Chapter 6. Security


Read this chapter to learn how to enable and configure the different security systems in the JBoss Enterprise BRMS Platform. The topics covered are:
  • Authentication
  • Authorization
  • Rule Package Signing

6.1. Authentication

The JBoss Enterprise BRMS Platform uses the Java Authentication and Authorization Service (JAAS) to verify user credentials. This service is provided by the application server and is used to reach a separate authentication system. That separate system can be a Lightweight Directory Access Protocol (LDAP) server, an Active Directory server, or a JDBC database.

Important

When users are granted access to the JBoss Enterprise BRMS Platform, they are potentially given the ability to affect the business logic of other applications. Use role-based authorization to define what each user can and cannot do. For more on this topic, see Section 6.2, "Authorization".
You configure which authentication method is used through the jboss-brms.war/WEB-INF/components.xml file. The default configuration contains several "commented-out" options, but the effective settings are similar to:
<security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="jmx-console"/>
<component name="org.jboss.seam.security.roleBasedPermissionResolver">
   <property name="enableRoleBasedAuthorization">false</property>
</component>

Note

The components.xml file changed in BRMS 5.2. In 5.1 and earlier, this file is similar to:
<security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="jmx-console"/>
<security:role-based-permission-resolver enable-role-based-authorization="false"/>

Important

This default configuration uses the account names, passwords and roles defined in the jmx-console authentication policy. Red Hat recommends editing this policy to suit the needs of your particular environment.
To configure authentication, follow these steps:
  1. Edit the appropriate JBoss login module of the application server.
  2. Configure the JBoss Enterprise BRMS Platform to use that module.

Note

Many JBoss login modules provide a way to assign several roles to each user. The JBoss Enterprise BRMS Platform has its own mechanism for managing user roles.

Warning

If role-based authorization is disabled, every user effectively has admin rights. This gives them full access to the JBoss Enterprise BRMS Platform.

Important

Red Hat recommends enabling role-based authorization. Before doing so, assign the admin role to at least one user in the BRMS Permissions screen: only users with admin rights can perform many administrative tasks, such as managing user roles (explained further in Section 6.2, "Authorization").

6.1.1. Authentication Example: UserRolesLoginModule

This example explains how to use the org.jboss.security.auth.spi.UsersRolesLoginModule login module to access a set of user accounts stored in the props/brms-users.properties and props/brms-roles.properties files.

Procedure 6.1. Authentication Example: UserRolesLoginModule

  1. Make sure the authentication system is configured correctly

    The login module uses two files to store login names, passwords and the roles assigned to users. Create the brms-users.properties and brms-roles.properties files in the jboss-as-web/server/PROFILE/conf/props/ directory and specify at least one user in brms-users.properties in this format: username=password. (brms-roles.properties may be empty.)
  2. Shut down the application server

    Shut down the application server before making these changes.
  3. Configure the JBoss login module

    To configure the JBoss login module, open the jboss-as-web/server/PROFILE/conf/login-config.xml file. It is an XML file containing a <policy> element with several <application-policy> child elements. Each <application-policy> element defines a different authentication mode. Add the following <application-policy> XML fragment as a new child of the <policy> element.
    <!--BRMS Platform Security Domain-->
    <application-policy name="brms">
       <authentication>
           <login-module
               code="org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag="required">
                <module-option name="usersProperties">
                    props/brms-users.properties
                </module-option>
                <module-option name="rolesProperties">
                    props/brms-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
  4. Configure the BRMS Platform to use the login module

    Open jboss-as-web/server/PROFILE/deploy/jboss-brms.war/WEB-INF/components.xml. It contains a <components> element with several child elements, including <security:identity>.
    Comment out the existing <security:identity> element to avoid a conflict. Add the following <security:identity> element.
    <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="brms"/>
    The jaas-config-name attribute must be the same as the application-policy name. If you changed the application-policy name in the previous step, change the jaas-config-name attribute here to match.
  5. Restart

    Restart the application server.
6.1.2. Authentication Example: LDAP

LDAP is a popular choice for large enterprises. The basic configuration steps are the same as in the previous example, but the configuration details differ.

Procedure 6.2. Authentication Example 2: LDAP

  1. Make sure the LDAP server is configured correctly

    Make sure that firewall and network configuration do not block communication between the application server and the LDAP server.
  2. Shut down the application server

    Shut down the application server before making these changes.
  3. Configure the JBoss login module

    To configure the JBoss login module, open the jboss-as-web/server/PROFILE/conf/login-config.xml file. It is an XML file containing a <policy> element with several <application-policy> child elements. Each <application-policy> element defines a different authentication mode. Add the following <application-policy> XML fragment as a new child of the <policy> element.
    <application-policy name="brms">
     <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" 
          flag="required" >
        <module-option name="java.naming.provider.url">
            ldap://ldap.company.com:389
        </module-option>
        <module-option name="bindDN">DEPARTMENT\someadmin</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">cn=Users,dc=company,dc=com
        </module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">cn=Users,dc=company,dc=com
        </module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
     </authentication>
    </application-policy>
    Update this configuration with the values appropriate for your LDAP server.
  4. Configure the BRMS Platform to use the login module

    Open jboss-as-web/server/PROFILE/deploy/jboss-brms.war/WEB-INF/components.xml. It contains a <components> element with several child elements, including <security:identity>.
    Comment out the existing <security:identity> element to avoid a conflict. Add the following <security:identity> element.
    <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="brms"/>
    The jaas-config-name attribute must be the same as the application-policy name. If you changed the application-policy name in the previous step, change the jaas-config-name attribute here to match.
  5. Restart

    Restart the application server.

Note

For more details on the various LDAP configuration scenarios, read these two pages: http://www.jboss.org/community/wiki/LdapLoginModule and http://www.jboss.org/community/wiki/LdapExtLoginModule.

6.2. Authorization

BRMS uses role-based authorization to assign permissions to users. By default, role-based authorization is disabled and you must enable it. Likewise, you must assign roles to users. If role-based authorization is not enabled, all users have administrative rights.

Figure 6.1. Managing user permissions

Procedure 6.3. Enabling role-based authorization

  1. Assign administrator rights to a user

    Before enabling role-based authorization, it is necessary to assign the administrator role to at least one trusted user.
    For details, see Procedure 6.5, "Managing user permissions".
  2. Shut down the application server

    Shut down the application server before making these changes.
  3. Open components.xml

    Open the jboss-as-web/server/PROFILE/deploy/jboss-brms.war/WEB-INF/components.xml file in a text editor.
  4. Locate the <property name="enableRoleBasedAuthorization"> element

    In the default components.xml file, this XML element is a child of <components>.
    <component name="org.jboss.seam.security.roleBasedPermissionResolver">
       <property name="enableRoleBasedAuthorization">false</property>
    </component>

    Note

    In 5.1 and earlier, locate the following XML instead:
    <security:role-based-permission-resolver 
        enable-role-based-authorization="false"/>
  5. Update the property value to "true"

    Set the value to true and save the file.
    <component name="org.jboss.seam.security.roleBasedPermissionResolver">
       <property name="enableRoleBasedAuthorization">true</property>
    </component>

    Note

    In 5.1 and earlier, the updated XML is:
    <security:role-based-permission-resolver 
        enable-role-based-authorization="true"/>
  6. Restart

    Restart the application server.
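The following Java program is an added check, not part of the BRMS distribution, that reads login-config.xml and components.xml and reports the misconfigurations Procedures 6.1 to 6.3 warn about: a jaas-config-name with no matching application-policy, a <security:identity> still bound to the default jmx-console policy, and role-based authorization left disabled (both the 5.2 <property> form and the 5.1 attribute form are recognized). The class name and the wording of the findings are assumptions; it also assumes components.xml declares the security: prefix, as it must for the file to parse.

```java
import java.io.File;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class BrmsSecurityConfigCheck {
    static Document parse(File f) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // components.xml uses the security: prefix
        // local config files only: never resolve external DTDs or entities
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return dbf.newDocumentBuilder().parse(f);
    }

    // Returns findings; an empty list means the files agree and role-based authorization is on.
    static List<String> check(File loginConfig, File components) throws Exception {
        List<String> findings = new ArrayList<>();
        Set<String> policies = new HashSet<>();
        NodeList ap = parse(loginConfig).getElementsByTagNameNS("*", "application-policy");
        for (int i = 0; i < ap.getLength(); i++) {
            policies.add(((Element) ap.item(i)).getAttribute("name"));
        }
        Document comp = parse(components);
        // commented-out <security:identity> elements are not part of the DOM, so only active ones count
        NodeList ids = comp.getElementsByTagNameNS("*", "identity");
        if (ids.getLength() != 1) {
            findings.add("expected exactly one active <security:identity>, found " + ids.getLength());
        }
        for (int i = 0; i < ids.getLength(); i++) {
            String name = ((Element) ids.item(i)).getAttribute("jaas-config-name");
            if (!policies.contains(name)) {
                findings.add("jaas-config-name \"" + name + "\" matches no <application-policy> in login-config.xml");
            } else if (name.equals("jmx-console")) {
                findings.add("still bound to the default jmx-console policy; define a dedicated BRMS policy");
            }
        }
        String rbac = null;
        NodeList props = comp.getElementsByTagNameNS("*", "property");  // BRMS 5.2 form
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            if ("enableRoleBasedAuthorization".equals(p.getAttribute("name"))) rbac = p.getTextContent().trim();
        }
        NodeList old = comp.getElementsByTagNameNS("*", "role-based-permission-resolver");  // 5.1 and earlier
        if (old.getLength() > 0) rbac = ((Element) old.item(0)).getAttribute("enable-role-based-authorization");
        if (!"true".equalsIgnoreCase(rbac)) {
            findings.add("role-based authorization is off: every authenticated user effectively has admin rights");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = check(new File(args[0]), new File(args[1]));
        for (String f : findings) System.out.println("FINDING: " + f);
    }
}
```

Run it with the paths to login-config.xml and components.xml as the two arguments; a run with no output means the two files agree and role-based authorization is enabled.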

The JBoss Enterprise BRMS Platform does not manage user identities. Only users who have been assigned as BRMS users are visible in the JBoss Enterprise BRMS Platform's user permissions.

Procedure 6.4. Adding a new user to BRMS

  1. Select the permission details

    From the navigation pane, select Administration, then select User Permissions.
  2. Add a user mapping

    Click the Create new user mapping button. Enter the user name in the dialog and click OK.

    Note

    The user name specified for the role must match a user name in the authentication service, otherwise it cannot be used.
  3. Add permissions

    For details, see Procedure 6.5, "Managing user permissions".

Procedure 6.5. Managing user permissions

  1. Select user permissions

    From the navigation pane, select Administration, then select User Permissions.
  2. Select the user

    Click Open next to the user name.

    Figure 6.2. Permission details

  3. Assign user permissions

    Click the plus icon to add a permission, then select the appropriate permission from the Permission type drop-down menu. Click OK to confirm.

    Figure 6.3. Editing user permissions

  4. Remove user permissions

    Click the minus icon next to the permission to remove, then click OK to confirm.

Users assigned the admin permission can modify the roles and permissions of other users.
Users can be assigned the following three roles:
  • admin
  • analyst
  • package
Users assigned the admin role have access to every aspect of the JBoss Enterprise BRMS Platform.
The analyst permission is intended for users responsible for maintaining rule assets. Developers and business analysts should have this level of permission.

Note

When assigning the analyst permission to a user, you are prompted to enter a category. A category is a way of grouping rules that is independent of the knowledge package the rules belong to.

Note

When an analyst is responsible for maintaining the rules in one category and needs to examine the rules in another category, you can use the read-only analyst permission.

Important

Users granted only category permissions cannot view any package-view details: they can only see the Simple Categories view.
When assigning roles, you are prompted to select package permissions. There are three different package permissions that can be assigned to users:
Package Administrator

The Package Administrator permission grants full control over the specified package, including the right to deploy it. It does not grant any administrative rights over other parts of the JBoss Enterprise BRMS Platform.

Package Developer

The Package Developer permission allows a user to create and edit items within the specified package, such as creating and running test scenarios, but does not include the right to deploy the package.

Package Read-only

The Package Read-only permission is similar to the analyst read-only permission, but it is assigned to a package rather than a category.

6.3. Rule Package Signing

Read this section to learn about rule package signing and keystore configuration.
Rule Package Signing ensures that packages are not corrupted or altered while being downloaded from the BRMS Platform server to a client application. It is disabled by default.

Important

Red Hat strongly recommends enabling rule package signing in production environments.
Rule package signing is implemented with public key cryptography. The JDK keytool command is used to create a private key and the corresponding public digital certificate. A package signed with the private key can only be verified with the matching certificate. The private key is stored in a file called a keystore, which the server uses to sign every package automatically. The public certificate is made available to each client application in what is called a truststore. The certificate in the truststore is used to verify the authenticity of signed packages. A rule package that was corrupted or modified during download is rejected by the client, because its signature no longer matches the certificate.
The following procedure describes how to configure the server for rule package signing.
During this procedure you must:
  • Create a private signing key and a corresponding public digital certificate.
  • Make the private signing key and the public digital certificate available to the server in a keystore.
  • Configure the server to use the keystore.

Procedure 6.6. Configuring rule package signing

  1. Create the private key

    Create the private key using keytool:
    keytool -genkey -alias ALIAS -keyalg RSA -keystore PRIVATE.keystore
    The -alias parameter specifies the name used to link related entries in the keystore. Use the same alias for every step. Aliases are not case-sensitive. -keystore gives the name of the file that will be created to hold the private key.
    keytool prompts you to confirm some information and to enter two passwords. The first password is the keystore password. The second password is the key password, used for the key being created.
    [localhost ]$ keytool -genkey -alias BRMSKey -keyalg RSA -keystore PrivateBRMS.keystore
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
       [Unknown]:  John Smith
    What is the name of your organizational unit?
       [Unknown]:  Accounts
    What is the name of your organization?
       [Unknown]:  ACME INC
    What is the name of your City or Locality?
       [Unknown]:  Captital City
    What is the name of your State or Province?
       [Unknown]:  CC
    What is the two-letter country code for this unit?
       [Unknown]:  US
    Is CN=John Smith, OU=Accounts, O=ACME INC, L=Captial City, ST=CC, C=US correct?
       [no]:  yes
    Enter key password for <BRMSKey>
       (RETURN if same as keystore password):  
    Re-enter new password:
  2. Create the digital certificate

    Create the digital certificate using keytool:
    keytool -export -alias ALIAS -file CERTIFICATE.crt -keystore PRIVATE.keystore
    Use the same alias and keystore as in the previous step. The -file parameter specifies the name of the new certificate to create. The -keystore parameter specifies the file name of the private keystore.
    Enter the keystore password at the prompt.
    [localhost ]$ keytool -export -alias BRMSKey -file BRMSKey.crt -keystore PrivateBRMS.keystore
    Enter keystore password:  
    Certificate stored in file <BRMSKey.crt>
  3. Import the digital certificate into the truststore

    Import the digital certificate into a keystore using the keytool command:
    keytool -import -alias ALIAS -file CERTIFICATE.crt -keystore PUBLIC.keystore
    This creates a new keystore containing the digital certificate: the truststore. The truststore makes the digital certificate available to client applications.
    [localhost ]$ keytool -import -alias BRMSKey -file BRMSKey.crt -keystore PublicBRMS.keystore
    Enter keystore password:  
    Re-enter new password: 
    Owner: CN=John Smith, OU=Accounts, O=ACME INC, L=Captial City, ST=CC, C=US
    Issuer: CN=John Smith, OU=Accounts, O=ACME INC, L=Captial City, ST=CC, C=US
    Serial number: 4ca0021b
    Valid from: Sun Sep 26 22:31:55 EDT 2010 until: Sat Dec 25 21:31:55 EST 2010
    Certificate fingerprints:
       MD5:  31:1D:1B:98:59:CC:0E:3C:3F:57:01:C2:FE:F2:6D:C9
       SHA1: 4C:26:52:CA:0A:92:CC:7A:86:04:50:53:80:94:2A:4F:82:6F:53:AD
       Signature algorithm name: SHA1withRSA
       Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  4. Move the private keystore to a secure location

    The private keystore must be kept in a secure location that only the JBoss Enterprise BRMS Platform server can access. It can be on the same machine or in a secure network location.

    Important

    The JBoss Enterprise BRMS Platform cannot supply authentication credentials for network resources. If the private keystore is kept in a secure network location, any authentication must be performed on behalf of the JBoss Enterprise BRMS Platform server so that the private keystore becomes available to it. For example, the operating system can authenticate and mount a file share holding the private keystore as a local directory that the JBoss Enterprise BRMS Platform server can access.
  5. Move the truststore to a public location

    The truststore must be accessible to client applications. This can be achieved by placing the truststore on a network share or a web server.
  6. Set the Drools serialization properties

    You must set the Drools serialization system properties on the server. These properties hold the information needed to access the keystores. Because the JBoss Enterprise BRMS Platform also contains client components, both the private keystore and the truststore properties must be set.
    For details on where to set these properties, see Section 6.3.1, "Setting the serialization properties".
    The properties to set are:
    • drools.serialization.sign - specifies whether signing is enabled. It must be true.
    • drools.serialization.private.keyStoreURL - the URL where the private keystore is located
    • drools.serialization.private.keyStorePwd - the password of the private keystore
    • drools.serialization.private.keyAlias - the alias used when the keystore was created
    • drools.serialization.private.keyPwd - the key password
    • drools.serialization.public.keyStoreURL - the URL where the truststore is located
    • drools.serialization.public.keyStorePwd - the password of the truststore
  7. Encrypt the keystore credentials

    The keystore passwords are currently stored in plain text.
    For instructions on encrypting the keystore credentials, see https://access.redhat.com/kb/docs/DOC-47247.
  • For how to configure clients to use signed rule packages, see the BRMS User Guide.

6.3.1. Setting the serialization properties

As described below, the system properties for the keystore credentials can be set in several ways. The properties need to be set in only one place to be available to all applications running on the same application server.
JBoss Properties service
To set the properties with the JBoss Properties service, add the following managed bean configuration to the /server/PROFILE/deploy/properties-service.xml file, replacing the example values with the values for your system.
<mbean code="org.jboss.varia.property.SystemPropertiesService"  
      name="jboss:type=Service,name=SystemProperties">
   <attribute name="Properties">
   # Drools Security Serialization specific properties
   drools.serialization.sign=true
   drools.serialization.private.keyStoreURL=file:///opt/secure/PrivateBRMS.keystore
   drools.serialization.private.keyStorePwd=storepassgoeshere
   drools.serialization.private.keyAlias=BRMSKey
   drools.serialization.private.keyPwd=keypassgoeshere
   drools.serialization.public.keyStoreURL=file:///opt/public/PublicBRMS.keystore
   drools.serialization.public.keyStorePwd=keypassgoeshere
   </attribute>
</mbean>
jboss-brms.war properties file
To set the properties in the jboss-brms.war properties file, add the following to the jboss-brms.war/WEB-INF/classes/preferences.properties file.
drools.serialization.sign=true
drools.serialization.private.keyStoreURL=file:///opt/secure/PrivateBRMS.keystore
drools.serialization.private.keyStorePwd=storepassgoeshere
drools.serialization.private.keyAlias=BRMSKey
drools.serialization.private.keyPwd=keypassgoeshere
drools.serialization.public.keyStoreURL=file:///opt/public/PublicBRMS.keystore
drools.serialization.public.keyStorePwd=keypassgoeshere
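As an added illustration of what Procedure 6.6 and the properties above set up (this is not the Drools or BRMS signing implementation), the Java program below reads the drools.serialization.* system properties, signs package bytes with the private key from the private keystore, and verifies them with the certificate from the truststore, showing that a modified package no longer verifies. The class name, the choice of SHA256withRSA, the constructed package bytes and the lookup of the truststore entry under the private key's alias (the procedure imports the certificate under the same alias) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Objects;

public class RulePackageSigningDemo {
    static String prop(String name) {
        return Objects.requireNonNull(System.getProperty(name), "system property not set: " + name);
    }

    static KeyStore load(String url, String password) throws Exception {
        // keytool writes JKS on older JDKs; newer JDKs open both JKS and PKCS12 through this type
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new URL(url).openStream()) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Server side: sign the serialized package bytes with the private key from the private keystore. */
    static byte[] sign(byte[] pkg) throws Exception {
        KeyStore ks = load(prop("drools.serialization.private.keyStoreURL"),
                           prop("drools.serialization.private.keyStorePwd"));
        PrivateKey key = (PrivateKey) ks.getKey(prop("drools.serialization.private.keyAlias"),
                           prop("drools.serialization.private.keyPwd").toCharArray());
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(pkg);
        return sig.sign();
    }

    /** Client side: verify with the certificate from the truststore; the private key is never needed here. */
    static boolean verify(byte[] pkg, byte[] signature) throws Exception {
        KeyStore ts = load(prop("drools.serialization.public.keyStoreURL"),
                           prop("drools.serialization.public.keyStorePwd"));
        // Procedure 6.6 imports the certificate under the same alias as the private key (assumption)
        Certificate cert = Objects.requireNonNull(
                ts.getCertificate(prop("drools.serialization.private.keyAlias")), "alias not in truststore");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(pkg);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        byte[] pkg = "constructed stand-in for a serialized rule package".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(pkg);
        System.out.println("intact package verifies:   " + verify(pkg, signature));
        byte[] tampered = pkg.clone();
        tampered[0] ^= 0x01;  // a single flipped bit, as download corruption or modification would cause
        System.out.println("tampered package verifies: " + verify(tampered, signature));
    }
}
```

After creating the keystores with the keytool steps above, pass the properties as -D options, for example -Ddrools.serialization.private.keyStoreURL=file:///opt/secure/PrivateBRMS.keystore, so the program reads them exactly as the server would from properties-service.xml.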