Red Hat Training

A Red Hat training course is available for Red Hat Fuse

Chapter 3. Basic Security

Abstract

This chapter describes the basic steps to configure security before you start Red Hat JBoss Fuse for the first time. By default, JBoss Fuse is secure, but none of its services are remotely accessible. This chapter explains how to enable secure access to the ports exposed by JBoss Fuse.

3.1. Configuring Basic Security

Overview

The Red Hat JBoss Fuse runtime is secured against network attack by default, because all of its exposed ports require user authentication and no users are defined initially. In other words, the Red Hat JBoss Fuse runtime is remotely inaccessible by default.
If you want to access the runtime remotely, you must first customize the security configuration, as described here.

Before you start the container

If you want to enable remote access to the JBoss Fuse container, you must create a secure JAAS user before starting the container:

Create a secure JAAS user

By default, no JAAS users are defined for the container, which effectively disables remote access (it is impossible to log on).
To create a secure JAAS user, edit the InstallDir/etc/users.properties file and add a new user field, as follows:
Username=Password,admin
Where Username and Password are the new user credentials. The admin role gives this user the privileges to access all administration and management functions of the container. For more details about JAAS, see Chapter 14, Configuring JAAS Security.
Warning
It is strongly recommended that you define custom user credentials with a strong password.

Ports exposed by the Red Hat JBoss Fuse container

Figure 3.1, “Ports Exposed by the Red Hat JBoss Fuse Container” shows the ports exposed by the JBoss Fuse container by default.

Figure 3.1. Ports Exposed by the Red Hat JBoss Fuse Container

The following ports are exposed by the container:
  • Console port—enables remote control of a container instance, through Apache Karaf shell commands. This port is enabled by default and is secured both by JAAS authentication and by SSH.
  • JMX port—enables management of the container through the JMX protocol. This port is enabled by default and is secured by JAAS authentication.
  • Web console port—provides access to an embedded Jetty container that can host Web console servlets. By default, the Fuse Management Console is installed in the Jetty container.

Enabling the remote console port

You can access the remote console port whenever both of the following conditions are true:
  • JAAS is configured with at least one set of login credentials.
  • The JBoss Fuse runtime has not been started in client mode (client mode disables the remote console port completely).
For example, to log on to the remote console port from the same machine where the container is running, enter the following command:
./client -u Username -p Password
Where the Username and Password are the credentials of a JAAS user with admin privileges. For more details, see Chapter 8, Using Remote Connections to Manage a Container.

Strengthening security on the remote console port

You can employ the following measures to strengthen security on the remote console port:
  • Make sure that the JAAS user credentials have strong passwords.
  • Customize the X.509 certificate (replace the Java keystore file, InstallDir/etc/host.key, with a custom key pair).

Enabling the JMX port

The JMX port is enabled by default and secured by JAAS authentication. In order to access the JMX port, you must have configured JAAS with at least one set of login credentials. To connect to the JMX port, open a JMX client (for example, jconsole) and connect to the following JMX URI:
service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root
You must also provide valid JAAS credentials to the JMX client in order to connect.
Note
In general, the tail of the JMX URI has the format /karaf-ContainerName. If you change the container name from root to some other name, you must modify the JMX URI accordingly.

Strengthening security on the Fuse Management Console port

The Fuse Management Console is already secured by JAAS authentication. To add SSL security, see chapter "Securing the Jetty HTTP Server" in "Security Guide".