
Saturday, August 14, 2010

Securing JBOSS JMX and Web Console


After installing the JBOSS Application Server, the JMX console can be accessed by anybody without providing a username or password. This is a big security risk, because anybody can make changes through the JMX and web consoles. Basic username/password security for the JBOSS JMX and web consoles can be set up by performing the following steps on the JBOSS Application Server.
1. Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add JMX console users. Replace "all" with your JBOSS profile name. The syntax for adding a user is username=password. By default this file contains the user admin with the password admin.
Ex: sysadmin=Password007 (this creates a new JMX and web console user "sysadmin" with the password "Password007").
2. To give the newly created user admin privileges on the JMX and web consoles, edit the jmx-console-roles.properties file in the $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin.
Ex: sysadmin=JBossAdmin (this gives the sysadmin user admin privileges on the JMX and web consoles).
3. Edit the $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file and uncomment the security-domain element as shown below.

<jboss-web>
   <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
4. Edit the $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml file and uncomment the security-constraint element as shown below.

<security-constraint>
   <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>
         An example security config that only allows
         users with the role JBossAdmin to access the
         HTML JMX console web application
      </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>JBossAdmin</role-name>
   </auth-constraint>
</security-constraint>
5. The location, path or name of the users and roles configuration files (jmx-console-users.properties and jmx-console-roles.properties) can be changed by editing the $JBOSS_HOME/server/all/conf/login-config.xml file. A sample configuration is given below.

<application-policy name="jmx-console">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
         flag="required">
         <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
         <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
   </authentication>
</application-policy>
6. Edit the $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml file and uncomment the security-domain element as shown below.

<jboss-web>
   <security-domain>java:/jaas/web-console</security-domain>
   <depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
7. Edit the $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml file and uncomment the security-constraint element as shown below.

<security-constraint>
   <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>
         An example security config that only allows
         users with the role JBossAdmin to access the
         HTML JMX console web application
      </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>JBossAdmin</role-name>
   </auth-constraint>
</security-constraint>
8. Restart JBOSS.
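A small audit script for the four files edited in the steps above, added here as an example; it is not code from the post or from JBoss. It parses the users and roles properties files and the two deployment descriptors, and reports anything left in the shipped, open state: the default admin/admin credential still present, a user without a role mapping, or a security-domain / security-constraint that was never uncommented. Because ElementTree drops XML comments while parsing, an element that is still commented out simply never appears in the tree, which is exactly the "forgot to uncomment it" mistake the script catches. The sample file contents at the bottom are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Credential shipped in jmx-console-users.properties; the steps above replace it.
DEFAULT_CREDENTIALS = {("admin", "admin")}


def parse_properties(text):
    """key=value lines; '#' starts a comment, blank lines are ignored."""
    lines = (l.split("#", 1)[0] for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def _local(tag):
    """Drop a namespace prefix such as '{http://java.sun.com/xml/ns/j2ee}' if present."""
    return tag.rsplit("}", 1)[-1]


def _find(node, name):
    """All elements under node (node included) whose local tag name is `name`."""
    return [e for e in node.iter() if _local(e.tag) == name]


def audit_jmx_console(users_text, roles_text, jboss_web_xml, web_xml,
                      domain="java:/jaas/jmx-console", admin_role="JBossAdmin"):
    """Return a list of findings; an empty list means the setup matches the steps."""
    findings = []
    users = parse_properties(users_text)
    roles = parse_properties(roles_text)

    if not users:
        findings.append("users file: no users defined, nobody can log in")
    for user, password in users.items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"users file: default credential {user}/{password} still present")
        if user not in roles:
            findings.append(f"roles file: user {user} has no role entry and will be denied")
    for user in roles:
        if user not in users:
            findings.append(f"roles file: role mapping for unknown user {user}")

    # A commented-out <security-domain> is invisible to the parser, so "missing" covers it.
    domains = _find(ET.fromstring(jboss_web_xml), "security-domain")
    if not domains:
        findings.append("jboss-web.xml: security-domain missing or still commented out")
    elif (domains[0].text or "").strip() != domain:
        findings.append(f"jboss-web.xml: security-domain is {domains[0].text!r}, expected {domain!r}")

    constraints = _find(ET.fromstring(web_xml), "security-constraint")
    if not constraints:
        findings.append("web.xml: security-constraint missing or still commented out")
    else:
        patterns = {(p.text or "").strip() for c in constraints for p in _find(c, "url-pattern")}
        role_names = {(r.text or "").strip() for c in constraints for r in _find(c, "role-name")}
        if "/*" not in patterns:
            findings.append("web.xml: no security-constraint covers url-pattern /*")
        if admin_role not in role_names:
            findings.append(f"web.xml: auth-constraint does not require the {admin_role} role")
    return findings


# Constructed sample files: the shipped, open state and the hardened state.
USERS_BEFORE = "admin=admin\n"
ROLES_BEFORE = "admin=JBossAdmin\n"
JBOSS_WEB_BEFORE = """<jboss-web>
  <!-- <security-domain>java:/jaas/jmx-console</security-domain> -->
</jboss-web>"""
WEB_BEFORE = """<web-app>
  <!-- <security-constraint> (still commented out) </security-constraint> -->
</web-app>"""

USERS_AFTER = "sysadmin=Password007\n"
ROLES_AFTER = "sysadmin=JBossAdmin\n"
JBOSS_WEB_AFTER = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""
WEB_AFTER = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    print("shipped :", audit_jmx_console(USERS_BEFORE, ROLES_BEFORE, JBOSS_WEB_BEFORE, WEB_BEFORE))
    print("hardened:", audit_jmx_console(USERS_AFTER, ROLES_AFTER, JBOSS_WEB_AFTER, WEB_AFTER) or "ok")
```

To run it against a real profile, read the four files from $JBOSS_HOME/server/<profile>/conf/props and the jmx-console.war/WEB-INF directory and pass their contents in; the same function checks web-console.war if you pass domain="java:/jaas/web-console".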

Enabling HTTPS Support in JBOSS


Perform the following steps to enable HTTPS support in JBOSS:
1. Execute the following command to generate the keystore holding the RSA key pair (stored together with a self-signed certificate) used for HTTPS:
/usr/java/jdk1.5.0_14/bin/keytool -genkey -keyalg RSA -keystore jboss.keystore -validity 3650
2. The command will ask for some information such as your name, company, country etc. Provide the information, the keystore password and the key password for the key alias mykey. The command creates a file named jboss.keystore in your current working directory.
3. Copy the keystore file to $JBOSS_HOME/server/all/conf/ folder.
4. Edit the $JBOSS_HOME/server/all/deploy/jboss-web.deployer/server.xml file and uncomment the SSL/TLS Connector section. Also update the keystore file location and keystore password in server.xml as shown below.

<Connector port="8443" address="${jboss.bind.address}"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false"
   keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore"
   keystorePass="server" sslProtocol = "TLS" />

5. Restart JBOSS.
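A check for the connector configured in step 4, added here as an example and not code from the post or from JBoss. It parses server.xml, selects the Connector(s) with scheme="https", expands the ${jboss.server.home.dir} placeholder in keystoreFile from a property map you supply, and reports what a reviewer would look for: a keystore that does not exist, a keystore readable by other local users (it holds the TLS private key), a keystore password left at a well-known sample value (the walkthrough's "server" is treated as one; "changeit" is the JDK cacerts default), or sslProtocol not set to TLS. The server.xml fragment, the property map and the placeholder keystore file in the temporary directory are all constructed for the demonstration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Sample/tutorial passwords that must not survive into production.
SAMPLE_PASSWORDS = {"server", "changeit", "password"}


def expand(value, props):
    """Expand ${name} references using the given property values."""
    for name, val in props.items():
        value = value.replace("${" + name + "}", val)
    return value


def check_https_connector(server_xml, props):
    """Return a list of findings for every scheme="https" Connector in server_xml."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not connectors:
        return ['no Connector with scheme="https" found (is the section still commented out?)']
    findings = []
    for c in connectors:
        port = c.get("port", "?")
        if c.get("secure") != "true":
            findings.append(f'port {port}: secure is not "true"')
        if c.get("sslProtocol") != "TLS":
            findings.append(f"port {port}: sslProtocol is {c.get('sslProtocol')!r}, expected TLS")
        if c.get("keystorePass", "") in SAMPLE_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a well-known sample value")
        keystore = expand(c.get("keystoreFile", ""), props)
        if not keystore or not os.path.isfile(keystore):
            findings.append(f"port {port}: keystoreFile {keystore!r} does not exist")
        elif stat.S_IMODE(os.stat(keystore).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"port {port}: keystore {keystore} is readable by group/others; chmod 600 it")
    return findings


# Constructed server.xml fragment: the connector from step 4 next to the plain HTTP one.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" maxThreads="250" />
    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore"
        keystorePass="server" sslProtocol = "TLS" />
  </Service>
</Server>"""


def run_demo():
    """Build a throw-away server home with a placeholder keystore and check the
    sample connector twice: keystore at mode 0600, then world-readable."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "conf"))
    keystore = os.path.join(home, "conf", "jboss.keystore")
    with open(keystore, "wb") as f:
        f.write(b"placeholder, not a real JKS keystore")  # constructed content
    props = {"jboss.server.home.dir": home}
    os.chmod(keystore, 0o600)
    strict = check_https_connector(SAMPLE_SERVER_XML, props)
    os.chmod(keystore, 0o644)
    loose = check_https_connector(SAMPLE_SERVER_XML, props)
    return strict, loose


if __name__ == "__main__":
    strict, loose = run_demo()
    print("keystore mode 0600:", strict)
    print("keystore mode 0644:", loose)
```

Against a real installation, pass the contents of server.xml and a map with jboss.server.home.dir set to $JBOSS_HOME/server/<profile>; the keystore password must match the one given to keytool, so changing it in server.xml alone is not enough.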

How To configure a JBOSS Cluster


To accomplish failover and load balancing, we can either use a hardware-based load balancer or Apache with the JK module. Here I am going to explain how to configure a JBOSS cluster using Apache and the JK module.
We require two different servers running the JBOSS Application Server. The Apache HTTP server can be installed on either of the JBOSS servers, or on a separate server.
Make sure that the following application packages are installed and configured on the Apache httpd server:
  1. Apache httpd server 2.0.x
  2. mod_jk Apache module 1.2.26
Installation and configuration of the Apache httpd server:
1. Install the Apache httpd server using up2date or yum, or download the packages and install them manually. We can also download the source code and compile the packages. (Installing the Zend Core for Oracle software is a good idea as it installs the Apache HTTP server with almost all the modules except the JK module.)
2. Verify that the JK module is installed. If it is, you will see the file mod_jk.so in the /etc/httpd/modules folder, provided the HTTP server is installed in /etc/httpd.
3. Load the JK module in the Apache httpd server's configuration file by adding the following line to /etc/httpd/conf/httpd.conf:
LoadModule jk_module modules/mod_jk.so
4. Append the following line to the end of the /etc/httpd/conf/httpd.conf file:
Include conf/modjk.conf
5. Create a file named /etc/httpd/conf/modjk.conf and add the following contents:
JkLogFile logs/modjk.log
JkLogLevel info
JkWorkersFile conf/jkworkers.properties
JkMountFile conf/jkmount.properties
<Location /jkstatus/>
   JkMount jkstatus
   Order deny,allow
   Allow from all
</Location>
6.   Create a file named /etc/httpd/conf/jkworkers.properties and add the following lines:
worker.list=jboss,jkstatus
# Entries for 1st node
worker.node1.type=ajp13
worker.node1.host=10.154.2.202 ## IP address of 1st node
worker.node1.port=8009
worker.node1.lbfactor=1
worker.node1.disabled=false
worker.node1.socket_timeout=10
worker.node1.connect_timeout=20000
# Entries for 2nd node
worker.node2.type=ajp13
worker.node2.host=10.154.2.186 ## IP address of 2nd node
worker.node2.port=8009
worker.node2.lbfactor=1
worker.node2.disabled=false
worker.node2.socket_timeout=10
worker.node2.connect_timeout=20000
#Load Balancer
worker.jboss.type=lb
worker.jboss.balance_workers=node1,node2
worker.jboss.sticky_session=true
worker.jboss.sticky_session_force=false
worker.jboss.method=R
worker.jboss.lock=P
worker.jkstatus.type=status
7. Create the file /etc/httpd/conf/jkmount.properties and add the following contents:
/jmx-console*=jboss
/application/*=jboss ## Add your application URL, i.e. if you access the application as http://jbossserver:8080/myapp then add /myapp/*=jboss.
8. Restart the httpd server.
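A validator for the two files created in steps 6 and 7, added here as an example; it is not code from the post or from the mod_jk project. It parses jkworkers.properties (worker.<name>.<attribute>=value) and jkmount.properties (/pattern=worker), stripping trailing `#` comments the way the sample files use them, and checks that every worker named in worker.list and every balancer member is declared and complete, and that every mount points at a listed worker. It also flags two exposures a reviewer would raise against the configuration above: the /jmx-console* mount publishes the JMX console through the Apache front end, and the jkstatus worker is reachable under an "Allow from all" Location. The embedded file contents are a trimmed copy of the sample files above.

```python
def parse_properties(text):
    """key=value lines; '#' starts a comment, trailing comments included."""
    lines = (l.split("#", 1)[0] for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_workers(text):
    """Return (worker.list as a list, {worker name: {attribute: value}})."""
    props = parse_properties(text)
    worker_list = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    workers = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return worker_list, workers


def validate(workers_text, mounts_text):
    """Return findings prefixed 'error:' (broken config) or 'warning:' (exposure)."""
    findings = []
    worker_list, workers = parse_workers(workers_text)
    for name in worker_list:
        if name not in workers:
            findings.append(f"error: worker.list names undefined worker {name}")
        elif workers[name].get("type") == "status":
            findings.append(f"warning: status worker {name} is reachable; limit its <Location> "
                            "to administrative addresses instead of 'Allow from all'")
    for name, attrs in workers.items():
        if attrs.get("type") != "lb":
            continue
        for member in (m.strip() for m in attrs.get("balance_workers", "").split(",")):
            node = workers.get(member)
            if node is None:
                findings.append(f"error: balancer {name} references undefined worker {member}")
            elif node.get("type") != "ajp13":
                findings.append(f"error: balancer member {member} is not an ajp13 worker")
            else:
                for required in ("host", "port"):
                    if required not in node:
                        findings.append(f"error: worker {member} has no {required}")
    for pattern, worker in parse_properties(mounts_text).items():
        if worker not in worker_list:
            findings.append(f"error: mount {pattern} uses worker {worker}, which is not in worker.list")
        if pattern.startswith(("/jmx-console", "/web-console")):
            findings.append(f"warning: mount {pattern} publishes a management console through Apache; "
                            "serve it only on the internal address or remove the mount")
    return findings


# Trimmed copy of the two sample files above, embedded as input for the demonstration.
WORKERS = """worker.list=jboss,jkstatus
# Entries for 1st node
worker.node1.type=ajp13
worker.node1.host=10.154.2.202 ## IP address of 1st node
worker.node1.port=8009
worker.node1.lbfactor=1
# Entries for 2nd node
worker.node2.type=ajp13
worker.node2.host=10.154.2.186 ## IP address of 2nd node
worker.node2.port=8009
worker.node2.lbfactor=1
# Load balancer
worker.jboss.type=lb
worker.jboss.balance_workers=node1,node2
worker.jboss.sticky_session=true
worker.jkstatus.type=status
"""
MOUNTS = """/jmx-console*=jboss
/myapp/*=jboss
"""

if __name__ == "__main__":
    for finding in validate(WORKERS, MOUNTS):
        print(finding)
```

The balancer member names (node1, node2) matter beyond this file: with sticky sessions enabled, mod_jk routes a request by the jvmRoute suffix of its session id, so each node's jvmRoute set in the JBOSS node configuration must equal its worker name here.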
The next step is to configure the JBOSS nodes.
1. Copy server/all to server/nodex.
2. To differentiate between the JBOSS server instances, add the jvmRoute attribute (syntax jvmRoute="nodeX") to the Engine element in the file $JBOSS_HOME/server/nodex/deploy/jboss-web.deployer/server.xml by making the following change:
Locate the line which contains the following
<Engine name="jboss.web" defaultHost="localhost">
Change it to the following
<Engine name="jboss.web" defaultHost="localhost" jvmRoute="nodeX">
3. Enable JK by editing the $JBOSS_HOME/server/nodex/deploy/jboss-web.deployer/META-INF/jboss-service.xml file as follows:
Locate the line which contains the following
<attribute name="UseJK">false</attribute>
Change the attribute value to true as follows:
<attribute name="UseJK">true</attribute>
4. Repeat steps 1, 2 and 3 for all the nodes. Replace nodex with the appropriate node number, i.e. node1, node2 etc.
5. Restart the JBOSS application server with the appropriate profile, i.e. node1, node2 etc.
Deploying Web Applications:
Deploy all the applications in the server/profile/farm folder, replacing profile with the appropriate profile, i.e. node1, node2 etc. Once the application is deployed on any node in the cluster, the farm service will copy the war file to the other nodes and automatically deploy the application on all of them.
Accessing the Web Applications:
The application can be accessed directly through the Apache HTTP server URL, i.e. http://httpserver/application. Replace httpserver with the domain name or IP address of the HTTP server and application with the application you configured in the jkmount.properties file. No additional port number is required to access the web application; the JK module automatically forwards the request to the AJP port configured in jkworkers.properties on the JBOSS Application Server.