
Friday, November 9, 2012

Securing the JBoss Jmx Console


One of the important applications shipped with JBoss is the jmx-console application, which lives in the deploy directory of JBoss. We can use the jmx-console to obtain many details such as connection pool settings, application status and more. Besides these read-only views, it also exposes operations that should not be open to just anyone, such as starting and stopping the server or an application.

When we use the jmx-console in production, it should be password protected. Here are the steps we can use to password protect the jmx-console application.

1. The jmx-console application is deployed in the deploy directory.

Go to the /deploy/jmx-console.war/WEB-INF directory. We need to modify two files here:

a. In web.xml, uncomment the following section:

<security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>


b. In jboss-web.xml, uncomment the following section:

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users. -->
   <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>


At this point we need to make sure that the security domain points to java:/jaas/jmx-console, since the same domain name is referenced again when securing the invoker in step 2.

2. Edit jmx-invoker-service.xml (path: /deploy/jmx-invoker-service.xml).

Even though we have password protected the jmx-console, application teams can still use the twiddle tool to perform operations on the JBoss server. This is because the jmx-console is an HTTP-based application, while twiddle invokes operations through the JMX invoker layer. The jmx-invoker-service.xml file in the /deploy location is the file that configures the invoker layer, so we need to secure this too.

Uncomment the following section:

<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
   securityDomain="java:/jaas/jmx-console"/>

Once the changes are done, restart the instance.
When you try to access the jmx-console now, it will ask for a user name and password.
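As an added example (not part of the original post), here is a small Python script that audits the three edits above: it parses each file and reports whether the security-constraint, the security-domain and the AuthenticationInterceptor are actually active, because a section left inside an XML comment is silently ignored by JBoss. It assumes the stock deploy layout described above; the deploy path in the script is a placeholder.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip any namespace so a JBoss 4 (DTD) and a JBoss 5 (xmlns) web.xml look alike
    return tag.rsplit("}", 1)[-1]

def _load(source):
    # Accept a file path or the XML text itself. The parser discards <!-- --> comments,
    # so a section that is still commented out is correctly reported as inactive.
    if isinstance(source, str) and source.lstrip().startswith("<"):
        return ET.fromstring(source)
    return ET.parse(source).getroot()

def _find_all(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]

def web_xml_protected(source, role="JBossAdmin"):
    """True if web.xml has an active security-constraint covering /* that requires `role`."""
    for sc in _find_all(_load(source), "security-constraint"):
        patterns = {(p.text or "").strip() for p in _find_all(sc, "url-pattern")}
        roles = {(r.text or "").strip() for r in _find_all(sc, "role-name")}
        if "/*" in patterns and role in roles:
            return True
    return False

def jboss_web_domain(source):
    """The active <security-domain> of jboss-web.xml, or None if it is still commented out."""
    found = _find_all(_load(source), "security-domain")
    return (found[0].text or "").strip() if found else None

def invoker_protected(source, domain="java:/jaas/jmx-console"):
    """True if jmx-invoker-service.xml has an active AuthenticationInterceptor bound to `domain`."""
    for ic in _find_all(_load(source), "interceptor"):
        if ic.get("code", "").endswith(".AuthenticationInterceptor") and ic.get("securityDomain") == domain:
            return True
    return False

def audit(web_xml, jboss_web_xml, invoker_xml, domain="java:/jaas/jmx-console"):
    """Map each of the three edits from the steps above to True (active) or False (still open)."""
    return {
        "web.xml security-constraint": web_xml_protected(web_xml),
        "jboss-web.xml security-domain": jboss_web_domain(jboss_web_xml) == domain,
        "jmx-invoker-service.xml AuthenticationInterceptor": invoker_protected(invoker_xml, domain),
    }

if __name__ == "__main__":
    # Placeholder deploy directory: point it at your own server configuration's deploy/ location
    deploy = "/path/to/jboss/server/default/deploy"
    results = audit(f"{deploy}/jmx-console.war/WEB-INF/web.xml",
                    f"{deploy}/jmx-console.war/WEB-INF/jboss-web.xml",
                    f"{deploy}/jmx-invoker-service.xml")
    for check, ok in results.items():
        print(f"{'OK  ' if ok else 'OPEN'} {check}")
```

The script only confirms that the constraints are active; the users and roles behind java:/jaas/jmx-console come from the login configuration that name refers to, which needs reviewing separately.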