2.5. Configuration Requirements

The following sections describe the modifications that must be made to the production server configuration to comply with CC requirements. Back up the production configuration before making any of the changes shown in the following subsections.
Backing up the production configuration simply involves making a copy of the ${JBOSS_HOME}/server/production directory. On Microsoft Windows you can use Windows Explorer to copy-paste the folder and rename the copy to production.backup. On UNIX or Linux, issue the following command (the -p flag preserves ownership, permissions and timestamps, so the backup can be restored as-is):
cp -pr ${JBOSS_HOME}/server/production ${JBOSS_HOME}/server/production.backup
If the backup is unavailable, the original files can always be retrieved from the installation files.

2.5.1. Setup Configuration

The following configuration steps must be performed to ensure compliance with Common Criteria requirements.
  1. Disable Simple Network Management Protocol (SNMP)
    Delete the directory ${JBOSS_HOME}/server/production/deploy/snmp-adaptor.sar
    $ rm -rf ${JBOSS_HOME}/server/production/deploy/snmp-adaptor.sar
  2. Disable Remote Method Invocation (RMI) over the Internet Inter-ORB Protocol (IIOP)
    To disable RMI/IIOP, delete the following files:
    • ${JBOSS_HOME}/server/production/conf/jacorb.properties
    • ${JBOSS_HOME}/server/production/deploy/iiop-service.xml
    • ${JBOSS_HOME}/server/production/lib/jacorb.jar
    • ${JBOSS_HOME}/server/production/lib/jboss-iiop.jar
    $ rm ${JBOSS_HOME}/server/production/conf/jacorb.properties
    $ rm ${JBOSS_HOME}/server/production/deploy/iiop-service.xml
    $ rm ${JBOSS_HOME}/server/production/lib/jacorb.jar
    $ rm ${JBOSS_HOME}/server/production/lib/jboss-iiop.jar
  3. Disable the AJP connector in JBoss Web.
    AJP (port 8009) is the connector used by a front-end Apache httpd with mod_jk or mod_proxy_ajp; it is not used in the evaluated configuration. Comment out the following section (the whole <Connector .../> element, wrapped in <!-- and -->) in ${JBOSS_HOME}/server/production/deploy/jboss-web.deployer/server.xml:
    <Connector port="8009" address="${jboss.bind.address}" 
    protocol="AJP/1.3" emptySessionPath="true" 
    enableLookups="false" redirectPort="8443" />
  4. Disable the Clustering High-Availability JNDI (HA-JNDI) service (port 1102)
    1. Delete the file ${JBOSS_HOME}/server/production/deploy/hajndi-jms-ds.xml, which binds the JMS provider through HA-JNDI:
      rm ${JBOSS_HOME}/server/production/deploy/hajndi-jms-ds.xml
    2. Replace it with the non-clustered jms-ds.xml from the default configuration, so that JMS is looked up through the local JNDI server instead:
      cp -p ${JBOSS_HOME}/server/default/deploy/jms-ds.xml ${JBOSS_HOME}/server/production/deploy/
    3. In the file ${JBOSS_HOME}/server/production/deploy/cluster-service.xml, comment out the complete MBean definitions (each <mbean> element through its closing </mbean> tag) that begin as follows. XML comments cannot be nested, so remove any comments that already sit inside these elements before wrapping them in <!-- and -->:
      <mbean code="org.jboss.ha.jndi.HANamingService"
        name="jboss:service=HAJNDI">
      <mbean code="org.jboss.invocation.unified.server.UnifiedInvokerHA"
        name="jboss:service=invoker,type=unifiedha">
      <mbean code="org.jboss.invocation.pooled.server.PooledInvokerHA"
        name="jboss:service=invoker,type=pooledha">
      <mbean 
       code="org.jboss.cache.invalidation.bridges.JGCacheInvalidationBridge"
       name="jboss.cache:service=InvalidationBridge,type=JavaGroups">
  5. Use password hashing and do not store plain-text passwords on the server.
    Refer to the JBoss Enterprise Application Platform Configuration Guide, Chapter 8, Section 5.3.2, Password Hashing, for details on configuring this: http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.3/doc/Server_Configuration_Guide/html/Using_JBoss_Login_Modules-Password_Hashing.html
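The steps above are manual edits, and a CC-evaluated configuration has to be checked, not just applied. The following script is an added example, not part of the Red Hat guide or the JBoss distribution: it performs the backup from Section 2.5 and steps 1 to 4 of this section against a ${JBOSS_HOME}, then audits the tree so the same check can be repeated after every maintenance window. It assumes the directory layout quoted in this section and a POSIX sh with awk; the function names, the "disabled for CC compliance" comment marker and the constructed mock tree built by make_mock_jboss_home are this example's own, and step 5 (password hashing) is a login-module change that it does not automate.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: applies steps 1-4 above to a JBoss EAP 4.x
# "production" tree and audits the result. Assumes the layout quoted in the guide plus POSIX
# sh and awk; function names and the "disabled for CC compliance" marker are this script's
# own, and make_mock_jboss_home is a constructed stand-in tree for offline trials. Step 5
# (password hashing) is a login-module change and is not automated here.

# MBean names from step 4.3; used both for commenting out and for the audit.
HA_MBEANS='name="jboss:service=HAJNDI"|name="jboss:service=invoker,type=unifiedha"|name="jboss:service=invoker,type=pooledha"|name="jboss.cache:service=InvalidationBridge,type=JavaGroups"'

# comment_out_elements FILE OPENTAG_RE CLOSETAG_RE PATTERN: wrap every element whose start
# tag matches OPENTAG_RE (self-closing, or ending at CLOSETAG_RE) and whose text matches
# PATTERN in an XML comment. Elements already inside a comment are skipped, and comment
# markers inside a wrapped element are dropped, because XML comments cannot nest.
comment_out_elements() {
    awk -v opentag="$2" -v closere="$3" -v pat="$4" '
        incomment { print; if (index($0, "-->") > 0) incomment = 0; next }
        !inblk && index($0, "<!--") > 0 { print; if (index($0, "-->") == 0) incomment = 1; next }
        !inblk && $0 ~ opentag { inblk = 1; inopen = 1; done = 0; buf = "" }
        inblk {
            buf = buf $0 "\n"
            if (inopen && (g = index($0, ">")) > 0) { inopen = 0; done = (substr($0, g - 1, 1) == "/") }
            if (!inopen && (done || $0 ~ closere)) {
                if (buf ~ pat) { gsub(/<!--|-->/, "", buf); printf "<!-- disabled for CC compliance\n%s-->\n", buf }
                else printf "%s", buf
                inblk = 0
            }
            next
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# active_xml_text FILE: print FILE with every <!-- ... --> removed, so the audit only sees
# definitions the server would actually load.
active_xml_text() {
    awk '{ line = $0; out = ""
           while (1) {
               if (inc) { e = index(line, "-->"); if (e == 0) { line = ""; break }
                          line = substr(line, e + 3); inc = 0 }
               s = index(line, "<!--"); if (s == 0) break
               out = out substr(line, 1, s - 1); line = substr(line, s + 4); inc = 1 }
           print out line }' "$1"
}

# harden_production JBOSS_HOME: the 2.5 backup plus steps 1-4 of 2.5.1; safe to re-run.
harden_production() {
    prod="$1/server/production"
    [ -d "$prod.backup" ] || cp -pr "$prod" "$prod.backup"
    rm -rf "$prod/deploy/snmp-adaptor.sar"                                          # 1. SNMP
    rm -f "$prod/conf/jacorb.properties" "$prod/deploy/iiop-service.xml" \
          "$prod/lib/jacorb.jar" "$prod/lib/jboss-iiop.jar"                         # 2. RMI/IIOP
    comment_out_elements "$prod/deploy/jboss-web.deployer/server.xml" \
        '<Connector([ \t>]|$)' '</Connector>' 'AJP/1[.]3'                           # 3. AJP
    rm -f "$prod/deploy/hajndi-jms-ds.xml"                                          # 4.1
    cp -p "$1/server/default/deploy/jms-ds.xml" "$prod/deploy/"                     # 4.2
    comment_out_elements "$prod/deploy/cluster-service.xml" \
        '<mbean([ \t>]|$)' '</mbean>' "$HA_MBEANS"                                  # 4.3
}

# audit_production JBOSS_HOME: exit status 0 only when every step has been applied.
audit_production() {
    prod="$1/server/production"; rc=0
    for f in deploy/snmp-adaptor.sar conf/jacorb.properties deploy/iiop-service.xml \
             lib/jacorb.jar lib/jboss-iiop.jar deploy/hajndi-jms-ds.xml; do
        [ ! -e "$prod/$f" ] || { echo "FAIL: $f still present"; rc=1; }
    done
    [ -f "$prod/deploy/jms-ds.xml" ] || { echo "FAIL: deploy/jms-ds.xml missing"; rc=1; }
    active_xml_text "$prod/deploy/jboss-web.deployer/server.xml" | grep -q 'AJP/1[.]3' &&
        { echo "FAIL: AJP connector still active"; rc=1; }
    active_xml_text "$prod/deploy/cluster-service.xml" | grep -Eq "$HA_MBEANS" &&
        { echo "FAIL: HA-JNDI/HA invoker MBeans still active"; rc=1; }
    return $rc
}

# make_mock_jboss_home DIR: constructed fixture (empty jars, minimal XML) for offline trials.
make_mock_jboss_home() {
    prod="$1/server/production"
    mkdir -p "$prod/deploy/snmp-adaptor.sar" "$prod/deploy/jboss-web.deployer" "$prod/conf" \
             "$prod/lib" "$1/server/default/deploy"
    for f in conf/jacorb.properties deploy/iiop-service.xml lib/jacorb.jar lib/jboss-iiop.jar \
             deploy/hajndi-jms-ds.xml; do : > "$prod/$f"; done
    : > "$1/server/default/deploy/jms-ds.xml"
    cat > "$prod/deploy/jboss-web.deployer/server.xml" <<'EOF'
<Server><Service name="jboss.web">
  <Connector port="8080" address="${jboss.bind.address}" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" address="${jboss.bind.address}"
     protocol="AJP/1.3" emptySessionPath="true" enableLookups="false" redirectPort="8443" />
</Service></Server>
EOF
    cat > "$prod/deploy/cluster-service.xml" <<'EOF'
<server>
  <mbean code="org.jboss.ha.framework.server.ClusterPartition" name="jboss:service=DefaultPartition"/>
  <mbean code="org.jboss.ha.jndi.HANamingService"
    name="jboss:service=HAJNDI">
    <!-- bootstrap port --><attribute name="Port">1100</attribute>
  </mbean>
  <mbean
   code="org.jboss.cache.invalidation.bridges.JGCacheInvalidationBridge"
   name="jboss.cache:service=InvalidationBridge,type=JavaGroups"></mbean>
</server>
EOF
}
```

Source the file and call `harden_production /path/to/jboss-as` followed by `audit_production /path/to/jboss-as`; a non-zero status from the audit lists exactly which of the steps above is still missing. The audit is a text-level check of the files named in this section (it strips XML comments before searching, so a connector or MBean that has merely been commented out counts as disabled), and it does not prove that some other deployment re-enables the same service. After restarting the server, also confirm that the AJP port 8009 and the HA-JNDI ports are no longer listening, and keep the production.backup copy with the evaluated configuration's records.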