7.4.  Post Installation Security Configuration

When installed from the zip archive, authentication is required to access most JBoss services, including administrative services. Additionally, no user accounts are set up. This is to prevent default user/password-based attacks.

Set up Accounts for jmx-console and the invokers by modifying:

$JBOSS_HOME/server/$CONFIG/conf/props/jmx-console-users.properties

Set up Accounts for web-console users by modifying:

$JBOSS_HOME/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

Where $JBOSS_HOME is the install directory and $CONFIG is the server configuration being used.

Set SuckerPassword for JBoss Messaging:

JBoss Messaging makes internal connections between nodes in order to redistribute messages between clustered destinations. These connections are made with the user name of a special reserved user whose password is specified by the SuckerPassword parameter in the Server Peer configuration file:

$JBOSS_HOME/server/$CONFIG/deploy/jboss-messaging.sar/messaging-service.xml

Where $JBOSS_HOME is the install directory and $CONFIG is the server configuration being used. To avoid a security risk, you MUST specify the value of the SuckerPassword attribute; if you do not, the default value will be used, and anyone who knows the default password will be able to gain access to any destination on the server. The following fragment should be uncommented and modified:
   <mbean code="org.jboss.jms.server.ServerPeer"
          name="jboss.messaging:service=ServerPeer"
          xmbean-dd="xmdesc/ServerPeer-xmbean.xml">
      ...
      ...
      ...
      ...
      <!-- The password used by the message sucker connections to create connections.
           THIS SHOULD ALWAYS BE CHANGED AT INSTALL TIME TO SECURE SYSTEM -->
      <attribute name="SuckerPassword"></attribute>
      ...
      ...
      ...
   </mbean>
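As an added example (not part of the JBoss documentation or distribution), the following POSIX shell script audits one server configuration directory for the three items in this section: it reports whether each users file contains active entries, flags entries whose password is empty or identical to the user name, and checks that the SuckerPassword attribute in messaging-service.xml is uncommented and non-empty. The file paths are the ones named above; the "user=password" properties format and the notion of a weak entry are assumptions of this script, and the files it creates for the demo are constructed samples, not real installation files.

```shell
#!/bin/sh
# Added post-installation audit script; not part of the JBoss documentation or
# distribution. Checks the three items of this section for one server
# configuration directory ($JBOSS_HOME/server/$CONFIG). Assumptions: users files
# use "user=password" lines (Java properties), and a password that is empty or
# identical to the user name counts as weak.

# audit_users_file FILE
# Prints MISSING, EMPTY, WEAK or OK; returns 0 only for OK.
audit_users_file() {
    f="$1"
    [ -f "$f" ] || { echo MISSING; return 1; }
    # Drop leading whitespace, comment lines (# or !) and blank lines.
    entries=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^!/d' -e '/^$/d' "$f")
    [ -n "$entries" ] || { echo EMPTY; return 1; }
    # WEAK when any entry has an empty password or password == user name.
    if printf '%s\n' "$entries" | awk -F= '
        { u = $1; p = $2; gsub(/[[:space:]]/, "", u); gsub(/[[:space:]]/, "", p)
          if (p == "" || p == u) bad = 1 }
        END { if (bad) exit 0; exit 1 }'; then
        echo WEAK; return 1
    fi
    echo OK
}

# strip_xml_comments FILE
# Removes <!-- ... --> spans (including multi-line ones) so that a commented-out
# attribute is not mistaken for an active one.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                e = index(line, "-->")
                if (e == 0) { line = ""; break }
                line = substr(line, e + 3); incomment = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# audit_sucker_password FILE
# Prints MISSING, UNSET (attribute absent, commented out or empty) or OK.
audit_sucker_password() {
    f="$1"
    [ -f "$f" ] || { echo MISSING; return 1; }
    # Join lines so a value placed on its own line is still seen.
    if strip_xml_comments "$f" | tr '\n' ' ' |
       grep -Eq '<attribute[[:space:]]+name="SuckerPassword"[[:space:]]*>[[:space:]]*[^<[:space:]]'; then
        echo OK
    else
        echo UNSET; return 1
    fi
}

# audit_config CONFIG_DIR
# Runs the three checks against the paths named in this section.
audit_config() {
    c="$1"
    echo "jmx-console users: $(audit_users_file "$c/conf/props/jmx-console-users.properties")"
    echo "web-console users: $(audit_users_file "$c/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties")"
    echo "SuckerPassword:    $(audit_sucker_password "$c/deploy/jboss-messaging.sar/messaging-service.xml")"
}

# Demo on a constructed layout (not a real installation): a commented-out
# sample user and the still-commented SuckerPassword fragment.
demo=$(mktemp -d)
mkdir -p "$demo/conf/props" "$demo/deploy/jboss-messaging.sar"
printf '# admin=admin\n' > "$demo/conf/props/jmx-console-users.properties"
cat > "$demo/deploy/jboss-messaging.sar/messaging-service.xml" <<'EOF'
<mbean code="org.jboss.jms.server.ServerPeer" name="jboss.messaging:service=ServerPeer">
   <!-- The password used by the message sucker connections to create connections.
        THIS SHOULD ALWAYS BE CHANGED AT INSTALL TIME TO SECURE SYSTEM
   <attribute name="SuckerPassword"></attribute>
   -->
</mbean>
EOF
audit_config "$demo"   # prints EMPTY, MISSING, UNSET
rm -rf "$demo"
```

To run it against a real configuration, replace the demo section with `audit_config "$JBOSS_HOME/server/$CONFIG"`. The comment stripping is what makes the SuckerPassword check meaningful: a plain grep for the attribute name would report the shipped, still-commented fragment as present.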