Bug 864698 - Security Guide instructions for Securing HTTP Invoker are actually for Securing JMX Invoker
Security Guide instructions for Securing HTTP Invoker are actually for Securi...
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 5
Classification: JBoss
Component: doc-JBoss_Security_Guide (Show other bugs)
5.2.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Scott Mumford
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-09 19:02 EDT by Scott Mumford
Modified: 2013-03-12 00:02 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-12 00:02:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBPAPP-10089 Major Closed Security Guide instructions for Securing HTTP Invoker are actually for Securing JMX Invoker 2014-04-08 09:57:18 EDT

  None (edit)
Description Scott Mumford 2012-10-09 19:02:13 EDT
Investigations by Jason Shepherd surrounding JBPAPP-7410 have highlighted the fact that the content in the EAP docs suite regarding securing the HTTP Invoker is actually to do with the JMX Invoker.

Jason recommends renaming the section to "Securing the Legacy Invokers" and advises that, since the HTTP Invoker is secured by default in EAP 5.1 and later, no content is required to replace the HTTP Invoker topic.

This KBase article was provided as a reference point:
https://access.redhat.com/knowledge/solutions/45530
(Red Hat login required)

Jason has also advised that this procedure can be tested by using telnet to confirm "we only bind the service on 4444 and 4445 to localhost", should this be required in the documentation.

Resolving this issue will require:
* Changing the title of the content (as mentioned above)
* Changing references within the section from HTTP INvoker to JMX Invoker
* Confirming that the content accurately reflects what is in the reference article linked above.
* Requesting QA verification of the changes (including the testing advice if it is included).

NOTE
The content in question appears in the Installation Guide on the live docs site [1] but it has been moved to the Security Guide for the next release [2].

1 https://access.redhat.com/knowledge/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Installation_Guide/index.html#Adminstration_Console_User_Guide-Configuration-Security-HTTPInvoker

2 http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Security_Guide/index.html#Adminstration_Console_User_Guide-Configuration-Security-HTTPInvoker
Comment 1 JBoss JIRA Server 2012-11-20 00:01:49 EST
Scott Mumford <smumford@redhat.com> made a comment on jira JBPAPP-10089

Based on the advice outlined above, the document now has two 'JMX Invoker' sections;

One (21.6.3. JMX Invoker) which used to be the HTTP Invoker section, with references changed to JMX Invoker (as per advice) and the original one (21.6.4. JMX Invoker). [1]

A new version of the document (5.2.0-10) has been staged for SME input needed to confirm which is the correct section to keep. 
Adding [~jshepher] for input. Jason, please review and advise.

Once the correct content has been identified, the testing data will be added.

1 ; http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Security_Guide/index.html#How_to_Secure_the_JBoss_Server-The_HTTP_Invokers

NOTE; At the time of writing this comment, the document at the link above had not updated after having been rebrewed, although the brew task succeeded without issue.
Comment 2 JBoss JIRA Server 2012-11-20 19:11:37 EST
Jason Shepherd <jshepherd@redhat.com> made a comment on jira JBPAPP-10089

Hi Scott, 

I don't think the new section has enough information. I would write it like this:

-------------------------

Chapter 21. Securing the Administrative Access Points

JBoss Enterprise Application Platform ships with several administrative access points must be secured or removed to prevent unauthorized access to administrative functions in a deployment. This chapter discusses the various administration services, how to secure them, and how to disable authentication on these access points for developement purposes. 

21.1. JMX Console

The JMX Console is provided by the jmx-console.war file located in the deploy directory. It provides with an HTML view into the JMX Microkernel and allows you to perform administrative actions such as shutting down the server, stopping services, deploying new services, etc. This service is secured by default, and permissions need to be granted to the 'jmx-console' security domin to allow access. Follow procedure 21.1 to allow access to it. In order to remove it, delete the 'jmx-console' folder from the 'deploy' directory.

21.2. Admin Console

The Admin Console improves on the former Web Console, and is an embedded version of the JOPR project, which JBoss Operation Network is based on. This console allows access for users to deploy and undeploy applications, and should be secured or removed. It is secured by default, and you need to follow procedure 21.1 to allow access to it. It can be removed by deleting he 'admin-console' directory from the 'deploy' directory.

21.3 Web Console

The Web Console is a legacy console, from the EAP 4 series. The Admin Console is a more fully featured console. The Web Console is secured by default. The Web Console is secured by the web-console security domain which is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml. By default the web-console security domain uses the same security configuration as the jmx-console domain, so you need to follow the procedure 21.1 to allow access to it.

21.3. HTTP Invoker

The HTTP Invoker is a service that provides HTTP and Remote Method Invocation (RMI) access for EJBs and the JNDI Naming service. It is secured by the 'jmx-console' security domain, and you need to follow the precedure 21.1 to allow access to it.

21.4. JMX Invoker

This invoker exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. The JMX Invoker is secured by default in JBoss Enterprise Application Platform 5.1 and later, by restricting access to the request originating from the loopback network interface, or 'localhost'. To allow access to it from remote hosts, follow the procedure outlined in 21.2.

Procedure 21.1. Create jmx-console, admin-console, and http invoker user account

This procedure creates user with access permissions to the admin and jmx consoles, and the http invoker

    The jmx-console is secured by the jmx-console security domain which is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml. In order too allow access:

        Add a username and password to $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties.

        Create a username = password pair.
        Default admin user configuration

        The commented admin=admin username and password pair is an example of the username/password definition syntax. Do not use this for your user account.

    Grant permissions to user

        Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties.

        Create an entry for the user of the form:

        username=JBossAdmin,HttpInvoker

        JBossAdmin

            Grant the user permission to access the JMX Console and Admin Console.
        HttpInvoker

            Grant the user permission to access the httpinvoker

Procedure 21.3 Allow access to the JMX Invoker from remote hosts

   To allow access on the the hostName 'myservice.example.com', add a 'hostName' property to invoker you which to use. Pooled or non-Pooled. Be aware that 'myservice.example.com' most resolve to an IP Address served by this machine.

            <!-- RMI/JRMP invoker -->
            <bean class="org.jboss.services.binding.ServiceBindingMetadata">
               <property name="serviceName">jboss:service=invoker,type=jrmp</property>
               <property name="port">4444</property>
               <property name="description">Socket for the legacy RMI/JRMP invoker</property>
               <property name="hostName">myservice.example.com</property>
            </bean>

            <!-- Pooled invoker -->
            <bean class="org.jboss.services.binding.ServiceBindingMetadata">
               <property name="serviceName">jboss:service=invoker,type=pooled</property>
               <property name="port">4445</property>
               <property name="description">Socket for the legacy Pooled invoker</property>
               <property name="hostName">myservice.example.com</property>
            </bean>
Comment 3 JBoss JIRA Server 2012-11-25 21:38:05 EST
Scott Mumford <smumford@redhat.com> made a comment on jira JBPAPP-10089

Thanks Jason,

The new content has been added here:
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Consoles_and_Invokers.html

Let me know if I misunderstood how you intended it to be laid out.
Comment 4 JBoss JIRA Server 2012-11-25 21:40:15 EST
Scott Mumford <smumford@redhat.com> updated the status of jira JBPAPP-10089 to Coding In Progress
Comment 5 JBoss JIRA Server 2012-11-26 01:51:36 EST
Jason Shepherd <jshepherd@redhat.com> made a comment on jira JBPAPP-10089

Hi Scott,

Pretty close, except still needs a bit of tweaking:

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/How_to_Secure_the_JBoss_Server-The_Web_Console.html

The procedure to follow here is this one: "Task: Create jmx-console, admin-console, and http invoker user account"

"Task: Allow access to the JMX Invoker from remote hosts" is for the HTTP Invoker, so it should be moved to this page:

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/How_to_Secure_the_JBoss_Server-The_HTTP_Invokers.html

Also this procedure should be named "Task: Allow access to the HTTP Invoker from remote hosts"

Thanks!
Comment 6 JBoss JIRA Server 2012-11-27 20:21:37 EST
Scott Mumford <smumford@redhat.com> made a comment on jira JBPAPP-10089

Thanks Jason.

I've made the changes and a new version is available at:
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Consoles_and_Invokers.html

If you can verify the content, please feel free to resolve and close this JIRA.

Thanks again for your input.
Comment 7 JBoss JIRA Server 2013-01-10 23:40:31 EST
Russell Dickenson <rdickens@redhat.com> updated the status of jira JBPAPP-10089 to Resolved
Comment 8 JBoss JIRA Server 2013-01-10 23:40:31 EST
Russell Dickenson <rdickens@redhat.com> made a comment on jira JBPAPP-10089

The requested changes have been made and are now awaiting confirmation that the document is now correct.
Comment 9 JBoss JIRA Server 2013-01-16 07:15:33 EST
Josef Cacek <jcacek@redhat.com> updated the status of jira JBPAPP-10089 to Closed

Note You need to log in before you can comment on or make changes to this bug.