Chapter 9. Post Installation Configuration
9.1. Post Installation Security Configuration
When installed from the zip archive, authentication is required to access the majority of JBoss services, including administrative services. Consoles are secured by the JAAS security domain "jmx-console". At installation this security domain has no user accounts. This is to eliminate the possibility of default username/password based attacks. Refer to Procedure 9.1, “Create jmx-console, admin-console, and http invoker user account” to create a user account to access the consoles.
To disable authentication (useful for development, but not recommended for production), refer to Appendix A, Disabling Authentication.
When installed via the graphical installer, a JAAS security domain and a user account are created as part of the install process. Even if you change the name of the JAAS security domain during installation, the users are stored in the same place. Follow the instructions in Procedure 9.1, “Create jmx-console, admin-console, and http invoker user account” to edit your user account or to create a new one.
9.1.1. Security Configuration: JMX Console, Admin Console, HttpInvoker
Procedure 9.1. Create jmx-console, admin-console, and http invoker user account
This procedure creates a user with access to the Admin Console, the JMX Console and the HTTP Invoker.
Create a user in the default JAAS security domain
- Edit the file jboss-as-web/server/$PROFILE/conf/props/jmx-console-users.properties.
- Add a username=password pair, one per line.
Default admin user configuration
The commented-out admin=admin entry is an example of the username=password syntax. Leave it commented out and do not reuse it for your own account. Passwords in this file are stored in clear text, so restrict read access to the file.
Grant permissions to user
- Edit the file jboss-as-web/server/$PROFILE/conf/props/jmx-console-roles.properties.
- Add an entry for the user of the form:
    username=JBossAdmin,HttpInvoker
- JBossAdmin: grants the user access to the JMX Console and the Admin Console.
- HttpInvoker: grants the user access to the HTTP Invoker.
Important
The authentication system applied to the JMX Console, Admin Console and Web Console does not block brute-force password attacks. It is recommended that in production environments, JBoss servers are protected by firewalls or reverse proxies that include measures to mitigate brute force attacks.
9.1.2. Securing the HTTPInvoker
The HTTP Invoker is a service that provides HTTP and Remote Method Invocation (RMI) access for EJBs and the JNDI Naming service. Secure this service to prevent unauthorized access.
Procedure 9.2. Secure the HTTP Invoker
Defining security constraints
The server/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml or server/$PROFILE/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml file (depending on your server profile) must place the JNDIFactory, EJBInvokerServlet and JMXInvokerServlet paths under a security constraint, so the security-constraint element should be similar to:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the
          role HttpInvoker to access the HTTP invoker servlets</description>
        <url-pattern>/restricted/*</url-pattern>
        <url-pattern>/JNDIFactory/*</url-pattern>
        <url-pattern>/EJBInvokerServlet/*</url-pattern>
        <url-pattern>/JMXInvokerServlet/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HttpInvoker</role-name>
      </auth-constraint>
    </security-constraint>

Listing http-method elements limits the constraint to those methods: a request that uses any other method (HEAD, for example) reaches the servlets without authentication. Removing the two http-method lines makes the constraint apply to every method.
Define an associated security domain
Add the following fragment to WEB-INF/jboss-web.xml in the same invoker.war (not to web.xml, whose root element is web-app), so that the constraint above is checked against the jmx-console users and roles files:

    <jboss-web>
      <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>
Binding the jmx-invoker to localhost
Note
Binding the jmx-invoker to localhost is highly recommended for security, but makes it unavailable for use remotely. Clients on other hosts can then reach the invokers only through the HTTP invoker servlets, which is why those servlets need the security constraint above.
- Edit server/$PROFILE/conf/jboss-service.xml so that the ServerAddress of the RMI/JRMP invoker is localhost, as in the following snippet:

    <!-- RMI/JRMP invoker -->
    <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
           name="jboss:service=invoker,type=jrmp">
      <attribute name="RMIObjectPort">4444</attribute>
      <attribute name="ServerAddress">localhost</attribute>
      ....

- Add the following lines inside the server element of server/$PROFILE/deploy/jmx-invoker-service.xml:

    <!-- A pooled invoker bound to localhost -->
    <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
           name="jboss:service=invoker,type=pooled,host=localhost">
      <attribute name="NumAcceptThreads">1</attribute>
      <attribute name="MaxPoolSize">300</attribute>
      <attribute name="ClientMaxPoolSize">300</attribute>
      <attribute name="SocketTimeout">60000</attribute>
      <attribute name="ServerBindAddress">localhost</attribute>
      <attribute name="ServerBindPort">4443</attribute>
      <attribute name="ClientConnectAddress">localhost</attribute>
      <attribute name="ClientConnectPort">0</attribute>
      <attribute name="ClientRetryCount">1</attribute>
      <attribute name="EnableTcpNoDelay">false</attribute>
      <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
    </mbean>

- In the <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" ...> section of the same file, change the InvokerName dependency so that it points at the new pooled invoker:

    <depends optional-attribute-name="InvokerName">
      jboss:service=invoker,type=pooled,host=localhost
    </depends>
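The following shell script is an added example, not part of the JBoss documentation or the project's own tooling. It checks that the four edits of Procedure 9.2 are actually present: the invoker servlet paths are under a security constraint limited to the HttpInvoker role, invoker.war is attached to the jmx-console security domain, both invokers are bound to localhost, and the JRMPProxyFactory points at the pooled invoker. The XML files it writes are constructed, trimmed samples that mirror the procedure's fragments; the check_* functions are meant to be pointed at the real files under server/$PROFILE.

```sh
#!/bin/sh
# Added example, not from the JBoss documentation: verify that the four edits of
# Procedure 9.2 are in place. The XML files written to $tmp are constructed,
# trimmed samples that mirror the procedure's fragments; run the check_* functions
# against the real files under server/$PROFILE instead.

# Return 1 unless every invoker servlet path is a url-pattern and the constraint
# is restricted to the HttpInvoker role.
check_invoker_constraint() {
    rc=0
    for p in '/JNDIFactory/*' '/EJBInvokerServlet/*' '/JMXInvokerServlet/*'; do
        grep -Fq "<url-pattern>$p</url-pattern>" "$1" \
            || { echo "FAIL: $p is not under a security constraint in $1"; rc=1; }
    done
    grep -Fq "<role-name>HttpInvoker</role-name>" "$1" \
        || { echo "FAIL: no auth-constraint for role HttpInvoker in $1"; rc=1; }
    return $rc
}

# Return 0 if jboss-web.xml ($1) attaches the war to the jmx-console security domain.
check_security_domain() {
    grep -Fq "<security-domain>java:/jaas/jmx-console</security-domain>" "$1"
}

# Return 0 if attribute $2 (ServerAddress or ServerBindAddress) in file $1 is localhost.
check_bound_to_localhost() {
    grep -Eq "<attribute name=\"$2\">[[:space:]]*localhost[[:space:]]*</attribute>" "$1"
}

# Return 0 if the JRMPProxyFactory's InvokerName dependency names the pooled,
# localhost-bound invoker. Whitespace is squeezed first because the value may
# sit on its own line, as it does in the procedure.
check_proxy_uses_pooled() {
    tr '\n\t' '  ' < "$1" | tr -s ' ' \
        | grep -Eq 'InvokerName"> ?jboss:service=invoker,type=pooled,host=localhost ?</depends>'
}

tmp=$(mktemp -d)
cat > "$tmp/web.xml" <<'EOF'
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
      <url-pattern>/JNDIFactory/*</url-pattern>
      <url-pattern>/EJBInvokerServlet/*</url-pattern>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>
EOF
cat > "$tmp/jboss-web.xml" <<'EOF'
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
EOF
cat > "$tmp/jboss-service.xml" <<'EOF'
<server>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker" name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
    <attribute name="ServerAddress">localhost</attribute>
  </mbean>
</server>
EOF
cat > "$tmp/jmx-invoker-service.xml" <<'EOF'
<server>
  <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
         name="jboss:service=invoker,type=pooled,host=localhost">
    <attribute name="ServerBindAddress">localhost</attribute>
    <attribute name="ServerBindPort">4443</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory">
    <depends optional-attribute-name="InvokerName">
      jboss:service=invoker,type=pooled,host=localhost
    </depends>
  </mbean>
</server>
EOF
# An unhardened copy for contrast: the proxy factory still points at the JRMP invoker.
cat > "$tmp/jmx-invoker-service.stock.xml" <<'EOF'
<server>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory">
    <depends optional-attribute-name="InvokerName">jboss:service=invoker,type=jrmp</depends>
  </mbean>
</server>
EOF

check_invoker_constraint "$tmp/web.xml" && echo "ok: invoker servlets constrained"
check_security_domain "$tmp/jboss-web.xml" && echo "ok: jmx-console security domain"
check_bound_to_localhost "$tmp/jboss-service.xml" ServerAddress && echo "ok: JRMP invoker on localhost"
check_bound_to_localhost "$tmp/jmx-invoker-service.xml" ServerBindAddress && echo "ok: pooled invoker on localhost"
check_proxy_uses_pooled "$tmp/jmx-invoker-service.xml" && echo "ok: proxy factory uses pooled invoker"
check_proxy_uses_pooled "$tmp/jmx-invoker-service.stock.xml" || echo "stock file: proxy factory still uses the JRMP invoker"
```

The checks are deliberately literal (grep on the exact elements the procedure tells you to write) rather than a full XML parse, so a value that was edited in a different form, for example with the bind address pulled from a system property, reports as a failure and deserves a manual look instead of a pass.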
9.1.3. Security Configuration: Web Console
Procedure 9.3. Create web console user account
This procedure creates a user with access to the Web Console.
Create a user in the web-console JAAS security domain
- Edit the file web-console-users.properties in jboss-as-web/server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/.
- Add a username=password pair, one per line.
Default admin user configuration
The commented-out admin=admin entry is an example of the username=password syntax. Leave it commented out and do not reuse it for your own account. Passwords in this file are stored in clear text, so restrict read access to the file.
Grant permissions to user
- Edit the file web-console-roles.properties in jboss-as/server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/.
- Add an entry for the user of the form:
    username=JBossAdmin,HttpInvoker
- JBossAdmin: grants the user access to the Web Console.
- HttpInvoker: grants the user access to the HTTP Invoker.
Important
The authentication system applied to the JMX Console, Admin Console and Web Console does not block brute-force password attacks. It is recommended that in production environments, JBoss servers are protected by firewalls or reverse proxies that include measures to mitigate brute force attacks.
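The following shell script is an added example, not part of the JBoss documentation, that audits a users/roles properties pair as left by Procedure 9.1 (jmx-console-users.properties and jmx-console-roles.properties) or Procedure 9.3 (the web-console pair, which uses the same format). It lists the active accounts, fails if the shipped admin=admin example has been uncommented or any account has an empty password, and fails if an account in the users file has no line in the roles file. The sample files it writes are constructed for the demonstration; point the functions at the real files instead.

```sh
#!/bin/sh
# Added example, not from the JBoss documentation: audit a UsersRolesLoginModule
# properties pair (users + roles) after Procedure 9.1 or 9.3. The sample files
# written to $tmp are constructed for this demo; point the functions at the real
# jmx-console-*.properties or web-console-*.properties files instead.

# Print the active (uncommented, non-blank) user names of users file $1, one per line.
active_users() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1" | cut -d= -f1 | sed 's/[[:space:]]*$//'
}

# Return 1 if the shipped example account admin=admin is active (uncommented) in $1.
check_no_default_admin() {
    if grep -Eq '^[[:space:]]*admin[[:space:]]*=[[:space:]]*admin[[:space:]]*$' "$1"; then
        echo "FAIL: default admin=admin account is enabled in $1"
        return 1
    fi
    return 0
}

# Return 1 if any active user line in $1 has an empty password.
check_no_empty_password() {
    if grep -Eq '^[[:space:]]*[^#[:space:]][^=]*=[[:space:]]*$' "$1"; then
        echo "FAIL: a user in $1 has an empty password"
        return 1
    fi
    return 0
}

# Return 1 if a user from users file $1 has no line in roles file $2.
check_roles_assigned() {
    rc=0
    for u in $(active_users "$1"); do
        grep -Eq "^[[:space:]]*$u[[:space:]]*=" "$2" || { echo "FAIL: $u has no roles in $2"; rc=1; }
    done
    return $rc
}

# Print the roles granted to user $2 in roles file $1, one per line.
user_roles() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | cut -d= -f2- | tr ',' '\n' | tr -d ' \t'
}

# Constructed samples: a hardened users/roles pair and an unhardened users file.
tmp=$(mktemp -d)
cat > "$tmp/jmx-console-users.properties" <<'EOF'
# Users for the jmx-console security domain (cleartext, so keep this file mode 0600)
# admin=admin
opsadmin=Correct-Horse-Battery-9
EOF
cat > "$tmp/jmx-console-roles.properties" <<'EOF'
# admin=JBossAdmin,HttpInvoker
opsadmin=JBossAdmin,HttpInvoker
EOF
cat > "$tmp/bad-users.properties" <<'EOF'
admin=admin
guest=
EOF

for f in "$tmp/jmx-console-users.properties" "$tmp/bad-users.properties"; do
    check_no_default_admin "$f" && check_no_empty_password "$f" && echo "ok: $f"
done
check_roles_assigned "$tmp/jmx-console-users.properties" "$tmp/jmx-console-roles.properties" \
    && echo "ok: every user has roles"
echo "roles for opsadmin:"
user_roles "$tmp/jmx-console-roles.properties" opsadmin
```

The role check only confirms that each account has some role line; whether those roles should include HttpInvoker is a decision per account, since that role also opens the HTTP Invoker, not just the console.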
9.1.4. Security Configuration: JBoss Messaging
JBoss Messaging makes internal connections between nodes in order to redistribute messages between clustered destinations. These connections are made with the user name of a special reserved user whose password is set by the suckerPassword property in messaging-jboss-beans.xml. Anyone who knows that password can connect as the reserved user, so replace the value shipped with the distribution before the server is reachable by clients; every node in a cluster must use the same value. The password is stored in clear text, so restrict read access to the file as well.
Procedure 9.4. Set suckerPassword for JBoss Messaging
This procedure sets the password used by JBoss Messaging in a clustered environment.
- Edit the file jboss-as-web/server/$PROFILE/deploy/messaging/messaging-jboss-beans.xml.
- Change the suckerPassword value to a long random string.
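The following shell script is an added example, not part of the JBoss documentation, that performs Procedure 9.4 and then verifies the result: it generates a random value from /dev/urandom, writes it into the suckerPassword property, fails if the value is still unset or still the shipped placeholder, and fails if the file is world-readable. The bean layout in the sample file is an assumption about messaging-jboss-beans.xml (the functions key only on the <property name="suckerPassword"> element), and the "CHANGE ME!!" placeholder is the value JBoss Messaging 1.4 ships; compare both with your own file before relying on the check.

```sh
#!/bin/sh
# Added example, not from the JBoss documentation: rotate the JBoss Messaging
# suckerPassword and verify it is no longer the shipped value. The bean layout in
# the sample below is an assumption about messaging-jboss-beans.xml (only the
# <property name="suckerPassword"> element matters to the functions), and the
# "CHANGE ME!!" placeholder is the value JBoss Messaging 1.4 ships.

# Print 48 hex characters (24 random bytes) from the kernel RNG.
gen_password() { head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Print the current suckerPassword value from file $1 (empty if not set).
sucker_password() {
    sed -n 's/.*<property name="suckerPassword">\([^<]*\)<\/property>.*/\1/p' "$1" | head -n 1
}

# Return 1 if the password in $1 is unset, is the shipped placeholder, or is short.
check_sucker_password() {
    pw=$(sucker_password "$1")
    if [ -z "$pw" ] || [ "$pw" = "CHANGE ME!!" ]; then
        echo "FAIL: suckerPassword is unset or still the shipped placeholder in $1"; return 1
    fi
    if [ "${#pw}" -lt 16 ]; then
        echo "FAIL: suckerPassword in $1 is shorter than 16 characters"; return 1
    fi
    return 0
}

# Return 1 if file $1 is readable by "other": it holds a cleartext password.
check_not_world_readable() {
    if find "$1" -perm -004 | grep -q .; then
        echo "FAIL: $1 is world-readable"; return 1
    fi
    return 0
}

# Replace the suckerPassword value in file $1 with $2. Writes a new file and
# moves it into place (portable, unlike sed -i), so fix the mode afterwards.
set_sucker_password() {
    sed "s|<property name=\"suckerPassword\">[^<]*</property>|<property name=\"suckerPassword\">$2</property>|" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample in the assumed layout; stock.xml keeps the unchanged copy for contrast.
tmp=$(mktemp -d)
cat > "$tmp/messaging-jboss-beans.xml" <<'EOF'
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
    <property name="suckerPassword">CHANGE ME!!</property>
    <property name="securityDomain">messaging</property>
  </bean>
</deployment>
EOF
cp "$tmp/messaging-jboss-beans.xml" "$tmp/stock.xml"

check_sucker_password "$tmp/messaging-jboss-beans.xml" || echo "(expected on a stock file)"
newpw=$(gen_password)
set_sucker_password "$tmp/messaging-jboss-beans.xml" "$newpw"
chmod 600 "$tmp/messaging-jboss-beans.xml"
check_sucker_password "$tmp/messaging-jboss-beans.xml" \
    && check_not_world_readable "$tmp/messaging-jboss-beans.xml" \
    && echo "ok: suckerPassword rotated and file locked down; set the same value on every cluster node"
```

The generated value is hex so that it needs no XML escaping and contains none of the characters sed treats specially in the replacement; if you choose your own password instead, escape &, \ and | before passing it to set_sucker_password, or edit the file by hand.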