RCM JBOSS Security Settings.

Document ID : KB000050967
Last Modified Date : 14/02/2018

Description:

How to set the security settings for JBoss and RCM.

Solution:

Simple Security for JBOSS Web-Console

The web-console (http://localhost:8080/web-console/) is the default console that is available with the JBoss Application Server. It displays the various MBean services that are running in a JBoss Application Server instance. A user can get and set attributes and invoke operations on those services.

User / Password Authentication

To secure the web console with simple authentication, where the user/password and user/role mappings come from properties files, follow these steps:

  1. Locate the web-console.war directory under [RCM Install Folder]\eurekify-jboss\server\eurekify\deploy\management\console-mgr.sar\


  2. Edit the web.xml file under web-console.war/WEB-INF directory and uncomment the security constraint block as shown below:

    D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\management\console-mgr.sar\web-console.war\WEB-INF\web.xml

    <!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console. -->

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>JBossAdmin</role-name>
    </auth-constraint>
    </security-constraint>


  3. Edit the jboss-web.xml file under the web-console.war/WEB-INF directory and uncomment the security-domain element as shown below:

    D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\management\console-mgr.sar\web-console.war\WEB-INF\jboss-web.xml

    <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will need to edit the htmladaptor login configuration to setup the login modules used to authentication users. -->
    <security-domain>java:/jaas/web-console</security-domain>
    <!-- The war depends on the -->
    <depends>jboss.admin:service=PluginManager</depends>
    </jboss-web>

  4. Locate the two properties files called web-console-users.properties and web-console-roles.properties under [RCM Install Folder]\eurekify-jboss\server\eurekify\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes

  5. In the web-console-users.properties, you can add/change the userid/password combination.

  6. In the web-console-roles.properties, assign roles to the users you added or changed in step 4. Remember to add the JBossAdmin role to the users who will be using the jmx-console.

  7. Restart JBOSS Application Server.

Encrypting web-Console User Password

The login module has support for password hashing; rather than storing passwords in plain text, a one-way hash of the password is stored (using an algorithm such as MD5) in a similar fashion to the /etc/passwd file on a UNIX system. This has the advantage that anyone reading the hash won't be able to use it to log in. However, there is no way of recovering the password should the user forget it. To enable password hashing in the database example above, you would add the following module options to the login configuration:

<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">base64</module-option>

This indicates that we want to use MD5 hashes and use base64 encoding to convert the binary hash value to a string. JBoss will now calculate the hash of the supplied password using these options before authenticating the user.

Steps to Encrypt Password

  1. Locate login-config.xml file in [RCM Install Directory]\eurekify-jboss\server\eurekify\conf. Add password hashing module options in web-console policy.

    <!-- A template configuration for the web-console web application. This defaults to the UsersRolesLoginModule the same as other and should be changed to a stronger authentication mechanism as required. -->


    <application-policy name = "web-console">
    <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
    <module-option name="usersProperties">web-console-users.properties</module-option>
    <module-option name="rolesProperties">web-console-roles.properties</module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">base64</module-option>
    </login-module>
    </authentication>
    </application-policy>

  2. To hash the password, execute the following command from a command prompt on the RCM Server.

    For JBoss 4.x, the org.jboss.security.Base64Encoder class in jbosssx.jar is available to hash the password:
    java -cp "[RCM Install Folder]\eurekify-jboss\server\eurekify\lib\jbosssx.jar" org.jboss.security.Base64Encoder passwordvalue MD5

    For JBoss 5.x - change directory to "[RCM Install Folder]\eurekify-jboss\"
    java -cp client\jboss-logging-spi.jar;lib\jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule passwordvalue

    For more information please refer to the suitable section, based on the exact JBoss version you are using
    http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_Data_Source_Passwords.html

    Note: The above command returns the password hash value in square brackets. Discard the square brackets; they are not part of the password hash.

    Example:
    In the figure below, ISMvKXpXpadDiUoOSoAfww== is the hash of the password admin.

    Figure 1

  3. The web-console-users.properties file stores the user ID and password for each web-console user in Userid=password format. Locate the web-console-users.properties file in [RCM Install Folder]\eurekify-jboss\server\eurekify\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes and paste the password hash value for the corresponding user.

    Figure 2

  4. Restart JBOSS application Server.

Simple Security for JBOSS JMX-Console

The jmx-console (http://localhost:8080/jmx-console/) is the default console that is available with the JBoss Application Server. It displays the various MBean services that are running in a JBoss Application Server instance. A user can get and set attributes and invoke operations on those services.

User / Password Authentication

To secure the jmx console with simple authentication, where the user/password and user/role mappings come from properties files, follow these steps:

  1. Locate the jmx-console.war directory under
    [RCM Install Folder]\eurekify-jboss\server\eurekify\deploy directory.

  2. Edit the web.xml file under jmx-console.war/WEB-INF directory and uncomment the security constraint block as shown below:

    <!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console. -->

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>JBossAdmin</role-name>
    </auth-constraint>
    </security-constraint>

  3. Edit the jboss-web.xml file under the jmx-console.war/WEB-INF directory and uncomment the security-domain element as shown below:

    <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will need to edit the htmladaptor login configuration to setup the login modules used to authentication users. -->
    <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>

  4. Locate the two properties files called jmx-console-users.properties and jmx-console-roles.properties under
    [RCM Install Folder]\eurekify-jboss\server\eurekify\conf\props\

  5. In the jmx-console-users.properties, you can add/change the user/password combination.

  6. In the jmx-console-roles.properties, assign roles to the users you added or changed in step 4. Remember to add the JBossAdmin role to the users who will be using the jmx-console.

  7. Restart JBOSS Application Server.
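A way to confirm that steps 2 to 6 took effect for either console, as an added example that is not part of the original article or of JBoss or CA RCM: the Python check below parses the edited files and reports what is still missing. The function names and sample file contents are constructed for illustration; it also reports when the constraint lists http-method elements, because the servlet specification then applies the constraint only to those methods.

```python
import xml.etree.ElementTree as ET

def parse_props(text):
    """Parse name=value lines of a .properties file, skipping # comments."""
    rows = (l.split("=", 1) for l in text.splitlines()
            if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in rows}

def console_findings(web_xml, jboss_web_xml, users, roles, role="JBossAdmin"):
    """Return the problems found; an empty list means steps 2-6 are in effect."""
    found = []
    # ElementTree discards XML comments, so a block that is still commented
    # out is absent from the parsed tree. "{*}" matches with or without a namespace.
    active = [c for c in ET.fromstring(web_xml).findall("{*}security-constraint")
              if role in [(r.text or "").strip()
                          for r in c.findall("{*}auth-constraint/{*}role-name")]]
    if not active:
        found.append("web.xml: no active security-constraint for " + role)
    for c in active:
        methods = [m.text for m in c.findall("{*}web-resource-collection/{*}http-method")]
        if methods:  # per the servlet spec, listed methods narrow the constraint
            found.append("web.xml: constraint covers only " + ", ".join(methods))
    domain = ET.fromstring(jboss_web_xml).findtext("{*}security-domain") or ""
    if not domain.strip():
        found.append("jboss-web.xml: security-domain is not active")
    granted = parse_props(roles)
    for user in parse_props(users):
        if role not in [r.strip() for r in granted.get(user, "").split(",")]:
            found.append(user + ": not assigned " + role)
    return found

# Constructed sample inputs (not taken from a real installation).
WEB_XML_COMMENTED = "<web-app><!-- <security-constraint/> --></web-app>"
WEB_XML_ACTIVE = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint></web-app>"""
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
USERS = "admin=constructed-value\nops=constructed-value\n"
ROLES = "admin=JBossAdmin,Auditor\n"

if __name__ == "__main__":
    for finding in console_findings(WEB_XML_ACTIVE, JBOSS_WEB, USERS, ROLES):
        print(finding)
```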

Encrypting JMX-Console User Password

The login module has support for password hashing. Rather than storing passwords in plain text, a one-way hash of the password is stored (using an algorithm such as MD5) in a similar fashion to the /etc/passwd file on a UNIX system. This has the advantage that anyone reading the hash won't be able to use it to log in. However, there is no way of recovering the password should the user forget it. To enable password hashing in the database example above, you would add the following module options to the login configuration:

<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">base64</module-option>

This indicates that we want to use MD5 hashes and use base64 encoding to convert the binary hash value to a string. JBoss will now calculate the hash of the supplied password using these options before authenticating the user.

Steps to Encrypt Password

  1. Locate login-config.xml file in [RCM Install Directory]\eurekify-jboss\server\eurekify\conf. Add password hashing module options in jmx-console policy.

    <!-- A template configuration for the jmx-console web application. This defaults to the UsersRolesLoginModule the same as other and should be changed to a stronger authentication mechanism as required. -->
    <application-policy name = "jmx-console">
    <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
    <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
    <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">base64</module-option>
    </login-module>
    </authentication>
    </application-policy>

  2. To hash the password, execute the following command from a command prompt on the RCM Server.

    For JBoss 4.x, the org.jboss.security.Base64Encoder class in jbosssx.jar is available to hash the password:
    java -cp "[RCM Install Folder]\eurekify-jboss\server\eurekify\lib\jbosssx.jar" org.jboss.security.Base64Encoder passwordvalue MD5

    For JBoss 5.x - change directory to "[RCM Install Folder]\eurekify-jboss\"
    java -cp client\jboss-logging-spi.jar;lib\jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule passwordvalue

    For more information please refer to the suitable section, based on the exact JBoss version you are using:
    http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_Data_Source_Passwords.html

    Note: The above command returns the password hash value in square brackets. Discard the square brackets; they are not part of the password hash.

    Example:
    In the figure below, ISMvKXpXpadDiUoOSoAfww== is the hash of the password admin.

    Figure 3

  3. The jmx-console-users.properties file stores the user ID and password for each jmx-console user in Userid=password format. Locate the jmx-console-users.properties file in [RCM Install Folder]\eurekify-jboss\server\eurekify\conf\props\ and paste the password hash value for the corresponding user.

    Figure 4

  4. Restart JBOSS application Server.
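The value stored for hashAlgorithm=MD5 with hashEncoding=base64 can be reproduced and checked outside JBoss. The following Python code is an added example, not part of the original article or of JBoss; it applies to both the web-console and the jmx-console users files, assumes UTF-8 password encoding, and uses a constructed sample file. It also lists users whose entry is still clear text, since those entries no longer match once JBoss hashes the supplied password before comparing.

```python
import base64
import binascii
import hashlib

def jboss_hash(password, algorithm="MD5", charset="utf-8"):
    """Base64 of the digest, the form stored when hashEncoding=base64."""
    digest = hashlib.new(algorithm.lower(), password.encode(charset)).digest()
    return base64.b64encode(digest).decode("ascii")

def looks_hashed(value, algorithm="MD5"):
    """True if value is valid base64 that decodes to one digest length."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == hashlib.new(algorithm.lower()).digest_size

def clear_text_users(properties_text, algorithm="MD5"):
    """User ids whose stored value is not a digest, i.e. still clear text."""
    flagged = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, value = line.split("=", 1)
        if not looks_hashed(value.strip(), algorithm):
            flagged.append(user.strip())
    return flagged

# Constructed sample file; the first value is the article's own example hash.
USERS = """# web-console-users.properties (constructed sample)
admin=ISMvKXpXpadDiUoOSoAfww==
operator=ChangeMe123
"""

if __name__ == "__main__":
    print(jboss_hash("admin"))
    print(clear_text_users(USERS))
```

The digest is unsalted, so two users with the same password store the same value.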

Encrypting RCM Data Source Password

The CA RCM application uses four databases:

  1. Eurekify_sdb : RCM User, role, resource configuration database
  2. WPDS : RCM Workpoint Workflow database
  3. Eurekify_Ticketdb : RCM Ticket database
  4. Eurekify_Reportdb : RCM Report Database

For the CA RCM application, the JBoss datasource XML configuration files are used to configure datasources. The datasource configuration files, whose names end with the suffix -ds.xml, are located under:

[RCM Install Folder]\eurekify-jboss\server\eurekify\deploy\

  1. eurekify-ds.xml: DS configuration for eurekify_sdb and eurekify_ticketdb database
  2. reportdb-ds.xml: DS configuration for eurekify_reportdb database
  3. wp-ds.xml : DS Configuration WPDS (Workpoint) database

By default, all DS configuration files are configured to hold the database password in plain text. The org.jboss.resource.security.SecureIdentityLoginModule can be used to encrypt database passwords rather than using clear text passwords in the datasource configuration. It uses a hard-coded password to encrypt/decrypt the datasource password.

The following are the high-level steps to configure JBoss to use an encrypted datasource password:

  1. Create a policy for each datasource in the login-config.xml file. The policy holds the login module, UserName, encrypted password and Managedconnection parameter for each data source.
  2. Use this policy as the security domain in the corresponding datasource configuration file.

Note : The example below uses MSSQL server as RCM database.

Using Encrypted Datasource password for RCM Databases

  1. Locate login-config.xml file under: [RCM Install Directory]\eurekify-jboss\server\eurekify\conf
  2. Add the policies from the attached file (eurekifyDA_Login-config.xml) at the end of the login-config.xml configuration file, before the </policy> XML tag.
  3. Modify eurekify-ds.xml: In the eurekify-ds.xml file, comment out the User Name and Password XML tags and add a Security-Domain entry for the eurekify_sdb and eurekify_ticketdb databases.
    *Note: Remember to change the clear text password in the commented out sections.

    For eurekify_sdb:
    <security-domain>eurekify_SDB</security-domain>

    For eurekify_ticketdb:
    <security-domain>eurekify_TicketDB</security-domain>

    The eurekify-ds.xml file should look like the attached file.

  4. Modify reportdb-ds.xml: In the reportdb-ds.xml file, comment out the User Name and Password XML tags and add a Security-Domain entry for the eurekify_reportdb database.

    <security-domain>eurekify_ReportDB</security-domain>

    The reportdb-ds.xml file should look like the attached file.

  5. Modify wp-ds.xml: In the wp-ds.xml file, comment out the User Name and Password XML tags and add a Security-Domain entry for the WPDS database.

    <security-domain>eurekify_WP</security-domain>

    The wp-ds.xml file should look like the attached file.

Encrypting data source password

1. To encrypt the password using the org.jboss.resource.security.SecureIdentityLoginModule class, execute the following command on the eurekify application server.

Where:

[eurekify_Install_Folder] : eurekify application install folder.

Password : password value

java -cp "[eurekify_Install_Folder]\eurekify-jboss\lib\jboss-common.jar";"[eurekify_Install_Folder]\eurekify-jboss\lib\jboss-jmx.jar";"[eurekify_Install_Folder]\eurekify-jboss\server\eurekify\lib\jbosssx.jar";"[eurekify_Install_Folder]\eurekify-jboss\server\eurekify\lib\jboss-jca.jar" org.jboss.resource.security.SecureIdentityLoginModule password

java -cp "D:\Program Files\CA\RCM\Server\eurekify-jboss\lib\jboss-common.jar";"D:\Program Files\CA\RCM\Server\eurekify-jboss\lib\jboss-jmx.jar";"D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\lib\jbosssx.jar";"D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\lib\jboss-jca.jar" org.jboss.resource.security.SecureIdentityLoginModule password

2. Paste the encrypted password value inside the <module-option name="password"></module-option> tag for each database policy.
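One way to check the result of the datasource changes above, as an added example rather than code from the article or from CA RCM: the Python check below reports datasources that still carry a clear-text password element, have no security-domain, name a security-domain with no matching application-policy in login-config.xml, or keep a password inside a commented-out block. The sample XML is constructed, and the element names other than security-domain and application-policy (local-tx-datasource, jndi-name, user-name, password) are assumed from the usual JBoss *-ds.xml layout.

```python
import re
from xml.dom import minidom

# Matches a non-empty <password> element inside commented-out XML.
COMMENTED_PASSWORD = re.compile(r"<password>\s*[^<\s][^<]*</password>", re.I)

def policy_names(login_config_xml):
    """Names of the <application-policy> entries in login-config.xml."""
    doc = minidom.parseString(login_config_xml)
    return {p.getAttribute("name") for p in doc.getElementsByTagName("application-policy")}

def child_text(node, tag):
    """Stripped text of the first direct child element named tag, or ''."""
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE and child.tagName == tag:
            return "".join(t.data for t in child.childNodes
                           if t.nodeType == t.TEXT_NODE).strip()
    return ""

def datasource_findings(ds_xml, policies):
    """Return (jndi-name, problem) pairs for one *-ds.xml document."""
    findings = []
    for ds in minidom.parseString(ds_xml).documentElement.childNodes:
        if ds.nodeType != ds.ELEMENT_NODE:
            continue
        name = child_text(ds, "jndi-name")
        domain = child_text(ds, "security-domain")
        if child_text(ds, "password"):
            findings.append((name, "clear-text password element"))
        if not domain:
            findings.append((name, "no security-domain"))
        elif domain not in policies:
            findings.append((name, "no application-policy named " + domain))
        if any(c.nodeType == c.COMMENT_NODE and COMMENTED_PASSWORD.search(c.data)
               for c in ds.childNodes):
            findings.append((name, "password left in a commented-out block"))
    return findings

# Constructed samples (not the attached files from the article).
LOGIN_CONFIG = '<policy><application-policy name="eurekify_SDB"/></policy>'
DS_XML = """<datasources>
  <local-tx-datasource><jndi-name>sdb</jndi-name>
    <!-- <user-name>rcm</user-name> <password>Constructed1</password> -->
    <security-domain>eurekify_SDB</security-domain>
  </local-tx-datasource>
  <local-tx-datasource><jndi-name>ticketdb</jndi-name>
    <user-name>rcm</user-name> <password>Constructed1</password>
  </local-tx-datasource>
</datasources>"""
```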

File Attachments:
TEC535784.zip