Bug 864698

Summary: Security Guide instructions for Securing HTTP Invoker are actually for Securing JMX Invoker

Field | Value | Field | Value
---|---|---|---
Product: | [JBoss] JBoss Enterprise Application Platform 5 | Reporter: | Scott Mumford <smumford>
Component: | doc-JBoss_Security_Guide | Assignee: | Scott Mumford <smumford>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 5.2.0 | CC: | jskeoch, jwulf, mhideo
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-03-12 04:02:25 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description

Scott Mumford, 2012-10-09 23:02:13 UTC

Scott Mumford <smumford> made a comment on jira JBPAPP-10089

Based on the advice outlined above, the document now has two 'JMX Invoker' sections; one (21.6.3. JMX Invoker) which used to be the HTTP Invoker section, with references changed to JMX Invoker (as per advice), and the original one (21.6.4. JMX Invoker). [1]

A new version of the document (5.2.0-10) has been staged for SME input, needed to confirm which is the correct section to keep. Adding [~jshepher] for input. Jason, please review and advise. Once the correct content has been identified, the testing data will be added.

[1] http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Security_Guide/index.html#How_to_Secure_the_JBoss_Server-The_HTTP_Invokers

NOTE: At the time of writing this comment, the document at the link above had not updated after having been rebrewed, although the brew task succeeded without issue.

Jason Shepherd <jshepherd> made a comment on jira JBPAPP-10089

Hi Scott,

I don't think the new section has enough information. I would write it like this:

-------------------------

Chapter 21. Securing the Administrative Access Points

JBoss Enterprise Application Platform ships with several administrative access points that must be secured or removed to prevent unauthorized access to administrative functions in a deployment. This chapter discusses the various administration services, how to secure them, and how to disable authentication on these access points for development purposes.

21.1. JMX Console

The JMX Console is provided by the jmx-console.war file located in the deploy directory. It provides an HTML view into the JMX Microkernel and allows you to perform administrative actions such as shutting down the server, stopping services, deploying new services, etc. This service is secured by default, and permissions need to be granted to the 'jmx-console' security domain to allow access. Follow procedure 21.1 to allow access to it.

In order to remove it, delete the 'jmx-console' folder from the 'deploy' directory.

21.2. Admin Console

The Admin Console improves on the former Web Console, and is an embedded version of the JOPR project, which JBoss Operation Network is based on. This console allows access for users to deploy and undeploy applications, and should be secured or removed. It is secured by default, and you need to follow procedure 21.1 to allow access to it. It can be removed by deleting the 'admin-console' directory from the 'deploy' directory.

21.3. Web Console

The Web Console is a legacy console, from the EAP 4 series. The Admin Console is a more fully featured console. The Web Console is secured by default. The Web Console is secured by the web-console security domain which is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml. By default the web-console security domain uses the same security configuration as the jmx-console domain, so you need to follow the procedure 21.1 to allow access to it.

21.3. HTTP Invoker

The HTTP Invoker is a service that provides HTTP and Remote Method Invocation (RMI) access for EJBs and the JNDI Naming service. It is secured by the 'jmx-console' security domain, and you need to follow the procedure 21.1 to allow access to it.

21.4. JMX Invoker

This invoker exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. The JMX Invoker is secured by default in JBoss Enterprise Application Platform 5.1 and later, by restricting access to requests originating from the loopback network interface, or 'localhost'. To allow access to it from remote hosts, follow the procedure outlined in 21.2.

Procedure 21.1. Create jmx-console, admin-console, and http invoker user account

This procedure creates a user with access permissions to the admin and jmx consoles, and the http invoker. The jmx-console is secured by the jmx-console security domain which is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml. In order to allow access:

1. Add a username and password to $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties. Create a username = password pair.

   Default admin user configuration: The commented admin=admin username and password pair is an example of the username/password definition syntax. Do not use this for your user account.

2. Grant permissions to user. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties. Create an entry for the user of the form:

       username=JBossAdmin,HttpInvoker

   JBossAdmin: Grant the user permission to access the JMX Console and Admin Console.

   HttpInvoker: Grant the user permission to access the httpinvoker.

Procedure 21.3. Allow access to the JMX Invoker from remote hosts

To allow access on the hostName 'myservice.example.com', add a 'hostName' property to the invoker you wish to use, Pooled or non-Pooled. Be aware that 'myservice.example.com' must resolve to an IP Address served by this machine.

    <!-- RMI/JRMP invoker -->
    <bean class="org.jboss.services.binding.ServiceBindingMetadata">
        <property name="serviceName">jboss:service=invoker,type=jrmp</property>
        <property name="port">4444</property>
        <property name="description">Socket for the legacy RMI/JRMP invoker</property>
        <property name="hostName">myservice.example.com</property>
    </bean>

    <!-- Pooled invoker -->
    <bean class="org.jboss.services.binding.ServiceBindingMetadata">
        <property name="serviceName">jboss:service=invoker,type=pooled</property>
        <property name="port">4445</property>
        <property name="description">Socket for the legacy Pooled invoker</property>
        <property name="hostName">myservice.example.com</property>
    </bean>

Scott Mumford <smumford> made a comment on jira JBPAPP-10089

Thanks Jason,

The new content has been added here: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Consoles_and_Invokers.html

Let me know if I misunderstood how you intended it to be laid out.

Scott Mumford <smumford> updated the status of jira JBPAPP-10089 to Coding In Progress

Jason Shepherd <jshepherd> made a comment on jira JBPAPP-10089

Hi Scott,

Pretty close, except it still needs a bit of tweaking: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/How_to_Secure_the_JBoss_Server-The_Web_Console.html

The procedure to follow here is this one: "Task: Create jmx-console, admin-console, and http invoker user account"

"Task: Allow access to the JMX Invoker from remote hosts" is for the HTTP Invoker, so it should be moved to this page: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/How_to_Secure_the_JBoss_Server-The_HTTP_Invokers.html

Also this procedure should be named "Task: Allow access to the HTTP Invoker from remote hosts"

Thanks!

Scott Mumford <smumford> made a comment on jira JBPAPP-10089

Thanks Jason.

I've made the changes and a new version is available at: http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Consoles_and_Invokers.html

If you can verify the content, please feel free to resolve and close this JIRA. Thanks again for your input.

Russell Dickenson <rdickens> updated the status of jira JBPAPP-10089 to Resolved

Russell Dickenson <rdickens> made a comment on jira JBPAPP-10089

The requested changes have been made and are now awaiting confirmation that the document is now correct.

Josef Cacek <jcacek> updated the status of jira JBPAPP-10089 to Closed

Josef Cacek <jcacek> made a comment on jira JBPAPP-10089

Changes verified in http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Security_Guide/index.html#chap-Consoles_and_Invokers
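The procedure discussed in the thread edits two properties files by hand; a consistency check over that pair is a useful companion. The script below is an added example for this page, not code from the Security Guide or the JBoss project; the sample file contents, the role set and the finding messages are constructed here.

```python
"""Audit the jmx-console-users/roles.properties pair that Procedure 21.1 edits."""
# Constructed sample contents (not from the page), in the format of
# $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-*.properties.
USERS_PROPERTIES = """\
# Leave the shipped example pair commented out.
#admin=admin
opsadmin=ChangeMe-Not-This-Value
deployer=s3cret
"""
ROLES_PROPERTIES = """\
#admin=JBossAdmin,HttpInvoker
opsadmin=JBossAdmin,HttpInvoker
deployer=JBossAdmin,Deployer
"""
KNOWN_ROLES = {"JBossAdmin", "HttpInvoker"}  # the two roles the procedure names


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value; skips blanks and #/! comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            sep = min(seps)
            entries[line[:sep].strip()] = line[sep + 1:].strip()
    return entries


def audit(users_text, roles_text):
    """Return sorted findings; an empty list means the two files are consistent."""
    users = parse_properties(users_text)
    roles = {u: {r.strip() for r in v.split(",") if r.strip()}
             for u, v in parse_properties(roles_text).items()}
    findings = []
    if users.get("admin") == "admin":  # the example pair was uncommented as-is
        findings.append("default admin=admin account is active; remove it")
    for user in users:
        if user not in roles:
            findings.append(f"user '{user}' has credentials but no roles entry")
    for user, rset in roles.items():
        if user not in users:
            findings.append(f"user '{user}' has roles but no credentials entry")
        for role in sorted(rset - KNOWN_ROLES):
            findings.append(f"user '{user}' has role '{role}' not named in Procedure 21.1")
    return sorted(findings)
```

Run `audit()` on the contents of the real files after editing; on the constructed sample it reports only that 'deployer' carries a role the procedure does not define.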