Chapter 5. Secure the Management Interfaces
A common development scenario is to run JBoss EAP 6 with no security on the management interfaces to allow rapid configuration changes.
In production deployment, secure the management interfaces by at least the following methods:
Additionally, the default silent local authentication mode allows local clients (on the server machine) to connect to the Management CLI without requiring a username or password. This is a convenience for local users and Management CLI scripts. To disable this, refer to Section 5.4, “Remove Silent Authentication from the Default Security Realm”.
5.1. Default User Security Configuration
All management interfaces in JBoss EAP 6 are secured by default. This security takes two different forms:
- Local interfaces are secured by a SASL contract between local clients and the server they connect to. This security mechanism is based on the client's ability to access the local filesystem. This is because access to the local filesystem would allow the client to add a user or otherwise change the configuration to thwart other security mechanisms. This adheres to the principle that if physical access to the filesystem is achieved, other security mechanisms are superfluous. The mechanism happens in four steps:
NoteHTTP access is considered to be remote, even if you connect to the localhost using HTTP.
- The client sends a message to the server which includes a request to authenticate with the local SASL mechanism.
- The server generates a one-time token, writes it to a unique file, and sends a message to the client with the full path of the file.
- The client reads the token from the file and sends it to the server, verifying that it has local access to the filesystem.
- The server verifies the token and then deletes the file.
- Remote clients, including local HTTP clients, use realm-based security. The default realm with the permissions to configure the JBoss EAP 6 instance remotely using the management interfaces is
ManagementRealm. A script is provided which allows you to add users to this realm (or realms you create). For more information on adding users, see the Getting Started chapter of the JBoss EAP 6 Installation Guide. For each user, the username and a hashed password are stored in a file.
Even though the contents of the
- Managed domain
- Standalone server
mgmt-users.propertiesare masked, the file must still be treated as a sensitive file. It is recommended that it be set to the file mode of
600, which gives no access other than read and write access by the file owner.