Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

Chapter 5. Basic Configuration Changes

5.1. Security Configuration
リンクのコピー

When installed from the zip archive, authentication is required to access the majority of JBoss services, including administrative services. Consoles are secured by the JAAS security domain "jmx-console". At installation, this security domain has no user accounts. This is to eliminate the possibility of default username/password based attacks. Refer to Procedure 5.1, “Create jmx-console, admin-console, and http invoker user account” to create a user account to access the consoles.
When installed via the graphical installer, a JAAS security domain and a user account is created as part of the install process. Even if you change the name of the JAAS security domain during installation, the users are stored in the same place. Follow the instructions in Procedure 5.1, “Create jmx-console, admin-console, and http invoker user account” to edit your user account, or create a new one.

Important

This section describes only basic security configuration. This configuration is not sufficient for use in production environment. Refer to the Security Guide for comprehensive information on how to configure security in JBoss Enterprise Application Platform 5.

Important

The authentication system applied to the JMX Console, Admin Console and Web Console does not block brute-force password attacks. It is recommended that in production environments, JBoss servers are protected by firewalls or reverse proxies that include measures to mitigate brute force attacks.

5.1.1. Security Configuration: JMX Console, Admin Console, HttpInvoker
リンクのコピー

Procedure 5.1. Create jmx-console, admin-console, and http invoker user account

This procedure creates user with access permissions to the admin and jmx consoles, and the http invoker

  1. Create a user in the default JAAS security domain

    1. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties.
    2. Create a username = password pair.

      Important

      The commented admin=admin username and password pair is an example of the username/password definition syntax. Do not use this for your user account.

  2. Grant permissions to user

    1. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties.
    2. Create an entry for the user of the form: 
      username=JBossAdmin,HttpInvoker
      Copy to Clipboard Toggle word wrap
      JBossAdmin
      Grant the user permission to access the JMX Console and Admin Console.
      HttpInvoker
      Grant the user permission to access the httpinvoker

5.1.2. Securing the HTTPInvoker
リンクのコピー

The HTTP Invoker is a service that provides HTTP and Remote Method Invocation (RMI) access for EJBs and the JNDI Naming service. Secure this service to prevent unauthorized access.

Procedure 5.2. Secure the HTTP Invoker

  1. Edit the <JBOSS_HOME>/server/<PROFILE>/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml file.
  2. Add the hostName and fixedHostName properties to the deploy/legacy-invokers-service.xml section: 
    <!-- ************ deploy/legacy-invokers-service.xml ************ -->

<!-- RMI/JRMP invoker -->
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
<property name="serviceName">jboss:service=invoker,type=jrmp</property>
<property name="port">4444</property>
<property name="description">Socket for the legacy RMI/JRMP invoker</property>
<property name="hostName">localhost</property>
<property name="fixedHostName">true</property>
</bean>

<!-- Pooled invoker -->
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
<property name="serviceName">jboss:service=invoker,type=pooled</property>
<property name="port">4445</property>
<property name="description">Socket for the legacy Pooled invoker</property>
<property name="hostName">localhost</property>
<property name="fixedHostName">true</property>
</bean>
    Copy to Clipboard Toggle word wrap

5.1.3. Security Configuration: Web Console
リンクのコピー

Procedure 5.3. Creating Web Console User Account

This procedure creates a user with access permissions to the web console

  1. Create a user in the web-console JAAS security domain.

    1. Edit the file web-console-users.properties in jboss-as/server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/.
    2. Create a username = password pair.

      Important

      The commented admin=admin username and password is an example of the username/password definition syntax. Do not use this for your user account.

  2. Grant permissions to the user.

    1. Edit the file web-console-roles.properties in jboss-as/server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/.
    2. Create an entry for the user of the form: 
      username=JBossAdmin,HttpInvoker
      Copy to Clipboard Toggle word wrap
      JBossAdmin
      Grant the user permission to access the Web-Console
      HttpInvoker
      Grant the user permission to access the HTTP Invoker

5.1.4. Security Configuration of JBoss Messaging
リンクのコピー

JBoss Messaging makes internal connections between nodes in order to redistribute messages between clustered destinations. These connections are made with the user name of a special reserved user whose password is specified in the property suckerPassword in the messaging and server configuration files.
The suckerPassword used by JBoss Messaging in a clustered environment is contained in the jboss-as/server/$PROFILE/deploy/messaging/messaging-jboss-beans.xml file and the messaging-service.xml file. These files contain directives that specify the encrypted suckerPassword.

Changing the Password in messaging-jboss-beans.xml

Complete this task to change the distribution placeholder password in messaging-jboss-beans.xml.

Procedure 5.4. Setting suckerPassword for JBoss Messaging

  1. Navigate to the <JBOSS_HOME>/server/<PROFILE>/deploy/messaging/ directory.
  2. Open the messaging-jboss-beans.xml file in your preferred text editor.
  3. Change the suckerPassword placeholder value from "CHANGE ME!!" to a plain text password: 
    <property name="suckerPassword">CHANGE ME!!</property>
    Copy to Clipboard Toggle word wrap
    Make note of the new password; it will be used in the next task.
  4. Save the file.

Creating the encrypted JBoss Messaging suckerPassword

Complete this task to create an encrypted suckerPassword using the JBoss Messaging SecurityUtil tool.
  1. In a terminal, change to <JBOSS_HOME>/server/<PROFILE>/deploy/messaging/.
  2. Run the following command: 
    /path/to/java/executable -cp JBOSS_HOME/client/jboss-messaging-client.jar org.jboss.messaging.util.SecurityUtil PLAIN_TEXT_PASSWORD
    Copy to Clipboard Toggle word wrap
  3. PLAIN_TEXT_PASSWORD is the password you set in messaging-jboss-beans.xml in the previous task.
    As an example:

    Example 5.1. Test Encrypted Password

    Running the following command (from the JBOSS_HOME/jboss-as/server/$PROFILE/deploy/messaging/ directory) ... 
    /usr/bin/java -cp ../../../../client/jboss-messaging-client.jar org.jboss.messaging.util.SecurityUtil test
    Copy to Clipboard Toggle word wrap
    ...produced the following encrypted password: 
    key len: 14 length max: 2147483647
Encoded password: 5e2c1ae5a618317
    Copy to Clipboard Toggle word wrap
  4. Make note of the encrypted password output; it will be used in the next task.

Specifying an encrypted suckerPassword for JBoss Messaging

Complete this task to add an encrypted suckerPassword value to JBoss Messaging configuration files.

Prerequisites

  1. In a text editor, open the messaging-service.xml file.
  2. Paste the encrypted password from the previous procedure into the SuckerPassword attribute: 
    <attribute name="SuckerPassword">ENCRYPTED_PASSWORD</attribute>
    Copy to Clipboard Toggle word wrap
  3. Save the messaging-service.xml file.
トップに戻る
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2025 Red Hat