Red Hat Jboss Fuse 6.3 Security Guide
Total Page:16
File Type:pdf, Size:1020Kb
Red Hat JBoss Fuse 6.3 Security Guide Making it safe for your systems to work together Last Updated: 2017-11-09 Red Hat JBoss Fuse 6.3 Security Guide Making it safe for your systems to work together JBoss A-MQ Docs Team Content Services [email protected] Legal Notice Copyright © 2016 Red Hat. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners. Abstract This guide describes how to secure the Red Hat JBoss Fuse container, the web console, message brokers, routing and integration components, web and RESTful services, and it provides a tutorial on LDAP authentication. Table of Contents Table of Contents .C .H . A. P. T. .E . R. 1. .. S. E. .C . U. .R . I.T . Y. A. .R . C. .H . I. T. E. .C . T. U. R. .E . .4 . 1.1. OSGI CONTAINER SECURITY 4 1.2. APACHE CAMEL SECURITY 5 .C .H . A. P. T. .E . R. 2. S. .E . C. .U . R. .I N. .G . .T . H. .E . .C . O. .N . T. .A . I.N . E. .R . .8 . 2.1. JAAS AUTHENTICATION 8 2.2. ROLE-BASED ACCESS CONTROL 34 2.3. USING ENCRYPTED PROPERTY PLACEHOLDERS 47 2.4. ENABLING REMOTE JMX SSL 52 .C .H . A. P. T. .E . R. 3. S. .E . C. .U . R. .I N. .G . .T . H. .E . .J .E . T. .T .Y . .H . T. .T . P. S. E. .R . V. .E . R. 5. .7 . JETTY SERVER 57 CREATE X.509 CERTIFICATE AND PRIVATE KEY 57 ENABLING SSL/TLS FOR JETTY IN A STANDALONE CONTAINER 57 CUSTOMIZING ALLOWED TLS PROTOCOLS AND CIPHER SUITES 58 CONNECT TO THE SECURE CONSOLE 58 ADVANCED JETTY SECURITY CONFIGURATION 59 ENABLING SSL/TLS FOR JETTY IN A FABRIC 63 REFERENCES 66 .C .H . A. P. T. .E . R. 4. .S .E . C. .U . R. .I N. G. T . H. .E . .C . A. .M . E. .L . .A . C. .T .I .V . E. M. Q. C. .O . M. P. O. N. .E .N . .T . 6. .8 . 4.1. SECURE ACTIVEMQ CONNECTION FACTORY 68 4.2. EXAMPLE CAMEL ACTIVEMQ COMPONENT CONFIGURATION 69 .C .H . A. P. T. .E . R. 5. S. .E . C. .U . R. .I N. .G . .T . H. .E . .C . A. .M . E. .L . J. .E . T. T. .Y . .C . O. .M . .P .O . .N . E. N. T. .7 . 1. 5.1. ENABLING SSL/TLS SECURITY 71 5.2. BASIC AUTHENTICATION WITH JAAS 77 .C .H . A. P. T. .E . R. 6. .C . O. .N . .F .I G. .U . .R . I.N . G. T. .R . A. .N . S. .P . O. .R . T. .S . E. .C . U. .R . I.T . Y. F. O. .R . C . A. .M . .E . L. .C . O. .M . .P .O . .N . E. .N . T. S. 8. .2 . .C .H . A. P. T. .E . R. 7. .. S. .E . C. U. R. .I N. .G . .T . H. .E . .C .A . .M . E. .L . C. .X . F. C. O. .M . .P . O. .N . E. .N . T. 8. .4 . 7.1. THE CAMEL CXF PROXY DEMONSTRATION 84 7.2. SECURING THE WEB SERVICES PROXY 87 7.3. DEPLOYING THE APACHE CAMEL ROUTE 91 7.4. SECURING THE WEB SERVICES CLIENT 93 .C .H . A. P. T. .E . R. 8. .S .E . C. .U . R. .I N. .G . .T . H. .E . .M . A. N. .A . G. .E . M. .E . N. .T . .C .O . .N . S. O. L. E. 1. 0. .0 . 8.1. CONTROLLING ACCESS TO THE FUSE MANAGEMENT CONSOLE 100 .C .H . A. P. T. .E . R. 9. L. .D . A. .P . .A . U. .T . H. .E . N. .T . I.C . A. .T . I.O . N. T. .U . T. .O . R. .I A. .L . .1 .0 . 1. 9.1. TUTORIAL OVERVIEW 101 9.2. SET-UP A DIRECTORY SERVER AND CONSOLE 101 9.3. ADD USER ENTRIES TO THE DIRECTORY SERVER 104 9.4. ENABLE LDAP AUTHENTICATION IN THE OSGI CONTAINER 108 9.5. ENABLE SSL/TLS ON THE LDAP CONNECTION 115 .A . P. .P .E . N. .D . I. X. A. .. .M . A. N. .A . G. .I N. .G . .C . E. .R . T. I. F. I. C. .A . T. E. .S . 1. 2. .0 . A.1. WHAT IS AN X.509 CERTIFICATE? 120 A.2. CERTIFICATION AUTHORITIES 121 A.3. CERTIFICATE CHAINING 122 A.4. SPECIAL REQUIREMENTS ON HTTPS CERTIFICATES 123 A.5. CREATING YOUR OWN CERTIFICATES 125 .A . P. .P .E . N. .D . I. X. B. .. .A . S. .N . ..1 . A . .N . D. D. .I S. .T . I.N . G. .U . I. S. H. .E . D. N. .A . .M . E. .S . .1 3. .2 . ..