⁠Chapter 6. Common Configuration

Procedure 6.1. Manage Network Firewalls and JBoss EAP 6 to work together

1. Log into the Management Console.

   Log into the Management Console. By default, it runs on http://localhost:9990/console/.

2. Determine the socket bindings used by the socket binding group.

   1. Click the Configuration label at the top of the Management Console.
   2. Expand the General Configuration menu. Select the Socket Binding.
   3. The Socket Binding Declarations screen appears. Initially, the standard-sockets group is shown. Choose a different group by selecting it from the combo box on the right-hand side.

   Note

   If you use a standalone server, it has only one socket binding group.
   The list of socket names and ports is shown, eight values per page. You can go through the pages by using the arrow navigation below the table.

3. Determine the ports you need to open.

   Depending on the function of the particular port and the requirements of your environment, some ports may need to be opened on your firewall.

4. Configure your firewall to forward traffic to JBoss EAP 6.

   Perform these steps to configure your network firewall to allow traffic on the desired port.
   1. Log into your firewall machine and access a command prompt, as the root user.
   2. Issue the command system-config-firewall to launch the firewall configuration utility. A GUI or command-line utility launches, depending on the way you are logged into the firewall system. This task makes the assumption that you are logged in via SSH and using the command-line interface.
   3. Use the TAB key on your keyboard to navigate to the Customize button, and press the ENTER key. The Trusted Services screen appears.
   4. Do not change any values, but use the TAB key to navigate to the Forward button, and press ENTER to advanced to the next screen. The Other Ports screen appears.
   5. Use the TAB key to navigate to the <Add> button, and press ENTER. The Port and Protocol screen appears.
   6. Enter 5445 in the Port / Port Range field, then use the TAB key to move to the Protocol field, and enter tcp. Use the TAB key to navigate to the OK button, and press ENTER.
   7. Use the TAB key to navigate to the Forward button until you reach the Port Forwarding screen.
   8. Use the TAB key to navigate to the <Add> button, and press the ENTER key.
   9. Fill in the following values to set up port forwarding for port 5445.
      • Source interface: eth1
      • Protocol: tcp
      • Port / Port Range: 5445
      • Destination IP address: 10.1.1.2
      • Port / Port Range: 5445
      Use the TAB key to navigate to the OK button, and press ENTER.
   10. Use the TAB key to navigate to the Close button, and press ENTER.
   11. Use the TAB key to navigate to the OK button, and press ENTER. To apply the changes, read the warning and click Yes.

5. Configure a firewall on your JBoss EAP 6 host.

   Some organizations choose to configure a firewall on the JBoss EAP 6 server itself, and close all ports that are not necessary for its operation. See Section 6.1, “Network Ports Used By JBoss EAP 6” and determine which ports to open, then close the rest. The default configuration of Red Hat Enterprise Linux 6 closes all ports except 22 (used for Secure Shell (SSH) and 5353 (used for multicast DNS). While you are configuring ports, ensure you have physical access to your server so that you do not inadvertently lock yourself out.

Procedure 6.2. Configuring Firewall on Microsoft Windows using PowerShell

1. Switch off firewall for debug purpose to determine whether the current network behavior is related to the firewall configuration.

   Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall set allprofiles state off"'

2. Allow UDP connections on port 23364. For example:

   Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall firewall add rule name="UDP Port 23364" dir=in  action=allow protocol=UDP localport=23364"'
   Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall firewall add rule name="UDP Port 23364" dir=out action=allow protocol=UDP localport=23364"'

Procedure 6.3. Configure the Firewall on Red Hat Enterprise Linux 7 to Allow mod_cluster Advertising

• To allow mod_cluster advertising on Red Hat Enterprise Linux 7, you must enable the UDP port in the firewall as follows:

  firewall-cmd --permanent --zone=public --add-port=23364/udp

  Note

  224.0.1.105:23364 is the default address and port for mod_cluster balancer advertising UDP multicast.

Procedure 6.4. Create the Initial Administrative User for the Remote Management Interfaces

1. Run the add-user.sh or add-user.bat script.

   Change to the EAP_HOME/bin/ directory. Invoke the appropriate script for your operating system.

   Red Hat Enterprise Linux

   [user@host bin]$ ./add-user.sh

   Microsoft Windows Server

   C:\bin>  add-user.bat

2. Choose to add a Management user.

   Press ENTER to select the default option a to add a Management user.
   This user is added to the ManagementRealm and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. The other choice, b, adds a user to the ApplicationRealm, and provides no particular permissions. That realm is provided for use with applications.

3. Enter the desired username and password.

   When prompted, enter the username and password. You will be prompted to confirm the password.

4. Enter group information.

   Add the group or groups to which the user belongs. If the user belongs to multiple groups, enter a comma-separated list. Leave it blank if you do not want the user to belong to any groups.

5. Review the information and confirm.

   You are prompted to confirm the information. If you are satisfied, type yes.

6. Choose whether the user represents a remote JBoss EAP 6 server instance.

   Besides administrators, the other type of user which occasionally needs to be added to JBoss EAP 6 in the ManagementRealm is a user representing another instance of JBoss EAP 6, which must be able to authenticate to join a cluster as a member. The next prompt allows you to designate your added user for this purpose. If you select yes, you will be given a hashed secret value, representing the user's password, which would need to be added to a different configuration file. For the purposes of this task, answer no to this question.

7. Enter additional users.

   You can enter additional users if desired, by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations.

8. Create users non-interactively.

   You can create users non-interactively, by passing in each parameter at the command line. This approach is not recommended on shared systems, because the passwords will be visible in log and history files. The syntax for the command, using the management realm, is:

   [user@host bin]$ ./add-user.sh username password

   To use the application realm, use the -a parameter.

   [user@host bin]$ ./add-user.sh -a username password

9. You can suppress the normal output of the add-user script by passing the --silent parameter. This applies only if the minimum parameters username and password have been specified. Error messages will still be shown.