-
1. Re: WARNING [HornetQServerImpl] Security risk!
jaikiran May 9, 2010 3:52 PM (in response to klinux)
Hmm, unlike what the WARN message says:
23:58:58,631 WARNING [HornetQServerImpl] Security risk! It has been detected that the cluster admin user and password have not been changed from the installation default. Please see the HornetQ user guide, cluster chapter, for instructions on how to do this.
I did not find the password configuration info in the "Cluster chapter" of HornetQ docs http://hornetq.sourceforge.net/docs/hornetq-2.0.0.BETA5/user-manual/en/html_single/index.html
I however did notice this in the Management chapter (Section 31.5. Management Cluster Credentials) of that doc http://hornetq.sourceforge.net/docs/hornetq-2.0.0.BETA5/user-manual/en/html_single/index.html#management:
To allow this management replication with JMX, HornetQ defines management cluster credentials: this special user/password must be shared by all nodes. To configure it, change the value in hornetq-configuration.xml:
<management-cluster-user>HORNETQ.MANAGEMENT.ADMIN.USER</management-cluster-user>
<management-cluster-password>CHANGE ME!!</management-cluster-password>
It is strongly suggested to change these values from their default. If they are not changed from the default, HornetQ will detect this and pester you with a warning on every start-up.
The JBOSS_HOME/server/<servername>/deploy/hornetq/hornetq-configuration.xml file in the AS doesn't explicitly have those two configs. So I went and added those 2 configs to that file, but it failed to deploy because management-cluster-user and management-cluster-password aren't valid elements in that xml.
Looking at the xsd, I then instead added these 2 elements to that xml (after the <clustered> element in that file):
<cluster-user>SomeUserNameOfYourChoice</cluster-user>
<cluster-password>BLAH</cluster-password>
Rebooted the server and I see that it no longer prints out the WARN message.
I'll however move this thread to the HornetQ forum, because they will have a better idea whether this is the right way to do it and maybe decide whether the doc needs to be updated.
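The fix in the reply above can be checked before the broker starts. The following is an added example, not part of the thread and not HornetQ code: it audits a hornetq-configuration.xml for missing or placeholder cluster credentials. The sample files are constructed, and treating the management default user name and the sample values posted in the thread as placeholders is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Values that must not reach a deployed broker. "CHANGE ME!!" and
# HORNETQ.MANAGEMENT.ADMIN.USER are the defaults quoted in the thread; the
# other two are the sample values posted there. Flagging all four for the
# cluster-* elements is an assumption of this example.
PLACEHOLDERS = {
    "cluster-user": {"HORNETQ.MANAGEMENT.ADMIN.USER", "SomeUserNameOfYourChoice"},
    "cluster-password": {"CHANGE ME!!", "BLAH"},
}

def local(tag):
    """Strip an XML namespace prefix such as {urn:hornetq} from a tag name."""
    return tag.rsplit("}", 1)[-1]

def audit_cluster_credentials(xml_text):
    """Return a list of findings for the cluster credentials in the config."""
    root = ET.fromstring(xml_text)
    values = {local(el.tag): (el.text or "").strip() for el in root
              if local(el.tag) in PLACEHOLDERS}
    findings = []
    for name, bad in PLACEHOLDERS.items():
        if name not in values:
            findings.append(f"{name}: element missing, built-in default applies")
        elif not values[name]:
            findings.append(f"{name}: element is empty")
        elif values[name] in bad:
            findings.append(f"{name}: placeholder value {values[name]!r}")
    return findings

# Constructed sample files (not taken from a real deployment).
SHIPPED = """<configuration xmlns="urn:hornetq">
  <clustered>true</clustered>
</configuration>"""

COPIED_FROM_THREAD = """<configuration xmlns="urn:hornetq">
  <clustered>true</clustered>
  <cluster-user>SomeUserNameOfYourChoice</cluster-user>
  <cluster-password>BLAH</cluster-password>
</configuration>"""

CHANGED = """<configuration xmlns="urn:hornetq">
  <clustered>true</clustered>
  <cluster-user>mq-cluster-7f3a</cluster-user>
  <cluster-password>constructed-sample-secret</cluster-password>
</configuration>"""

if __name__ == "__main__":
    for label, text in [("shipped", SHIPPED), ("copied", COPIED_FROM_THREAD),
                        ("changed", CHANGED)]:
        print(label, audit_cluster_credentials(text) or "ok")
```

A file that passes this check silences the start-up warning for the same reason the manual edit does; the value copied from a forum post also silences it, which is why the check treats those values as findings.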
-
2. Re: WARNING [HornetQServerImpl] Security risk!
timfox May 10, 2010 6:49 AM (in response to jaikiran)
AS6 doesn't contain 2.0.0.Beta5, it contains 2.1.0 beta something, so you would need to consult the docs for that.
You can find them if you check out the SVN tag.
I'm not sure if they'll need updating, quite a few things changed from 2.0->2.1
-
3. Re: WARNING [HornetQServerImpl] Security risk!
clebert.suconic May 10, 2010 10:49 AM (in response to jaikiran)
There was an issue also with M3. The default has a clustered configuration.
-
4. Re: WARNING [HornetQServerImpl] Security risk!
klinux May 10, 2010 1:48 PM (in response to jaikiran)
Jaikiran Pai, this solves the warning messages:
<cluster-user>SomeUserNameOfYourChoice</cluster-user>
<cluster-password>BLAH</cluster-password>
Thank you very much.
-
5. Re: WARNING [HornetQServerImpl] Security risk!
hughbragg Aug 20, 2010 2:06 AM (in response to timfox)
hornetq-2.1.1.Final/docs/user-manual/en/html_single/index.html#management 30.7.1. JMS Queues says see chapter 31 Security,
which says: 31.7. Changing the username/password for clustering: see chapter 30 Management
Searching for <cluster-user> finds
38.3.2. Cluster User Credentials, but <clusters> section is not described so it's not clear where it goes.
A bit hard to follow.
Can you say how to turn clustering off completely so discovery isn't tried and the WARNING message on startup goes away please?
-
6. Re: WARNING [HornetQServerImpl] Security risk!
jaikiran Aug 20, 2010 2:12 AM (in response to hughbragg)
Are you using HornetQ standalone or are you using it in JBoss AS? If you are using JBoss AS, which version of JBoss AS? And which configuration (like "default", "all") in JBoss AS?
-
7. Re: WARNING [HornetQServerImpl] Security risk!
hughbragg Aug 20, 2010 2:24 AM (in response to jaikiran)
I'm using JBoss AS5 with default-with-hornetq but I'm planning on trialing standalone.
I was just pointing out that the user manual isn't very helpful on this topic even though the startup process gives a load WARNING message.
I noticed it on the standalone examples I tried as well.
-
8. Re: WARNING [HornetQServerImpl] Security risk!
jaikiran Aug 20, 2010 2:52 AM (in response to hughbragg)
Hugh Bragg wrote:
I was just pointing out that the user manual isn't very helpful on this topic even though the startup process gives a load WARNING message.
Ah I see what you mean. Indeed, it looks like a minor bug in the documentation (even in the latest 2.1.2). The cluster chapter http://hornetq.sourceforge.net/docs/hornetq-2.1.2.Final/user-manual/en/html/security.html section 31.7 points to the "Management" chapter for changing the cluster user/password. But the "Management" chapter doesn't have any info on it. The correct chapter/section containing this information is http://hornetq.sourceforge.net/docs/hornetq-2.1.2.Final/user-manual/en/html/clusters.html#clusters.clusteruser
-
10. Re: WARNING [HornetQServerImpl] Security risk!
hughbragg Aug 24, 2010 10:02 PM (in response to jaikiran)
So is there a quick way to disable this? I don't need clusters now and I just want it turned off so the security risk is eliminated and there is no warning message.
Can you give an exact description please?
-
11. Re: WARNING [HornetQServerImpl] Security risk!
jaikiran Aug 24, 2010 11:41 PM (in response to hughbragg)
One of my previous replies in this thread already has the details: https://community.jboss.org/message/541929#541929
-
12. Re: WARNING [HornetQServerImpl] Security risk!
hughbragg Aug 25, 2010 12:37 AM (in response to jaikiran)
Sorry, my mistake. I was sure I'd already tried that, but when I did it again, it worked.
This doesn't actually disable clustering though does it?
It still attempts broadcast/discovery but uses these credentials.
-
13. Re: WARNING [HornetQServerImpl] Security risk!
jaikiran Aug 25, 2010 12:54 AM (in response to hughbragg)
Hugh Bragg wrote:
Sorry, my mistake. I was sure I'd already tried that, but when I did it again, it worked.
This doesn't actually disable clustering though does it?
It still attempts broadcast/discovery but uses these credentials.
If you built the JBAS5 default-with-hornetq as explained here http://hornetq.sourceforge.net/docs/hornetq-2.1.2.Final/quickstart-guide/en/html/installation.html#installation.jboss.as5 then you will be running a non-clustered configuration, i.e. there won't be any broadcast/discovery attempts.
-
14. Re: WARNING [HornetQServerImpl] Security risk!
hughbragg Aug 25, 2010 1:29 AM (in response to jaikiran)
Actually, I'm running in stand-alone mode so that doesn't help.
Thanks anyway.