Task #703
Securing JBoss Web & JMX console - BV, IBGCore & UPass
| Status: | Work Completed-End life cycle | Start date: | December 28, 2010 |
|---|---|---|---|
| Priority: | Urgent | Due date: | December 29, 2010 |
| Assignee: | Ahmad Hazri | % Done: | 100% |
| Category: | - | Estimated time: | 3.00 hours |
| Target version: | - | Spent time: | 3.00 hours |
Description
The KFH Security team reported that BV, IBGCore & UPass are not secured.
By default, the JBoss Web and JMX consoles are accessible by everyone, without a username/password enabled.
History
#1 Updated by Ahmad Hazri over 13 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
- % Done changed from 0 to 10
Test Server: Demo Server - 219.95.244.227
1) BV server - JBoss 4.0.6
2) UPass Server - JBoss 5.0.1
#2 Updated by Ahmad Hazri over 13 years ago
Storing username/password
1) Plain text in xml file
2) Storing plain password in DB
3) Storing hashed (encrypted) password in DB
#3 Updated by Ahmad Hazri over 13 years ago
Storing password
Currently working fine using method 1, trying with 2 (storing in DB) now
#4 Updated by Ahmad Hazri over 13 years ago
- % Done changed from 10 to 60
BV Server (JBoss 4.0.6) - Storing username/password
1) Plain text in xml file
2) Storing plain password in DB
3) Storing hashed (encrypted) password in DB
Choosing method 3 since the password is encrypted.
Testing on BV server, ok.
Files involved:
JMX Console
1) $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml
2) $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
3) $JBOSS_HOME/server/default/conf/login-config.xml
4) $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
Web Console
1) $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
2) $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
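A check that the web.xml and jboss-web.xml files listed above actually enforce authentication, added here as an example and not taken from the ticket or from JBoss itself. The sample file contents, the role name `JBossAdmin` and the security domain `java:/jaas/jmx-console` are constructed values assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. JBossAdmin and java:/jaas/jmx-console are assumed values.
WEB_XML_DEFAULT = """<web-app>
  <!-- <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint> -->
</web-app>"""
WEB_XML_HARDENED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = ("<jboss-web><security-domain>java:/jaas/jmx-console"
                 "</security-domain></jboss-web>")

def find_all(root, name):
    """Elements called `name` under root, ignoring any XML namespace."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(text):
    """Findings for one console web.xml; an empty list means it passed."""
    root = ET.fromstring(text)  # comments are dropped, so commented-out blocks do not count
    constraints = find_all(root, "security-constraint")
    findings = [] if constraints else ["no active security-constraint"]
    for c in constraints:
        if not find_all(c, "auth-constraint"):
            findings.append("security-constraint without auth-constraint")
        if find_all(c, "http-method"):
            # Per the servlet spec, a constraint that lists methods covers only those.
            findings.append("http-method listed: other HTTP methods are not covered")
    if not find_all(root, "login-config"):
        findings.append("no login-config")
    return findings

def audit_jboss_web_xml(text):
    """Findings for jboss-web.xml: it must bind the WAR to a security domain."""
    domains = find_all(ET.fromstring(text), "security-domain")
    ok = bool(domains) and bool((domains[0].text or "").strip())
    return [] if ok else ["no active security-domain"]
```

Run both functions against the JMX console and the web console copies of each file; a constraint that is still inside an XML comment is reported the same way as a missing one.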
#5 Updated by Ahmad Hazri over 13 years ago
#6 Updated by Ahmad Hazri over 13 years ago
In the BV server the datasource was configured, hence it can be used without additional settings.
But in the UPass and IBGCore servers the datasource is not configured.
Searching the docs on how to configure the JDBC connection to the DB.
Clue:
1) DB_NAME
2) DB_USER
3) DB_PASSWORD
4) URL
5) DB_HOST
#7 Updated by Ahmad Hazri over 13 years ago
- % Done changed from 60 to 70
Done the testing
Creating the document.
#8 Updated by Ahmad Hazri over 13 years ago
- Status changed from Development / Work In Progress to Work Completed-End life cycle
- % Done changed from 70 to 100