SecureTheJmxConsole

Securing the JMX Console and Web Console (HTTP)

 

Both the jmx-console and web-console are standard servlet 2.3 deployments that can be secured using J2EE role-based security. Both consoles ship with a skeleton configuration, so an administrator can enable security simply by editing the username/password/role mappings in the users.properties and roles.properties files under WEB-INF/classes of the jmx-console.war and web-console.war deployments.

 

The security setup is based on two pieces: the standard servlet URI to role specification, and the specification of the JAAS configuration which defines how authentication and role mapping is performed.

 

In AS 6 M3 and greater deployments, the JSR-160 JMXConnector is opened for remote access and should also be secured.

 

To secure the JMX Console using a username/password file:

  • Locate the JMX Console web.xml file. On JBoss AS 5.x, this is located in the server/PROFILE/deploy/jmx-console.war/WEB-INF directory. On JBoss AS 6, this is located in the common/deploy/jmx-console.war/WEB-INF directory.

  • Edit web.xml and uncomment the security-constraint block. See the important security note - CVE-2010-0738 below.

  • Edit the server/PROFILE/deploy/jmx-console.war/WEB-INF/jboss-web.xml (AS5) or common/deploy/jmx-console.war/WEB-INF/jboss-web.xml (AS6) file and uncomment the security-domain block. The security-domain value of jmx-console maps to the server/PROFILE/conf/login-config.xml JAAS configuration file, which defines how authentication and authorization are performed.

  • Edit the server/PROFILE/conf/props/jmx-console-users.properties file and change the users and passwords as desired. They will need the JBossAdmin role as specified in the web.xml file to run the JMX Console.

 

Important security note - CVE-2010-0738

 

On JBoss AS 5.x and earlier versions, the web.xml file includes a security-constraint block with flawed settings. The block includes:

<http-method>GET</http-method>
<http-method>POST</http-method>

This configuration applies security only to the HTTP GET and POST verbs, so a request that uses any other HTTP verb bypasses authentication entirely. Remove the http-method tags from the security-constraint block altogether; do not simply add more verbs to the list, because any verb that is not listed remains unprotected. Without these tags, security applies to all HTTP verbs. More details on this flaw are available here. A JBoss worm is currently in circulation, exploiting this flaw. For more details on the worm, see the statement here.

 

To secure the JMX Console using your own JAAS domain:

  • Edit web.xml as above, uncommenting the security-constraint block. Change the role-name value to be the role in your domain that can access the console.

  • Edit jboss-web.xml as above, setting the security domain to be the name of your security domain.

  • After making all the changes, redeploy the application. The application can be redeployed by touching the file or by restarting the server.

 

The process to secure the web console is similar:

  • Edit server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml as described above to enable security.
  • Edit the server/PROFILE/conf/props/jmx-console-users.properties file and change the users and passwords as desired.

 

Remember to pay attention to the important security note - CVE-2010-0738 above. You can use a custom JAAS domain or customize the existing domain in the same way as with the JMX console. Typically you would just use the same domain as the jmx-console (java:/jaas/jmx-console), so that you have a single user/role mapping to configure.

 

If you are unable to log in, it may be because another users.properties file is being picked up. Change the web-console entry in login-config.xml so that its properties files are uniquely named, which avoids ambiguity about which resource is loaded. You will also need to rename the web-console properties files themselves to match. For details, see http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53346.

 

As an extra level of security you may also want to Limit Access to Certain Clients in a particular IP address range.

 

Secure the JMXConnector (AS 6 M3 or greater)

To secure the JSR-160 JMXConnector, open JBossAS/server/profile/deploy/jmx-jboss-beans.xml and change from:

 

 

<!--  To enable authentication security checks, uncomment the following security domain name -->
      <!--UNCOMMENT THIS
      <property name="securityDomain">jmx-console</property>
      -->

 

Change to:

 

<!--  To enable authentication security checks, uncomment the following security domain name -->
      <property name="securityDomain">jmx-console</property>

 

Note that the above uses the same security domain as is used for the jmx console.


Secure the JMX Invokers

Take care to secure remote access to JMX as well; see Chapter 3 of the technical white paper below.


Update for 4.0.2

 

The   and  files have been moved to . This is because of the change to use the servlet 2.3 class loading model and these properties files would not be visible to the other deployments using the jmx-console security domain. You can move the files from  to , or leave them in place and edit the password for admin.

 

Similarly for the web console, please note that the web console is unpacked already in the server configuration as . Proceed to edit the  and files as per securing the JMX console, and either edit the  and , or move those files to  and edit them there.

 

For the impatient

vi ${jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml

uncomment the security-constraint block

 

and add a <login-config> block after the end of the <security-constraint> block:




vi ${jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/jboss-web.xml

Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (i.e. JMXConsole)

 

vi ${jboss.server.home.dir}/conf/props/jmx-console-users.properties

change the password for admin

 

vi ${jboss.server.home.dir}/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

uncomment the security-constraint block

 

and add a <login-config> block after the end of the <security-constraint> block:

 

 




 

 

vi ${jboss.server.home.dir}/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml

 

Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole)

 

 

vi ${jboss.server.home.dir}/conf/login-config.xml

Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

 

<module-option name="usersProperties">props/web-console-users.properties</module-option>
<module-option name="rolesProperties">props/web-console-roles.properties</module-option>

 

cp ${jboss.server.home.dir}/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-*.properties ${jboss.server.home.dir}/conf/props

 

edit as needed

 

cp ${jboss.server.home.dir}/conf/props/jmx-console-roles.properties ${jboss.server.home.dir}/conf/props/web-console-roles.properties

edit as needed

 

edit ${jboss.server.home.dir}/conf/login-config.xml, find the jmx-console and web-console application-policy entries, and set their names to jmx-console and web-console, respectively. That is, make sure that the application policy name maps to the realm name (i.e. JMXConsole)

 

restart jboss

 


 

Additionally, to secure jmx-console and web-console authentication via SSL

 

  • You must first perform the above steps to enable HTTP authentication.

   The following steps then redirect the JBoss admin pages to https://localhost:8443

 

  • Edit both web.xml files to include the following user-data-constraint just before the closing security-constraint tag:

<security-constraint>
    ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
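As an added example (not code from this page or from JBoss), a small Python audit that parses a console web.xml and reports the three settings this page asks for: no http-method tags inside the security-constraint (the CVE-2010-0738 flaw), a CONFIDENTIAL transport-guarantee, and a login-config block such as the one the "For the impatient" section tells you to add. The two embedded web.xml fragments are constructed for the example; the JBossAdmin role and JMXConsole realm follow the names used on this page, and the check generalizes to any number of security-constraint blocks.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragments (not copied from the page or from JBoss). Pre-fix
# shape: http-method tags limit the constraint to GET and POST (CVE-2010-0738).
FLAWED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Hardened shape: no http-method tags (every verb is covered), CONFIDENTIAL
# transport, and a BASIC login-config whose realm name is JMXConsole.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JMXConsole</realm-name>
  </login-config>
</web-app>"""

def audit_web_xml(xml_text):
    """Return findings for a console web.xml; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    constraints = root.findall("security-constraint")
    if not constraints:
        return ["no security-constraint: console is open to everyone"]
    findings = []
    for sc in constraints:
        # A verb list is the CVE-2010-0738 flaw: remove it rather than extend it.
        if sc.findall("web-resource-collection/http-method"):
            findings.append("http-method tags leave unlisted verbs unprotected (CVE-2010-0738)")
        if sc.findtext("user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
            findings.append("no CONFIDENTIAL transport-guarantee: credentials cross plain HTTP")
    if root.find("login-config") is None:
        findings.append("no login-config: the container has no way to authenticate")
    return findings
```

Run it against the deployed jmx-console.war/WEB-INF/web.xml and web-console.war/WEB-INF/web.xml after editing; the flawed fragment yields three findings and the hardened one none.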

 

 

 

For a quick setup and verification:

$ keytool -genkey -keystore /data01/jboss/server/xxx/conf/keystore -alias jbossAdmin
$ keytool -list -keystore /data01/jboss/server/xxx/conf/keystore

$ vi /data01/jboss/server/xxx/deploy/jbossweb-tomcat50.sar/server.xml
    • Secure the file permissions with chmod 600 server.xml, since the file will contain the keystore password
    • Uncomment the "SSL/TLS Connector" section to enable the Connector with port="8443"
    • Replace keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" with keystoreFile="${jboss.server.home.dir}/conf/keystore"
    • Replace keystorePass="rmi+ssl" sslProtocol = "TLS" /> with keystorePass="<your new secure password>" sslProtocol = "TLS" />, using the keystore password you entered at the keytool prompt

 

 


Technical White Paper

Technical White Paper on Securing JMX (jboss-secure.jmx.html attached)