2 Replies Latest reply on Mar 8, 2013 10:44 AM by kevgo

    JBoss AS 7.1.x Securing Management Console - Authentication/SSL

    kevgo

      I have JBoss EAP 6 (AS 7.1.3) up and running and delivering our application.  I would like to configure the management console to authenticate based upon 'local accounts' on the box.  We are currently using winbind (RHEL 6) and authenticating users against AD based upon group membership.  Are there any authentication modules which can use the same authentication method?  I also need a bit of direction to kick the management console over to 'management-https'.  I am using HTTPS with the app, have a valid keystore and just need to do the same with the management console but am having a few difficulties.

       

      I'm new to JBoss, definitely a beginner. Any insights would be appreciated.

       

      kevgo.

        • 1. Re: JBoss AS 7.1.x Securing Management Console - Authentication/SSL
          kevgo

          An example of a full standalone.xml/standalone-full.xml file from someone who is using SSL for the management console and is tied into AD for authentication would be extremely helpful.

           

          My application is running fine using https.  Certificates from the CA were added to the keystore and the connector created as per:

           

               <subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
                   <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                       <ssl name="https" password="changeit" certificate-key-file="/usr/java/jdk1.7.0_13/bin/jboss.keystore"/>
                   </connector>
                   <virtual-server name="default-host" enable-welcome-root="false">
                       <alias name="localhost"/>
                       <alias name="example.com"/>
                   </virtual-server>
               </subsystem>

           

          I tried the following:

               <management>
                   <security-realms>
                       <security-realm name="ManagementRealm">
                           <server-identities>
                               <ssl>
                                   <keystore path="/usr/java/jdk1.7.0_13/bin/jboss.keystore" password="changeit"/>
                               </ssl>
                           </server-identities>
                   </security-realms>

                   <management-interfaces>
                       <http-interface security-realm="ManagementRealm">
                           <socket-binding https="management-https"/>
                       </http-interface>
                   </management-interfaces>
               </management>

           

          But it was a no go.

          • 2. Re: JBoss AS 7.1.x Securing Management Console - Authentication/SSL
            kevgo

            Who would have thought spelling mattered..

             

                <management>
                    <security-realms>
                        <security-realm name="ManagementRealm">
                            <!-- server-identities is required for the ManagementRealm to point to the SSL certs; the keystore can be placed anywhere that makes sense -->
                            <server-identities>
                                <ssl>
                                    <keystore path="/usr/share/jboss-as/jboss-eap-6.0/jboss.keystore" keystore-password="changeit"/>
                                </ssl>
                            </server-identities>
                            <authentication>
                                <local default-user="$local"/>
                                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                            </authentication>
                        </security-realm>

             

            And then..

             

                        <http-interface security-realm="ManagementRealm">
                            <!-- Small typos cause grief; don't forget the 's' in socket-binding https in this statement -->
                            <socket-binding https="management-https"/>
                        </http-interface>
                    </management-interfaces>
                </management>

             

            Likely won't be the last time I stare at XML looking for typos...

             

            Next step is the tie in to LDAP.

            1 of 1 people found this helpful
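
The following checker is an added example, not part of kevgo's posts or of JBoss: it parses a management block and reports when the attribute spellings used in the working configuration in reply 2 (`keystore-password` on `<keystore>`, `https` on `<socket-binding>`) are missing, and it also flags the keystore password `changeit`, the widely known Java keystore default that the thread's configurations use. The function name `check_management`, the sample documents, the keystore path and the passwords are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    # Drop the "{namespace}" prefix so this also works on a full standalone.xml.
    return tag.rsplit("}", 1)[-1]

def check_management(xml_text):
    """Return findings for the management HTTPS settings discussed in the thread."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    realms = {e.get("name"): e for e in root.iter() if local(e.tag) == "security-realm"}
    for iface in (e for e in root.iter() if local(e.tag) == "http-interface"):
        bindings = [c for c in iface if local(c.tag) == "socket-binding"]
        if not any(b.get("https") for b in bindings):
            findings.append("socket-binding: no https= attribute")
        realm = realms.get(iface.get("security-realm"))
        if realm is None:
            findings.append("http-interface: security-realm is not defined")
            continue
        keystores = [k for k in realm.iter() if local(k.tag) == "keystore"]
        if not keystores:
            findings.append("realm: no server-identities/ssl/keystore")
        for ks in keystores:
            if ks.get("keystore-password") is None:
                findings.append("keystore: no keystore-password= attribute")
            if "changeit" in (ks.get("keystore-password"), ks.get("password")):
                findings.append("keystore: default password 'changeit' in use")
    return findings

# Constructed samples modelled on the thread; path and passwords are placeholders.
TEMPLATE = """<management><security-realms>
  <security-realm name="ManagementRealm"><server-identities><ssl>
    <keystore path="/path/to/jboss.keystore" {pw}/>
  </ssl></server-identities></security-realm>
</security-realms><management-interfaces>
  <http-interface security-realm="ManagementRealm">
    <socket-binding {sb}="management-https"/>
  </http-interface>
</management-interfaces></management>"""
BROKEN = TEMPLATE.format(pw='password="changeit"', sb="http")
FIXED = TEMPLATE.format(pw='keystore-password="example-only"', sb="https")

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_management(doc))
```

An unclosed element, such as a `<security-realm>` without its end tag, is reported as not well-formed before any attribute check runs.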