4 Replies Latest reply on Dec 17, 2012 6:14 AM by Valentin Kovalenko

    Can't secure management interfaces in JBoss AS 7.1

    Valentin Kovalenko Newbie

      I have a domain controller (host "master" in /usr/jb-master/domain/configuration/host-master.xml) and a slave host controller (host "slave1" in /usr/jb-slave1/domain/configuration/host-slave.xml) on the same machine but in different JBoss AS installations (see defferent paths /usr/jb-master and /usr/jb-slave1). I try to secure management interfaces of both master and slave1 hosts with properties authentication as described in Securing the Management Interfaces.

       

      So I've configured <management-interfaces> as follows:

       

      file name
      text from file
      host-master.xml

          <management>

              <security-realms>

                  <security-realm name="UserNetManagementRealm">

                      <authentication>

                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>

                      </authentication>

                  </security-realm>

                  <security-realm name="UserNetApplicationRealm">

                      <authentication>

                           <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />

                      </authentication>

                  </security-realm>

              </security-realms>

              <management-interfaces>

                  <native-interface security-realm="UserNetManagementRealm">

                      <socket interface="management" port="${jboss.management.native.port:9999}"/>

                  </native-interface>

                  <http-interface security-realm="UserNetManagementRealm">

                      <socket interface="management" port="${jboss.management.http.port:9990}"/>

                  </http-interface>

              </management-interfaces>

          </management>

      master: mgmt-users.properties

      admin=...

      slave1=... #encryptedPasswd1

      host-slave.xml

          <management>

              <security-realms>

                  <security-realm name="UserNetSlave1ManagementRealm">

                      <authentication>

                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>

                      </authentication>

                  </security-realm>

                  <security-realm name="UserNetApplicationRealm">

                      <authentication>

                          <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />

                      </authentication>

                  </security-realm>

              </security-realms>

              <management-interfaces>

                  <native-interface security-realm="UserNetSlave1ManagementRealm">

                      <socket interface="management" port="${jboss.management.native.port:9999}"/>

                  </native-interface>

              </management-interfaces>

          </management>

       

          <domain-controller>

             <remote host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}" security-realm="UserNetSlave1ManagementRealm"/>

          </domain-controller>

      slave1: mgmt-users.propertiesmaster=... #encryptedPasswd2

       

      Now in order to "master" and "slave1" could communicate via management interfaces each host must provide a secret value in <server-identities>. For example for slave1 in host-slave.xml must be presented:

                  <security-realm name="UserNetSlave1ManagementRealm">

                  <server-identities>

                     <secret value="..." /> <!-- #encryptedPasswd1 -->

                  </server-identities>

                      <authentication>

                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>

                      </authentication>

                  </security-realm>

      But as you can see in the table above, I haven't placed any secret value in my host-slave.xml, and still slave1 successfully registered in the domain and I can see its nodes in the JBoss admin console. This tells me that my management interfaces are still not secured, although I've specified authentication via properties files for this interfaces.

       

      Can anyone tell me what I'm doing wrong and what should be changed in order to enable authentication for management interfaces?