Bug 864698

Summary: Security Guide instructions for Securing HTTP Invoker are actually for Securing JMX Invoker
Product: [JBoss] JBoss Enterprise Application Platform 5
Component: doc-JBoss_Security_Guide
Version: 5.2.0
Reporter: Scott Mumford <smumford>
Assignee: Scott Mumford <smumford>
CC: jskeoch, jwulf, mhideo
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-03-12 04:02:25 UTC

Description Scott Mumford 2012-10-09 23:02:13 UTC
Investigations by Jason Shepherd surrounding JBPAPP-7410 have highlighted the fact that the content in the EAP docs suite regarding securing the HTTP Invoker is actually to do with the JMX Invoker.

Jason recommends renaming the section to "Securing the Legacy Invokers" and advises that, since the HTTP Invoker is secured by default in EAP 5.1 and later, no content is required to replace the HTTP Invoker topic.

This KBase article was provided as a reference point:
https://access.redhat.com/knowledge/solutions/45530
(Red Hat login required)

Jason has also advised that this procedure can be tested by using telnet to confirm "we only bind the service on 4444 and 4445 to localhost", should this be required in the documentation.

Resolving this issue will require:
* Changing the title of the content (as mentioned above)
* Changing references within the section from HTTP Invoker to JMX Invoker
* Confirming that the content accurately reflects what is in the reference article linked above.
* Requesting QA verification of the changes (including the testing advice if it is included).

NOTE
The content in question appears in the Installation Guide on the live docs site [1] but it has been moved to the Security Guide for the next release [2].

1 https://access.redhat.com/knowledge/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Installation_Guide/index.html#Adminstration_Console_User_Guide-Configuration-Security-HTTPInvoker

2 http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Security_Guide/index.html#Adminstration_Console_User_Guide-Configuration-Security-HTTPInvoker
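
The localhost-binding check suggested above (telnet to 4444 and 4445) can be scripted. The following is an added example and is not part of the bug report or the EAP documentation: it parses Linux `ss -ltn` output (the sample output below is constructed), flags either legacy invoker port that is bound to a non-loopback address, and provides a connect-based probe equivalent to the telnet test. The helper names, the `ss` output format and the sample data are assumptions of this example.

```python
"""Check that the legacy invokers (RMI/JRMP on 4444, Pooled on 4445) listen
only on the loopback interface, and offer a TCP-connect probe that does what
the telnet check in the bug report does.

Added example, not part of the bug report or the EAP documentation.
Assumes Linux `ss -ltn` output; the sample below is constructed.
"""
import socket
import subprocess
from typing import Dict, List, Tuple

INVOKER_PORTS = {4444: "RMI/JRMP invoker", 4445: "Pooled invoker"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -ltn` output: 4444 is correctly bound to
# localhost only (v4 and v6), while 4445 has been exposed on all interfaces.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     127.0.0.1:4444      0.0.0.0:*
LISTEN 0      50     0.0.0.0:4445        0.0.0.0:*
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      50     [::1]:4444          [::]:*
"""


def split_addr_port(local: str) -> Tuple[str, int]:
    """Split 'host:port'; host may be IPv4, '*', or a bracketed IPv6 address."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def parse_listeners(ss_output: str) -> Dict[int, List[str]]:
    """Map each listening port to the list of local addresses bound to it."""
    listeners: Dict[int, List[str]] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":  # skips the header row too
            continue
        host, port = split_addr_port(fields[3])
        listeners.setdefault(port, []).append(host)
    return listeners


def exposed_invokers(listeners: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Return the invoker ports bound to anything other than a loopback address.
    '0.0.0.0', '*' and '[::]' mean all interfaces and therefore count as exposed."""
    exposed: Dict[int, List[str]] = {}
    for port in INVOKER_PORTS:
        bad = [h for h in listeners.get(port, []) if h not in LOOPBACK]
        if bad:
            exposed[port] = bad
    return exposed


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """The telnet-style check: can a TCP handshake be completed to host:port?
    Run it from a *remote* host; success there means the invoker is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_live_host() -> Dict[int, List[str]]:
    """Run `ss -ltn` on this machine and report exposed invoker ports (assumed helper)."""
    out = subprocess.run(["ss", "-ltn"], check=True, capture_output=True, text=True).stdout
    return exposed_invokers(parse_listeners(out))


if __name__ == "__main__":
    for port, hosts in exposed_invokers(parse_listeners(SAMPLE_SS_OUTPUT)).items():
        print(f"WARNING: {INVOKER_PORTS[port]} on port {port} is bound to {hosts}")
```

The `ss` parse answers the "is it bound to localhost" question from the server itself; `tcp_reachable` run from another machine is the positive confirmation, since a firewall in front of the host can make an exposed binding unreachable without making it safe to leave that way.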

Comment 1 JBoss JIRA Server 2012-11-20 05:01:49 UTC
Scott Mumford <smumford> made a comment on jira JBPAPP-10089

Based on the advice outlined above, the document now has two 'JMX Invoker' sections;

One (21.6.3. JMX Invoker) which used to be the HTTP Invoker section, with references changed to JMX Invoker (as per advice) and the original one (21.6.4. JMX Invoker). [1]

A new version of the document (5.2.0-10) has been staged for SME input needed to confirm which is the correct section to keep. 
Adding [~jshepher] for input. Jason, please review and advise.

Once the correct content has been identified, the testing data will be added.

1 http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Security_Guide/index.html#How_to_Secure_the_JBoss_Server-The_HTTP_Invokers

NOTE: At the time of writing this comment, the document at the link above had not updated after having been rebrewed, although the brew task succeeded without issue.

Comment 2 JBoss JIRA Server 2012-11-21 00:11:37 UTC
Jason Shepherd <jshepherd> made a comment on jira JBPAPP-10089

Hi Scott, 

I don't think the new section has enough information. I would write it like this:

-------------------------

Chapter 21. Securing the Administrative Access Points

JBoss Enterprise Application Platform ships with several administrative access points that must be secured or removed to prevent unauthorized access to administrative functions in a deployment. This chapter discusses the various administration services, how to secure them, and how to disable authentication on these access points for development purposes.

21.1. JMX Console

The JMX Console is provided by the jmx-console.war file located in the deploy directory. It provides an HTML view into the JMX Microkernel and allows you to perform administrative actions such as shutting down the server, stopping services, deploying new services, etc. This service is secured by default, and permissions need to be granted to the 'jmx-console' security domain to allow access. Follow Procedure 21.1 to allow access to it. In order to remove it, delete the 'jmx-console' folder from the 'deploy' directory.

21.2. Admin Console

The Admin Console improves on the former Web Console, and is an embedded version of the JOPR project, which JBoss Operations Network is based on. This console allows users to deploy and undeploy applications, and should be secured or removed. It is secured by default, and you need to follow Procedure 21.1 to allow access to it. It can be removed by deleting the 'admin-console' directory from the 'deploy' directory.

21.3. Web Console

The Web Console is a legacy console from the EAP 4 series; the Admin Console is a more fully featured console. The Web Console is secured by default, by the web-console security domain which is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml. By default the web-console security domain uses the same security configuration as the jmx-console domain, so you need to follow Procedure 21.1 to allow access to it.

21.4. HTTP Invoker

The HTTP Invoker is a service that provides HTTP and Remote Method Invocation (RMI) access for EJBs and the JNDI Naming service. It is secured by the 'jmx-console' security domain, and you need to follow Procedure 21.1 to allow access to it.

21.5. JMX Invoker

This invoker exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. The JMX Invoker is secured by default in JBoss Enterprise Application Platform 5.1 and later, by restricting access to requests originating from the loopback network interface, or 'localhost'. To allow access to it from remote hosts, follow Procedure 21.2.

Procedure 21.1. Create jmx-console, admin-console, and HTTP Invoker user account

This procedure creates a user with access permissions to the admin and jmx consoles, and the HTTP Invoker.

1. Add a user. The jmx-console is secured by the jmx-console security domain which is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml. In order to allow access, add a username and password to $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties as a username=password pair.

   Default admin user configuration: the commented admin=admin username and password pair is an example of the username/password definition syntax. Do not use this for your user account.

2. Grant permissions to the user. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties and create an entry for the user of the form:

       username=JBossAdmin,HttpInvoker

   JBossAdmin grants the user permission to access the JMX Console and Admin Console. HttpInvoker grants the user permission to access the HTTP Invoker.

Procedure 21.2. Allow access to the JMX Invoker from remote hosts

To allow access on the hostName 'myservice.example.com', add a 'hostName' property to the invoker you wish to use, Pooled or non-Pooled. Be aware that 'myservice.example.com' must resolve to an IP address served by this machine.

    <!-- RMI/JRMP invoker -->
    <bean class="org.jboss.services.binding.ServiceBindingMetadata">
       <property name="serviceName">jboss:service=invoker,type=jrmp</property>
       <property name="port">4444</property>
       <property name="description">Socket for the legacy RMI/JRMP invoker</property>
       <property name="hostName">myservice.example.com</property>
    </bean>

    <!-- Pooled invoker -->
    <bean class="org.jboss.services.binding.ServiceBindingMetadata">
       <property name="serviceName">jboss:service=invoker,type=pooled</property>
       <property name="port">4445</property>
       <property name="description">Socket for the legacy Pooled invoker</property>
       <property name="hostName">myservice.example.com</property>
    </bean>
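
The user and role files that the procedure above edits are plain Java .properties files, so the warnings it carries (do not activate the commented admin=admin pair; every user needs a role mapping to reach the consoles) can be checked mechanically. The following is an added example and is not part of the bug report or the EAP documentation; it reads jmx-console-users.properties and jmx-console-roles.properties (the file contents below are constructed) and reports the obvious misconfigurations. The helper names and the specific findings chosen are assumptions of this example.

```python
"""Audit the jmx-console security domain's user and role files
($JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties and
jmx-console-roles.properties) for the mistakes the procedure warns about.

Added example, not from the bug report or the EAP documentation.
The sample file contents below are constructed.
"""
from pathlib import Path
from typing import Dict, List

# Constructed: an operator uncommented the example admin=admin pair, added
# one real account, and left a role entry for a user who has no password.
SAMPLE_USERS = """\
# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin
ops=S3cure-pa55
"""
SAMPLE_ROLES = """\
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
ops=JBossAdmin
deploy=HttpInvoker
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value (or key:value), '#'/'!' comments.
    Commented-out lines such as '# admin=admin' are ignored, which is exactly the
    distinction the shipped default file relies on."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit(users: Dict[str, str], roles: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the users/roles pair."""
    findings: List[str] = []
    for user, password in users.items():
        if user == "admin" and password == "admin":
            findings.append("default admin=admin pair is active; the procedure says not to use it")
        elif not password or password == user:
            findings.append(f"user {user!r} has an empty or username-equal password")
        if user not in roles:
            findings.append(f"user {user!r} has no role mapping, so no console or invoker access")
    for user, role_list in roles.items():
        granted = sorted(r.strip() for r in role_list.split(",") if r.strip())
        if user not in users:
            findings.append(f"roles {granted} granted to {user!r}, who has no password entry")
    return findings


def audit_files(users_path: str, roles_path: str) -> List[str]:
    """Audit the two files on disk (assumed helper; paths are caller-supplied)."""
    return audit(parse_properties(Path(users_path).read_text()),
                 parse_properties(Path(roles_path).read_text()))


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_USERS), parse_properties(SAMPLE_ROLES)):
        print("FINDING:", finding)
```

A role entry for a user who has no password line is harmless on its own but usually means a stale or half-finished account change, which is why it is reported alongside the active default credentials.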

Comment 3 JBoss JIRA Server 2012-11-26 02:38:05 UTC
Scott Mumford <smumford> made a comment on jira JBPAPP-10089

Thanks Jason,

The new content has been added here:
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Consoles_and_Invokers.html

Let me know if I misunderstood how you intended it to be laid out.

Comment 4 JBoss JIRA Server 2012-11-26 02:40:15 UTC
Scott Mumford <smumford> updated the status of jira JBPAPP-10089 to Coding In Progress

Comment 5 JBoss JIRA Server 2012-11-26 06:51:36 UTC
Jason Shepherd <jshepherd> made a comment on jira JBPAPP-10089

Hi Scott,

Pretty close, except still needs a bit of tweaking:

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/How_to_Secure_the_JBoss_Server-The_Web_Console.html

The procedure to follow here is this one: "Task: Create jmx-console, admin-console, and http invoker user account"

"Task: Allow access to the JMX Invoker from remote hosts" is for the HTTP Invoker, so it should be moved to this page:

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/How_to_Secure_the_JBoss_Server-The_HTTP_Invokers.html

Also this procedure should be named "Task: Allow access to the HTTP Invoker from remote hosts"

Thanks!

Comment 6 JBoss JIRA Server 2012-11-28 01:21:37 UTC
Scott Mumford <smumford> made a comment on jira JBPAPP-10089

Thanks Jason.

I've made the changes and a new version is available at:
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Consoles_and_Invokers.html

If you can verify the content, please feel free to resolve and close this JIRA.

Thanks again for your input.

Comment 7 JBoss JIRA Server 2013-01-11 04:40:31 UTC
Russell Dickenson <rdickens> updated the status of jira JBPAPP-10089 to Resolved

Comment 8 JBoss JIRA Server 2013-01-11 04:40:31 UTC
Russell Dickenson <rdickens> made a comment on jira JBPAPP-10089

The requested changes have been made and are now awaiting confirmation that the document is now correct.

Comment 9 JBoss JIRA Server 2013-01-16 12:15:33 UTC
Josef Cacek <jcacek> updated the status of jira JBPAPP-10089 to Closed