Can't secure management interfaces in JBoss AS 7.1
stinc.male Dec 15, 2012 12:57 PM
I have a domain controller (host "master" in /usr/jb-master/domain/configuration/host-master.xml) and a slave host controller (host "slave1" in /usr/jb-slave1/domain/configuration/host-slave.xml) on the same machine but in different JBoss AS installations (see the different paths /usr/jb-master and /usr/jb-slave1). I try to secure management interfaces of both master and slave1 hosts with properties authentication as described in Securing the Management Interfaces.
So I've configured <management-interfaces> as follows:
file name | text from file |
---|---|
host-master.xml | <management> <security-realms> <security-realm name="UserNetManagementRealm"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/> </authentication> </security-realm> <security-realm name="UserNetApplicationRealm"> <authentication> <properties path="application-users.properties" relative-to="jboss.domain.config.dir" /> </authentication> </security-realm> </security-realms> <management-interfaces> <native-interface security-realm="UserNetManagementRealm"> <socket interface="management" port="${jboss.management.native.port:9999}"/> </native-interface> <http-interface security-realm="UserNetManagementRealm"> <socket interface="management" port="${jboss.management.http.port:9990}"/> </http-interface> </management-interfaces> </management> |
master: mgmt-users.properties | admin=... slave1=... #encryptedPasswd1 |
host-slave.xml | <management> <security-realms> <security-realm name="UserNetSlave1ManagementRealm"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/> </authentication> </security-realm> <security-realm name="UserNetApplicationRealm"> <authentication> <properties path="application-users.properties" relative-to="jboss.domain.config.dir" /> </authentication> </security-realm> </security-realms> <management-interfaces> <native-interface security-realm="UserNetSlave1ManagementRealm"> <socket interface="management" port="${jboss.management.native.port:9999}"/> </native-interface> </management-interfaces> </management> <domain-controller> <remote host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}" security-realm="UserNetSlave1ManagementRealm"/> </domain-controller> |
slave1: mgmt-users.properties | master=... #encryptedPasswd2 |
Now, in order for "master" and "slave1" to communicate via the management interfaces, each host must provide a secret value in <server-identities>. For example, for slave1 the following must be present in host-slave.xml:
<security-realm name="UserNetSlave1ManagementRealm">
<server-identities>
<secret value="..." /> <!-- #encryptedPasswd1 -->
</server-identities>
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
</security-realm>
But as you can see in the table above, I haven't placed any secret value in my host-slave.xml, and still slave1 successfully registered in the domain and I can see its nodes in the JBoss admin console. This tells me that my management interfaces are still not secured, although I've specified authentication via properties files for these interfaces.
Can anyone tell me what I'm doing wrong and what should be changed in order to enable authentication for management interfaces?
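
The realm wiring described in the post can be checked statically. The following is an added example, not part of the original post or of JBoss: the function name `audit_host_xml` is hypothetical, and the sample input is constructed from the host-slave.xml fragment above wrapped in a `<host>` root. It reports management interfaces whose realm is missing or has no `<authentication>`, and a `<domain-controller>` `<remote>` whose realm has no `<server-identities>` secret.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the host-slave.xml fragment from the post, wrapped in a <host> root.
SLAVE_XML = """<host name="slave1">
 <management>
  <security-realms>
   <security-realm name="UserNetSlave1ManagementRealm">
    <authentication>
     <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
    </authentication>
   </security-realm>
  </security-realms>
  <management-interfaces>
   <native-interface security-realm="UserNetSlave1ManagementRealm">
    <socket interface="management" port="${jboss.management.native.port:9999}"/>
   </native-interface>
  </management-interfaces>
 </management>
 <domain-controller>
  <remote host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}"
          security-realm="UserNetSlave1ManagementRealm"/>
 </domain-controller>
</host>"""

def audit_host_xml(xml_text):
    """Return findings about management realm wiring in a host.xml document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace on the tags
    realms = {r.get("name"): r for r in root.iter("security-realm")}
    # (element, where its realm reference lives, what that realm must contain)
    checks = [(i, kind, "authentication")
              for kind in ("native-interface", "http-interface")
              for i in root.iter(kind)]
    checks += [(r, "domain-controller", "server-identities/secret")
               for dc in root.iter("domain-controller") for r in dc.findall("remote")]
    findings = []
    for el, where, required in checks:
        name = el.get("security-realm")
        if name is None:
            findings.append(f"{where}: no security-realm attribute")
        elif name not in realms:
            findings.append(f"{where}: realm '{name}' is not defined")
        elif realms[name].find(required) is None:
            findings.append(f"{where}: realm '{name}' lacks <{required}>")
    return findings

if __name__ == "__main__":
    for finding in audit_host_xml(SLAVE_XML):
        print(finding)
```

An empty result only means the XML is wired as the post describes; it does not show which authentication mechanism the running host actually negotiated.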