0 Replies Latest reply on Mar 25, 2015 3:15 PM by netsteven

    How to login to JBoss JMX platform MBean Server using LDAP as the authentication provider

    netsteven

      Hello everyone,


      I am trying to use JConsole to securely (and remotely) connect to the JBoss platform MBean server; in the meantime, I must also use an external LDAP server as the authentication service provider. I am using JBoss 7.1.1 in standalone mode. I could not get it working. Here is how I did it.


      1) Confirm that, after setting "com.sun.management.jmxremote.authenticate=false", I could log in from JConsole remotely to {host}:{port}. All the related configuration goes into the standalone.conf file, such as the following:


      set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote"

      set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.port=8089"

      set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl=false"

      rem set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=false"


      set "JAVA_OPTS=%JAVA_OPTS% -Djava.util.logging.manager=org.jboss.logmanager.LogManager"

      set "JAVA_OPTS=%JAVA_OPTS% -Xbootclasspath/p:d:/J01/modules/org/jboss/logmanager/main/jboss-logmanager-1.2.2.GA.jar"

      set "JAVA_OPTS=%JAVA_OPTS% -Xbootclasspath/p:d:/J01/modules/org/jboss/logmanager/log4j/main/jboss-logmanager-log4j-1.0.0.GA.jar"

      set "JAVA_OPTS=%JAVA_OPTS% -Xbootclasspath/p:d:/J01/modules/org/apache/log4j/main/log4j-1.2.16.jar -Djboss.modules.system.pkgs=org.jboss.logmanager"


      2) I then add/modify the following:

      set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=true"

      set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.auth.login.config=ldap.config"

      set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.login.config=MgmtLdapConfig"


      The content of the ldap.config is something like this:

      MgmtLdapConfig {
          com.sun.security.auth.module.LdapLoginModule REQUIRED
              userProvider="ldaps://ahost:15636/ou=Users,ou=Management,ou=thing1,dc=thing2,dc=thing3,o=company"
              authIdentity="uid={USERNAME},ou=Users,ou=Management,ou=thing1,dc=thing2,dc=thing3,o=company"
              authzIdentity=controlRole
              useSSL=false
              debug=false;
      };


      This whole thing works for Tomcat and WebLogic, but not on JBoss and WebSphere. It sounded like for JBoss 7.1.1, "java.security.auth.login.config=ldap.config" is not even used. Anyway, the login does not work, and I got "unable to find LoginModule class: org.jboss.as.security.remoting.RemotingLoginModule".


      From scattered posts online, I feel like this use case has to be resolved in JBoss's security settings. In the standalone.xml file, one could set up security-realms (ManagementRealm, ApplicationRealm, etc.) to use LDAP authentication, and set up an outbound-connection for configuring the LDAP server connection. I made some attempts but didn't get any success.


      Does anyone have experience making such a use case work? How do I configure JBoss to at least hook up with a working LoginModule? In order to get the use case to work, is it a must to engage the security realm configuration?


      Thanks for any advice!


      Steven
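A small diagnostic that exercises the JAAS entry from the post (MgmtLdapConfig with com.sun.security.auth.module.LdapLoginModule) on a plain JDK, without JBoss or JMX in the loop, as an added example that is not part of the original post and not JBoss's own code. It lets you confirm that ldap.config is syntactically valid and that the LDAP bind succeeds for a given uid before blaming the JMX agent or the JBoss module loader. The class name JaasLoginCheck and the login(...) helper are assumptions introduced here; the entry name defaults to MgmtLdapConfig from the post.

```java
import java.io.Console;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Stand-alone check of a JAAS login entry (hypothetical helper, not JBoss code).
 * Run with: java -Djava.security.auth.login.config=ldap.config JaasLoginCheck MgmtLdapConfig
 */
public class JaasLoginCheck {

    /**
     * Runs the named JAAS entry with the supplied credentials and returns the
     * authenticated Subject. LdapLoginModule asks for the user name and password
     * through NameCallback and PasswordCallback, which this handler answers.
     */
    public static Subject login(String entryName, String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback type");
                }
            }
        };
        LoginContext lc = new LoginContext(entryName, handler);
        // Throws LoginException if the entry is missing from the config file,
        // the module class cannot be loaded, or the LDAP bind is rejected.
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) {
        String entry = args.length > 0 ? args[0] : "MgmtLdapConfig";
        Console console = System.console();
        if (console == null) {
            System.err.println("Run from an interactive terminal so the password is not echoed.");
            System.exit(2);
        }
        String user = console.readLine("LDAP user (uid): ");
        char[] pw = console.readPassword("Password: ");
        try {
            Subject subject = login(entry, user, pw);
            // On success the Subject carries the principals the module granted,
            // e.g. the authzIdentity (controlRole in the post's config).
            System.out.println("Login OK. Principals: " + subject.getPrincipals());
        } catch (LoginException e) {
            System.err.println("Login FAILED for entry '" + entry + "': " + e.getMessage());
            System.exit(1);
        } finally {
            Arrays.fill(pw, '\0'); // do not leave the password in memory longer than needed
        }
    }
}
```

Compile with `javac JaasLoginCheck.java` and run it with the same `-Djava.security.auth.login.config=ldap.config` value used in standalone.conf. Because this runs under the stock JDK rather than the JBoss launcher, a failure here points at the config file or the LDAP side (wrong DN template, unreachable host, rejected bind), whereas a clean login here combined with the "unable to find LoginModule class" error inside JBoss points at how the server wires JAAS, which is the part the security realm configuration governs.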