
Accessing JBoss Management Console over Https in JBossAS7.1.2

Hi,

In this demonstration we will see how to access the JBoss Management Console over HTTPS in a secured manner. Many production/secure environments require the Management Console to be reached over HTTPS so that the communication is SSL encrypted. So in this example we will see how to configure JBoss AS7.1.2 so that we can connect to the JBoss Management Console via SSL port 9991 (the management-console-https socket binding).

Step1). First of all we will create the security certificate with the help of the JDK-provided utility “keytool”, so make sure that the JDK’s bin directory is in your shell/command prompt's PATH variable as shown below (we are creating the “chap8.keystore” inside the “$JBOSS_HOME/standalone/configuration” directory):

[userone@localhost ~]$ cd /home/userone/jboss-as-7.1.2.Final/standalone/configuration/

[userone@localhost configuration]$ export PATH=/home/userone/MyJdks/jdk1.6.0_21/bin:$PATH

[userone@localhost configuration]$ keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8 -validity 3650 -dname "cn=chapter8 example,ou=admin book,dc=jboss,dc=org"

Step2). Make sure that JBoss AS7.1.2 is running. In our case we started JBossAS7.1.2 with the “standalone-full.xml” profile.

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml

Step3). Now we will configure the <server-identities> for the ManagementRealm by specifying the SSL information. We will use the following CLI commands in order to achieve this:

[userone@localhost bin]$ cd /home/userone/jboss-as-7.1.2.Final/bin

[userone@localhost bin]$ ./jboss-cli.sh -c --controller=localhost:9999
[standalone@localhost:9999 /] /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-password="rmi+ssl", keystore-path="chap8.keystore", keystore-relative-to="jboss.server.config.dir", alias="chapter8",protocol="TLSv1")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}


[standalone@localhost:9999 /] /socket-binding-group=standard-sockets/socket-binding=management-console-https/:add(port=9991,interface=management,fixed-port=false)
{
    "outcome" => "success",
    "response-headers" => {"process-state" => "reload-required"}
}


[standalone@localhost:9999 /] /core-service=management/management-interface=http-interface/:write-attribute(name=secure-socket-binding,value=management-console-https)
{
    "outcome" => "success",
    "response-headers" => {"process-state" => "reload-required"}
}


[standalone@localhost:9999 /] /core-service=management/management-interface=http-interface/:undefine-attribute(name=socket-binding)
{
    "outcome" => "success",
    "response-headers" => {"process-state" => "reload-required"}
}

Once the above CLI commands have executed successfully you will notice the following in your JBossAS 7.1.2 configuration file “standalone-full.xml”:


    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl protocol="TLSv1">
                        <keystore path="chap8.keystore" relative-to="jboss.server.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding https="management-console-https"/>
            </http-interface>
        </management-interfaces>
    </management>
    .
    .
    .
    .
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
         .
         .
        <socket-binding name="management-console-https" interface="management" port="9991" fixed-port="false"/>
         .
         .
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>

Step4). Now restart your JBoss AS 7.1.2 again as following:

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml

Step5). Now try to access the JBoss Management Console with the following URL:

https://localhost:9991/console

Achieving same in Domain Mode

In your “master” host’s “$JBOSS_HOME/domain/configuration/host.xml” you will need to define the tag as follows:

            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl protocol="TLSv1">
                        <keystore path="chap8.keystore" relative-to="jboss.domain.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
            </security-realm>

Alter the “http-interface” as following in the same “master” host.xml file.

        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket interface="management" secure-port="9991"/>
            </http-interface>
        </management-interfaces>

Or you can use the following command to achieve the same:

/host=master/core-service=management/management-interface=http-interface/:write-attribute(name=secure-port,value=9991)
/host=master/core-service=management/management-interface=http-interface/:undefine-attribute(name=port)

Restart JBoss EAP6 and then check the CONSOLE output to see if you find the following:

[Host Controller] 10:00:04,445 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015952: Admin console listening on https://127.0.0.1:9991

Thanks 🙂
MiddlewareMagic Team


Enabling SSL Communication for the Native Management Interface using CLI

Hi,

In this demonstration we will see how to configure the Native Management Interface to use SSL. Many production/secure environments require access to JBoss via the CLI utility over SSL so that the communication is SSL encrypted. So in this example we will see how to configure JBoss AS7.1.2 so that we can connect to it via SSL port 9443 (the management-https socket binding).

Step1). First of all we will create the security certificate with the help of the JDK-provided utility “keytool”, so make sure that the JDK’s bin directory is in your shell/command prompt's PATH variable as shown below (we are creating the “chap8.keystore” inside the “$JBOSS_HOME/standalone/configuration” directory):

[userone@localhost ~]$ cd /home/userone/jboss-as-7.1.2.Final/standalone/configuration/

[userone@localhost configuration]$ export PATH=/home/userone/MyJdks/jdk1.6.0_21/bin:$PATH

[userone@localhost configuration]$ keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8 -validity 3650 -dname "cn=chapter8 example,ou=admin book,dc=jboss,dc=org"

Step2). Make sure that JBoss AS7.1.2 is running. In our case we started JBossAS7.1.2 with the “standalone-full.xml” profile.

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml

Step3). Now we will configure the <server-identities> for the ManagementRealm by specifying the SSL information. We will use the following CLI commands in order to achieve this:

[userone@localhost bin]$ cd /home/userone/jboss-as-7.1.2.Final/bin

[userone@localhost bin]$ ./jboss-cli.sh -c --controller=localhost:9999

[standalone@localhost:9999 /] /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-password="rmi+ssl", keystore-path="chap8.keystore", keystore-relative-to="jboss.server.config.dir", alias="chapter8",protocol="TLSv1")


{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}


[standalone@localhost:9999 /] /core-service=management/management-interface=native-interface/:write-attribute(name=socket-binding,value=management-https)


{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

Once the above CLI commands have executed successfully you will notice the following in your JBossAS 7.1.2 configuration file “standalone-full.xml”:


    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl protocol="TLSv1">
                        <keystore path="chap8.keystore" relative-to="jboss.server.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-https"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
    </management>
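
As an added example (not part of the MiddlewareMagic posts and not JBoss code), the following Python script audits the <management> section that the two demonstrations above produce, from a defender's standpoint: it confirms that an SSL server identity exists, reports the pinned protocol (both posts pin TLSv1, which RFC 8996 has since deprecated in favour of TLS 1.2 and later), notes that the keystore password sits in clear text in the configuration file, and reports whether the console (http-interface) and the CLI (native-interface) are on a TLS socket binding. The two XML samples are constructed from the fragments shown above; judging a native binding as TLS from its name ending in "-https" is this script's heuristic, mirroring how the second post configures it, not something JBoss defines.

```python
"""Offline audit of the <management> section of a JBoss AS 7 standalone.xml.

Added example (not from the MiddlewareMagic posts or the JBoss project).
Element names are matched by local name, so the real file's
xmlns="urn:jboss:domain:*" does not get in the way.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the first post: console on management-console-https.
CONSOLE_HTTPS_XML = """<server xmlns="urn:jboss:domain:1.2">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <ssl protocol="TLSv1">
            <keystore path="chap8.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="rmi+ssl" alias="chapter8"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
      </native-interface>
      <http-interface security-realm="ManagementRealm">
        <socket-binding https="management-console-https"/>
      </http-interface>
    </management-interfaces>
  </management>
</server>"""

# Constructed sample modelled on the second post: CLI on management-https, console still HTTP.
NATIVE_HTTPS_XML = CONSOLE_HTTPS_XML.replace(
    '<socket-binding native="management-native"/>',
    '<socket-binding native="management-https"/>',
).replace(
    '<socket-binding https="management-console-https"/>',
    '<socket-binding http="management-http"/>',
)

# SSLv2/SSLv3 prohibited by RFC 6176 / RFC 7568, TLS 1.0/1.1 deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def _local(tag):
    """'{urn:jboss:domain:1.2}ssl' -> 'ssl'."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First element in the subtree (including elem) whose local name is `name`."""
    return next((e for e in elem.iter() if _local(e.tag) == name), None)


def _binding(interface, attr):
    """Value of <socket-binding attr="..."/> under a management interface, or None."""
    sb = _find(interface, "socket-binding") if interface is not None else None
    return sb.get(attr) if sb is not None else None


def audit_management(xml_text):
    """Return facts about the management config plus a list of issue strings."""
    root = ET.fromstring(xml_text)
    issues = []
    facts = {"issues": issues}

    ssl = _find(root, "ssl")
    facts["ssl_identity"] = ssl is not None
    if ssl is None:
        issues.append("ManagementRealm has no <ssl> server identity, so no interface can offer TLS")
    else:
        proto = ssl.get("protocol", "")
        facts["protocol"] = proto
        if proto in DEPRECATED_PROTOCOLS:
            issues.append(f"server identity pins deprecated protocol {proto}; prefer TLSv1.2 or later")
        keystore = _find(ssl, "keystore")
        if keystore is not None and keystore.get("keystore-password"):
            issues.append("keystore password is stored in clear text in the configuration file")

    http = _find(root, "http-interface")
    facts["console_https_binding"] = _binding(http, "https")
    facts["console_http_binding"] = _binding(http, "http")
    if facts["console_http_binding"]:
        issues.append("management console is served in clear text on socket binding "
                      + facts["console_http_binding"])

    native = _find(root, "native-interface")
    facts["native_binding"] = _binding(native, "native")
    # Heuristic of this example: the posts put TLS on the CLI by binding the native
    # interface to management-https, so a binding not named *-https is treated as clear text.
    if facts["native_binding"] and not facts["native_binding"].endswith("-https"):
        issues.append("native (CLI) interface is clear text on socket binding " + facts["native_binding"])
    return facts


if __name__ == "__main__":
    for label, text in (("console-https", CONSOLE_HTTPS_XML), ("native-https", NATIVE_HTTPS_XML)):
        result = audit_management(text)
        print(f"== {label}: {len(result['issues'])} issue(s)")
        for issue in result["issues"]:
            print("  -", issue)
```

Run it directly to print the findings for both samples, or pass the text of your own standalone.xml (or the master host.xml in domain mode) to audit_management(). Against the two samples it reports that the first post leaves the CLI in clear text and the second leaves the console in clear text, which is expected: each post secures only one interface, so a hardened server needs both changes.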

Step4). Now restart your JBoss AS 7.1.2 again as follows. The -Djavax.net.debug=all system property prints details about the SSL communication; we enable it only to verify whether the SSL configuration is working properly.

[userone@localhost bin]$ ./standalone.sh -c standalone-full.xml  -Djavax.net.debug=all

Step5). There is now a slight change in the way we connect to JBoss via the CLI: the connection happens via “management-https” (9443), as follows:

[userone@localhost bin]$ ./jboss-cli.sh -c --controller=localhost:9443
Unable to connect due to unrecognised server certificate
Subject    - CN=chapter8 example,OU=admin book,DC=jboss,DC=org
Issuer     - CN=chapter8 example, OU=admin book, DC=jboss, DC=org
Valid From - Sat Sep 15 20:13:01 IST 2012
Valid To   - Tue Sep 13 20:13:01 IST 2022
MD5 : 20:c7:41:56:34:c2:15:49:e3:95:84:ab:19:fc:1f:ca
SHA1 : c9:c0:b4:8b:82:18:6b:3d:35:c3:1e:26:7f:52:e5:8c:ab:93:35:78

Accept certificate? [N]o, [T]emporarily, [P]ermenantly : T
[standalone@localhost:9443 /] 

Thanks 🙂
MiddlewareMagic Team


How to generate JBossAS7 encrypted passwords programatically

Hi,

We have seen that using the “$JBOSS_HOME/bin/add-user.sh” script we can create Management and Application users. When we create users with “add-user.sh”, the credentials of a Management user are stored in “$JBOSS_HOME/standalone/configuration/mgmt-users.properties” and those of an Application user in “$JBOSS_HOME/standalone/configuration/application-users.properties”.

Just for awareness, in this article we are going to see how JBossAS7 actually encodes our passwords when we create a user using “$JBOSS_HOME/bin/add-user.sh”: which “hashAlgorithm” (MD5) and “hashEncoding” (hex) it uses. We will also see how we can easily create the encoded passwords programmatically.

We will look at this in more detail, so first we will proceed with creating the hashed password. Here we will write a simple program to “encrypt” the Management User’s password; note that the stored value is a hex-encoded MD5 digest, not a reversible encryption.

Program to Encrypt Management/Application User’s Password

Step1). Write the following program “EncryptPassword.java” inside your file system somewhere.


import org.jboss.crypto.CryptoUtil;

public class EncryptPassword
{
    public static void main(String ar[]) throws Exception
    {
        /*
           You will need the following JARs in your classpath in order to compile & run this program:
           export CLASSPATH=$JBOSS_HOME/modules/org/picketbox/main/picketbox-4.0.7.Final.jar:$JBOSS_HOME/bin/client/jboss-client.jar:$CLASSPATH:.:
        */

        /*
           JBossAS7 hashes passwords in the following format:
              HEX( MD5( username ':' realm ':' password))
        */
        if (ar.length != 3)
        {
            System.err.println("Usage: java EncryptPassword <userName> <realmName> <password>");
            System.exit(1);
        }

        String userName = ar[0];
        String realmName = ar[1];
        String password = ar[2];

        // The realm name is part of the digest input, so the same password hashes
        // differently for ManagementRealm and ApplicationRealm.
        String clearTextPassword = userName + ":" + realmName + ":" + password;

        // picketbox CryptoUtil: (hashAlgorithm, hashEncoding, hashCharset, username, password)
        String hashedPassword = CryptoUtil.createPasswordHash("MD5", "hex", null, null, clearTextPassword);
        System.out.println("\n\n\tclearTextPassword: " + clearTextPassword);
        System.out.println("\n\thashedPassword: " + hashedPassword);
        System.out.println("\n\tIf you will create user using \"$JBOSS_HOME/bin/add-user.sh\" script then you will see the same Hash Value of Password.\n\n");
    }
}

Step2). Now open a terminal/command prompt and set the PATH to include the JDK “bin” directory. We will also set the CLASSPATH to include the “picketbox-4.0.7.Final.jar” and “jboss-client.jar” jars, which are required in order to compile and run the program. As soon as we run the program we will see the hashed password, which we need to insert in the database “PRINCIPLES” table.


export JBOSS_HOME=/home/userone/jboss-as-7.1.1.Final

export CLASSPATH=$JBOSS_HOME/modules/org/picketbox/main/picketbox-4.0.7.Final.jar:$JBOSS_HOME/bin/client/jboss-client.jar:$CLASSPATH:.:

javac EncryptPassword.java 

java EncryptPassword testUserOne ApplicationRealm testPasswordOne

_________

OUTPUT
_________

	clearTextPassword: testUserOne:ApplicationRealm:testPasswordOne

	hashedPassword: cf8f98f5b90ccc568e1ffc7767ac9d8b

	If you will create user using "$JBOSS_HOME/bin/add-user.sh" script then you will see the same Hash Value of Password.

Now try creating a user using “$JBOSS_HOME/bin/add-user.sh” where userName=testUserOne , realmName=ApplicationRealm and password=testPasswordOne then you will see the “jboss-as-7.1.1.Final/standalone/configuration/application-users.properties” file will have the same Encoded credential as we generated using the above program.

[userone@localhost bin]$ ./add-user.sh 

What type of user do you wish to add? 
 a) Management User (mgmt-users.properties) 
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) : ApplicationRealm
Username : testUserOne
Password : testPasswordOne
Re-enter Password : testPasswordOne
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none) : testRole
About to add user 'testUserOne' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'testUserOne' to file '/home/userone/jboss-as-7.1.1.Final/standalone/configuration/application-users.properties'
Added user 'testUserOne' to file '/home/userone/jboss-as-7.1.1.Final/domain/configuration/application-users.properties'
Added user 'testUserOne' with roles testRole to file '/home/userone/jboss-as-7.1.1.Final/standalone/configuration/application-roles.properties'
Added user 'testUserOne' with roles testRole to file '/home/userone/jboss-as-7.1.1.Final/domain/configuration/application-roles.properties'
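
As an added example, not the EncryptPassword program above and not JBoss code, here is the same HEX(MD5(username ':' realm ':' password)) scheme in plain Python, which needs no picketbox jar. It also parses a *-users.properties file and checks an entry against given credentials, which is how a defender confirms that a password rotation actually landed in the file. The properties text is constructed here; the post reports cf8f98f5b90ccc568e1ffc7767ac9d8b for testUserOne / ApplicationRealm / testPasswordOne, which you can compare with jboss_password_hash("testUserOne", "ApplicationRealm", "testPasswordOne"). Two things the format implies: the realm name is part of the digest, so renaming a realm invalidates every stored hash, and an unsalted MD5 of a short password offers little protection if the properties file leaks, so keep its file permissions tight.

```python
"""Reproduce and verify the credential hashes written by add-user.sh (JBoss AS 7).

Added example, not the EncryptPassword program above and not JBoss code. Scheme:
HEX(MD5(username ':' realm ':' password)), i.e. the HTTP Digest HA1 value, which
is why the realm name is part of the hash and why no salt is present.
"""
import hashlib
import hmac


def jboss_password_hash(username, realm, password):
    """Lower-case hex MD5 of 'username:realm:password', as add-user.sh stores it."""
    digest_input = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(digest_input).hexdigest()


def parse_users_properties(text):
    """Parse *-users.properties text into {username: stored_hash}.

    Lines starting with '#' (add-user.sh writes a commented header) and blank
    lines are skipped; a line without '=' is ignored rather than raising.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition("=")
        if sep:
            entries[user.strip()] = digest.strip().lower()
    return entries


def verify_user(entries, username, realm, password):
    """True only if a stored hash exists for `username` and matches the credentials.

    Uses a constant-time comparison; the realm must be the one the user was
    added to (ApplicationRealm and ManagementRealm give different hashes).
    """
    stored = entries.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, jboss_password_hash(username, realm, password))


# Constructed sample of application-users.properties. The hash for testUserOne is
# generated here by jboss_password_hash; 'staleuser' carries a placeholder digest
# that matches nothing, standing in for an entry whose password was rotated elsewhere.
SAMPLE_APP_USERS = "\n".join([
    "# Properties declaration of users for the realm 'ApplicationRealm' (constructed sample)",
    "",
    "testUserOne=" + jboss_password_hash("testUserOne", "ApplicationRealm", "testPasswordOne"),
    "staleuser=" + "0" * 32,
])


if __name__ == "__main__":
    entries = parse_users_properties(SAMPLE_APP_USERS)
    for user, realm, password in (
        ("testUserOne", "ApplicationRealm", "testPasswordOne"),
        ("testUserOne", "ManagementRealm", "testPasswordOne"),   # wrong realm
        ("staleuser", "ApplicationRealm", "whatever"),
    ):
        status = "match" if verify_user(entries, user, realm, password) else "no match"
        print(f"{user}@{realm}: {status}")
```

Point parse_users_properties() at the contents of a real mgmt-users.properties or application-users.properties to check whether a given account still has the expected password after a rotation, without touching the server.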

Thanks 🙂
MiddlewareMagic Team


Copyright © 2010-2012 Middleware Magic. All rights reserved. |