이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 2. Securing the Red Hat JBoss A-MQ Container
Abstract
					The Red Hat JBoss A-MQ container is secured using JAAS. By defining JAAS realms, you can configure the mechanism used to retrieve user credentials. You can also refine access to the container's administrative interfaces by changing the default roles.
				
2.1. JAAS Authentication
링크 복사링크가 클립보드에 복사되었습니다!
Abstract
						The Java Authentication and Authorization Service (JAAS) provides a general framework for implementing authentication in a Java application. The implementation of authentication is modular, with individual JAAS modules (or plug-ins) providing the authentication implementations.
					
						For background information about JAAS, see the JAAS Reference Guide.
					
2.1.1. Default JAAS Realm
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					This section describes how to manage user data in a for the default JAAS realm in a standalone container.
				
Default JAAS realm
링크 복사링크가 클립보드에 복사되었습니다!
					The Red Hat JBoss A-MQ container has a predefined JAAS realm, the 
karaf realm, which is used by default to secure all aspects of the container.
				How to integrate an application with JAAS
링크 복사링크가 클립보드에 복사되었습니다!
					You can use the 
karaf realm in your own applications. Simply configure karaf as the name of the JAAS realm that you want to use.
				Default JAAS login modules
링크 복사링크가 클립보드에 복사되었습니다!
					When you start JBoss A-MQ for the first time, the container is configured as a standalone container and uses the 
karaf default realm. In this default configuration, the karaf realm deploys two JAAS login modules, which are enabled simultaneously. To see the deployed login modules, enter the jaas:realms console command, as follows:
				JBossFuse:karaf@root> jaas:realms
Index Realm                Module Class                                                                    
    1 karaf                org.apache.karaf.jaas.modules.properties.PropertiesLoginModule                  
    2 karaf                org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
JBossFuse:karaf@root> jaas:realms
Index Realm                Module Class                                                                    
    1 karaf                org.apache.karaf.jaas.modules.properties.PropertiesLoginModule                  
    2 karaf                org.apache.karaf.jaas.modules.publickey.PublickeyLoginModuleImportant
						In a standalone container, both the properties login module and the public key login module are enabled. When JAAS authenticates a user, it tries first of all to authenticate the user with the properties login module. If that fails, it then tries to authenticate the user with the public key login module. If that module also fails, an error is raised.
					
Configuring the properties login module
링크 복사링크가 클립보드에 복사되었습니다!
					The properties login module is used to store username/password credentials in a flat file format. To create a new user in the properties login module, open the 
InstallDir/etc/users.properties file using a text editor and add a line with the following syntax:
				Username=Password[,Role1][,Role2]...
Username=Password[,Role1][,Role2]...
					For example, to create the 
jdoe user with password, topsecret, and role, admin, you could create an entry like the following:
				jdoe=topsecret,admin
jdoe=topsecret,admin
					Where the 
admin role gives full administrative privileges to the jdoe user.
				Configuring the public key login module
링크 복사링크가 클립보드에 복사되었습니다!
					The public key login module is used to store SSH public key credentials in a flat file format. To create a new user in the public key login module, open the 
InstallDir/etc/keys.properties file using a text editor and add a line with the following syntax:
				Username=PublicKey,Role1,Role2,...
Username=PublicKey,Role1,Role2,...
					For example, you can create the 
jdoe user with the admin role by adding the following entry to the InstallDir/etc/keys.properties file (on a single line):
				Important
						Do not insert the entire contents of an 
id_rsa.pub file here. Insert just the block of symbols which represents the public key itself.
					Encrypting the stored passwords
링크 복사링크가 클립보드에 복사되었습니다!
					By default, passwords are stored in the 
InstallDir/etc/users.properties file in plaintext format. To protect the passwords in this file, you must set the file permissions of the users.properties file so that it can be read only by administrators. To provide additional protection, you can optionally encrypt the stored passwords using a message digest algorithm.
				
					To enable the password encryption feature, edit the 
InstallDir/etc/org.apache.karaf.jaas.cfg file and set the encryption properties as described in the comments. For example, the following settings would enable basic encryption using the MD5 message digest algorithm:
				Note
						The encryption settings in the 
org.apache.karaf.jaas.cfg file are applied only to the default karaf realm in a standalone container. The have no effect on a fabric container and no effect on a custom realm.
					
					For more details about password encryption, see Section 2.1.8, “Encrypting Stored Passwords”.
				
Overriding the default realm
링크 복사링크가 클립보드에 복사되었습니다!
					If you want to customise the JAAS realm, the most convenient approach to take is to override the default 
karaf realm by defining a higher ranking karaf realm. This ensures that all of the Red Hat JBoss A-MQ security components switch to use your custom realm. For details of how to define and deploy custom JAAS realms, see Section 2.1.2, “Defining JAAS Realms”.
				2.1.2. Defining JAAS Realms
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					When defining a JAAS realm in the OSGi container, you cannot put the definitions in a conventional JAAS login configuration file. Instead, the OSGi container uses a special 
jaas:config element for defining JAAS realms in a blueprint configuration file. The JAAS realms defined in this way are made available to all of the application bundles deployed in the container, making it possible to share the JAAS security infrastructure across the whole container.
				Namespace
링크 복사링크가 클립보드에 복사되었습니다!
					The 
jaas:config element is defined in the http://karaf.apache.org/xmlns/jaas/v1.0.0 namespace. When defining a JAAS realm you will need to include the line shown in Example 2.1, “JAAS Blueprint Namespace”.
				Example 2.1. JAAS Blueprint Namespace
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"Configuring a JAAS realm
링크 복사링크가 클립보드에 복사되었습니다!
					The syntax for the 
jaas:config element is shown in Example 2.2, “Defining a JAAS Realm in Blueprint XML”.
				Example 2.2. Defining a JAAS Realm in Blueprint XML
					The elements are used as follows:
				
- jaas:config
- Defines the JAAS realm. It has the following attributes:- name—specifies the name of the JAAS realm.
- rank—specifies an optional rank for resolving naming conflicts between JAAS realms . When two or more JAAS realms are registered under the same name, the OSGi container always picks the realm instance with the highest rank.
 
- jaas:module
- Defines a JAAS login module in the current realm.jaas:modulehas the following attributes:- className—the fully-qualified class name of a JAAS login module. The specified class must be available from the bundle classloader.
- flags—determines what happens upon success or failure of the login operation. Table 2.1, “Flags for Defining a JAAS Module” describes the valid values.- Expand - Table 2.1. Flags for Defining a JAAS Module - Value - Description - required- Authentication of this login module must succeed. Always proceed to the next login module in this entry, irrespective of success or failure. - requisite- Authentication of this login module must succeed. If success, proceed to the next login module; if failure, return immediately without processing the remaining login modules. - sufficient- Authentication of this login module is not required to succeed. If success, return immediately without processing the remaining login modules; if failure, proceed to the next login module. - optional- Authentication of this login module is not required to succeed. Always proceed to the next login module in this entry, irrespective of success or failure. 
 The contents of ajaas:moduleelement is a space separated list of property settings, which are used to initialize the JAAS login module instance. The specific properties are determined by the JAAS login module and must be put into the proper format.NoteYou can define multiple login modules in a realm.
Converting standard JAAS login properties to XML
링크 복사링크가 클립보드에 복사되었습니다!
					Red Hat JBoss A-MQ uses the same properties as a standard Java login configuration file, however JBoss A-MQ requires that they are specified slightly differently. To see how the JBoss A-MQ approach to defining JAAS realms compares with the standard Java login configuration file approach, consider how to convert the login configuration shown in Example 2.3, “Standard JAAS Properties”, which defines the 
PropertiesLogin realm using the Apache ActiveMQ properties login module class, PropertiesLoginModule:
				Example 2.3. Standard JAAS Properties
PropertiesLogin {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
PropertiesLogin {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
					The equivalent JAAS realm definition, using the 
jaas:config element in a blueprint file, is shown in Example 2.4, “Blueprint JAAS Properties”.
				Example 2.4. Blueprint JAAS Properties
Important
						You do not use double quotes for JAAS properties in the blueprint configuration.
					
Example
링크 복사링크가 클립보드에 복사되었습니다!
					Red Hat JBoss A-MQ also provides an adapter that enables you to store JAAS authentication data in an X.500 server. Example 2.5, “Configuring a JAAS Realm” defines the 
LDAPLogin realm to use JBoss A-MQ's LDAPLoginModule class, which connects to the LDAP server located at ldap://localhost:10389.
				Example 2.5. Configuring a JAAS Realm
					For a detailed description and example of using the LDAP login module, see Section 2.2, “Enabling LDAP Authentication”.
				
2.1.3. JAAS Properties Login Module
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS properties login module stores user data in a flat file format (where the stored passwords can optionally be encrypted using a message digest algorithm). The user data can either be edited directly, using a simple text editor, or managed using the 
jaas:* console commands.
				
					For example, a standalone container uses the JAAS properties login module by default and stores the associated user data in the 
InstallDir/etc/users.properties file.
				Supported credentials
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS properties login module authenticates username/password credentials, returning the list of roles associated with the authenticated user.
				
Implementation classes
링크 복사링크가 클립보드에 복사되었습니다!
					The following classes implement the JAAS properties login module:
				
- org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
- Implements the JAAS login module.
- org.apache.karaf.jaas.modules.properties.PropertiesBackingEngineFactory
- Must be exposed as an OSGi service. This service makes it possible for you to manage the user data using thejaas:*console commands from the Apache Karaf shell (see chapter "JAAS Console Commands" in "Console Reference").
Options
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS properties login module supports the following options:
				
- users
- Location of the user properties file.
Format of the user properties file
링크 복사링크가 클립보드에 복사되었습니다!
					The user properties file is used to store username, password, and role data for the properties login module. Each user is represented by a single line in the user properties file, where a line has the following form:
				
Username=Password[,Role][,Role]...
Username=Password[,Role][,Role]...Sample Blueprint configuration
링크 복사링크가 클립보드에 복사되었습니다!
					The following Blueprint configuration shows how to define a new 
karaf realm using the properties login module, where the default karaf realm is overridden by setting the rank attribute to 2:
				
					Remember to export the 
BackingEngineFactory bean as an OSGi service, so that the jaas:* console commands can manage the user data.
				2.1.4. JAAS OSGi Config Login Module
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS OSGi config login modules leverages the OSGi Config Admin Service to store user data. This login module is fairly similar to the JAAS properties login module (for example, the syntax of the user entries is the same), but the mechanism for retrieving user data is based on the OSGi Config Admin Service.
				
					The user data can be edited directly by creating a corresponding OSGi configuration file, 
etc/PersistentID.cfg or using any method of configuration that is supported by the OSGi Config Admin Service. The jaas:* console commands are not supported, however.
				Supported credentials
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS OSGi config login module authenticates username/password credentials, returning the list of roles associated with the authenticated user.
				
Implementation classes
링크 복사링크가 클립보드에 복사되었습니다!
					The following classes implement the JAAS OSGi config login module:
				
- org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule
- Implements the JAAS login module.
Note
						There is no backing engine factory for the OSGi config login module, which means that this module cannot be managed using the 
jaas:* console commands.
					Options
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS OSGi config login module supports the following options:
				
- pid
- The persistent ID of the OSGi configuration containing the user data. In the OSGi Config Admin standard, a persistent ID references a set of related configuration properties.
Location of the configuration file
링크 복사링크가 클립보드에 복사되었습니다!
					The location of the configuration file follows the usual convention where the configuration for the persistent ID, 
PersistentID, is stored in the following file:
				InstallDir/etc/PersistentID.cfg
InstallDir/etc/PersistentID.cfgFormat of the configuration file
링크 복사링크가 클립보드에 복사되었습니다!
					The 
PersistentID.cfg configuration file is used to store username, password, and role data for the OSGi config login module. Each user is represented by a single line in the configuration file, where a line has the following form:
				Username=Password[,Role][,Role]...
Username=Password[,Role][,Role]...
					This is the same format that is used in a users property file.
				
Sample Blueprint configuration
링크 복사링크가 클립보드에 복사되었습니다!
					The following Blueprint configuration shows how to define a new 
karaf realm using the OSGi config login module, where the default karaf realm is overridden by setting the rank attribute to 2:
				
					In this example, the user data will be stored in the file, 
InstallDir/etc/org.jboss.example.osgiconfigloginmodule.cfg, and it is not possible to edit the configuration using the jaas:* console commands.
				2.1.5. JAAS Public Key Login Module
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS public key login module stores user data in a flat file format, which can be edited directly using a simple text editor. The 
jaas:* console commands are not supported, however.
				
					For example, a standalone container uses the JAAS public key login module by default and stores the associated user data in the 
InstallDir/etc/keys.properties file.
				Supported credentials
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS public key login module authenticates SSH key credentials. When a user tries to log in, the SSH protocol uses the stored public key to challenge the user. The user must possess the corresponding private key in order to answer the challenge. If login is successful, the login module returns the list of roles associated with the user.
				
Implementation classes
링크 복사링크가 클립보드에 복사되었습니다!
					The following classes implement the JAAS public key login module:
				
- org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
- Implements the JAAS login module.
Note
						There is no backing engine factory for the public key login module, which means that this module cannot be managed using the 
jaas:* console commands.
					Options
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS public key login module supports the following options:
				
- users
- Location of the user properties file for the public key login module.
Format of the user properties file
링크 복사링크가 클립보드에 복사되었습니다!
					The user properties file is used to store username, public key, and role data for the public key login module. Each user is represented by a single line in the user properties file, where a line has the following form:
				
Username=PublicKey[,Role][,Role]...
Username=PublicKey[,Role][,Role]...
					Where the PublicKey is the public key part of an SSH key pair (typically found in a user's home directory in 
~/.ssh/id_rsa.pub in a UNIX system).
				
					For example, to create the user 
jdoe with the admin role, you would create an entry like the following:
				Important
						Do not insert the entire contents of the 
id_rsa.pub file here. Insert just the block of symbols which represents the public key itself.
					Sample Blueprint configuration
링크 복사링크가 클립보드에 복사되었습니다!
					The following Blueprint configuration shows how to define a new 
karaf realm using the public key login module, where the default karaf realm is overridden by setting the rank attribute to 2:
				
					In this example, the user data will be stored in the file, 
InstallDir/etc/keys.properties, and it is not possible to edit the configuration using the jaas:* console commands.
				2.1.6. JAAS JDBC Login Module
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS JDBC login module enables you to store user data in a database back-end, using Java Database Connectivity (JDBC) to connect to the database. Hence, you can use any database that supports JDBC to store your user data. To manage the user data, you can use either the native database client tools or the 
jaas:* console commands (where the backing engine uses configured SQL queries to perform the relevant database updates).
				Supported credentials
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS JDBC Login Module authenticates username/password credentials, returning the list of roles associated with the authenticated user.
				
Implementation classes
링크 복사링크가 클립보드에 복사되었습니다!
					The following classes implement the JAAS JDBC Login Module:
				
- org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule
- Implements the JAAS login module.
- org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory
- Must be exposed as an OSGi service. This service makes it possible for you to manage the user data using thejaas:*console commands from the Apache Karaf shell (see chapter "JAAS Console Commands" in "Console Reference").
Options
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS JDBC login module supports the following options:
				
- datasource
- The JDBC data source, specified either as an OSGi service or as a JNDI name. You can specify a data source's OSGi service using the following syntax:osgi:ServiceInterfaceName[/ServicePropertiesFilter] osgi:ServiceInterfaceName[/ServicePropertiesFilter]Copy to Clipboard Copied! Toggle word wrap Toggle overflow The ServiceInterfaceName is the interface or class that is exported by the data source's OSGi service (usuallyjavax.sql.DataSource).Because multiple data sources can be exported as OSGi services in a container, it is usually necessary to specify a filter, ServicePropertiesFilter, to select the particular data source that you want. Filters on OSGi services are applied to the service property settings and follow a syntax that is borrowed from LDAP filter syntax.
- query.password
- The SQL query that retrieves the user's password. The query can contain a single question mark character,?, which is substituted by the username at run time.
- query.role
- The SQL query that retrieves the user's roles. The query can contain a single question mark character,?, which is substituted by the username at run time.
- insert.user
- The SQL query that creates a new user entry. The query can contain two question marks,?, characters: the first question mark is substituted by the username and the second question mark is substituted by the password at run time.
- insert.role
- The SQL query that adds a role to a user entry. The query can contain two question marks,?, characters: the first question mark is substituted by the username and the second question mark is substituted by the role at run time.
- delete.user
- The SQL query that deletes a user entry. The query can contain a single question mark character,?, which is substituted by the username at run time.
- delete.role
- The SQL query that deletes a role from a user entry. The query can contain two question marks,?, characters: the first question mark is substituted by the username and the second question mark is substituted by the role at run time.
- delete.roles
- The SQL query that deletes multiple roles from a user entry. The query can contain a single question mark character,?, which is substituted by the username at run time.
Example of setting up a JDBC login module
링크 복사링크가 클립보드에 복사되었습니다!
					To set up a JDBC login module, perform the following main steps:
				
Create the database tables
링크 복사링크가 클립보드에 복사되었습니다!
					Before you can set up the JDBC login module, you must set up a users table and a roles table in the backing database to store the user data. For example, the following SQL commands show how to create a suitable 
users table and roles table:
				
					The 
users table stores username/password data and the roles table associates a username with one or more roles.
				Create the data source
링크 복사링크가 클립보드에 복사되었습니다!
					To use a JDBC datasource with the JDBC login module, the correct approach to take is to create a data source instance and export the data source as an OSGi service. The JDBC login module can then access the data source by referencing the exported OSGi service. For example, you could create a MySQL data source instance and expose it as an OSGi service (of 
javax.sql.DataSource type) using code like the following in a Blueprint file:
				
					The preceding Blueprint configuration should be packaged and installed in the container as an OSGi bundle.
				
Specify the data source as an OSGi service
링크 복사링크가 클립보드에 복사되었습니다!
					After the data source has been instantiated and exported as an OSGi service, you are ready to configure the JDBC login module. In particular, the 
datasource option of the JDBC login module can reference the data source's OSGi service using the following syntax:
				osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
					Where 
javax.sql.DataSource is the interface type of the exported OSGi service and the filter, (osgi.jndi.service.name=jdbc/karafdb), selects the particular javax.sql.DataSource instance whose osgi.jndi.service.name service property has the value, jdbc/karafdb.
				
					For example, you can use the following Blueprint configuration to override the 
karaf realm with a JDBC login module that references the sample MySQL data source:
				Note
						The SQL statements shown in the preceding configuration are in fact the default values of these options. Hence, if you create user and role tables consistent with these SQL statements, you could omit the options settings and rely on the defaults.
					
					In addition to creating a JDBCLoginModule, the preceding Blueprint configuration also instantiates and exports a 
JDBCBackingEngineFactory instance, which enables you to manage the user data using the jaas:* console commands.
				2.1.7. JAAS LDAP Login Module
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS LDAP login module enables you to store user data in an LDAP database. To manage the stored user data, use a standard LDAP client tool. The 
jaas:* console commands are not supported.
				
					For more details about using LDAP with Red Hat JBoss A-MQ, see Chapter 8, LDAP Authentication Tutorial.
				
Supported credentials
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS LDAP Login Module authenticates username/password credentials, returning the list of roles associated with the authenticated user.
				
Implementation classes
링크 복사링크가 클립보드에 복사되었습니다!
					The following classes implement the JAAS LDAP Login Module:
				
- org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
- Implements the JAAS login module.
Note
						There is no backing engine factory for the LDAP Login Module, which means that this module cannot be managed using the 
jaas:* console commands.
					Options
링크 복사링크가 클립보드에 복사되었습니다!
					The JAAS LDAP login module supports the following options:
				
- connection.url
- The LDAP connection URL—for example,ldap://hostname.
- connection.username
- Admin username to connect to the LDAP server. This parameter is optional: if it is not provided, the LDAP connection will be anonymous.
- connection.password
- Admin password to connect to the LDAP server. Used only if theconnection.usernameis also specified.
- user.base.dn
- The LDAP base DN used to look up roles—for example,ou=role,dc=apache,dc=org.
- user.filter
- The LDAP filter used to look up a user's role—for example,(member:=uid=%u).
- user.search.subtree
- Iftrue, the user lookup is recursive (SUBTREE). Iffalse, the user lookup is performed only at the first level (ONELEVEL).
- role.base.dn
- The LDAP base DN used to look up roles—for example,ou=role,dc=apache,dc=org.
- role.filter
- The LDAP filter used to look up a user's role—for example,(member:=uid=%u).
- role.name.attribute
- The LDAP role attribute containing the role value used by Apache Karaf—for example,cn.
- role.search.subtree
- Iftrue, the role lookup is recursive (SUBTREE). Iffalse, the role lookup is performed only at the first level (ONELEVEL).
- authentication
- Define the authentication back-end used on the LDAP server. The default issimple.
- initial.context.factory
- Define the initial context factory used to connect to the LDAP server. The default iscom.sun.jndi.ldap.LdapCtxFactory.
- ssl
- Iftrueor if the protocol on theconnection.urlisldaps, an SSL connection will be used.
- ssl.provider
- Specifies the SSL provider.
- ssl.protocol
- The protocol version to use. You must set this property toTLSv1, in order to prevent the SSLv3 protocol from being used (POODLE vulnerability).
- ssl.algorithm
- The algorithm to use for theKeyManagerFactoryand theTrustManagerFactory—for example,PKIX.
- ssl.keystore
- The ID of the keystore that stores the LDAP client's own X.509 certificate (required only if SSL client authentication is enabled on the LDAP server). The keystore must be deployed using ajaas:keystoreelement (see the section called “Sample Blueprint configuration”).
- ssl.keyalias
- The keystore alias of the LDAP client's own X.509 certificate (required only if there is more than one certificate stored in the keystore specified byssl.keystore).
- ssl.truststore
- The ID of the keystore that stores trusted CA certificates, which are used to verify the LDAP server's certificate (the LDAP server's certificate chain must be signed by one of the certificates in the truststore). The keystore must be deployed using ajaas:keystoreelement.
Sample Blueprint configuration
링크 복사링크가 클립보드에 복사되었습니다!
					The following Blueprint configuration shows how to define a new 
karaf realm using the LDAP login module, where the default karaf realm is overridden by setting the rank attribute to 2:
				Important
						You must set 
ssl.protocol to TLSv1, in order to protect against the Poodle vulnerability (CVE-2014-3566)
					2.1.8. Encrypting Stored Passwords
링크 복사링크가 클립보드에 복사되었습니다!
Overview
링크 복사링크가 클립보드에 복사되었습니다!
					By default, the JAAS login modules store passwords in plaintext format. Although you can (and should) protect such data by setting file permissions appropriately, you can provide additional protection to passwords by storing them in an obscured format (using a message digest algorithm).
				
					Red Hat JBoss A-MQ provides a set of options for enabling password encryption, which can be combined with any of the JAAS login modules (except for the public key login module, where it is not needed).
				
Important
						Although message digest algorithms are not easy to crack, they are not invulnerable to attack (for example, see the Wikipedia article on cryptographic hash functions). Always use file permissions to protect files containing passwords, in addition to using password encryption.
					
Options
링크 복사링크가 클립보드에 복사되었습니다!
					Password encryption for JAAS login modules can optionally be enabled by setting the following login module properties:
				
- encryption.enabled
- Set totrue, to enable password encryption.
- encryption.name
- Name of the encryption service, which has been registered as an OSGi service.
- encryption.prefix
- Prefix for encrypted passwords.
- encryption.suffix
- Suffix for encrypted passwords.
- encryption.algorithm
- Specifies the name of the encryption algorithm—for example,MD5orSHA-1. You can specify one of the following encryption algorithms:- MD2
- MD5
- SHA-1
- SHA-256
- SHA-384
- SHA-512
 
- encryption.encoding
- Encrypted passwords encoding:hexadecimalorbase64.
- encryption.providerName(Jasypt only)
- Name of thejava.security.Providerinstance that is to provide the digest algorithm.
- encryption.providerClassName(Jasypt only)
- Class name of the security provider that is to provide the digest algorithm
- encryption.iterations(Jasypt only)
- Number of times to apply the hash function recursively.
- encryption.saltSizeBytes(Jasypt only)
- Size of the salt used to compute the digest.
- encryption.saltGeneratorClassName(Jasypt only)
- Class name of the salt generator.
- role.policy
- Specifies the policy for identifying role principals. Can have the values,prefixorgroup.
- role.discriminator
- Specifies the discriminator value to be used by the role policy.
Encryption services
링크 복사링크가 클립보드에 복사되었습니다!
					An encryption service can be defined by inheriting from the 
org.apache.karaf.jaas.modules.EncryptionService interface and exporting an instance of the encryption service as an OSGi service. Two alternative implementations of the encryption service are provided:
				Basic encryption service
링크 복사링크가 클립보드에 복사되었습니다!
					The basic encryption service is installed in the standalone container by default and you can reference it by setting the 
encryption.name property to the value, basic. In the basic encryption service, the message digest algorithms are provided by the SUN security provider (the default security provider in the Oracle JDK).
				Jasypt encryption
링크 복사링크가 클립보드에 복사되었습니다!
					The Jasypt encryption service can be installed in the standalone container by installing the 
jasypt-encryption feature. For example, you can install Jasypt encryption by entering the following console command:
				JBossFuse:karaf@root> features:install jasypt-encryption
JBossFuse:karaf@root> features:install jasypt-encryption
					This command installs the requisite Jasypt bundles and exports Jasypt encryption as an OSGi service, so that it is available for use by JAAS login modules. To access the Jasypt encryption service, set the 
encryption.name property to the value, jasypt.
				
					For more information about Jasypt encryption, see the Jasypt documentation.
				
Example of a login module with Jasypt encryption
링크 복사링크가 클립보드에 복사되었습니다!
					Assuming that you have already installed the 
jasypt-encryption feature, you could deploy a properties login module with Jasypt encryption using the following Blueprint configuration: