Chapter 3. Basic Security
3.1. Configuring Basic Security
Before you start the container
Create a secure JAAS user
InstallDir/etc/users.propertiesfile and add a new user field, as follows:
Passwordare the new user credentials. The
Administratorrole gives this user the privileges to access all administration and management functions of the container. For more details about JAAS, see Chapter 14, Configuring JAAS Security.
Role-based access control
Table 3.1. Standard Roles for Access Control
|Grants read-only access to the container.|
|Grants read-write access at the appropriate level for ordinary users, who want to deploy and run applications. But blocks access to sensitive container configuration settings.|
|Grants unrestricted access to the container.|
Ports exposed by the JBoss Fuse container
Figure 3.1. Ports Exposed by the JBoss Fuse Container
- Console port—enables remote control of a container instance, through Apache Karaf shell commands. This port is enabled by default and is secured both by JAAS authentication and by SSH.
- JMX port—enables management of the container through the JMX protocol. This port is enabled by default and is secured by JAAS authentication.
- Web console port—provides access to an embedded Jetty container that can host Web console servlets. By default, the Fuse Management Console is installed in the Jetty container.
Enabling the remote console port
- JAAS is configured with at least one set of login credentials.
- The JBoss Fuse runtime has not been started in client mode (client mode disables the remote console port completely).
./client -u Username -p Password
Passwordare the credentials of a JAAS user with
Administratorprivileges. For more details, see Chapter 8, Using Remote Connections to Manage a Container.
Strengthening security on the remote console port
- Make sure that the JAAS user credentials have strong passwords.
- Customize the X.509 certificate (replace the Java keystore file,
InstallDir/etc/host.key, with a custom key pair).
Enabling the JMX port
jconsole) and connect to the following JMX URI:
/karaf-ContainerName. If you change the container name from
rootto some other name, you must modify the JMX URI accordingly.