Securing JBOSS JMX and Web Console

After installing the JBOSS Application Server, the jmx console can be accessed by anybody without providing any username/password. This is a big security risk as anybody can perform changes though the jmx and web console. Setting up basic username/password security for the jboss jmx/web console can be accomplished by performing the following steps on the JBOSS Application Server.

1. Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add jmx console users. Replace all with your JBOSS profile name. The syntax to add users is username=password. By default admin user would be available in this file with admin as password.

Ex : sysadmin=Password007 ## This configuration will create a new jmx and web console user as sysadmin and set the password as Password007

2. To provide admin privileges on jmx and web console to the newly created user, edit jmx-console-roles.properties file available in $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin.

Ex : sysadmin=JBossAdmin ## This configuration will provide admin privileges to sysadmin user on jmx and web console.

3. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file and uncomment the security domain as shown below.

<jboss-web>
<security-domain>
java:/jaas/jmx-console
</security-domain>
</jboss-web>

4. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml file and uncomment the security constraint as shown below.

<security-constraint>
<web-resource-collection>
<web-resource-name>
HtmlAdaptor
</web-resource-name>
<description>
An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>

5. The location, path or name of the users and roles configuration files i.e. jmx-console-users.properties or jmx-console-roles.properties can be changed by editing $JBOSS_HOME/server/all/conf/login- -config.xml file. Sample configuration is given below.

<application-policy name=”jmx-console”>
<authentication>
<login-module code=
“org.jboss.security.auth.spi.UsersRolesLoginModule”
flag=”required”>
<module-option name=”usersProperties”>
props/jmx-console-users.properties
</module-option>
<module-option name=”rolesProperties”>
props/jmx-console-roles.properties
</module-option>
</login-module>
</authentication>
</application-policy>

6. Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/ web-console.war/WEB-INF/jboss-web.xml file and remove the comment of the security domain as shown below.

<jboss-web>
<security-domain>java:/jaas/web-console</security-domain>
<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>

7. Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/ web-console.war/WEB-INF/web.xml file and remove the comment of the security constraint as shown below.

<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>

8. Restart JBOSS.

Read More

Sharing Keyboard and Mouse without KVM Switch using Synergy

Synergy is an open source platform independent application which allows you to control two system using the same Keyboard and Mouse without using a KVM Switch and help the organization save few dollars
Latest release of Synergy supports almost all Windows Platforms and Unix platforms with X Windows Version 11 revision 4 or up. Synergy uses the network to share keyboard and mouse hence, all the systems must support TCP/IP Networking .
Synergy is open source and released under the GNU Public License (GPL).
Setting up Synergy on Linux

1.  Download and install Synergy Software from http://sourceforge.net/projects/synergy2/files/
2.  Identify one system as server system and other would be the client.  I always prefer using a unix machine as server.
3.  In this example, I am going to use one Linux System and one Windows System to configure synergy. On the linux system, create /etc/synergy.conf file with the following information.

[root@linuxhost ~]# cat /etc/synergy.conf
# define the hosts
section: screens
linuxhost:
windowshost:
end
# define links i.e. which host is @ which side
section: links
linuxhost:
right=windowshost
windowshost:
left=linuxhost
end
[root@linuxhost ~]#

There are two sections in the configuration file.
Screens: This section defines the hosts or systems on which you want to share keyboard and mouse.  The dns must be configured or else an entry has to be made in the hosts file before using the host names in /etc/synergy.conf file.
Links: This section defines which host is on which side i.e. in the above example windows host machine is @ the right side of linux machine, so if you move the mouse pointer to the right side on linux machine, the pointer should go to Windows Machine and vice versa.
4.  Execute the following command to start Synergy as Server on Linux Machine.  You should see a message in /var/log/messages files that the synergy server is started.

[root@linuxhost ~]# synergys
[root@linuxhost ~]# tail -1 /var/log/messages
Mar 31 12:35:54 linuxhost Synergy 1.3.1: NOTE: synergys.cpp,500: started server
[root@linuxhost ~]#

5.  To make sure synergy starts at system boot time, add “synergys ” to /etc/rc.local file.
6.  Now open synergy application on the windows system.
7.  Select “Use another computer’s shared keyboard and mouse (client) and type the linux system’s hostname in “Other Computer’s Host Name” text box.

8.  Click on “Test”.

9.  If you see a message “Connected to server”, then the configuration is successful.
10.  Close the test window and click on “Stop”.

11.  Now, click on “AutoStart”

12.  Click on “Install” under “When Computer Starts”.  You will get a dialog box saying “Installed auto-start”.  Click on “OK”.

13.  Click on “Start”.  You will get a message that synergy is successfully started.  Click on “OK”

Cheers!!

Read More

Setting up slewing NTP option in Linux

Many times while installing/configuring Oracle Cluster, DBA’s receive the following error message.

Checking NTP daemon command line for slewing option “-x”

Check: NTP daemon command line

Node Name   Slewing Option Set?

vcsnode1 no

vcsnode2 no

Result:NTP daemon slewing option check failed on some nodes PRVF-5436 : The NTP daemon running on one or more nodes lacks the slewing option “-x”Result: Clock synchronization check using Network Time Protocol(NTP) failed

To fix this error, slewing needs to be configured.
Follow the below steps to configure slewing in Linux.

• Stop ntpd daemon using the following command.

[root@vcsnode1 ~]# service ntpd stop

Shutting down ntpd:  [OK]

[root@vcsnode1 ~]#

• Edit /etc/sysconfig/ntpd file.  Usually the file looks as given below.

[root@vcsnode1 sysconfig]# cat ntpd
# Drop root to id ‘ntp:ntp’ by default.
OPTIONS=”-u ntp:ntp -p /var/run/ntpd.pid”

# Set to ‘yes’ to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no
[root@vcsnode1 sysconfig]#

• Edit the file and add “-x” to  “OPTIONS=”-u ntp:ntp -p /var/run/ntpd.pid”" line befor e”-u”
• After editing the file, the contents should look like given below

[root@vcsnode1 sysconfig]# cat ntpd
# Drop root to id ‘ntp:ntp’ by default.
OPTIONS=”-x -u ntp:ntp -p /var/run/ntpd.pid”

# Set to ‘yes’ to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no
[root@vcsnode1 sysconfig]#

• Start ntpd daemon using the following command

[root@VCSNode2 ~]# service ntpd start

Starting ntpd:  [OK]

[root@VCSNode2 ~]#

• Ask the DBA to install/proceed to configure Oracle Cluster

Cheers!!

Read More