WildFly Management API Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
<br>
<br>
<br>
<br>
<center><Font color=red>''In process migration from https://home.feodorov.com:9443/wiki/Wiki.jsp?page=JBoss7ManagementConfiguration''</font></center>
<br>
<br>
<br>
<br>
=Internal=
=Internal=


* [[WildFly Configuration#Subjects|WildFly Configuration]]
* [[WildFly Configuration#Subjects|WildFly Configuration]]
* [[WildFly Security Realms]]
* [[WildFly_Management_Interfaces#Configuration|Managment Interfaces]]
=Relevance=
* EAP 6


=Overview=
=Overview=
Line 53: Line 68:
                 <socket-binding http="management-http"/>
                 <socket-binding http="management-http"/>
             </http-interface>
             </http-interface>
            <!-- Optional -->
            <!--
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            -->


         </management-interfaces>
         </management-interfaces>
Line 68: Line 90:


   ...
   ...
</pre>


Corresponding interfaces:
<pre>
    ...
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        ...
    </interfaces>
    ...
</pre>
Corresponding socket bindings:
<pre>
    ...
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    </socket-binding-group>
    ...
</pre>
</pre>


=Management Realm Configuration Files=
=Management Realm Configuration Files=


The security information is maintained in flat files. The files are configured with <tt><security-realm><authentication><properties></tt> configuration element and their location is relative to <tt></tt>, which could be <tt>$JBOSS_HOME/standalone/configuration</tt> or <tt>$JBOSS_HOME/domain/configuration</tt>, depending on the mode WildFly is run in (standalone or domain). For more details, see <tt>[[WildFly System Properties#jboss.server.config.dir|jboss.server.config.dir]]</tt>.
The security information is maintained in flat files. The files are configured with <tt><security-realm><authentication><properties></tt> configuration element and their location is relative to <tt>jboss.server.config.dir</tt>, which could be <tt>$JBOSS_HOME/standalone/configuration</tt> or <tt>$JBOSS_HOME/domain/configuration</tt>, depending on the mode WildFly is run in (standalone or domain). For more details, see <tt>[[WildFly System Properties#jboss.server.config.dir|jboss.server.config.dir]]</tt>. The files can be modified at any time, updates after the server has started will be automatically detected.
 
==<tt>mgmt-users.properties</tt>==
 
<tt>mgmt-users.properties</tt> stores usernames and hashed passwords. By default, the realm expects the entries to be in the format


The files can be modified at any time, updates after the server has started will be automatically detected.
<pre>
username=HEX(MD5(username ':' realm':' password))
</pre>
 
Users can be added with the utility scripts <tt>bin/add-user.sh</tt>, <tt>bin/add-user.bat</tt>.
 
Example:
 
<pre>
#
admin=2a0923285184943425d1f53ddd58ec7a
</pre>
 
==<tt>mgmt-roles.properties</tt>==
 
<tt>mgmt-roles.properties</tt> stores user-to-role mappings.
 
==<tt>mgmt-groups.properties</tt>==
 
This is an optional file. It stores user-to-group mappings and it is only used when Role-based Access Control (RBAC) is enabled. For more details about RBAC, see https://home.feodorov.com:9443/wiki/Wiki.jsp?page=JBoss7SecurityConcepts#section-JBoss7SecurityConcepts-RoleBasedAccessControl
 
Groups membership information is used to assign the user specific management roles. This is used for domain management.  The format of this file is as follows:
 
<pre>
username=role1,role2,role3,
</pre>
 
Groups can be managed with the utility scripts <tt>bin/add-user.sh</tt>, <tt>bin/add-user.bat</tt>.


=Application Realm Configuration Files=
=Application Realm Configuration Files=
The security information is maintained in flat files. The application realm stores authentication and authorization information. The realm files can be modified at any time, updates after the server has started will be automatically detected. The files are configured with <tt><security-realm><authentication><properties></tt> configuration element and their location is relative to <tt>jboss.server.config.dir</tt>, which could be <tt>$JBOSS_HOME/standalone/configuration</tt> or <tt>$JBOSS_HOME/domain/configuration</tt>, depending on the mode WildFly is run in (standalone or domain).
==<tt>application-users.properties</tt>==
<tt>application-users.properties</tt> stores usernames and hashed password.
==<tt>application-roles.properties</tt>==
<tt>application-roles.properties</tt> stores user-to-role mappings.
=Enabling SSL/TSL for the Management Interfaces=
==Enabling SSL/TSL for the Native Management Interface==
* [[Enabling SSL/TSL for the Native Management Interface in EAP 7 Domain Mode]]
==Enabling SSL/TSL for the HTTP Management Interface==

Latest revision as of 20:20, 20 March 2017





In process migration from https://home.feodorov.com:9443/wiki/Wiki.jsp?page=JBoss7ManagementConfiguration





Internal

Relevance

  • EAP 6

Overview

    ...

    <management>

        <security-realms>

            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>

            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>

        </security-realms>

        <audit-log>
            <formatters>
                <json-formatter name="json-formatter"/>
            </formatters>
            <handlers>
                <file-handler name="file" formatter="json-formatter" relative-to="jboss.server.data.dir" path="audit-log.log"/>
            </handlers>
            <logger log-boot="true" log-read-only="false" enabled="false">
                <handlers>
                    <handler name="file"/>
                </handlers>
            </logger>
        </audit-log>

        <management-interfaces>

            <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
                <socket-binding http="management-http"/>
            </http-interface>

            <!-- Optional -->
            <!--
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            -->

        </management-interfaces>

        <access-control provider="simple">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>

   ...

Corresponding interfaces:

    ...
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        ...
    </interfaces>
    ...

Corresponding socket bindings:

    ...
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    </socket-binding-group>
    ...

Management Realm Configuration Files

The security information is maintained in flat files. The files are configured with <security-realm><authentication><properties> configuration element and their location is relative to jboss.server.config.dir, which could be $JBOSS_HOME/standalone/configuration or $JBOSS_HOME/domain/configuration, depending on the mode WildFly is run in (standalone or domain). For more details, see jboss.server.config.dir. The files can be modified at any time, updates after the server has started will be automatically detected.

mgmt-users.properties

mgmt-users.properties stores usernames and hashed passwords. By default, the realm expects the entries to be in the format

username=HEX(MD5(username ':' realm':' password))

Users can be added with the utility scripts bin/add-user.sh, bin/add-user.bat.

Example:

#
admin=2a0923285184943425d1f53ddd58ec7a

mgmt-roles.properties

mgmt-roles.properties stores user-to-role mappings.

mgmt-groups.properties

This is an optional file. It stores user-to-group mappings and it is only used when Role-based Access Control (RBAC) is enabled. For more details about RBAC, see https://home.feodorov.com:9443/wiki/Wiki.jsp?page=JBoss7SecurityConcepts#section-JBoss7SecurityConcepts-RoleBasedAccessControl

Groups membership information is used to assign the user specific management roles. This is used for domain management. The format of this file is as follows:

username=role1,role2,role3,

Groups can be managed with the utility scripts bin/add-user.sh, bin/add-user.bat.

Application Realm Configuration Files

The security information is maintained in flat files. The application realm stores authentication and authorization information. The realm files can be modified at any time, updates after the server has started will be automatically detected. The files are configured with <security-realm><authentication><properties> configuration element and their location is relative to jboss.server.config.dir, which could be $JBOSS_HOME/standalone/configuration or $JBOSS_HOME/domain/configuration, depending on the mode WildFly is run in (standalone or domain).

application-users.properties

application-users.properties stores usernames and hashed password.

application-roles.properties

application-roles.properties stores user-to-role mappings.

Enabling SSL/TSL for the Management Interfaces

Enabling SSL/TSL for the Native Management Interface

Enabling SSL/TSL for the HTTP Management Interface