Task #703


Securing JBoss Web & JMX console - BV, IBGCore & UPass

Added by Ahmad Hazri over 13 years ago. Updated over 13 years ago.

Status: Work Completed-End life cycle
Start date: December 28, 2010
Priority: Urgent
Due date: December 29, 2010
Assignee: Ahmad Hazri
% Done: 100%
Category: -
Estimated time: 3.00 hours
Target version: -
Spent time: 3.00 hours

Description

The KFH Security team reported that BV, IBGCore & UPass are not secured.
By default, the JBoss Web and JMX consoles are accessible by everyone, without username/password enabled.

Ref: http://community.jboss.org/wiki/SecureTheJmxConsole

History

#1 Updated by Ahmad Hazri over 13 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • % Done changed from 0 to 10

Test Server: Demo Server - 219.95.244.227

1) BV server - JBoss 4.0.6
2) UPass Server - JBoss 5.0.1

#2 Updated by Ahmad Hazri over 13 years ago

Storing username/password

1) Plain text in xml file
2) Storing plain password in DB
3) Storing hashed (encrypted) password in DB

#3 Updated by Ahmad Hazri over 13 years ago

Storing password

Currently working fine using method 1, trying with 2 (storing in DB) now

#4 Updated by Ahmad Hazri over 13 years ago

  • % Done changed from 10 to 60

BV Server (JBoss 4.0.6) - Storing username/password

1) Plain text in xml file
2) Storing plain password in DB
3) Storing hashed (encrypted) password in DB

Choosing method 3 since the password is encrypted.
Testing on BV server, ok.

Files involved:

JMX Console

1) $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml 
2) $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
3) $JBOSS_HOME/server/default/conf/login-config.xml 
4) $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties

Web Console

1) $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
2) $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
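
A check for the web.xml and jboss-web.xml files listed above, as an added example that is not part of the original ticket: it reports whether the security constraint, login config and security domain are actually active rather than commented out. The sample XML strings are constructed, the function names are hypothetical, and the `http-method` check goes beyond what the ticket covers (under the servlet spec, a constraint that lists methods applies only to those methods).

```python
import xml.etree.ElementTree as ET

def _all(root, name):
    # Match on local name so a namespaced web.xml is handled too.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elems):
    return [e.text.strip() for e in elems if e.text and e.text.strip()]

def audit_console(web_xml, jboss_web_xml):
    """Return a list of findings; an empty list means every check passed."""
    # ElementTree drops XML comments, so commented-out elements are not found.
    web, jboss = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)
    findings = []
    constraints = _all(web, "security-constraint")
    if not constraints:
        findings.append("web.xml: no active <security-constraint>")
    for sc in constraints:
        if not _text(_all(sc, "role-name")):
            findings.append("web.xml: constraint has no <auth-constraint> role")
        methods = _text(_all(sc, "http-method"))
        if methods:
            findings.append("web.xml: constraint applies only to " + ",".join(methods))
    if not _text(_all(web, "auth-method")):
        findings.append("web.xml: no <login-config> with an <auth-method>")
    if not _text(_all(jboss, "security-domain")):
        findings.append("jboss-web.xml: no active <security-domain>")
    return findings

# Constructed samples (not copied from the servers in this ticket).
DEFAULT_WEB = """<web-app>
  <!-- <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint> -->
</web-app>"""
SECURED_WEB = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
DEFAULT_JBOSS = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
SECURED_JBOSS = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"

if __name__ == "__main__":
    for name, w, j in [("default", DEFAULT_WEB, DEFAULT_JBOSS), ("secured", SECURED_WEB, SECURED_JBOSS)]:
        print(name, audit_console(w, j) or "OK")
```

To run it against a real deployment, read each file as bytes and pass the contents to `audit_console`, once for the JMX console pair and once for the web console pair.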

#6 Updated by Ahmad Hazri over 13 years ago

On the BV server the datasource was configured, hence it can be used without additional settings.
But on the UPass and IBGCore servers the datasource is not configured.

Searching the docs for how to configure a JDBC connection to the DB.
Clues:
1) DB_NAME
2) DB_USER
3) DB_PASSWORD
4) URL
5) DB_HOST

#7 Updated by Ahmad Hazri over 13 years ago

  • % Done changed from 60 to 70

Done with the testing.
Creating the document.

#8 Updated by Ahmad Hazri over 13 years ago

  • Status changed from Development / Work In Progress to Work Completed-End life cycle
  • % Done changed from 70 to 100
