveMQ broker).
  - In a running JBoss Fuse instance, enter the following console command:
    JBossFuse:karaf@root> features:install mq-web-console
  - In a Web browser, navigate to the following URL:
    http://localhost:8181/activemqweb
  - The browser will prompt you to log on. Enter valid JAAS user credentials to access the console.
Strengthening security on the Web console port
The Karaf Web console is already secured by JAAS authentication. To add SSL security, see chapter "Securing the Web Console" in "Security Guide".