SecureTheJmxConsole - JBoss Developer

10/24/2017 SecureTheJmxConsole | JBoss Developer


SecureTheJmxConsole - Version 52

Created by Unknown User on Feb 8, 2004 5:24 PM. Last modified by David Jorm on Oct 24, 2011 12:57 AM.

Securing the JMX Console and Web Console (HTTP)

Both the jmx-console and web-console are standard servlet 2.3 deployments that can be secured using J2EE role-based security. Both consoles ship with a
skeleton configuration that lets an administrator enable security easily, using the username/password/role mappings in the users.properties and roles.properties
files found under WEB-INF/classes in the jmx-console.war and web-console.war deployments.

The security setup is based on two pieces: the standard servlet URI to role specification, and the specification of the JAAS configuration which defines how
authentication and role mapping is performed.

In AS 6 M3 and greater deployments, the JSR-160 JMXConnector is opened for remote access and should also be secured.

To secure the JMX Console using a username/password file:

1. Locate the JMX Console web.xml file. On JBoss AS 5.x, this is located in the server/PROFILE/deploy/jmx-console.war/WEB-INF directory. On JBoss AS 6, it is
located in the common/deploy/jmx-console.war/WEB-INF directory.
2. Edit web.xml and uncomment the security-constraint block. See the important security note - CVE-2010-0738 below.
3. Edit the server/PROFILE/deploy/jmx-console.war/WEB-INF/jboss-web.xml (AS5) or common/deploy/jmx-console.war/WEB-INF/jboss-web.xml (AS6) file and
uncomment the security-domain block. The security-domain value of jmx-console maps to the server/PROFILE/conf/login-config.xml JAAS configuration file,
which defines how authentication and authorization are performed.
4. Edit the server/PROFILE/conf/props/jmx-console-users.properties file and change the users and passwords as desired. The users will need the JBossAdmin role
specified in the web.xml file to run the JMX Console.

Important security note - CVE-2010-0738

On JBoss AS 5.x and earlier versions, the web.xml file includes a security-constraint block with flawed settings. The block includes:

<http-method>GET</http-method>
<http-method>POST</http-method>

This configuration applies security only to the HTTP GET and POST verbs, allowing requests that use other HTTP verbs to circumvent security. Ensure that you
remove the http-method tags from the security-constraint block; without these tags, security applies to all HTTP verbs. More details on this flaw are available
here. A JBoss worm is currently in circulation, exploiting this flaw. For more details on the worm, see the statement here.
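As an added check (not part of the original article), the following Python script audits a web.xml for the CVE-2010-0738 pattern described above: it flags any security-constraint that still lists http-method elements, and it also verifies that an auth-constraint, a login-config and a CONFIDENTIAL transport-guarantee are present, which goes slightly beyond the note to cover the SSL redirect configured later on this page. The two embedded descriptors are constructed samples, not the files shipped with JBoss.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint as shipped (once uncommented) in
# jmx-console.war on JBoss AS 5.x and earlier, i.e. the CVE-2010-0738 pattern.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed sample: http-method tags removed and a CONFIDENTIAL transport
# guarantee added, as the article recommends.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _named(elem, name):
    """Descendants of elem whose local tag name is `name`; the namespace is
    stripped so servlet 2.3 (DTD) and 2.4+ (xmlns) descriptors both work."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit_web_xml(xml_text):
    """Return a list of findings for one web.xml; an empty list is a pass."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = _named(root, "security-constraint")
    if not constraints:
        findings.append("no security-constraint: console is unauthenticated")
    for i, sc in enumerate(constraints, 1):
        methods = [m.text.strip() for m in _named(sc, "http-method") if m.text]
        if methods:  # only the listed verbs are protected; others bypass auth
            findings.append(f"constraint {i}: http-method limits protection to "
                            f"{', '.join(methods)} (CVE-2010-0738 pattern)")
        if not _named(sc, "auth-constraint"):
            findings.append(f"constraint {i}: no auth-constraint, no role required")
        tg = [t.text.strip() for t in _named(sc, "transport-guarantee") if t.text]
        if "CONFIDENTIAL" not in tg:
            findings.append(f"constraint {i}: no CONFIDENTIAL transport-guarantee, "
                            "BASIC credentials can travel over plain HTTP")
    if not _named(root, "login-config"):
        findings.append("no login-config: container cannot challenge for credentials")
    return findings
```

Feed audit_web_xml the contents of the WEB-INF/web.xml of both jmx-console.war and web-console.war after editing them; an empty result means the descriptor matches the hardened shape.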

To secure the JMX Console using your own JAAS domain:

1. Edit web.xml as above, uncommenting the security-constraint block. Change the role-name value to the role in your domain that can access the console.
2. Edit jboss-web.xml as above, setting the security domain to the name of your security domain.
3. After making all the changes, redeploy the application. The application can be redeployed by touching the file or by restarting the server.

The process to secure the web console is similar:

1. Edit server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml as described above to enable security.
2. Edit the server/PROFILE/conf/props/jmx-console-users.properties file and change the users and passwords as desired.

Remember to pay attention to the important security note - CVE-2010-0738 above. You can use a custom JAAS domain or customize the existing domain in the
same way as with the JMX console. Typically you would just use the same domain as the jmx-console (java:/jaas/jmx-console), so that you have a single user/role
mapping to configure.

If you are unable to log in, it may be because another users.properties file is being picked up. Change the web-console login-config.xml entry so that the properties
files are uniquely named, which removes any ambiguity about which resource is loaded. You will also need to rename the web-console properties files accordingly. For details, see
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53346 .

As an extra level of security you may also want to Limit Access to Certain Clients in a particular IP address range.

Secure the JMXConnector (AS 6 M3 or greater)


To secure the JSR-160 JMXConnector, open JBossAS/server/profile/deploy/jmx-jboss-beans.xml and change from:

<!-- To enable authentication security checks, uncomment the following security domain name -->
<!--UNCOMMENT THIS
<property name="securityDomain">jmx-console</property>
-->

Change to:

https://developer.jboss.org/wiki/SecureTheJmxConsole 1/7

<!-- To enable authentication security checks, uncomment the following security domain name -->
<property name="securityDomain">jmx-console</property>

Note that the above uses the same security domain as is used for the jmx console.

Secure the JMX Invokers


Take care to secure remote access to JMX as well; see Chapter 3 in the technical paper below.

Update for 4.0.2

The and files have been moved to . This is because of the change to use the servlet 2.3 class loading model and these properties files would not be visible to the
other deployments using the jmx-console security domain. You can move the files from to , or leave them in place and edit the password for admin.

Similarly for the web console, please note that the web console is unpacked already in the server configuration as . Proceed to edit the and files as per securing the
JMX console, and either edit the and , or move those files to and edit them there.

For the impatient

1. vi ${jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml
   Uncomment the security-constraint block, and add a <login-config> block after the end of the <security-constraint> block:

2. vi ${jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/jboss-web.xml
   Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (i.e. JMXConsole).

3. vi ${jboss.server.home.dir}/conf/props/jmx-console-users.properties
   Change the password for admin.

4. vi ${jboss.server.home.dir}/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
   Uncomment the security-constraint block, and add a <login-config> block after the end of the <security-constraint> block:

5. vi ${jboss.server.home.dir}/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
   Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole).

6. vi ${jboss.server.home.dir}/conf/login-config.xml
   Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path):

   <module-option name="usersProperties">props/web-console-users.properties</module-option>
   <module-option name="rolesProperties">props/web-console-roles.properties</module-option>

7. cp ${jboss.server.home.dir}/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-.properties ${jboss.server.home.dir}/conf/
   Edit as needed.

8. cp ${jboss.server.home.dir}/conf/props/jmx-console-roles.properties ${jboss.server.home.dir}/conf/props/web-console-roles.properties
   Edit as needed.

9. Edit ${jboss.server.home.dir}/conf/login-config.xml, find the jmx-console and web-console application-policy entries, and set the name to jmx-console and web-console, respectively.
   That is, make sure that the application policy name maps to the realm name (i.e. JMXConsole).

10. Restart JBoss.

Additionally, to secure jmx-console and web-console authentication via SSL

You must first perform the above steps to enable HTTP authentication. The following steps then redirect the JBoss admin pages to https://localhost:8443.

Edit both web.xml files to include the following just before the end of the security-constraint tag:

<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Generate /data01/jboss/server/xxxx/conf/keystore and select your own new secure password (see Creating an SSL Keystore Using the Java Keytool),
or, for a quick setup and verification:

$ keytool -genkey -keystore /data01/jboss/server/xxx/conf/keystore -alias jbossAdmin
$ keytool -list -keystore /data01/jboss/server/xxx/conf/keystore

$ vi /data01/jboss/server/xxx/deploy/jbossweb-tomcat50.sar/server.xml
- Secure the file permissions via chmod 600 server.xml.
- Uncomment the section "SSL/TLS Connector" to enable Connector port="8443".
- Replace keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" with keystoreFile="${jboss.server.home.dir}/conf/keystore".
- Replace keystorePass="rmi+ssl" sslProtocol = "TLS" /> with keystorePass="<your new secure password>" sslProtocol = "TLS" />.

Technical White Paper


Technical White Paper on Securing JMX (jboss-secure.jmx.html attached)


Tags: jbossas, security

19 Comments

Carl Miller May 2, 2009 6:43 AM

Does anything special need to be done to enable SSL in JBoss 5.0.1?

I created a keystore and verified that it works properly, then uncommented the ssl/port 8443 section of the server.xml and updated the keystore info, but am not
able to connect on port 8443.

If anyone has successfully enabled SSL connections for the web-console, please list the steps here, since they are missing in the Administration and
Configuration document.

Actions Like (0)

jackie Xie May 21, 2010 9:16 PM (in response to Carl Miller)

My SSL is working; the steps are the same as what you described. Here is what I did:
- generate SSL certificate:
keytool -genkey -alias web -keyalg RSA -keystore web.keystore -validity 3650
- copy the keystore file to the JBoss server's home directory, e.g. server/default
- modify the server.xml file to enable SSL: (..server/default/deploy/jbossweb.sar/server.xml)
* uncomment ssl/port 8443
* update the keystore info as:
keystoreFile="${jboss.server.home.dir}/web.keystore"
keystorePass="<keystore password>" sslProtocol="TLS" />
- restart the server

Actions Like (0)

Shailesh Dyade Jul 15, 2009 12:36 AM

I tried this stuff on JBoss 4.2.3 GA. It seems the JMX-Console does not need any restarts while we configure BASIC authentication, but the web-console needs
restarts when we configure it the same way as the jmx-console.

Is anybody aware of this? Why do we need to restart the server to enable the security configuration for the web-console, when both the jmx and web consoles are in
the deploy directory and are hot deployable?


Thanks
Shailesh Dyade

Actions Like (0)

Sebastian Otaegui Aug 3, 2009 12:25 PM (in response to Shailesh Dyade)

Hi Shailesh,

It is my understanding that the content in ${jboss.server.home.dir}/conf is only loaded at startup, so unless you already have this config in your login-config.xml:

<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>

You will need to restart the server.

Actions Like (0)

Richard Kuryk Mar 2, 2010 10:03 AM

For jboss 5.1.0 the admin console is controlled in admin-console.war/WEB-INF/components.xml, see the security-identity which contains the jaas-config-name.
It seems this overrides the settings in the jboss-web.xml that one would normally use.

Actions Like (0)

Jared Morgan Jul 13, 2010 1:14 AM

Just checking the info in this paragraph (just after the JMX console section):

The process to secure the web console is similar. In the deploy directory, locate and make the same changes as above to to , and the users/groups
properties file. The default JAAS domain used by the web-console is and is defined in in the conf directory. You can use a custom JAAS domain or
customize the existing domain in the same way as with the JMX console. Typically you would just use the same domain (java:/jaas/jmx-console) as the
jmx-console so that you have a single user/role mapping to configure.

There seems to be information missing from this paragraph. There are instances of "..make changes to above to to", and a similar issue further on in this
paragraph. Could someone please clarify?

Cheers

Jared

Actions Like (0)

Sean Flanigan Jan 3, 2011 9:43 PM (in response to Jared Morgan)

It looks like a lot of text went missing in revision 47 of this document. See http://community.jboss.org/wiki/SecureTheJmxConsole/diff?secondVersionNumber=47

It might be easiest to revert to revision 46 and re-apply the deliberate changes from later revisions.

Actions Like (0)

Ondrej Medek Jan 4, 2011 3:15 AM (in response to Sean Flanigan)

Sean, you are right. I made rev. 47 and rev. 48, but I only added a few lines and fixed a few typos. I do not know why some text
has been deleted, too.

I do not have permission to restore rev. 46. Is there anyone who can do it? If not, I'll try to bring the deleted text from rev. 46 into the current
version later.


Actions Like (0)

Daniel Manyemwe Feb 4, 2011 6:12 AM (in response to Ondrej Medek)

Hi All,

I have followed these steps exactly, but I am still not being prompted for a user name and password! Is there another configuration
elsewhere in JBoss that overrides the application policy? I'm using JBoss-5.1.0.GA. Thanks!

Actions Like (0)

Francois Andry Jul 29, 2010 4:23 PM

I have posted additional details on how to determine the configuration and locate the various files in the following article: How to secure the JBoss JMX and Web
Consoles.

Cheers.

Francois

Actions Like (0)

Bhanu Pratap Padmanabhuni Aug 2, 2010 2:19 PM (in response to Francois Andry)

Hi,

I am working on securing the JMX console for JBOSS 4.2.1 and following the below article to make the necessary configuration changes:

http://community.jboss.org/wiki/securetheJmxConsole

But, even after doing the necessary steps, when I try to log in to the JMX console it is not working... I am getting the below error message in the
JBoss server console:

13:48:00,014 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files


java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)

I did the below steps:

1. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml : uncommented the <security-constraint> block and added a <login-config> block like the one below:

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jmx-console</realm-name>
</login-config>

2. Changed the username/password in the file:

{jboss.server.home.dir}/conf/props/jmx-console-users.properties

3. {jboss.server.home.dir}/conf/login-config.xml
Changed the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path).

Restarted my server and tried to log in to the JMX Console. It prompts for the user/password, but when I give the right one it gives the above error.

Can some body please guide me through the steps.

Actions Like (0)

Zemian Deng Aug 11, 2010 7:50 AM

The article seems to be missing some directory text under:

To secure the JMX Console using a username/password file -

Locate the directory. This will normally be in directory.

Actions Like (0)


Bhanu Pratap Padmanabhuni Mar 16, 2011 7:53 AM (in response to Zemian Deng)

I was able to make it work. Please follow the below steps:

1. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml :
Uncomment the <security-constraint> block and remove the explicit denial of the GET and POST http methods in accordance with:

https://access.redhat.com/kb/docs/DOC-30741

This resolves CVE-2010-0738.

Then add a <login-config> block like the one below:

<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jmx-console</realm-name>
</login-config>

<security-role>
<role-name>JBossAdmin</role-name>
</security-role>

2. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/jboss-web.xml
Uncomment the security-domain block:
<security-domain>java:/jaas/jmx-console</security-domain>

3. Change the username/password in the file :

{jboss.server.home.dir}/conf/props/jmx-console-users.properties
Eg: admin=admin (or give your own password)

And the file {jboss.server.home.dir}/conf/props/jmx-console-roles.properties should have the below entry (the user mapped to the JBossAdmin role)

admin=JBossAdmin,HttpInvoker

4. {jboss.server.home.dir}/conf/login-config.xml
Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<!-- each module-option needs its name attribute; paths are classpath resources, so use forward slashes -->
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>

Actions Like (0)

Nicklas Karlsson Feb 4, 2011 6:29 AM

Daniel: please post your web.xml on the forums

Actions Like (0)

Owen Skriloff Oct 21, 2011 9:16 AM

If we are on JBoss 4.05 GA and do not have a jmx-console.war, are we vulnerable?

The only thing I see is
\<jbossRoot>\server\default\deploy\jmx-invoker-service.xml

Actions Like (0)

Rajkumar Patel Oct 21, 2011 7:40 PM

Hi,
We are running JBoss 5.1.0 GA in production. Please can you advise on the steps, or point to documents or a community link, for the (verified) changes that need to
be made to secure the JMX-console and Web-console.

regards
Rajkumar Patel

Actions Like (0)

Felipe Salazar Apr 24, 2012 3:41 PM

Hi,
Like Rajkumar, I have the same problem: we are running JBoss 5.1.0 GA and zecmd is still loading on both our servers, production and test. Has someone
tested this method? We need to implement it on the production server. Thanks for your answers.

Regards,
Felipe Salazar

Actions Like (0)

Wissem Ayari Apr 5, 2016 11:22 AM

Could anyone please specify which JBoss server versions are affected by this vulnerability?

Actions Like (0)

Radoslav Husar Apr 6, 2016 4:31 AM (in response to Wissem Ayari)

List of affected products is here https://access.redhat.com/solutions/30744

Actions Like (0)

Copyright ©2017 Red Hat, Inc.
