Access to the Management Console and the CLI is controlled using a common infrastructure. By default, local access (that is, from the node itself) is not restricted, but remote access is restricted by credentials (the administrator username and password) specified during installation. By default, the same credentials are used by slave FAS nodes to communicate with the master node.
This section does not describe Trust Management. For details of Trust Management configuration, see the Trust Management article.
Controlling Access to the Management Interfaces
Remote access to the Management Console and the CLI is restricted by the credentials stored in the <install dir>/domain/configuration/mgmt-users.properties file. This file consists of one or more lines with the following format:
<user name>=<password hash>
When installing FAS, you are asked for an administrator username and password, and the installer adds these credentials to this file. If you want to add any further users, you must add them manually using the add-user.sh script.
In addition to accessing the CLI and Management Console, by default the same credentials are used by slave nodes to communicate with the master node. This is all configured automatically on installation.
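The following Python is an added example, not part of this article or of the FAS distribution. It builds and checks entries in the <user name>=<password hash> format described above. The digest formula is an assumption about the ManagementRealm of the underlying JBoss application server (HEX(MD5("user:realm:password"))), which this article does not state; compare the output against an entry written by add-user.sh before relying on it.

```python
import hashlib
import hmac
import re

# Assumption, not stated in the article: the underlying JBoss application
# server stores HEX(MD5("<user>:<realm>:<password>")) after the '='.
DEFAULT_REALM = "ManagementRealm"
ENTRY_RE = re.compile(r"^([^=#\s][^=]*)=([0-9a-f]{32})$")


def digest(username, password, realm=DEFAULT_REALM):
    """Hex digest as stored in mgmt-users.properties (assumed JBoss format)."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def properties_line(username, password, realm=DEFAULT_REALM):
    """One '<user name>=<password hash>' line, as add-user.sh would append."""
    if "=" in username or ":" in username or username != username.strip():
        raise ValueError("username must not contain '=' or ':' or surrounding whitespace")
    return f"{username}={digest(username, password, realm)}"


def parse_mgmt_users(text):
    """Parse file content into {user: hash}; reject anything off-format."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: expected '<user name>=<password hash>', got {raw!r}")
        user, stored = match.groups()
        if user in users:
            raise ValueError(f"line {lineno}: duplicate entry for {user!r}")
        users[user] = stored
    return users


def verify(users, username, password, realm=DEFAULT_REALM):
    """Check a login against parsed entries without leaking timing on mismatch."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, digest(username, password, realm))


# Constructed sample: a comment line plus the entry the installer would write
# for a made-up administrator password.
SAMPLE_FILE = ("# mgmt-users.properties (constructed sample)\n"
               + properties_line("admin", "Example-Pa55word") + "\n")

if __name__ == "__main__":
    entries = parse_mgmt_users(SAMPLE_FILE)
    print(entries)
    print("admin/correct:", verify(entries, "admin", "Example-Pa55word"))
    print("admin/wrong:  ", verify(entries, "admin", "nope"))
```

Because the digest is keyed on the realm name, an entry copied between mgmt-users.properties and application-users.properties will not verify; the parser also rejects duplicate users and malformed lines, which is the check to run after editing the file by hand.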
Changing the Local User Credentials
The procedure described below should only be used when FCSDK (or any product which includes and uses FCSDK) is not installed. If it is installed, FAS and FCSDK share the account, and you should only change the credentials using the FCSDK web UI (see the FCSDK Administration Guide for details). Also note that if FCSDK has configured LDAP as its security mechanism, then users can also log into the FAS administration interfaces using LDAP-provided credentials; the page on the FCSDK web GUI for changing credentials and login mechanisms applies to both FAS and FCSDK.
To change the local user credentials, use the <install dir>/bin/change-local-admin.sh script. This script gives you the option to change the username and password of the administrator; there can only be one administrator:
./change-local-admin.sh
-------------------------------------------------------------------------------
This utility will allow you to change the local admin username and/or password.
-------------------------------------------------------------------------------
First please authenticate using the current local username and password.
Username: **admin**
Password:
Authentication successful.
The current admin username is 'admin'.
Would you like to change this username? yes/no **yes**
New username: **administrator**
Re-enter new username: **administrator**
Username updated to 'administrator'
Would you like to change the password for 'administrator'? yes/no **yes**
New password:
Re-enter new password:
Password updated
Things you must type are shown in bold; output from the script is shown in plain text. You also need to type the password at the prompt; the script does not echo the password to the screen.
Adding a New User
There is an add-user.sh script provided in the <install dir>/bin directory which adds users to either the mgmt-users.properties or the application-users.properties file. The application-users.properties file contains users in the ApplicationRealm realm, which is available for use by applications (see the Files in the domain/configuration Directory section in the File System article), but is otherwise not used. Normally, you will want to create users in mgmt-users.properties.
- Log onto the FAS master node and run:
<install dir>/bin/add-user.sh
- The display will show:
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a):
Unless you have an application which uses the application realm, you can accept the default (a) by pressing Enter.
- The display will show:
Enter the details of the new user to add.
Realm (ManagementRealm) :
Management users will normally be in the ManagementRealm realm, so again you can accept the default by pressing Enter.
- The display will show:
Username :
Enter the user name, such as user1, and press Enter.
- The display will show:
Password:
Enter the password to use for the user, and press Enter.
- The display will show:
Re-enter Password
Enter the password again, and press Enter.
- The display will show:
About to add user 'user1' for realm 'ManagementRealm'
Is this correct yes/no?
If the information is correct, type yes to add the user.
- The display will show:
Added user 'user1' to file 'mgmt-users.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
- If this user is to be used solely for access to the Management Console and CLI, enter no.
- If you are creating this user on the master node to be used by slave nodes to communicate with the master node, type yes.
- If you typed yes above, the display will show:
To represent the user add the following to the server-identities definition <secret value="jeGioqQA91p7SQBLdwW6SrhSeM="/>
Press any key to continue...
The secret value is a Base64 encoded password hash. Make a copy of it - you will need it when you alter the credentials on the slave nodes.
Changing the Credentials used between Master and Slave
You can provide the same set of credentials for all slave nodes (that is, all slaves use the same user name), or use different credentials for each one (each slave has its own user name); the decision will be based on the security needs of each deployment.
To use new credentials on a slave FAS node, you must first run the procedure in the Adding a New User section in this article on the master node, making a note of the secret value; then edit two files on the slave node, host.xml and fas.properties:
host.xml
- Open the <install dir>/domain/configuration/host.xml file in an editor.
- Find the part of the contents which looks like:
<security-realm name="ManagementRealm">
    <server-identities>
        <secret value="YWRtaW5pc3RyYXRvcg=="/>
    </server-identities>
    <authentication>
        <local default-user="$local" />
        <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
    </authentication>
</security-realm>
- Replace the existing value property of the <secret> element with the one you noted when you added the user.
- Save the file.
fas.properties
- Open the <install dir>/domain/configuration/fas.properties file in an editor.
- Change the value of the domain.controller.user property to be the username of the user you created on the master node for this slave:
domain.controller.user=user1
- Save the file.
- Restart the slave node to use the new credentials.
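The two slave-side edits above, as an added example that is not part of this article or of the FAS product. It derives a <secret value> from a password, replaces the <secret> element of the ManagementRealm in the host.xml extract quoted above, and sets domain.controller.user in a constructed fas.properties sample. The Base64 relation it uses is taken from the page's own sample: YWRtaW5pc3RyYXRvcg== is plain Base64 of the word administrator, so the value in host.xml is recoverable and the file deserves the same file permissions as a plaintext credential store. The realm name and property key come from this article; the sample password and the extra property line are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# host.xml extract quoted from this article, used here as sample input.
HOST_XML_FRAGMENT = """<security-realm name="ManagementRealm">
<server-identities>
<secret value="YWRtaW5pc3RyYXRvcg=="/>
</server-identities>
<authentication>
<local default-user="$local" />
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
</security-realm>"""

# Constructed fas.properties sample; only domain.controller.user is from the article.
FAS_PROPERTIES_SAMPLE = ("# fas.properties (constructed sample)\n"
                         "domain.controller.user=admin\n"
                         "some.other.property=unchanged\n")


def secret_value(password):
    """Base64 of the UTF-8 password, the form <secret value=.../> carries."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_secret(value):
    """Reverse of secret_value; the value is an encoding, not a one-way hash."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def _local_name(tag):
    # Strip an XML namespace ({urn:...}secret -> secret) so the same code works
    # on a namespaced full host.xml and on the bare fragment above.
    return tag.rsplit("}", 1)[-1]


def replace_secret(xml_text, new_value, realm="ManagementRealm"):
    """Return xml_text with the realm's single <secret value> replaced."""
    try:
        base64.b64decode(new_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"new secret is not valid Base64: {exc}") from exc
    root = ET.fromstring(xml_text)
    realms = [el for el in root.iter()
              if _local_name(el.tag) == "security-realm" and el.get("name") == realm]
    if len(realms) != 1:
        raise ValueError(f"expected one security-realm named {realm!r}, found {len(realms)}")
    secrets = [el for el in realms[0].iter() if _local_name(el.tag) == "secret"]
    if len(secrets) != 1:
        raise ValueError(f"expected one <secret> under {realm!r}, found {len(secrets)}")
    secrets[0].set("value", new_value)
    # ElementTree does not round-trip XML comments or the <?xml ...?> declaration.
    return ET.tostring(root, encoding="unicode")


def set_property(text, key, value):
    """Set key=value in Java-properties text, replacing the existing line or appending."""
    out, found = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith(("#", "!")) and stripped.split("=", 1)[0].strip() == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def configure_slave(host_xml, fas_props, slave_user, slave_password):
    """Apply both edits the article describes, starting from one password."""
    new_xml = replace_secret(host_xml, secret_value(slave_password))
    new_props = set_property(fas_props, "domain.controller.user", slave_user)
    return new_xml, new_props


if __name__ == "__main__":
    print("sample secret decodes to:", decode_secret("YWRtaW5pc3RyYXRvcg=="))
    xml_out, props_out = configure_slave(HOST_XML_FRAGMENT, FAS_PROPERTIES_SAMPLE,
                                         "user1", "constructed-pw")
    print(xml_out)
    print(props_out)
```

replace_secret refuses to proceed unless exactly one ManagementRealm and exactly one <secret> are present, so a host.xml with an unexpected layout is left untouched rather than half-edited; the same password gives the same secret, so the value add-user.sh prints on the master can be checked against secret_value() before it is pasted in.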
Resetting Administrator Credentials
If you have FCSDK installed, or something which uses FCSDK, you should follow the procedure for resetting the Administrator credentials in the FCSDK Administration Guide. Administrator credentials are shared between FAS and FCSDK, and only the FCSDK procedure will reset them correctly.
If you have forgotten the administrator credentials, you can reset them to the defaults by setting a system property, which will reset the credentials on the next login attempt:
- Add the system property appserver.admin.password.reset=true in the <install dir>/domain/configuration/fas.properties file.
- Restart the FAS master node.
- Start the CLI (see the Starting the CLI section in the Management Interfaces article) or navigate to the Management Console (see the Starting the Management Console section in the Management Interfaces article), and attempt to log in.
Note: The login will fail; this is expected behavior.
- Remove the system property appserver.admin.password.reset from the <install dir>/domain/configuration/fas.properties file.
- Restart the FAS master node.
Login is now re-enabled, and the credentials have been reset to their default values.
Configuring TLS Cipher Suites
On installation, a default list of enabled cipher suites is configured for both HTTPS and SIPS traffic.
For HTTPS traffic on ASs and the Management Server, the list of enabled cipher suites is specified in the fas.properties file, in a property called openssl.cipher.suites, which has a default value of:
ALL:!SSLv2:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For SIPS traffic on ASs, and both SIPS and HTTPS traffic on LBs, the list of enabled cipher suites is specified in the fas.properties file in a property called jsse.cipher.suites, which has a default value of:
SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
You can configure these global values (for example, if you want to remove one of the cipher suites for all server processes), by editing the values in the fas.properties file.
If you want to configure the list of enabled cipher suites for individual server processes (for example, to enable different cipher suites for each server process type), you can do so using the CLI (see the Command Line Interface (CLI) section in the Management Interfaces article). For the CLI commands needed to make these changes, see the HTTPS section and the SIPS section below.
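The jsse.cipher.suites value is a comma-separated list of JSSE suite names, and the default quoted above includes RC4, 3DES and MD5-based suites, while the CLI examples in the HTTPS and SIPS sections of this article list DH_anon suites, which provide no server authentication. The following Python is an added example, not part of this article or of the FAS product: it reads such a list from fas.properties text, flags suites against a review policy of my own (the WEAK_MARKERS table and its reasons are the assumption here, not an FAS policy), and produces a reduced list that can be written back or passed to the CLI commands below.

```python
import re

# Default jsse.cipher.suites value quoted from this article.
DEFAULT_JSSE_SUITES = (
    "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
)

# Assumed review policy (the article defines none): a substring of the JSSE
# suite name and the reason a suite carrying it is flagged. Order matters only
# for the order of reasons in the report.
WEAK_MARKERS = (
    ("_anon_", "anonymous key exchange: no server authentication"),
    ("_NULL_", "no encryption"),
    ("_EXPORT", "export-grade key length"),
    ("_RC4_", "RC4 stream cipher"),
    ("_3DES_", "3DES: 64-bit block cipher"),
    ("_MD5", "MD5-based MAC"),
)
SUITE_NAME_RE = re.compile(r"(TLS|SSL)_[A-Za-z0-9_]+")


def parse_suite_list(value):
    """Split a jsse.cipher.suites value; reject tokens that are not JSSE names."""
    suites = [s.strip() for s in value.split(",") if s.strip()]
    bad = [s for s in suites if not SUITE_NAME_RE.fullmatch(s)]
    if bad:
        raise ValueError(f"not JSSE cipher suite names: {bad}")
    return suites


def audit(suites):
    """Map each flagged suite to the list of reasons it was flagged."""
    findings = {}
    for suite in suites:
        reasons = [why for marker, why in WEAK_MARKERS if marker in suite]
        if reasons:
            findings[suite] = reasons
    return findings


def harden(suites):
    """Return the suites that pass the policy, in their original order."""
    flagged = audit(suites)
    return [s for s in suites if s not in flagged]


def read_property(text, key):
    """Value of key from Java-properties text (first non-comment match wins)."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        name, sep, value = stripped.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    raise KeyError(key)


def audit_fas_properties(text, key="jsse.cipher.suites"):
    """Parse the named property out of fas.properties text and audit it."""
    suites = parse_suite_list(read_property(text, key))
    return audit(suites), harden(suites)


if __name__ == "__main__":
    # Constructed fas.properties text carrying the article's default value.
    sample = "# constructed sample\njsse.cipher.suites=" + DEFAULT_JSSE_SUITES + "\n"
    findings, kept = audit_fas_properties(sample)
    for suite, reasons in findings.items():
        print(f"FLAG {suite}: {'; '.join(reasons)}")
    print("jsse.cipher.suites=" + ",".join(kept))
```

The same harden() output can be pasted into the write-attribute commands for gov.nist.javax.net.ssl.cipherSuites and com.alicecallsbob.loadbalancer.http.ssl.cipherSuites. The OpenSSL-format openssl.cipher.suites string cannot be audited by name matching, because which suites it selects depends on the OpenSSL build on the node; expand it there with openssl ciphers -v '<list>' and review the expansion instead.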
HTTPS
For ASs and the Management Server, the list of supported HTTPS cipher suites is specified by the cipher-suite attribute of the HTTP connector's <ssl> element, in the web subsystem. By default, this is set to the variable openssl.cipher.suites.
Note: JBoss 'native' connectors are used; the format of the list of supported cipher suites must conform to the OpenSSL Cipher List Format. See http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT.
To specify the HTTPS cipher suites for ASs, use a command like the following, which replaces the variable with the required list of cipher suites:
/profile=ha/subsystem=web/connector=https/ssl=configuration/:write-attribute(name=cipher-suite,value=ALL:\!aNULL:\!ADH:\!eNULL:\!LOW:\!EXP:RC4+RSA:+HIGH:+MEDIUM)
To change the HTTPS cipher suites for the Management Server, use a command like the following:
/profile=management/subsystem=web/connector=https/ssl=configuration/:write-attribute(name=cipher-suite,value=ALL:\!aNULL:\!ADH:\!eNULL:\!LOW:\!EXP:RC4+RSA:+HIGH:+MEDIUM)
For LBs, the list of supported HTTPS cipher suites is specified in a property called com.alicecallsbob.loadbalancer.http.ssl.cipherSuites. By default this is set to the variable jsse.cipher.suites.
To specify the supported HTTPS cipher suites for LBs, use a command like the following:
/profile=lb/subsystem=lb/property=com.alicecallsbob.loadbalancer.http.ssl.cipherSuites/:write-attribute(value=TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
SIPS
For SIPS, the list of supported cipher suites is specified by a property called gov.nist.javax.net.ssl.cipherSuites for both ASs (in the ha profile) and LBs (in the lb profile). By default this is set to the variable jsse.cipher.suites.
To specify a list of supported SIPS cipher suites for ASs, use a command like the following, which replaces the variable with the required list of cipher suites:
/profile=ha/subsystem=sip/property=gov.nist.javax.net.ssl.cipherSuites/:write-attribute(value=TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
To specify the list of supported SIPS cipher suites for LBs, use a command like the following:
/profile=lb/subsystem=lb/property=gov.nist.javax.net.ssl.cipherSuites/:write-attribute(value=TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
Enabling and Disabling TLS v.1 and 1.1
Older versions of Transport Layer Security, as well as versions of its predecessor, SSL, have been found to be insecure. FAS provides scripts to enable and disable them in HTTPS traffic to and from the FAS.
To disable TLS v.1 and 1.1 (as well as SSL):
<install dir>/resources/disable-tlsv1.x.sh <admin_user> <admin_password>
To enable them:
<install dir>/resources/enable-tlsv1.x.sh <admin_user> <admin_password>
where <admin_user> is the admin user (see the Controlling Access to the Management Interfaces section in this article), and <admin_password> is the password for that user.
Note:
- You must run these scripts on each node in the cluster.
- You will need to restart FAS on each node after running the script, for the changes to take effect.