2.2. Configuring password authentication for domain controllers using legacy core management authentication
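By default, Red Hat JBoss Enterprise Application Platform configures the master domain controller to require authentication from each slave controller that connects to it.
Configure the slave controllers with the appropriate credentials.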
Procedure
Use the add-user script to add a user to the master domain controller.

- Check that the user is added to the same realm that the master uses to secure its management interface, which by default is ManagementRealm. Add a slave user as shown in the following example. For the question "Is this new user going to be used for one AS process to connect to another AS process?", choose yes.

    $ EAP_HOME/bin/add-user.sh

    What type of user do you wish to add?
     a) Management User (mgmt-users.properties)
     b) Application User (application-users.properties)
    (a): a

    Enter the details of the new user to add.
    Using realm 'ManagementRealm' as discovered from the existing property files.
    Username : slave-user
    Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
     - The password should be different from the username
     - The password should not be one of the following restricted values {root, admin, administrator}
     - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
    Password :
    Re-enter Password :
    What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
    About to add user 'slave-user' for realm 'ManagementRealm'
    Is this correct yes/no? yes
    Added user 'slave-user' to file '/home/user/EAP-7.4.0/standalone/configuration/mgmt-users.properties'
    Added user 'slave-user' to file '/home/user/EAP-7.4.0/domain/configuration/mgmt-users.properties'
    Added user 'slave-user' with groups to file '/home/user/EAP-7.4.0/standalone/configuration/mgmt-groups.properties'
    Added user 'slave-user' with groups to file '/home/user/EAP-7.4.0/domain/configuration/mgmt-groups.properties'
    Is this new user going to be used for one AS process to connect to another AS process?
    e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
    yes/no? yes
    To represent the user add the following to the server-identities definition <secret value="ABCzc3dv11Qx" />

Important: After you add the user, the script outputs a <secret> element. You need this element in the next step.
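Configure the slave controllers to use the credential. After you create the user on the master domain controller, you must update each slave controller to use that credential in its host configuration file, for example host.xml or host-slave.xml. The following example shows the user name added to the <remote> element in the domain controller configuration. The example also shows the <secret> added to the server-identities of the realm that secures the <remote> element. Note that both the user name and the <secret> are obtained by adding the user to the master domain controller in the previous step.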

    ...
    <security-realm name="ManagementRealm">
        <server-identities>
            <!-- Replace this with either a base64 password of your own, or use a vault with a vault expression -->
            <secret value="ABCzc3dv11Qx"/>
        </server-identities>
    ...
    <domain-controller>
        <remote security-realm="ManagementRealm" username="slave-user">
            <discovery-options>
                <static-discovery name="primary" protocol="${jboss.domain.master.protocol:remote}" host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9990}"/>
            </discovery-options>
        </remote>
    </domain-controller>
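
The following audit script is an added example, not part of the Red Hat documentation or product. It checks a slave host file for the wiring described in this procedure: a <remote> element with a username, a realm that exists, and a <secret> in that realm's server-identities. It also reports when the secret is a base64 literal, which anyone who can read the file can decode, rather than an expression such as a vault expression. The function names, the sample document and its namespace value are assumptions made for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: a minimal slave host file using this page's placeholder values.
SAMPLE_HOST_XML = """<host xmlns="urn:jboss:domain:16.0" name="slave1">
  <management><security-realms>
    <security-realm name="ManagementRealm">
      <server-identities><secret value="ABCzc3dv11Qx"/></server-identities>
    </security-realm>
  </security-realms></management>
  <domain-controller>
    <remote security-realm="ManagementRealm" username="slave-user"/>
  </domain-controller>
</host>"""

def local(tag):
    """Strip the XML namespace so the check does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]

def audit_host_xml(xml_text):
    """Return a list of findings about the <remote> / <secret> configuration."""
    root = ET.fromstring(xml_text)
    secrets = {}  # realm name -> secret value, or None if the realm has no <secret>
    for realm in (e for e in root.iter() if local(e.tag) == "security-realm"):
        found = [s for s in realm.iter() if local(s.tag) == "secret"]
        secrets[realm.get("name")] = found[0].get("value") if found else None
    remotes = [r for dc in root.iter() if local(dc.tag) == "domain-controller"
               for r in dc if local(r.tag) == "remote"]
    findings = [] if remotes else ["no <remote> element under <domain-controller>"]
    for remote in remotes:
        realm = remote.get("security-realm")
        if not remote.get("username"):
            findings.append("<remote> has no username attribute")
        if realm not in secrets:
            findings.append(f"<remote> references undefined realm {realm!r}")
        elif secrets[realm] is None:
            findings.append(f"realm {realm!r} has no <secret> in server-identities")
        elif secrets[realm].startswith("${"):
            continue  # expression (for example a vault expression), resolved at runtime
        else:
            try:
                base64.b64decode(secrets[realm], validate=True)
                findings.append(f"realm {realm!r} stores a base64 literal: encoded, not encrypted")
            except (binascii.Error, ValueError):
                findings.append(f"realm {realm!r} secret is not valid base64")
    return findings

if __name__ == "__main__":
    print(audit_host_xml(SAMPLE_HOST_XML) or "OK")
```
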