2 Replies Latest reply on Aug 11, 2010 7:46 AM by saltnlight5

    password protect JMX, status and web console [Securing Jboss]

    nonboss

      Hi

       

      I found in the JBoss wiki the article Securing the JMX Console and Web Console (HTTP): http://community.jboss.org/wiki/SecureTheJmxConsole

       

      The wiki page is fragmentary:

       

      To secure the JMX Console using a username/password file -
          * Locate the  directory.  This will normally be in  directory.
          * Edit  and uncomment the security-constraint block.
          * Edit  or  (version >=4.0.2) and  or  (version >=4.0.2) and change the users and passwords to what you desire.  They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.
          * Edit  and uncomment the security-domain block. The security-domain value of jmx-console maps is declared in the login-config.xml JAAS configuration file which defines how authentication and authorization is done.

       

      Where are those files to add password protection?

       

      Additionally, how to disable or add a password to the JBoss status page?

       

      We installed JBoss with a BMC product (it was automatically included).

       

      $ pwd
      /opt/idmsuiteuser/bmc/idm/idm-suite7.5/jboss-4.2.0.GA
      $ ls -lrt
      total 340
      -rwxrwxr-x   1 idmsuiteuser   other      57627 Feb  4  2009 jar-versions.xml
      -rwxrwxr-x   1 idmsuiteuser   other       3869 Feb  4  2009 readme_j2ee.html
      -rwxrwxr-x   1 idmsuiteuser   other       8102 Feb  4  2009 JBossORG-EULA.txt
      -rwxrwxr-x   1 idmsuiteuser   other      57055 Feb  4  2009 readme.html
      -rwxrwxr-x   1 idmsuiteuser   other       6095 Feb  4  2009 copyright.txt
      -rwxrwxr-x   1 idmsuiteuser   other      33732 Feb  4  2009 lgpl.html
      drwxrwxr-x   7 idmsuiteuser   other        512 Jul  9  2009 docs
      drwxrwxr-x   2 idmsuiteuser   other       2048 Jul  9  2009 client
      drwxrwxr-x   3 idmsuiteuser   other        512 Jul  9  2009 lib
      drwxrwxr-x   6 idmsuiteuser   other        512 Jul  9  2009 server
      drwxrwxr-x   2 idmsuiteuser   other       1024 Aug 28  2009 bin

       

      cheers nonboss

        • 1. Re: password protect JMX, status and web console [Securing Jboss]
          dangvo

          Uncomment the <security-constraint> block in ./server/default/deploy/jmx-console.war/WEB-INF/web.xml.

          • 2. Re: password protect JMX, status and web console [Securing Jboss]
            saltnlight5

            Besides enabling (uncommenting) the security-constraint in JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml, you would also need to enable the security-domain in WEB-INF/jboss-web.xml.

             

            Do the same for the web-console.war application, which in JBoss 4 is located under JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war

             

            Once you have uncommented those, the user and password are configured and stored under JBOSS_HOME/server/default/conf/props/jmx-console-user.properties (web-console uses this file as well).
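
A way to verify the steps from the replies above, as an added example that is not part of the original thread or of JBoss itself: the script reports whether `security-constraint` and `security-domain` are active, still commented out, or absent in the descriptors of both consoles. The function names and sample XML are constructed for illustration, and the paths assume the JBoss 4 `server/default/deploy` layout quoted in the replies.

```python
import re
import sys
from pathlib import Path

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)

# Descriptor locations named in the replies, relative to
# JBOSS_HOME/server/default/deploy (assumed JBoss 4 layout).
CONSOLES = {
    "jmx-console": "jmx-console.war/WEB-INF",
    "web-console": "management/console-mgr.sar/web-console.war/WEB-INF",
}
REQUIRED = {"web.xml": "security-constraint", "jboss-web.xml": "security-domain"}

# Constructed sample descriptors: the same block commented out and enabled.
SAMPLE_BLOCK = """<security-constraint>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>"""
SAMPLE_COMMENTED = "<web-app>\n<!-- constructed sample\n" + SAMPLE_BLOCK + "\n-->\n</web-app>"
SAMPLE_ACTIVE = "<web-app>\n" + SAMPLE_BLOCK + "\n</web-app>"

def element_state(xml_text, tag):
    """Return 'active', 'commented' or 'missing' for <tag> in a descriptor."""
    opening = re.compile(r"<%s[\s>]" % re.escape(tag))
    # Strip XML comments first: an element that only exists inside a
    # comment is not enforced by the container.
    if opening.search(COMMENT.sub("", xml_text)):
        return "active"
    return "commented" if opening.search(xml_text) else "missing"

def audit(deploy_dir):
    """Map 'console/file' -> state for each console descriptor under deploy_dir."""
    report = {}
    for console, rel in CONSOLES.items():
        for fname, tag in REQUIRED.items():
            path = Path(deploy_dir) / rel / fname
            if path.is_file():
                state = element_state(path.read_text(errors="replace"), tag)
            else:
                state = "file not found"
            report[f"{console}/{fname}"] = state
    return report

if __name__ == "__main__":
    # Usage: python audit_consoles.py JBOSS_HOME/server/default/deploy
    results = audit(sys.argv[1])
    for name, state in sorted(results.items()):
        print(f"{state:15} {name}")
    # Non-zero exit if any console descriptor is not protected.
    sys.exit(0 if all(s == "active" for s in results.values()) else 1)
```

Any result other than `active` for a console means it is still reachable without a login, or that the descriptor is not where this layout expects it.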