Red Hat Training

A Red Hat training course is available for Red Hat JBoss Data Virtualization

3.3. Adding a JBoss EAP Management User

3.3.1. Add the User for the Management Interfaces

The following procedure documents how to create the initial administrative user, in the event such a user is not created by the chosen installation method. This initial administrative user can use the web-based Management Console and remote instances of the Management CLI to configure and administer JBoss EAP 6 from remote systems.

Procedure 3.1. Create the Initial Administrative User for the Remote Management Interfaces

  1. Run the add-user.sh or add-user.bat script.

    Change to the EAP_HOME/bin/ directory. Invoke the appropriate script for your operating system.
    Red Hat Enterprise Linux
    [user@host bin]$ ./add-user.sh
    Microsoft Windows Server
    C:\bin>  add-user.bat

  2. Choose to add a Management user.

    Press ENTER to select the default option a to add a Management user.
    This user is added to the ManagementRealm and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. The other choice, b, adds a user to the ApplicationRealm, and provides no particular permissions. That realm is provided for use with applications.

  3. Enter the desired username and password.

    When prompted, enter the username and password. You will be prompted to confirm the password.

  4. Enter group information.

    Add the group or groups to which the user belongs. If the user belongs to multiple groups, enter a comma-separated list. Leave it blank if you do not want the user to belong to any groups.

  5. Review the information and confirm.

    You are prompted to confirm the information. If you are satisfied, type yes.

  6. Choose whether the user represents a remote JBoss EAP 6 server instance.

    Besides administrators, the other type of user which occasionally needs to be added to JBoss EAP 6 in the ManagementRealm is a user representing another instance of JBoss EAP 6, which must be able to authenticate to join a cluster as a member. The next prompt allows you to designate your added user for this purpose. If you select yes, you will be given a hashed secret value, representing the user's password, which would need to be added to a different configuration file. For the purposes of this task, answer no to this question.

  7. Enter additional users.

    You can enter additional users if desired, by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations.

  8. Create users non-interactively.

    You can create users non-interactively, by passing in each parameter at the command line. This approach is not recommended on shared systems, because the passwords will be visible in log and history files. The syntax for the command, using the management realm, is: 
    [user@host bin]$ ./add-user.sh username password
    To use the application realm, use the -a parameter. 
    [user@host bin]$ ./add-user.sh -a username password
  9. You can suppress the normal output of the add-user script by passing the --silent parameter. This applies only if the minimum parameters username and password have been specified. Error messages will still be shown.
Result

Any users you add are activated within the security realms you have specified. Users active within the ManagementRealm realm are able to manage JBoss EAP 6 from remote systems.

3.3.2. Default User Security Configuration

Introduction

All management interfaces in JBoss EAP 6 are secured by default. This security takes two different forms:

  • Local interfaces are secured by a SASL contract between local clients and the server they connect to. This security mechanism is based on the client's ability to access the local filesystem. This is because access to the local filesystem would allow the client to add a user or otherwise change the configuration to thwart other security mechanisms. This adheres to the principle that if physical access to the filesystem is achieved, other security mechanisms are superfluous. The mechanism happens in four steps:

    Note

    HTTP access is considered to be remote, even if you connect to the localhost using HTTP.
    1. The client sends a message to the server which includes a request to authenticate with the local SASL mechanism.
    2. The server generates a one-time token, writes it to a unique file, and sends a message to the client with the full path of the file.
    3. The client reads the token from the file and sends it to the server, verifying that it has local access to the filesystem.
    4. The server verifies the token and then deletes the file.
  • Remote clients, including local HTTP clients, use realm-based security. The default realm with the permissions to configure the JBoss EAP 6 instance remotely using the management interfaces is ManagementRealm. A script is provided which allows you to add users to this realm (or realms you create). For more information on adding users, see the User Management chapter of the JBoss EAP 6 Administration and Configuration Guide. For each user, the username and a hashed password are stored in a file.
    Managed domain
    EAP_HOME/domain/configuration/mgmt-users.properties
    Standalone server
    EAP_HOME/standalone/configuration/mgmt-users.properties
    Even though the contents of the mgmt-users.properties are masked, the file must still be treated as a sensitive file. It is recommended that it be set to the file mode of 600, which gives no access other than read and write access by the file owner.

3.3.3. Adding a JBoss Data Virtualization User

JBoss Data Virtualization's default configuration uses hashed files to define users and their roles. Follow these steps to add a new user for this default configuration.
  1. Navigate to the bin directory.
  2. Launch the ./add-user.sh script.
  3. Selection option the "b) Application User (application-users.properties)" and add the username and password you desire.

Important

The "admin" and "user" role names are reserved specifically for Dashboard Builder permissions. The odata group is needed for OData access.