Red Hat Training
A Red Hat training course is available for Red Hat JBoss Data Virtualization
3.3. Adding a JBoss EAP Management User
3.3.1. Add the User for the Management Interfaces
Procedure 3.1. Create the Initial Administrative User for the Remote Management Interfaces
Run the
add-user.sh
oradd-user.bat
script.Change to theEAP_HOME/bin/
directory. Invoke the appropriate script for your operating system.- Red Hat Enterprise Linux
[user@host bin]$
./add-user.sh- Microsoft Windows Server
C:\bin>
add-user.bat
Choose to add a Management user.
Press ENTER to select the default optiona
to add a Management user.This user is added to theManagementRealm
and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. The other choice,b
, adds a user to theApplicationRealm
, and provides no particular permissions. That realm is provided for use with applications.Enter the desired username and password.
When prompted, enter the username and password. You will be prompted to confirm the password.Enter group information.
Add the group or groups to which the user belongs. If the user belongs to multiple groups, enter a comma-separated list. Leave it blank if you do not want the user to belong to any groups.Review the information and confirm.
You are prompted to confirm the information. If you are satisfied, typeyes
.Choose whether the user represents a remote JBoss EAP 6 server instance.
Besides administrators, the other type of user which occasionally needs to be added to JBoss EAP 6 in theManagementRealm
is a user representing another instance of JBoss EAP 6, which must be able to authenticate to join a cluster as a member. The next prompt allows you to designate your added user for this purpose. If you selectyes
, you will be given a hashedsecret
value, representing the user's password, which would need to be added to a different configuration file. For the purposes of this task, answerno
to this question.Enter additional users.
You can enter additional users if desired, by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations.Create users non-interactively.
You can create users non-interactively, by passing in each parameter at the command line. This approach is not recommended on shared systems, because the passwords will be visible in log and history files. The syntax for the command, using the management realm, is:[user@host bin]$
./add-user.sh username passwordTo use the application realm, use the-a
parameter.[user@host bin]$
./add-user.sh -a username password- You can suppress the normal output of the add-user script by passing the
--silent
parameter. This applies only if the minimum parametersusername
andpassword
have been specified. Error messages will still be shown.
Any users you add are activated within the security realms you have specified. Users active within the ManagementRealm
realm are able to manage JBoss EAP 6 from remote systems.
3.3.2. Default User Security Configuration
All management interfaces in JBoss EAP 6 are secured by default. This security takes two different forms:
- Local interfaces are secured by a SASL contract between local clients and the server they connect to. This security mechanism is based on the client's ability to access the local filesystem. This is because access to the local filesystem would allow the client to add a user or otherwise change the configuration to thwart other security mechanisms. This adheres to the principle that if physical access to the filesystem is achieved, other security mechanisms are superfluous. The mechanism happens in four steps:
Note
HTTP access is considered to be remote, even if you connect to the localhost using HTTP.- The client sends a message to the server which includes a request to authenticate with the local SASL mechanism.
- The server generates a one-time token, writes it to a unique file, and sends a message to the client with the full path of the file.
- The client reads the token from the file and sends it to the server, verifying that it has local access to the filesystem.
- The server verifies the token and then deletes the file.
- Remote clients, including local HTTP clients, use realm-based security. The default realm with the permissions to configure the JBoss EAP 6 instance remotely using the management interfaces is
ManagementRealm
. A script is provided which allows you to add users to this realm (or realms you create). For more information on adding users, see the User Management chapter of the JBoss EAP 6 Administration and Configuration Guide. For each user, the username and a hashed password are stored in a file.- Managed domain
EAP_HOME/domain/configuration/mgmt-users.properties
- Standalone server
EAP_HOME/standalone/configuration/mgmt-users.properties
Even though the contents of themgmt-users.properties
are masked, the file must still be treated as a sensitive file. It is recommended that it be set to the file mode of600
, which gives no access other than read and write access by the file owner.
3.3.3. Adding a JBoss Data Virtualization User
- Navigate to the bin directory.
- Launch the ./add-user.sh script.
- Selection option the "b) Application User (application-users.properties)" and add the username and password you desire.
Important