Fuse ESB Enterprise - Configuring and Running Fuse ESB Enterprise

Configuring Basic Security

Overview

The Fuse ESB Enterprise runtime is secured against network attack by default, because all of its exposed ports require user authentication and no users are defined initially. In other words, the Fuse ESB Enterprise runtime is remotely inaccessible by default.

If you want to access the runtime remotely, you must first customize the security configuration, as described here.

Before you start the container

If you want to enable remote access to the Fuse ESB Enterprise container, perform the following configuration steps before starting the container:

Create a secure JAAS user

By default, no JAAS users are defined for the container, which effectively disables remote access (it is impossible to log on).

To create a secure JAAS user, edit the InstallDir/etc/users.properties file and add a new user field, as follows:

Username=Password,admin

Where Username and Password are the new user credentials. The admin role gives this user the privileges to access all administration and management functions of the container. For more details about JAAS, see Configuring JAAS Security.

	Warning
	It is strongly recommended that you define custom user credentials with a strong password.

Configure the Apache ActiveMQ Web console (optional)

If you want to access the Apache ActiveMQ Web console (for remote administration of JMS messaging), you must provide the Web console servlet with the credentials it needs to login to the JMS broker.

Edit the InstallDir/etc/system.properties file and modify the webconsole.jmx.* and webconsole.jms.* properties as follows:

webconsole.jmx.user=Username
webconsole.jmx.password=Password
webconsole.jms.user=Username
webconsole.jms.password=Password

Where the Username and Password are the credentials of a JAAS user with admin privileges.

Ports exposed by the Fuse ESB Enterprise container

Figure 1 shows the ports exposed by the Fuse ESB Enterprise container by default.

Figure 1. Ports Exposed by the Fuse ESB Enterprise Container

The following ports are exposed by the container:

Console port—enables remote control of a container instance, through Apache Karaf shell commands. This port is enabled by default and is secured both by JAAS authentication and by SSL.
JMX port—enables management of the container through the JMX protocol. This port is enabled by default and is secured by JAAS authentication.
Web console port—provides access to an embedded Jetty container that can host Web console servlets. By default, the Web consoles are not installed in the container.

Enabling the remote console port

You can access the remote console port whenever both of the following conditions are true:

JAAS is configured with at least one set of login credentials.
The Fuse ESB Enterprise runtime has not been started in client mode (client mode disables the remote console port completely).

For example, to log on to the remote console port from the same machine where the container is running, enter the following command:

./client -u Username -p Password

Where the Username and Password are the credentials of a JAAS user with admin privileges. For more details, see Using Remote Connections to Manage a Container.

Strengthening security on the remote console port

You can employ the following measures to strengthen security on the remote console port:

Make sure that the JAAS user credentials have strong passwords.
Customize the X.509 certificate (replace the Java keystore file, InstallDir/etc/host.key, with a custom key pair).

Enabling the JMX port

The JMX port is enabled by default and secured by JAAS authentication. In order to access the JMX port, you must have configured JAAS with at least one set of login credentials. To connect to the JMX port, open a JMX client (for example, jconsole) and connect to the following JMX URI:

service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root

You must also provide valid JAAS credentials to the JMX client in order to connect.

	Note
	In general, the tail of the JMX URI has the format `/karaf-ContainerName`. If you change the container name from `root` to some other name, you must modify the JMX URI accordingly.

Enabling the Web console port

All of the Web consoles are installed as servlets in the container's embedded Jetty container. The Web consoles share the same HTTP server port, which is powered by Jetty. You can optionally enable the following Web consoles in Fuse ESB Enterprise:

Karaf Web console—is not installed by default. To enable the Karaf Web console, perform the following steps:
1. In a running Fuse ESB Enterprise instance (see Starting Fuse ESB Enterprise), enter the following console command:
```
karaf@root> features:install webconsole
```
2. In a Web browser, navigate to the following URL:
```
http://localhost:8181/system/console
```
3. The browser will prompt you to log on. Enter valid JAAS user credentials to access the console.

Apache ActiveMQ Web console—is not installed by default. To enable the Apache ActiveMQ Web console, perform the following steps:

Make sure that you have already configured the container's Java system properties, as described in Configure the Apache ActiveMQ Web console (optional).

	Note
	The Apache ActiveMQ Web console has a three tier architecture, as shown in Figure 1. The credentials provided in this step enable the middle tier (the Web console servlet) to log on to the back-end tier (the Apache ActiveMQ broker).

In a running Fuse ESB Enterprise instance, enter the following console command:
```
karaf@root> features:install mq-web-console
```
In a Web browser, navigate to the following URL:
```
http://localhost:8181/activemqweb
```
The browser will prompt you to log on. Enter valid JAAS user credentials to access the console.

Strengthening security on the Web console port

The Karaf Web console is already secured by JAAS authentication. To add SSL security, see Securing the Web Console in Security Guide.

Comments powered by Disqus