12 Replies Latest reply on Apr 3, 2011 12:45 AM by vgarmash

    Secure jmx-console and web-console

      Hi there,

      The credentials of jmx-console and web-console are stored in plaintext files.

      Is there a better way to improve the security of the JMX passwords?


      Thanks,
      Andre

        • 1. Re: Secure jmx-console and web-console
          peterj

          You could use a database or ldap server login module instead - the password in the database or ldap could be encrypted.

          • 2. Re: Secure jmx-console and web-console
            saguilar

            How can we change the ports of the web-console and the jmx-console? I installed JBoss AS 4.2.3 on a shared server and some applications might try to use the 8080 port.

            • 3. Re: Secure jmx-console and web-console
              peterj

              saguilar, please do not hijack someone else's post - start a new one instead. (By the way, you might look in the docs or wiki; the answers to your questions are there.)

              • 4. Re: Secure jmx-console and web-console

                Hi Pj,

                Thanks for the wiki SecureJboss.

                I tried to implement the SecureTheJmxConsole (http://www.jboss.org/community/docs/DOC-12190).

                Before applying the configuration I can access jmx-console without any access control.

                After applying the configuration I get a BLANK PAGE and the following error in APACHE.LOG:

                2009-02-26 09:42:19,729 WARN [FormAuthenticator] Unexpected error forwarding to login page
                java.lang.NullPointerException
                at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:316)
                at org.jboss.web.tomcat.security.ExtendedFormAuthenticator.forwardToLoginPage(ExtendedFormAuthenticator.java:141)
                at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:244)
                at org.jboss.web.tomcat.security.ExtendedFormAuthenticator.authenticate(ExtendedFormAuthenticator.java:86)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
                at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
                at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
                at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                at java.lang.Thread.run(Thread.java:595)


                Any ideas,
                Andre

                • 5. Re: Secure jmx-console and web-console

                  I forgot to mention that I couldn't understand what was in jboss-web.xml:

                  "You will need to edit the tmladaptor login configuration to setup the login modules used to authentication users"

                  Don't know what to do with it.

                  Thanks again,
                  Andre

                  • 6. Re: Secure jmx-console and web-console
                    peterj

                    I don't know what that sentence means, either. It could be a holdover from a prior configuration that never got changed.

                    When you uncomment the security-domain in jboss-web.xml, it references the jmx-console login module in conf/login-config.xml, and that login module uses the conf/props/jmx-*.properties files for the users and roles. So if you are happy with the given users and roles, then uncommenting that line in jboss-web.xml is all that is required.

                    Wait a second, where did APACHE.LOG come from? Also, the stack trace does not look like it is from JBoss AS... What, exactly, are you running?

                    • 7. Re: Secure jmx-console and web-console

                      Pj,

                      I have a jboss running on my windows desktop. In order to test the app I think that Jboss starts some products of Apache, for instance, coyote, catalina, etc...

                      The file apache.log appears in a log4j appender

                      <param name="DatePattern" value="'.'-dd"/>

                      And it is used in the following category:

                      <appender-ref ref="CONSOLE"/>
                      <appender-ref ref="apacheFileAppender"/>
                      <appender-ref ref="serverDbInfoAppender"/>


                      Hope it helps to understand my question,
                      Andre

                      • 8. Re: Secure jmx-console and web-console

                        Peter,

                        I can't post my log4j configuration.


                        Andre

                        • 9. Re: Secure jmx-console and web-console
                          peterj

                          When posting XML text or source code, please enclose the text in UBBCode "code" tags - you can do this by selecting the text and clicking the Code button above the editor window. Also, click the Preview button to ensure that the formatting is correct and the XML text shows up before posting.

                          • 10. Re: Secure jmx-console and web-console

                            I have a jboss running on my windows desktop. In order to test the app I think that Jboss starts some products of Apache, for instance, coyote, catalina, etc...

                            The file apache.log appears in a log4j appender:

                            <appender name="apacheFileAppender" class="org.jboss.logging.appender.DailyRollingFileAppender">
                              <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
                              <param name="File" value="${jboss.server.log.dir}/apache.log"/>
                              <param name="Append" value="true"/>
                              <param name="DatePattern" value="'.'-dd"/>
                              <layout class="org.apache.log4j.PatternLayout">
                                <param name="ConversionPattern" value="%d %-5p [%c{1}] %m %n"/>
                              </layout>
                            </appender>



                            And it is used by the following category:

                            <!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
                            <category name="org.apache" additivity="false">
                              <priority value="INFO"/>
                              <appender-ref ref="CONSOLE"/>
                              <appender-ref ref="apacheFileAppender"/>
                              <appender-ref ref="serverDbInfoAppender"/>
                            </category>
                            


                            Any ideas about the stack trace?

                            Thanks,
                            Andre

                            • 11. Re: Secure jmx-console and web-console
                              peterj

                              No ideas on the stack trace. Looks like it is debugging time. Try this: start with a fresh JBoss AS install and edit only that one jboss-web.xml file and see if that works.

                              • 12. Secure jmx-console and web-console
                                vgarmash

                                People! LDAP, database.....

                                How about reading the JBoss Getting Started guide? Section 9.2. Using Password Hashing
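
The thread asks how to avoid plaintext passwords in the jmx-console properties files, and the last reply points to password hashing. The following is an added example, not code from the thread or from JBoss: it rewrites `user=password` lines as `user=hash` and emits the matching module options. The option names `hashAlgorithm` and `hashEncoding` are taken from JBoss's UsersRolesLoginModule documentation rather than from this page, and the sample file content and the helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample of a users properties file (user=plaintext password).
SAMPLE_USERS = "# constructed sample, not a real account\nadmin=s3cret-Example\n"

# Assumed options for the jmx-console login module in conf/login-config.xml,
# so that it compares digests instead of plaintext values.
MODULE_OPTIONS = {"hashAlgorithm": "SHA-256", "hashEncoding": "base64"}


def module_option_xml(options=MODULE_OPTIONS):
    """Render the <module-option> lines to add inside the <login-module> element."""
    return "\n".join('<module-option name="%s">%s</module-option>' % kv
                     for kv in options.items())


def hash_password(password, algorithm="SHA-256", encoding="base64", charset="utf-8"):
    """Digest the password and encode it the way the chosen hashEncoding expects."""
    name = algorithm.replace("-", "").lower()          # "SHA-256" -> "sha256"
    digest = hashlib.new(name, password.encode(charset)).digest()
    if encoding.lower() == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding.lower() == "hex":
        return digest.hex()
    raise ValueError("unsupported hashEncoding: " + encoding)


def hash_users_properties(text, **opts):
    """Rewrite user=password lines as user=hash; keep comments and blank lines."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")) or "=" not in stripped:
            out.append(line)
            continue
        user, password = stripped.split("=", 1)
        out.append(user.strip() + "=" + hash_password(password.strip(), **opts))
    return "\n".join(out)


def check_login(stored_hash, supplied_password, **opts):
    """Login-time check: hash the supplied password, compare with the stored value."""
    return hmac.compare_digest(stored_hash, hash_password(supplied_password, **opts))
```

The digest produced here is unsalted, so the hashed properties file still needs restrictive file permissions; the database or LDAP login modules suggested in reply 1 remain the option for stronger storage.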