How to restrict jmx invoker to localhost in JBoss EAP?

Solution Verified

Environment

  • Red Hat JBoss Enterprise Application Platform(EAP)
    • 4.x
    • 5.x
  • Red Hat JBoss SOA-Platform (SOA-P)
    • 4.x
    • 5.x

Issue

  • In order to secure the jmx invoker, access needs to be restricted to localhost (the loopback interface), so that it cannot be reached from the network at all. How can this be configured?

Resolution

EAP 4.x and SOA-P 4.x

Binding the JMX invoker to localhost - HIGHLY RECOMMENDED:

By default the invokers bind to jboss.bind.address (the value given with the -b start-up option), so a server started with -b 0.0.0.0 exposes the invoker ports on every interface. It is recommended that the jmx-invoker be bound specifically to localhost only, independent of -b. Do it as follows (a server restart is required for the change to take effect):

In $JBOSS_HOME/server/$PROFILE/conf/jboss-service.xml, look for the RMI/JRMP invoker section and set ServerAddress to localhost. The section should then look something like:

    <!-- RMI/JRMP invoker -->
    <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp">
       <attribute name="RMIObjectPort">4444</attribute>
       <attribute name="ServerAddress">localhost</attribute>
       ....

In $JBOSS_HOME/server/$PROFILE/deploy/jmx-invoker-service.xml, add the following lines inside the <server> section. This defines a second PooledInvoker MBean that listens only on the loopback address:

    <!-- A pooled invoker bound to localhost -->
    <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
       name="jboss:service=invoker,type=pooled,host=localhost">
       <attribute name="NumAcceptThreads">1</attribute>
       <attribute name="MaxPoolSize">300</attribute>
       <attribute name="ClientMaxPoolSize">300</attribute>
       <attribute name="SocketTimeout">60000</attribute>
       <!-- listen on loopback only; clients are told to connect to localhost as well -->
       <attribute name="ServerBindAddress">localhost</attribute>
       <attribute name="ServerBindPort">4443</attribute>
       <attribute name="ClientConnectAddress">localhost</attribute>
       <attribute name="ClientConnectPort">0</attribute>
       <attribute name="ClientRetryCount">1</attribute>
       <attribute name="EnableTcpNoDelay">false</attribute>
       <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
    </mbean>
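Whichever EAP version and option is used, the change should be verified on the running host rather than trusted from the XML: after the restart, the invoker ports must show up in the socket table bound to 127.0.0.1 or ::1 only. The following script is an added example, not part of the Red Hat article. It parses the output of `ss -ltn` (or `netstat -ltn`) and reports any invoker port bound to a wildcard or non-loopback address. The port set is assumed from the defaults shown in this article (4444 jrmp, 4445 pooled, 4443 for the EAP 4 loopback pooled invoker) and the sample socket listing is constructed.

```python
"""Check that the JBoss invoker ports listen only on loopback.

Added example, not from the Red Hat article. Reads `ss -ltn` or
`netstat -ltn` output and flags invoker ports that are reachable on a
non-loopback address. INVOKER_PORTS is an assumption from the defaults
named in the article; change it if the binding set moves the ports.
"""
import ipaddress
import sys

# Assumed default invoker ports: 4444 jrmp, 4445 pooled, 4443 EAP 4 loopback pooled.
INVOKER_PORTS = {4443, 4444, 4445}

# Constructed sample of `ss -ltn` output: 4444 is wide open, 4445 is correct,
# 4443 is bound to the IPv6 any-address, 8080 is not an invoker port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:4444        0.0.0.0:*
LISTEN 0      50     127.0.0.1:4445      0.0.0.0:*
LISTEN 0      50     [::]:4443           [::]:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
"""


def split_local(endpoint):
    """Split 'addr:port' (IPv4, bracketed IPv6, ':::port' or '*:port') into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards ('*', '::', 0.0.0.0) are not loopback."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_invoker_ports(listing, ports=INVOKER_PORTS):
    """Return sorted (port, address) pairs for invoker ports not bound to loopback."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # `ss -ltn` rows start with the state; `netstat -ltn` rows end with it.
        if fields[0] == "LISTEN" or (fields[0].startswith("tcp") and fields[-1] == "LISTEN"):
            local = fields[3]
        else:
            continue
        try:
            addr, port = split_local(local)
        except ValueError:
            continue
        if port in ports and not is_loopback(addr):
            findings.append((port, addr))
    return sorted(findings)


if __name__ == "__main__":
    # On the EAP host:  ss -ltn | python3 check_invokers.py
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for port, addr in exposed_invoker_ports(data):
        print(f"invoker port {port} is listening on {addr}, not loopback-only")
```

A clean result means the invoker is unreachable from the network, but not that it is safe from anything running on the same host; the authorization step mentioned in the comment below this article still applies.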

EAP 5.x and SOA-P 5.x

In JBoss EAP 5, the MBeans org.jboss.invocation.jrmp.server.JRMPInvoker and org.jboss.invocation.pooled.server.PooledInvoker are defined in $JBOSS_HOME/server/$PROFILE/deploy/legacy-invokers-service.xml:

   <!-- RMI/JRMP invoker -->
   <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
      name="jboss:service=invoker,type=jrmp">
      <attribute name="RMIObjectPort">
         <value-factory bean="ServiceBindingManager" method="getIntBinding" parameter="jboss:service=invoker,type=jrmp"/>
      </attribute>
      <attribute name="ServerAddress">
         <value-factory bean="ServiceBindingManager" method="getStringBinding" parameter="jboss:service=invoker,type=jrmp"/>
      </attribute>
      ... 

   <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
      name="jboss:service=invoker,type=pooled">
      <attribute name="NumAcceptThreads">1</attribute>
      <attribute name="MaxPoolSize">300</attribute>
      <attribute name="ClientMaxPoolSize">300</attribute>
      <attribute name="SocketTimeout">300000</attribute>
      <attribute name="ServerBindAddress">
         <value-factory bean="ServiceBindingManager" method="getStringBinding" parameter="jboss:service=invoker,type=pooled"/>
      </attribute>
      <attribute name="ServerBindPort">
         <value-factory bean="ServiceBindingManager" method="getIntBinding" parameter="jboss:service=invoker,type=pooled"/>
      </attribute>
      <attribute name="ClientConnectAddress">
         <value-factory bean="ServiceBindingManager" method="getStringBinding" parameter="jboss:service=invoker,type=pooled"/>
      </attribute>
      ...

There are two options to bind them to localhost:

  • Option 1 is to change the Service Binding Manager configuration in $JBOSS_HOME/server/$PROFILE/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml

    • Add the properties hostName and fixedHostName to the binding of each invoker, as shown below
    • hostName = localhost makes the Service Binding Manager hand out localhost as the host for that service
    • fixedHostName = true makes it keep localhost regardless of which binding set (the jboss.service.binding.set system property) the server is started with, so switching to ports-01 or similar cannot re-expose the invoker

                  <!-- ********************* deploy/legacy-invokers-service.xml ****************** -->
      
                  <!-- RMI/JRMP invoker -->
                  <bean class="org.jboss.services.binding.ServiceBindingMetadata">
                     <property name="serviceName">jboss:service=invoker,type=jrmp</property>
                     <property name="port">4444</property>
                     <property name="description">Socket for the legacy RMI/JRMP invoker</property>
                     <property name="hostName">localhost</property>
                     <property name="fixedHostName">true</property>
                  </bean>
      
                  <!-- Pooled invoker -->
                  <bean class="org.jboss.services.binding.ServiceBindingMetadata">
                     <property name="serviceName">jboss:service=invoker,type=pooled</property>
                     <property name="port">4445</property>
                     <property name="description">Socket for the legacy Pooled invoker</property>
                     <property name="hostName">localhost</property>
                     <property name="fixedHostName">true</property>
                  </bean>
      
  • Option 2 is to remove the <value-factory .../> element from the ServerAddress, ServerBindAddress, and ClientConnectAddress attributes in legacy-invokers-service.xml and replace each with the literal value localhost. Option 1 is the recommended approach, since it keeps all socket binding configuration in one place (the Service Binding Manager) instead of hardcoding addresses in the deployment descriptor.
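Option 1 is easy to get subtly wrong: a binding with hostName but without fixedHostName still follows the binding set's default host, and a missing bean silently falls back to the defaults. The following audit script is an added example, not part of the Red Hat article or the product. It walks every ServiceBindingMetadata bean in a bindings-jboss-beans.xml and reports invoker bindings that are not pinned to a loopback host with fixedHostName=true. The sample document is constructed and trimmed to the elements the check needs; a real file wraps these beans in more structure and contains many more bindings.

```python
"""Audit EAP 5 bindings-jboss-beans.xml for invoker bindings not pinned to localhost.

Added example, not from the Red Hat article. For the legacy jrmp and pooled
invoker services it checks that hostName is a loopback name and that
fixedHostName is true (the article's Option 1). The sample XML below is
constructed and reduced to the elements the check needs.
"""
import xml.etree.ElementTree as ET

INVOKER_SERVICES = ("jboss:service=invoker,type=jrmp",
                    "jboss:service=invoker,type=pooled")
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")
SBM_CLASS = "org.jboss.services.binding.ServiceBindingMetadata"

# Constructed sample: jrmp still follows the binding set's host, pooled is fixed.
SAMPLE_BINDINGS = """\
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="StandardBindings" class="java.util.HashSet">
    <constructor>
      <parameter class="java.util.Collection">
        <set elementClass="org.jboss.services.binding.ServiceBindingMetadata">
          <bean class="org.jboss.services.binding.ServiceBindingMetadata">
            <property name="serviceName">jboss:service=invoker,type=jrmp</property>
            <property name="port">4444</property>
            <property name="description">Socket for the legacy RMI/JRMP invoker</property>
          </bean>
          <bean class="org.jboss.services.binding.ServiceBindingMetadata">
            <property name="serviceName">jboss:service=invoker,type=pooled</property>
            <property name="port">4445</property>
            <property name="description">Socket for the legacy Pooled invoker</property>
            <property name="hostName">localhost</property>
            <property name="fixedHostName">true</property>
          </bean>
        </set>
      </parameter>
    </constructor>
  </bean>
</deployment>
"""


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.split("}")[-1]


def binding_properties(root):
    """Yield {property name: text} for every ServiceBindingMetadata bean in the tree."""
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != SBM_CLASS:
            continue
        props = {}
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name"):
                props[prop.get("name")] = (prop.text or "").strip()
        yield props


def audit_bindings(xml_text, services=INVOKER_SERVICES):
    """Return {serviceName: [problem, ...]} for the invoker bindings; {} means clean."""
    root = ET.fromstring(xml_text)
    seen = set()
    problems = {}
    for props in binding_properties(root):
        name = props.get("serviceName")
        if name not in services:
            continue
        seen.add(name)
        issues = []
        host = props.get("hostName")
        if host not in LOOPBACK_HOSTS:
            issues.append(f"hostName is {host!r}, expected a loopback name")
        if props.get("fixedHostName", "").lower() != "true":
            issues.append("fixedHostName is not true, so the binding set can override the host")
        if issues:
            problems[name] = issues
    for name in services:
        if name not in seen:
            problems[name] = ["no ServiceBindingMetadata bean found; defaults apply"]
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 audit_bindings.py /path/to/bindings-jboss-beans.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BINDINGS
    for svc, issues in sorted(audit_bindings(text).items()):
        print(svc)
        for issue in issues:
            print("  -", issue)
```

Run it against the profile's bindings-jboss-beans.xml before and after the edit; the only acceptable result is an empty report for both invoker services.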

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comment

In addition to binding to localhost, you should also enable authorization for the JMX Invoker. Follow this article for details of how to do that: https://access.redhat.com/solutions/45579