Chapter 7. Getting Started with JBoss Enterprise Application Platform 6

7.1. Add the Initial User for the Management Interfaces

Overview
The management interfaces in JBoss Enterprise Application Platform 6 are secured by default, and there is no default user. This is a security precaution, to prevent security breaches from remote systems due to simple configuration errors. Local non-HTTP access is protected by a SASL mechanism, with a negotiation happening between the client and server each time the client connects for the first time from the localhost.
This task describes how to create the initial administrative user, which can use the web-based Management Console and remote instances of the Management CLI to configure and administer JBoss Enterprise Application Platform 6 from remote systems. For more information about the default security configuration, refer to Section 7.8, “Default User Security Configuration”.

Note

HTTP communication with JBoss Enterprise Application Platform 6 is considered to be remote access, even if the traffic originates on the localhost. Therefore, you must create at least one user in order to be able to use the management console. If you attempt to access the management console before adding a user, you will receive an error because it does not even deploy until the user is added.

Procedure 7.1. Task

  1. Invoke the add-user.sh or add-user.bat script.

    Change to the EAP_HOME/bin/ directory. Invoke the appropriate script for your operating system.
    Red Hat Enterprise Linux
    [user@host bin]$ ./add-user.sh
    Microsoft Windows Server
    C:\bin>  add-user.bat
  2. Choose to add a Management user.

    Select option a to add a Management user. This user is added to the ManagementRealm and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. The other choice, b, adds a user to the ApplicationRealm, and provides no particular permissions. That realm is provided for use with applications.
  3. Choose the realm for the user.

    The next prompt refers to the realm where the user will be added. For a user with permissions to manage JBoss Enterprise Application Platform 6, choose the default, which is ManagementRealm.
  4. Enter the desired username and password.

    When prompted, enter the security realm, username and password. Pressing ENTER selects the default realm of ManagementRealm, which allows the user to administer JBoss Enterprise Application Platform 6 using the management interfaces. You must add at least one user to this realm. You are prompted to confirm the information. If you are satisfied, type yes .
  5. Choose whether the user represents a remote JBoss Enterprise Application Platform 6 server instance.

    Besides administrators, the other type of user which occasionally needs to be added to JBoss Enterprise Application Platform 6 in the ManagementRealm is a user representing another instance of JBoss Enterprise Application Platform 6, which needs to be able to authenticate to join a cluster as a member. The next prompt allows you to designate your added user for this purpose. If you select yes, you will be given a hashed secret value, representing the user's password, which would need to be added to a different configuration file. For the purposes of this task, answer no to this question.
  6. Enter additional users.

    You can enter additional users if desired, by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations.
  7. Create users non-interactively.

    You can create users non-interactively, by passing in each parameter at the command line. This approach is not recommended on shared systems, because the passwords will be visible in log and history files. The syntax for the command, using the management realm, is:
    [user@host bin]$ ./add-user.sh username password
    To use the application realm, use the -a parameter.
    [user@host bin]$ ./add-user.sh -a username password
Result
Any users you add are activated within the security realms you have specified. Users active within the ManagementRealm realm are able to manage JBoss Enterprise Application Platform 6 from remote systems.